While Solaris hardening is a well-established procedure, usually based on JASS, AIX hardening is a very fuzzy area with few good papers and even fewer good scripts. Many components exist here and there, but nobody has integrated them. It is not easy to make a machine-hardening script written for Solaris run on AIX, but it is possible. One version of Titan can harden AIX, but of course it needs serious modification and tuning before you can run it on a production AIX 5.3 server (unless you have some grudges against your current company :-)
Some random points:
AIX has the capability to comply with the ITCS204 password restrictions.
AIX has a screwed-up version of shadow passwords: it uses the /etc/security/passwd file to store the encrypted password for each UID (the encryption appears to be the standard crypt(3) algorithm).
There is a tool called AIX Security Expert that can help shut down unnecessary network services.
AIX® Security Expert provides a center for all security settings (TCP, NET, IPSEC, system, and auditing). AIX Security Expert is a system security hardening tool. AIX Security Expert provides simple menu settings for High Level Security, Medium Level Security, Low Level Security, and AIX Standard Settings security that integrate over 300 security configuration settings while still providing control over each security element for advanced administrators. AIX Security Expert can be used to implement the appropriate level of security, without the necessity of reading a large number of papers on security hardening and then individually implementing each security element.
AIX Security Expert can be used to take a security configuration snapshot. This snapshot can be used to set up the same security configuration on other systems. This both saves time and ensures that all systems have the proper security configuration in an enterprise environment.
AIX Security Expert can be run from Web-based System Manager, SMIT, or you can use the aixpert command.
Chapter 8. Securing AIX
8.1 Overview
8.2 Step 1: Remove unnecessary services
8.2.1 Removing entries from /etc/inittab
8.2.2 Removing entries from /etc/rc.tcpip
8.2.3 Removing entries from /etc/inetd.conf
8.3 Step 2: Tighten configurations of remaining services
8.3.1 Domain Name System (DNS)
8.3.2 Network File System and Network Information Service
8.3.3 Simple Mail Transfer Protocol (SMTP)
8.3.4 Simple Network Management Protocol (SNMP)
8.3.5 Trivial File Transfer Protocol (TFTP)
8.3.6 Securing X11
8.3.7 File Transfer Protocol (ftp)
8.3.8 Protecting TCP services using SOCKS
8.4 Step 3: Set proper network (no) options
8.4.1 SYN attack protection
8.4.2 Broadcast protection
8.4.3 IP routing options
8.5 Step 4: Tighten up user accounts
8.5.1 Removing unnecessary default accounts
8.5.2 Setting user attributes
8.5.3 Securing root
8.5.4 Other attributes
8.6 Step 5: Set up strong password policy
8.6.1 Modifying user password attributes
8.6.2 Password cracker utility
8.7 Step 6: Install additional security tools
8.8 Step 7: Monitor logs, audit trails, and system behavior
A new utility, /usr/sbin/multibos, is supplied in AIX 5L Version 5.3 with the 5300-03 Recommended Maintenance package to create and manage a new instance of the operating system, so that there are two distinct and bootable instances within a single rootvg. The running instance, called the active base operating system (BOS), can be in production. Meanwhile, multibos operations are used to modify the non-running instance, which is called the standby BOS. The multibos utility enables the root user to set up, access, maintain, update, and customize the new instance of the BOS.
AFS is available via WebAuth (i.e. authenticated with your leland ID) at:
http://lelandsystems.stanford.edu/dist/afs-clients/supported/
After downloading, follow the instructions for installing: http://lelandsystems.stanford.edu/services/afs/sysadmin/install/aix/
If you have decided not to install AFS, please see:
Kerberos without AFS.
If any of the above didn't make sense, please see:
More Information and Help on Kerberos
Your /etc/hosts.deny file should disallow anything not explicitly stated in /etc/hosts.allow, i.e.:
ALL: ALL
Easy Installation - Download the hosts.allow and hosts.deny files and copy them to /etc.
More Information on TCP Wrappers
# Kerberos services
eklogin stream tcp nowait root /usr/sbin/tcpd /etc/leland/klogind -ke
kshell  stream tcp nowait root /usr/sbin/tcpd /etc/leland/kshd -k
ident   stream tcp nowait root /usr/sbin/tcpd /etc/leland/sidentd
kftgtd  stream tcp nowait root /usr/sbin/tcpd /etc/leland/kftgtd
telnet  stream tcp nowait root /usr/sbin/tcpd /etc/leland/telnetd -a user
daytime stream tcp nowait root internal
Remember: after changing inetd.conf, you must send the inetd process a HUP signal so that it re-reads the file and the change takes effect:
Note: If you want to run the kerberos popper server, you will need another srvtab specifically for that service in order for certain mail readers to work. Please contact srvtab-request@leland for the srvtab.pop srvtab.
Easy Installation - Download the file and copy it over /etc/inet/inetd.conf
More Information and Help on inetd
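As an added example (not from the Stanford page or from any AIX tool), here is a small sh/awk audit that reads an inetd.conf in the format shown above and reports which enabled services are started through /usr/sbin/tcpd, which are inetd-internal, and which are started directly and therefore never pass through hosts.allow/hosts.deny; the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper: list every enabled service in an inetd.conf and say
# whether it is started through the TCP wrapper (/usr/sbin/tcpd), is
# inetd-internal, or is started directly, in which case hosts.allow and
# hosts.deny are never consulted for it.
# Usage: audit_inetd /etc/inetd.conf

audit_inetd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        NF < 6 { next }                     # not a complete inetd entry
        {
            # fields: service socket proto wait user server [args...]
            svc = $1; server = $6; state = "UNWRAPPED"
            if (server == "internal")            state = "INTERNAL"
            else if (server == "/usr/sbin/tcpd") state = "WRAPPED"
            printf "%-10s %-8s %s\n", state, svc, server
        }
    ' "$1"
}

# Number of services that bypass tcpd (internal ones are not counted).
count_unwrapped() {
    audit_inetd "$1" | awk '$1 == "UNWRAPPED" { n++ } END { print n + 0 }'
}

# Constructed sample inetd.conf for the demonstration: the wrapped
# Kerberos entries from the fragment above plus two unwrapped services
# and one commented-out entry, which must be ignored.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# Kerberos services
eklogin stream tcp nowait root /usr/sbin/tcpd /etc/leland/klogind -ke
kshell  stream tcp nowait root /usr/sbin/tcpd /etc/leland/kshd -k
telnet  stream tcp nowait root /usr/sbin/tcpd /etc/leland/telnetd -a user
daytime stream tcp nowait root internal
ftp     stream tcp nowait root /usr/sbin/ftpd ftpd
tftp    dgram  udp wait   nobody /usr/sbin/tftpd tftpd -n
#finger stream tcp nowait nobody /usr/sbin/fingerd fingerd
EOF
}

# Stand-alone use: audit the file given on the command line.
if [ $# -eq 1 ]; then
    audit_inetd "$1"
    echo "unwrapped services: $(count_unwrapped "$1")"
fi
```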
mail.debug      /var/adm/maillog
mail.none       /var/adm/maillog
auth.notice     /var/adm/authlog
lpr.debug       /var/adm/lpd-errs
kern.debug      /var/adm/messages
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info   /var/adm/messages
Of course, if the files named on the right-hand side do not exist, you will have to "touch" them to create them first.
More Information and Help on Logging
More Information on AIX Permissions
ifstatus is also available for download:
http://security.stanford.edu/tools/ifstatus-2.1.tar.Z
More Information on Promiscuous Mode and Detection
AIX Security Expert provides a center for all security settings (TCP, NET, IPSEC, system, and auditing).AIX Security Expert is a system security hardening tool. AIX Security Expert provides simple menu settings for High Level Security, Medium Level Security, Low Level Security, and AIX Standard Settings security that integrate over 300 security configuration settings while still providing control over each security element for advanced administrators. AIX Security Expert can be used to implement the appropriate level of security, without the necessity of reading a large number of papers on security hardening and then individually implementing each security element.
AIX Security Expert can be used to take a security configuration snapshot. This snapshot can be used to set up the same security configuration on other systems. This both saves time and ensures that all systems have the proper security configuration in an enterprise environment.
AIX Security Expert can be run from Web-based System Manager, SMIT, or you can use the aixpert command.
March 2002. AIX is an open UNIX operating environment that provides increased levels of integration, flexibility, and reliability that are essential for meeting the high demands of today's e-business applications. This focus on versatility allows AIX to be used under a wide variety of workloads, from running on a symmetric multiprocessor, capable of managing thousands of transactions per minute, to running on a single-node workstation used for application development.
Because one of the goals of AIX is to achieve this level of versatility and power, many services are immediately available when you finish installing the operating system. However, this can result in a configuration that is vulnerable to security exposures if the system is not configured appropriately. To minimize the number of possible security exposures, the system administrator must be able to identify the workload characteristics of the environment. System hardening is a global philosophy of system security that focuses strongly not only on detection, but also on prevention. It involves removing unnecessary services from the base operating system, restricting user access to the system, enforcing password restrictions, controlling user and group rights, and enabling system accounting.
AIX has its own authentication framework, which is called the Loadable Authentication Module (LAM) system. So when using PAM under AIX, there are actually two different authentication systems in use. Both provide similar functionality, and both are modular, but they're designed very differently in terms of application API, module API, and config file format. If you have an application that uses the PAM application API, it will use the PAM modules configured in /etc/pam.conf; if you have an application that uses the LAM application API, it will use the LAM modules configured in /usr/lib/security/methods.cfg.
The LAM module API for AIX 5.2 is documented here:
http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm
The LAM module API was not documented in AIX 4.3, but my guess is that it was probably the same. AIX 4.3 does not include PAM. However, I've written a patch for building Linux-PAM under AIX.
The patch includes a PAM module called pam_aix that "converts" PAM calls into the corresponding LAM calls, so that PAM-aware applications can make use of LAM even though they don't have any knowledge of the LAM application API. Because LAM provides AIX's default authentication mechanism, pam_aix can be used as the default module in /etc/pam.conf, much as pam_unix is on other platforms. For example:
other auth     required /usr/local/lib/security/pam_aix.so
other account  required /usr/local/lib/security/pam_aix.so
other session  required /usr/local/lib/security/pam_aix.so
other password required /usr/local/lib/security/pam_aix.so
The stock AIX 5.1 CDs do not include PAM. Starting with ML01, the PAM library is included. However, no PAM modules are supplied and there is no default /etc/pam.conf file.
To address this problem, IBM has backported their implementation of the pam_aix module from AIX 5.2 and made it available for AIX 5.1:
https://techsupport.services.ibm.com/server/nav/pam
Note that IBM's implementation of pam_aix was done completely independently of the one I wrote for AIX 4.3. It does not support the same options, but it works the same otherwise. AIX 5.2 has full support for PAM. It ships with the PAM library, the pam_aix module, and a default /etc/pam.conf file.
Similarly to the way that pam_aix "converts" from PAM to LAM, AIX 5.2 also includes a LAM module that "converts" from LAM to PAM. The IBM documentation refers to this as the "PAM module", which is extremely confusing; to avoid this, I will refer to this module using its full path, /usr/lib/security/PAM.
As mentioned above, pam_aix is a PAM module that you configure in /etc/pam.conf, and it allows PAM-aware applications to make use of LAM even though they don't have any knowledge of the LAM application API. Conversely, /usr/lib/security/PAM is a LAM module that you configure in /usr/lib/security/methods.cfg, and it allows LAM-aware applications to make use of PAM even though they don't have any knowledge of the PAM application API.
The /usr/lib/security/PAM LAM module is documented here:
http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/pam_overview.htm
Unfortunately, /usr/lib/security/PAM is not a very elegant solution, because it requires major modifications on the part of any PAM module that you want to use with it. Because the LAM API does not support the notion of a conversation function, all PAM modules must be modified to use the pam_get_item() and pam_set_item() calls to communicate with the application. (If you're familiar with the PAM and LAM APIs, it's pretty obvious why this is a problem. PAM uses an out-of-band mechanism (the conversation function) to communicate with the application, while the LAM API uses iterative calls to the authenticate() function. Even if /usr/lib/security/PAM supplied its own conversation function for communicating with PAM, there's no reasonable way for the conversation function to jump back into the initial stack frame of the original authenticate() call without losing state between each iteration.)
Unfortunately, because the native AIX binaries (e.g., /bin/login and /bin/su) still call LAM directly, there is no reasonable way for them to use existing off-the-shelf PAM modules. The only alternative is to try to replace the native AIX binaries with open source alternatives that are PAM-aware, but that's a fairly complicated proposition, and I don't know of anyone who's actually tried to do that.
AIX 5.3 finally has native PAM support in all of the native AIX binaries (e.g., /bin/login, /bin/su, etc). By default, these binaries will still use the historic AIX authentication mechanism, but they can be configured to use PAM instead by changing a setting in /etc/security/login.cfg. For details, see:
http://publib.boulder.ibm.com/infocenter/pseries/index.jsp?topic=/com.ibm.aix.doc/aixbman/security/pam_overview.htm
AIX® security services can be configured to call PAM modules through the use of the existing AIX loadable authentication module framework.
Note: Prior to AIX 5.3 a loadable authentication module PAM was used to provide PAM authentication to native AIX applications. Due to differences in behavior between this solution and a true PAM solution, the PAM loadable authentication module is no longer the recommended means to provide PAM authentication to native AIX applications. Instead, the auth_type attribute in the usw stanza of /etc/security/login.cfg should be set to PAM_AUTH to enable PAM authentication in AIX. For more information on the auth_type attribute, see /etc/security/login.cfg. Use of the PAM loadable authentication module is still supported, but it is deprecated. You should use the auth_type attribute to enable PAM authentication.
When the /usr/lib/security/methods.cfg file is set up correctly, the PAM load module routes AIX security services (passwd, login, and so on) to the PAM library. The PAM library checks the /etc/pam.conf file to determine which PAM module to use and then makes the corresponding PAM SPI call. Return values from PAM are mapped to AIX error codes and returned to the calling program.
Figure 1. AIX Security Service to PAM Module Path
This illustration shows the path that an AIX security service call takes when PAM is configured correctly. The PAM modules shown (pam_krb, pam_ldap, and pam_dce) are listed as examples of third-party solutions.
The PAM load module is installed in the /usr/lib/security directory and is an authentication-only module. The PAM module must be combined with a database to form a compound load module. The following example shows the stanzas that could be added to the methods.cfg file to form a compound PAM module with a database called files. The BUILTIN keyword for the db attribute designates the database as UNIX® files.
PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN

Creating and modifying users is then performed by using the -R option with the administration commands and by setting the SYSTEM attribute when a user is created. For example:

mkuser -R PAMfiles SYSTEM=PAMfiles registry=PAMfiles pamuser

This action informs further calls to AIX security services (login, passwd, and so on) to use the PAM load module for authentication. While the files database was used for the compound module in this example, other databases, such as LDAP, can also be used if they are installed. Creating users as previously described will result in the following mapping of AIX security to PAM API calls:

AIX                    PAM API
=====                  =========
authenticate       --> pam_authenticate
chpass             --> pam_chauthtok
passwdexpired      --> pam_acct_mgmt
passwdrestrictions --> No comparable mapping exists, success returned

Customizing the /etc/pam.conf file allows the PAM API calls to be directed to the desired PAM module for authentication. To further refine the authentication mechanism, stacking can be implemented.
Data prompted for by an AIX security service is passed to PAM through the pam_set_item function because it is not possible to accommodate user dialog from PAM. PAM modules written for integration with the PAM module should retrieve all data with pam_get_item calls and should not attempt to prompt the user to input data because this is handled by the security service.
Loop detection is provided to catch possible configuration errors in which an AIX security service is routed to PAM and then a PAM module in turn attempts to call the AIX security service to perform the operation. Detection of this loop event will result in an immediate failure of the intended operation.
Note: The /etc/pam.conf file should not be written to make use of the pam_aix module when using PAM integration from an AIX security service to a PAM module because this will result in a loop condition.
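The loop condition above is easy to introduce when both files are edited by hand, so here is an added sh/awk check (not IBM code) that parses methods.cfg stanzas and pam.conf lines in the forms shown on this page and flags a PAM-routed stanza combined with a pam_aix entry before a login is attempted; the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added configuration check: detect the LAM-to-PAM loop described above,
# where a methods.cfg stanza routes AIX security services to the PAM load
# module while /etc/pam.conf in turn loads pam_aix, which hands the
# request straight back to LAM.
# Usage: pam_loop_check /usr/lib/security/methods.cfg /etc/pam.conf

# Names of methods.cfg stanzas that hand authentication to PAM, either
# directly (program = /usr/lib/security/PAM) or as a compound module
# (options = auth=PAM,db=...).  AIX stanza files use '*' for comments.
pam_backed_stanzas() {
    awk '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }
        /^[A-Za-z0-9_]+:[ \t]*$/ { sub(/:.*/, ""); stanza = $0; next }
        /^[ \t]*program[ \t]*=/ && $NF == "/usr/lib/security/PAM" { print stanza }
        /^[ \t]*options[ \t]*=/ && $0 ~ /auth=PAM(,|[ \t]*$)/ { print stanza }
    ' "$1"
}

# Number of non-comment pam.conf lines that load the pam_aix module.
pam_aix_count() {
    awk '!/^[ \t]*#/ && /pam_aix/ { n++ } END { print n + 0 }' "$1"
}

# Prints "OK" or a "LOOP: ..." diagnosis; exit status 1 on a loop.
pam_loop_check() {
    stanzas=$(pam_backed_stanzas "$1")
    aix=$(pam_aix_count "$2")
    if [ -n "$stanzas" ] && [ "$aix" -gt 0 ]; then
        echo "LOOP: stanza(s) $(echo $stanzas) route LAM to PAM while pam.conf loads pam_aix on $aix line(s)"
        return 1
    fi
    echo "OK"
}

# Constructed sample methods.cfg: the two stanzas shown above plus an
# unrelated stanza that must not be reported.
write_sample_methods() {
    cat > "$1" <<'EOF'
* constructed methods.cfg fragment
PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN

LDAP:
        program = /usr/lib/security/LDAP
EOF
}

# Constructed sample pam.conf; $2 is the module path to use on every line
# (pam_aix reproduces the loop, pam_ldap is one of the page's examples).
write_sample_pamconf() {
    cat > "$1" <<EOF
# constructed pam.conf fragment
other auth     required $2
other account  required $2
other password required $2
EOF
}

# Stand-alone use: check the two files given on the command line.
if [ $# -eq 2 ]; then
    pam_loop_check "$1" "$2"
fi
```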
Google matched content
Center for Internet Security - AIX Benchmark
[PDF] AIX 5L Version 5.3: Security Guide
This paper is meant to serve as an introductory guide to the basic security and server hardening functions present in AIX. Many of the features and functions shown throughout this guide are applicable to AIX 4.3 and above, but are more directed toward AIX 5.2. This guide attempts to cover a lot of ground and offers useful and necessary insight for anyone administering AIX machines.
This paper is meant to serve as an introductory guide to the basic security and server hardening functions present in AIX. Many of the features and functions shown throughout this guide are applicable to AIX 4.3 and above, but are more directed toward AIX 5.2. Since security is and will always remain a major issue in server environments, it is crucial that system administrators have a strong working knowledge of security policy implementation and hardening features. This knowledge can be applied to new systems, or to bring older systems up to date.
All administrators should have a thorough understanding of what is presently installed and running on their system. But, with the wide range of server applications, administration specialization is often necessary. Therefore, it is imperative that at least one primary and one secondary administrator per team maintain a strong working knowledge of security. By staffing administrators with security emphasis, the system will be maintained with the newest updates, programs, and patches that deal with security or server hardening issues.
Keep in mind that security is defined on a server-by-server basis. Administrators should not implement any of these security features without personal research as some may cause software conflicts. Each feature must be fully understood and the system checked to ensure that the server will properly handle the security change. All tests should be made on a Proof of Concept box prior to production, as well as making sure all changes have gone through Change Management prior to implementation. Also, a backup of important files with a well-documented backout plan should always be utilized, especially when dealing with larger installs of security features on production servers.
Network security is very sturdy but should not be relied upon to the point of ignoring stand-alone security or server hardening features. Do not depend only on network security to safeguard the servers. This is the last line of defense, not the first. Many times networking can be bypassed internally within a company, or externally by accessing one vulnerable machine present on the network and running telnet/rsh to another server. One vulnerable node is very likely to be able to take down an entire network. Network security is very powerful, but should be used as a supplement, not a crutch.
NOTE: This is an early working draft, and as such is not very easy to read. I apologise for this, but the idea is to produce an outline, which can then be improved upon and refined.
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019