
8/13/2019 En - AIX Checklist


    AIX CHECKLIST

By: Frank W. Lyons, President of Entellus Technology Group, Inc.

EntellusFL@aol.com

I. Preliminary Steps

A. Obtain an organizational chart of the group responsible for the operating environment.

B. Obtain any existing security and control procedures.

C. Obtain a description of the network configuration.

D. Obtain a listing of the various systems (applications) supported by the operating system.

E. Obtain a job description of the System Administrator.

II. Installation Audit Steps

A. Review any design criteria for system security.

B. Determine whether user access is controlled through the operating system, the database management system, or the application front-end menu system.

C. Determine what documentation standards exist and whether they are being followed.

D. Determine who acts as the Security Administrator for the operating environment.

E. Determine the standards for password management and construction.

F. Review any existing security guidelines for users, groups, and functions.

III. Physical Security

A. Review the network configuration to ensure that all network components are physically secured.

These include File Servers, Bridges, Routers, Hubs/Concentrators, Gateways, Terminal Servers, and Modems.

B. Determine who is responsible and what documentation is required for configuration changes to the physical network.


Are these procedures effective?

Are the changes to the network documented?

Are users and other impacted parties properly notified?

C. Ensure that only the System Administrator or other authorized personnel have physical access to the file server console, as the system can be rebooted from the

IV. System Administration

A. Identify all the System Administrators.

# grep :0: /etc/passwd

B. Determine that each administrator requires this level of authority.

C. Determine the change control procedures over changes to users, programs, menus, authorities, user scripts, hardware and system software.

D. Determine that the proper person or group is responsible for monitoring the network that supports the file server.

E. Determine that the proper person or group is responsible for system shutdown and backups.

F. Determine if the System Administrator is supported by a backup or, at a minimum, that their userid/password are kept in a secured location in case of an emergency.

G. Determine who is responsible for maintaining license agreements and if all agreements are being met.

V. System Security

The System Administrator's interface for the AIX system is the System Management Interface Tool (smit). You can invoke smit by keying smit at the operating system prompt.

A. During the initial installation, did the System Administrator create audit checksum files? These files will allow the Security Administrator to verify that no changes have been made since the installation of the system.

The audit checksum files should contain a single-line entry for each file with the following information (see /etc/security/sysck.cfg):


field / comments

acl: contains both base and extended access control list data for the file
class: a logical group to which this file belongs
pathname: absolute pathname
owner: either symbolic or numeric ID
group: either symbolic or numeric ID
mode: symbolic representation as displayed by the ls -l command
size: size of the file in bytes; major and minor numbers are listed for devices
links: number of hard links to pathname
version: numeric value, reported by what(1)
checksum: file contents computed by a checksum algorithm; this field reflects the slightest change to a file, even a single character
symlinks: indicates whether the file has symbolic or hard links
program: the associated checking program
source: the source file for this file
type: the type of file

Producing these files should be a simple task. The resulting files should reside in a secured directory.

Dynamic security routines should be run on a periodic basis to ensure that these critical files have not been modified without proper approval.

B. Determine if the system is running in a secured (trusted) mode.

/etc/security/passwd For the password file

A trusted environment formats the primary password file's encrypted password (/etc/passwd) into the /etc/security/passwd file and replaces the password field in /etc/passwd with an


C. Auditing is enabled by entering /etc/audit start

Files used by audit:

/etc/security/audit/config configuration information
/etc/security/audit/events audit events of the system
/etc/security/audit/bincmds backend commands
/etc/security/audit/streamcmds commands that process stream data
/etc/security/audit/objects information about audited objects

D. Review the audit logs to determine if any unauthorized event has occurred.

E. Review the inittab to ensure that only authorized entries are present and that access is properly restricted.

# cat /etc/inittab

F. Review all the rc. scripts to ensure that only valid programs are executed within these scripts.

G. Review the sulog to look for suspicious activity.

H. Ensure that the system backup is done on a regular basis and that the backup files are properly stored.

VI. Account Security

In traditional HP-UX systems you can use the ls -l command to list the permissions for a directory or a file. On a secure (trusted) system you can use the lsacl command to see what permissions are associated with a given file, and the chacl command to change the access control lists of the file. ACLs are attached to files or directories to allow the Security Administrator to assign discrete authority to individuals or groups.

A. Obtain a listing of all user accounts and verify that each user is still an active worker on the system.

# cat /etc/passwd

Files associated with the user accounts:

/etc/security/ids uid sequence number
/etc/security/login.cfg contains rules for password quality
/etc/group group definitions
/etc/security/group additional group information and flags


/etc/passwd user account file
/etc/security/passwd encrypted passwords
/etc/security/user contains user extended attributes
/etc/security/environ contains environmental attributes for users
/etc/security/limits contains file limits
/etc/security/failedlogin contains an entry for every time a login fails

The AIX system also has a file that contains a stanza for each user known to the system. This can be obtained by using the following command and file:

# cat /etc/security/user

One other file that restricts the user is the /etc/security/limits file. This file contains the following:

fsize is the largest file a user can create.

core is the largest core file allowed, in units of 512 bytes.

cpu is the maximum number of CPU-seconds a process is allowed before being killed.

data is the largest data segment allowed, in units of 512 bytes.

stack is the maximum stack size a process is allowed.

rss is the maximum real memory size a process can acquire.

B. Obtain a listing of all group accounts and verify that each user still needs to participate in the defined group.


The group file contains some pre-defined groups such as the following:

system staff bin adm uucp mail


security cron printq audit ecs

nobody usr

A. Review the access control permissions on the critical system directories and files. In addition, review the access control permissions on the application's directories and files. Example:

# ls -l memos

-rwxrwxrwx 1 frank system [size] [date] memos

The chmod command can still be used to change the permissions for a file and should only be used if the file has any ACLs.

If you execute a command such as the following:

# aclget gets the ACL for a file
# aclput sets the ACL for a file
# acledit combines aclget and aclput

B. Review the users or groups who have write authority into a directory or file.

C. Review the umask value. It is located in /etc/profile and the user's .profile.

/etc/profile is a file that is executed each time a user logs in to the system. The umask variable is only one entry in this file. The PATH variable may also be listed. The PATH variable should also be reviewed to ensure that the path search is proper.

Another parameter for /etc/profile within AIX is the following:

TMOUT/TIMEOUT defines the time (in seconds) that a user can be idle before being automatically logged out of the system. TMOUT is used by ksh.

D. Review the system for setuid and setgid programs. Compare the list against a certification list of authorized programs. Use the find command to look for these types of programs, especially root-owned setuid or setgid programs.

# find / -user root -perm -4000 -exec ls -l {} \;


This find command will list root-owned setuid programs.

# find / -user root -perm -2000 -exec ls -l {} \;

This find command will list root-owned setgid programs.
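An added example, not part of the original checklist, that runs the two find commands above against a constructed directory tree and then reconciles the findings with a certification list, as step D asks. The file names and the authorized list are made up, and the owner is the current user rather than root so the script runs without privileges.

```shell
#!/bin/sh
# Builds a constructed directory tree (not a real system) with three setuid
# and one setgid file, so the page's find commands have something to report.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/local"
    for f in bin/passwd bin/su local/report local/mailer local/plain; do
        : > "$root/$f"
        chmod 755 "$root/$f"
    done
    chmod u+s "$root/bin/passwd" "$root/bin/su" "$root/local/report"   # setuid
    chmod g+s "$root/local/mailer"                                     # setgid
    printf '%s\n' "$root"
}

# The page's find commands, restricted to a start directory and an owner;
# output is made relative to the start directory and sorted for comparison.
list_setuid() {  # $1 start dir, $2 owner (root on a real audit)
    find "$1" -user "$2" -perm -4000 -type f | sed "s|^$1/||" | sort
}
list_setgid() {
    find "$1" -user "$2" -perm -2000 -type f | sed "s|^$1/||" | sort
}

# Print each finding that is absent from the certification list of
# authorized programs; anything printed needs an explanation.
unauthorized() {  # $1 findings (one per line), $2 authorized (one per line)
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$path" || printf '%s\n' "$path"
    done
}

# Stand-alone demonstration on the constructed tree.
demo() {
    tree=$(make_sample_tree)
    me=$(id -un)
    authorized=$(printf 'bin/passwd\nbin/su')   # constructed certification list
    echo "setuid files owned by $me:"; list_setuid "$tree" "$me"
    echo "setgid files owned by $me:"; list_setgid "$tree" "$me"
    echo "setuid files NOT on the authorized list:"
    unauthorized "$(list_setuid "$tree" "$me")" "$authorized"
    rm -rf "$tree"
}
demo
```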

E. Password Security

Check to ensure that all users have a password.

Check to ensure that all users are using the shadow password system.

Check to ensure that no user IDs are duplicated.

Review all accounts with a UID of

Determine if all users listed in /etc/passwd are still valid.

Determine if the password aging criteria are adequate.

Password aging is enabled by placing the necessary information in the password field.

Determine if all passwords are at least six characters long.

Determine if all passwords are run against a
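The first four password checks above (every account has a password, the shadow file is in use, no UIDs are duplicated, and the UID 0 accounts found by the grep :0: command earlier), as an added shell example that is not part of the original checklist. It runs over a constructed AIX-style /etc/passwd sample embedded in the script, not the live file; the account names and the hash are made up.

```shell
#!/bin/sh
# Constructed sample of an AIX-style /etc/passwd; not taken from any real system.
# A "!" in field 2 means the encrypted password lives in /etc/security/passwd.
SAMPLE_PASSWD='root:!:0:0:Root System Owner:/:/bin/ksh
daemon:!:1:1::/etc:
guest:!:100:100::/home/guest:/bin/ksh
oper:!:0:0:Backup operator:/home/oper:/bin/ksh
frank:!:201:1:Frank:/home/frank:/bin/ksh
anne::202:1:Anne:/home/anne:/bin/ksh
katie:x7Qz9pL0a1b2c:203:1:Katie:/home/katie:/bin/ksh
old:!:201:1:Left the company:/home/old:/bin/ksh'

# Accounts with an empty password field: they log in with no password at all.
no_password() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$2 == "" { print $1 }'
}

# Accounts whose hash still sits in world-readable /etc/passwd instead of
# the shadow file (anything in field 2 other than "!" or empty).
not_shadowed() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$2 != "!" && $2 != "" { print $1 }'
}

# Every account with UID 0 has full root authority, whatever its name.
uid_zero() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == "0" { print $1 }'
}

# UIDs shared by two or more accounts, printed as uid:name,name.
duplicate_uids() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '
        { seen[$3]++; names[$3] = (seen[$3] > 1 ? names[$3] "," : "") $1 }
        END { for (u in seen) if (seen[u] > 1) print u ":" names[u] }' | sort
}

# Run every check and print a short report (constructed data only).
audit_passwd() {
    printf 'no password    : %s\n' "$(no_password | tr '\n' ' ')"
    printf 'not shadowed   : %s\n' "$(not_shadowed | tr '\n' ' ')"
    printf 'uid 0 accounts : %s\n' "$(uid_zero | tr '\n' ' ')"
    printf 'duplicate uids : %s\n' "$(duplicate_uids | tr '\n' ' ')"
}
audit_passwd
```

On a real system the same awk filters would read /etc/passwd directly; the shadow marker test is the AIX-specific part.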


daemon adm uucp lp hpd

guest nobody lpd

G. Home Directories

Ensure that users' home directories and files are not writable by anyone except the owner or root.

Ensure that the .profile, .cshrc, and .login files are not writable by anyone other than the owner.

Investigate and remove, if possible, the use of any .rhosts files within users' home directories.

Ensure that the .netrc file is not used, as it allows the user to bypass the .login authentication for remote login and even contains the user's unencrypted password. If it is used and is required, it should not be readable or writable by anyone other than its owner.

Ensure that root's .profile has a proper PATH variable with no


minother is the number of non-alphabetic characters required in the password.

maxlogins is the maximum number of locally logged-in users at a given time. The only valid values are a fixed set of licensed counts; zero means an unlimited number.

minalpha is the number of alphabetic characters required in the password.

shells defines the valid shells a user can access.

herald parameters for the initial screen display.

VII. Network Security

A. Review the /etc/exports file to see which file systems can be mounted by another machine.

The /etc/exports file lists entries that consist of the path name of a file system followed by a series of names of computers and names of groups of computers. To identify the groups of computers, list the contents of the /etc/netgroup file.

Each one-line entry should have two fields. The first is the name of the file system being exported. The second and subsequent fields name the systems to which the file system can be exported. If fewer than two fields are present, the file system can be shipped anywhere in the world.

B. List the /etc/hosts.equiv file to verify the names of other computers that can allow their users to sign on to this host without providing a password.

Verify that each of these other hosts does not extend unauthorized privileges to another user or node.

Another file associated with the trusted environment is the .rhosts file, which could allow someone to give any other user access to their authorities without a password.
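An added example (not part of the original checklist) that applies the two-field rule for /etc/exports entries from step A above and expands @netgroup names through /etc/netgroup; the exports and netgroup contents are constructed samples, not from any real host.

```shell
#!/bin/sh
# Constructed /etc/exports in the form the checklist describes: a file system
# name, then the hosts (or @netgroups) allowed to mount it. Not a real host.
SAMPLE_EXPORTS='/home           payroll1 payroll2
/usr/share/man  @auditors
/tmp/transfer
# lines starting with # are comments and are skipped
/data           backup01'

# Constructed /etc/netgroup: name followed by (host,user,domain) triples.
SAMPLE_NETGROUP='auditors (audit1,,) (audit2,,)'

# File systems listed with fewer than two fields: mountable from anywhere.
exported_to_world() {
    printf '%s\n' "$SAMPLE_EXPORTS" | awk '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        NF < 2 { print $1 }'
}

# Hosts allowed to mount one file system, with @netgroup names expanded
# (the host is the first element of each (host,user,domain) triple).
allowed_hosts() {  # $1 file system
    printf '%s\n' "$SAMPLE_EXPORTS" |
    awk -v fs="$1" '$1 == fs { for (i = 2; i <= NF; i++) print $i }' |
    while IFS= read -r name; do
        case $name in
            @*) printf '%s\n' "$SAMPLE_NETGROUP" | awk -v g="${name#@}" '
                    $1 == g { for (i = 2; i <= NF; i++) {
                        sub(/^\(/, "", $i); sub(/,.*/, "", $i); print $i } }' ;;
            *)  printf '%s\n' "$name" ;;
        esac
    done
}

# Report for the constructed sample.
exported_to_world | sed 's/^/exported to every host: /'
```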


C. Determine if an administrative domain has been set up.


If so, verify that root is controlled on each local host; otherwise someone can obtain root authorities on any machine within the domain.

Verify that consistency is maintained for user name, uid, and gid among the password files in the domain.

Verify that consistency is maintained for group files on all machines within the domain.

D. Verify permission settings on network control files.

The following files should never be writable by the public:

networks Network names and their addresses
hosts Network hosts and their addresses
hosts.equiv Remote hosts allowed access equivalent to the local host
services Services name database
exports List of file systems being exported to NFS clients
protocols Protocol name database
inetd.conf Internet configuration file (TCP/IP services)
netgroup List of network-wide groups
.netrc Allows for the processing of rexec and ftp commands without manual password verification (the .netrc file contains unencrypted password information)

E. Review the use of UUCP.

F. Review the use of anonymous ftp.

G. Review the use of tftp.

H. Modem security

Use of a smart card or some type of secured dial-back

Use of an additional password

Keep the access list current

VIII. Device File Security

A. Check the /dev directory for special devices that do not have the proper permission settings.


B. Ensure that all devices reside only within the /dev directory.

C. Ensure that access to devices such as mem, kmem, and swap is properly protected.

D. Terminal ports on UNIX systems may be writable by anyone, so that users can communicate by using the write or talk programs. Only the owner should have read permission.

E. Ensure that an individual user does not own any device except for their terminal device or local printer.

IX. Batch Job Security

A. Scheduled jobs within the UNIX environment are set up in a file called the crontab. This file has a one-line entry for each job to be executed at a given time. This file, especially the one owned by root, should be reviewed to ensure that only valid entries and jobs are run.

B. Other jobs can be run with the at command. Determine if the at command is restricted by reviewing the files at.allow and at.deny.

X. Log Files

A. Using the last command you can review the last login attempts on the system.

B. Use /etc/wtmp to review connection sessions.

# fwtmp < /etc/wtmp

C. Review /usr/adm/messages for BAD login attempts.

D. Check to see if accounting is turned on.

The accton command turns on accounting.

E. Displaying process accounting records

The acctcom command will allow you to display records from any file containing process accounting records.

XI. Special Commands or Routines

A. sysck Runs the grpck, usrck, and pwdck commands.


B. grpck This command verifies that all users listed as group members are defined as users, that the gid is unique, and that the group name is correctly formed.

C. usrck The usrck command verifies many parameters of the userid definition.

D. pwdck The pwdck command checks authentication stanzas in /etc/passwd and /etc/security/passwd.

DEFINITIONS:

kernel Is the piece of software that controls the computer and is often called the operating system.

shell Is a command interpreter and a program such as sh, csh, ksh, rsh, and tsh.

AIX uses the ksh.

driver Is a program that enables the kernel to communicate with a given type of peripheral.

/dev/kmem Is a special device file that allows access to the RAM locations occupied by the kernel.

/ The root directory

/dev The /dev directory contains the devices attached to UNIX

/bin The /bin directory contains a small subset of HP-UX commands

/etc The /etc directory contains many files including the passwd file

/tmp The /tmp directory is used for temporary file storage

/etc/inittab Contains information about system run levels and also has an entry for each terminal

Example: 0::respawn:/etc/getty tty10

0 = id; (empty) = operating system level; respawn = action; /etc/getty = program to execute


/etc/rc Defines actions taken during startup

/etc/passwd Determines who can log into your system

root:<encrypted password>:0:1:Root System Owner:/:/bin/sh

AIX uses a shadow passwd file in the /etc/security directory. With this file the primary passwd file would look like the following:

root:!:0:1:Root System Owner:/:/bin/ksh

/etc/group Identifies the users that form a group

audit:<password field>::frank,anne,katie,michaella

/etc/ttytype A database of terminal types

.exrc Maps terminal characteristics and sets up key definitions

/etc/motd Contains the message of the day


/etc/profile Executes automatically during the login process

.profile Executes each time the user successfully logs in using the Bourne (sh), Korn (ksh), or rsh shell

.kshrc Korn shell script that supplements actions taken by the .profile file

permissions Everything in UNIX is treated like a file. That is, a data file is a file, so is a directory, so is a terminal, so is a modem, and so on. Each of these is identified by the file type. The file types are:

d = directory
- = a data or program file
c = a character file
b = a block file
l = a symbolic link
p = a pipe or FIFO


You can obtain this information by running the ls -l command:

# ls -l memos
-rwxrwxrwx 1 frank audit Jan [day] [time] memos

The first digit is the file type. The second through the 10th digits are the permissions:

rwx for owner, which is frank
rwx for group, which is audit
rwx for other, which is not shown but represents authorities for all others
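An added example, not the checklist's own, that decodes the ten permission characters described above and applies them to two of the checklist's rules: the network control files in section VII.D must never be writable by the public, and terminal devices in section VIII.D should be readable only by their owner. The ls -l lines are constructed samples, not from any real host.

```shell
#!/bin/sh
# Constructed ls -l output (not from a real host) covering network control
# files, a user's .netrc and two terminal devices.
SAMPLE_LS='-rw-r--r--   1 root   system  1226 Jan 04 10:12 /etc/hosts
-rw-rw-rw-   1 root   system   412 Jan 04 10:12 /etc/hosts.equiv
-rw-r-----   1 root   system   118 Jan 04 10:12 /etc/exports
-rw-r--rw-   1 frank  staff     95 Jan 04 10:12 /home/frank/.netrc
drwxrwxrwx   2 root   system   512 Jan 04 10:12 /etc/netgroup.d
crw--w--w-   1 frank  staff   6, 0 Jan 04 10:12 /dev/tty4
crw-r--r--   1 anne   staff   6, 1 Jan 04 10:12 /dev/tty5'

# Name for the first character, using the page's file-type table.
type_name() {  # $1 one character
    case $1 in
        d) echo directory ;;        -) echo "data or program file" ;;
        c) echo "character file" ;; b) echo "block file" ;;
        l) echo "symbolic link" ;;  p) echo "pipe or FIFO" ;;
        *) echo unknown ;;
    esac
}

# Split a ten-character mode string into type, owner, group and other
# (characters 1, 2-4, 5-7 and 8-10, as the page describes).
decode_mode() {  # $1 mode string such as -rwxrwxrwx
    printf 'type=%s owner=%s group=%s other=%s\n' \
        "$(type_name "$(printf '%s' "$1" | cut -c1)")" \
        "$(printf '%s' "$1" | cut -c2-4)" \
        "$(printf '%s' "$1" | cut -c5-7)" \
        "$(printf '%s' "$1" | cut -c8-10)"
}

# Entries whose "other" triplet grants write (character 9), as "path owner".
# Terminal devices may legitimately appear here; everything else needs review.
world_writable() {
    printf '%s\n' "$SAMPLE_LS" | awk 'substr($1, 9, 1) == "w" { print $NF, $3 }'
}

# Character devices (terminals) that anyone can read: only the owner should.
readable_terminals() {
    printf '%s\n' "$SAMPLE_LS" |
    awk 'substr($1, 1, 1) == "c" && substr($1, 8, 1) == "r" { print $NF }'
}

echo "world-writable entries:"; world_writable
echo "terminals readable by others:"; readable_terminals
```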

chmod Command to change the permissions on a file
chown Command to change the ownership of a file

umask Default permission levels for all new files created
crontab Automates job processing. Each entry contains the following information:

minute 0-59
hour 0-23
dates 1-31
months 1-12
days 0-6 (0 = Sunday)
runstring specifies the command line or script file to execute

An entry of