Hardening AIX

(Rough outline draft #2. I started this in Nov. 2001, but the project was abandoned.)

NOTE: This is an early working draft, and as such is not very easy to read. I apologise for this, but the idea is to produce an outline, which can then be improved upon and refined.

By Seán Boran

This document presents a step-by-step approach to securely installing AIX 4.3 (TBD exact version) for use in a sensitive environment. All steps have been tested on Pilot Globe systems.

The focus here is on preparing the Operating System to securely run services, rather than the setup of the services themselves. An accompanying tool will be developed to allow corresponding automated hardening.

The process of hardening involves installing patches, disabling unneeded services, configuring accounts correctly, restricting file permissions, limiting SUID/SGID files, configuring OS security features, and monitoring the system for unusual behaviour.


Table of contents

  1. Preparation
  2. Initial OS installation
  3. Minimize network services
  4. Kernel Tuning
  5. Logging
  6. File / Directory Access Control
  7. System Authentication / Access Control
  8. User Accounts and Environment
  9. Hardening specific services (optional for later?, or refer to other documents?): snmp, smtp, http, dns, time sync & ntp, AIXwindows/CDE.
  10. Install additional security tools
  11. Create Tripwire image, backup, test
  12. Maintenance: monitoring | Software patches
  13. References

1. Preparation


2. Initial OS installation

TBD:


Minimize network services

Principles

Network services present a significant risk to security:

Minimise Inetd network Services

Inetd is a process which automatically starts certain daemons, such as telnet and ftp, when connections are made to their ports.

Inetd services can be enabled or disabled with the command 'chsubserver' on AIX. Likewise, after changes to the inetd configuration the daemon needs to be sent a hang-up signal: 'refresh -s inetd'. For example:

[server1]# chsubserver -d -v daytime -p udp
[server1]# chsubserver -d -v daytime -p tcp
[server1]# grep daytime /etc/inetd.conf
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal

It is recommended that ALL services except the following be disabled:

..... TBD list ...

This can be achieved with the following commands:
chsubserver -d -v daytime -p udp
chsubserver -d -v daytime -p tcp
..... TBD list ...
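A small audit script for the step above, added here as an example (not part of the original draft): it reads an inetd.conf, compares the active services with an allow-list and prints the chsubserver commands that would disable the rest, without running them. The inetd.conf contents and the allow-list are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of an AIX /etc/inetd.conf (fields: service, socket type,
# protocol, wait/nowait, user, server program, arguments). Lines starting with
# "#" are services that chsubserver -d has already commented out.
SAMPLE_INETD_CONF='ftp     stream tcp nowait root   /usr/sbin/ftpd    ftpd
telnet  stream tcp nowait root   /usr/sbin/telnetd telnetd -a
#daytime stream tcp nowait root internal
#daytime dgram  udp wait   root internal
chargen stream tcp nowait root   internal
echo    dgram  udp wait   root   internal
tftp    dgram  udp wait   nobody /usr/sbin/tftpd   tftpd -n
exec    stream tcp nowait root   /usr/sbin/rexecd  rexecd'

# Services we intend to keep, as "name/protocol" tokens. ftp, telnet and tftp
# are kept here only because the draft lists them as possibly needed.
ALLOWED="ftp/tcp telnet/tcp tftp/udp"

# Read an inetd.conf on stdin and print one "chsubserver -d ..." line for
# every active service that is not in the allow-list. Nothing is executed:
# review the output, then run it and follow with "refresh -s inetd".
inetd_disable_commands() {
    allowed="$1"
    while read -r name socktype proto rest; do
        case "$name" in ''|'#'*) continue ;; esac              # blank or already disabled
        case " $allowed " in *" $name/$proto "*) continue ;; esac   # on the allow-list
        printf 'chsubserver -d -v %s -p %s\n' "$name" "$proto"
    done
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_INETD_CONF" | inetd_disable_commands "$ALLOWED"
```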

securetcpip ?

Special services which may be needed (discuss what measures to take for each one)

  1. ftp

  2. telnet

  3. other?

  4. tftp - for diskless booting : /etc/tftpaccess.ctl

Minimize /etc/rc.tcpip network services

A description of what services are started in /etc/rc.tcpip and how they can be changed with chrctcp.

/usr/sbin/no -o clean_partial_conns=1
/usr/sbin/no -o bcastping=0
/usr/sbin/no -o directed_broadcast=0
/usr/sbin/no -o ipignoreredirects=1
/usr/sbin/no -o ipsendredirects=0
/usr/sbin/no -o ipsrcroutesend=0
/usr/sbin/no -o ipsrcrouterecv=0
/usr/sbin/no -o ipsrcrouteforward=0
/usr/sbin/no -o ip6srcrouteforward=0
/usr/sbin/no -o icmpaddressmask=0
/usr/sbin/no -o nonlocsrcroute=0
/usr/sbin/no -o tcp_pmtu_discover=0
/usr/sbin/no -o udp_pmtu_discover=0
/usr/sbin/no -o ipforwarding=0
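To check whether a running system still matches the list above, here is an added example script (not from the original draft) that compares the output of "no -a" with the wanted values and prints only the "no -o" commands needed to correct drift. The "no -a" excerpt is constructed; the "  name = value" line format is what AIX prints.

```shell
#!/bin/sh
# Desired "no" values from the list above, one name=value per line.
WANTED='clean_partial_conns=1
bcastping=0
directed_broadcast=0
ipignoreredirects=1
ipsendredirects=0
ipsrcroutesend=0
ipsrcrouterecv=0
ipsrcrouteforward=0
ip6srcrouteforward=0
icmpaddressmask=0
nonlocsrcroute=0
tcp_pmtu_discover=0
udp_pmtu_discover=0
ipforwarding=0'

# Constructed excerpt of "no -a" output. A real listing has many more
# options; icmpaddressmask is left out on purpose to show the "missing" case.
SAMPLE_NO_A='            bcastping = 1
  clean_partial_conns = 0
   directed_broadcast = 1
   ip6srcrouteforward = 1
         ipforwarding = 0
    ipignoreredirects = 0
      ipsendredirects = 1
    ipsrcrouteforward = 1
       ipsrcrouterecv = 0
       ipsrcroutesend = 0
       nonlocsrcroute = 1
    tcp_pmtu_discover = 1
    udp_pmtu_discover = 0'

# Read "no -a" output on stdin; print a "no -o" command for every wanted option
# whose running value differs, or a comment if the option was not reported.
# Nothing is changed on the system.
no_drift() {
    current=$(sed -n 's/^[[:space:]]*\([a-z0-9_]*\)[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1=\2/p')
    printf '%s\n' "$WANTED" | while IFS='=' read -r name want; do
        have=$(printf '%s\n' "$current" | sed -n "s/^$name=//p")
        if [ -z "$have" ]; then
            printf '# %s: not reported by "no -a", check manually\n' "$name"
        elif [ "$have" != "$want" ]; then
            printf '/usr/sbin/no -o %s=%s\n' "$name" "$want"
        fi
    done
}

printf '%s\n' "$SAMPLE_NO_A" | no_drift
```

On AIX 4.3 values set with "no" do not survive a reboot, so the corrections also belong in a startup script such as /etc/rc.net.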


Minimize /etc/rc.nfs network services

A description of /etc/rc.nfs

/etc/exports

secure nfs : /usr/secretdata -secure


Minimize inittab services

A description of what services are started in /etc/inittab and how they can be changed with mkitab and rmitab.


Minimize other services


Kernel Tuning

 


Logging

The default syslogd(8) configuration does nothing -- you won't get any important messages logged unless you configure the file /etc/syslog.conf.

Only programs that are writing into audit logs should have write access to these log files.

Consider splitting logs by application and priority. Consider centralised logging, analysis of usage statistics and reporting of exceptions. Consider logging more than the UNIX defaults.

TBD:


File / Directory Access Control

5.1 Root directory

5.2 Application and System files and directories

5.3 System directories

5.4 Login Shell scripts

5.5 Home Directories

5.6 SUID and SGID programs

5.7 Dangerous files

5.8 Filesystem mounting

/etc/filesystems

To reduce the risk of trojan horses and unauthorised modifications, in /etc/vfstab, mount / with options "remount,nosuid", /var with "nosuid", /tmp with "size=100m,nosuid" (allow /tmp to only use 100MB of swap space and disallow execution of SUID programs).

Virus scanning

Use the command virscan on filesystems that may contain files that are transferred to/from PCs.

ACLs

ACL commands:
  aclget   Gets the ACL for a file.
  aclput   Sets the ACL for a file.
  acledit  Combines aclget and aclput.



System Authentication / Access Control

Batch Utilities: at/cron

Users are not allowed to use 'cron' or 'at'; access to these tools is to be restricted accordingly. System accounts should be explicitly given access if needed. Enable logging of cron activity. Ensure that all command scripts that are to be executed with root privilege by cron, at, or batch are owned by root and set to mode 755 or more restrictive.

Devices: disks, tty*

Consider setting restrictive permissions on raw disk devices used by databases.

Ports: In /etc/security/login.cfg, or via 'smit login_port', we could set:

  * Port NAME                                     /dev/ttyp0
    Allowed LOGIN TIMES                           []
    Login RETRY DELAY                             [0]
    Number of FAILED LOGINS before port is locked [0]
    INTERVAL for counting failed logins           [0]
    REENABLE DELAY for locked port                [0]

Login Banners

Edit /etc/security/login.cfg or try:

chsec -f /etc/security/login.cfg -s default -a herald=" NOTICE TO USERS\r\n\r\nUse of this machine waives all rights to your privacy,\r\n\r and is consent to be monitored.\r\n\rUnauthorized use prohibited.\r\n\r\n\r\nlogin: "

Consoles & boot security

s2/TCB Auditing

TCB is a good tool to detect penetrations and configuration changes. It is not installed by default. You have the option to install TCB during the initial installation. It cannot be added without reinstalling AIX.

/etc/security/audit/config

TCB monitors over 600 files, plus the devices (/dev), by default. It stores these files in an ASCII file, /etc/security/sysck.cfg. Make a backup of this file to a floppy disk and write protect it immediately.

We should be able to use this as an alternative to tripwire?

The installp command automatically updates the TCB when you install PTFs (i.e. patches). However, E-Fixes, naturally, do not update the TCB. So if you apply an E-Fix to your system, you will need to manually update the TCB.

Store TCB read-only on floppy? with backup config.



User Accounts and Environment

General policy

User account policy

 

Temporary accounts

TBD

Temporary access to existing accounts

TBD

Application/daemon account policy

Administrator/Privileged access account policy

TBD:



Install additional security tools

At this stage standard tools/utilities are going to be installed, the most important being SSH. These tools should already have been compiled and tested extensively on another machine. They are typically transferred as tar files, by CD or FTP. 


Create Tripwire image, backup, test

Test - Do SSH and the standard tools work? Check log entries, check console messages. Does the system behave as expected?

Mount /usr and /opt read-only (in /etc/vfstab with "ro" option). This reduces the risk of trojan horses and unauthorised modifications.
Mount other partitions nosuid (SUID programs cannot assume other identities).
Reboot.
Run the mount command to check that the filesystem options are effective.
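As an added example for the last step (not part of the original draft), the following script checks the output of the AIX "mount" command against the intended options: /usr and /opt read-only, and the other partitions nosuid. The mount output is constructed and assumes the AIX column layout (node, mounted, mounted over, vfs, date, options); on AIX the options themselves come from /etc/filesystems.

```shell
#!/bin/sh
# Constructed sample of AIX "mount" output after the reboot. Note that
# /opt was not remounted read-only and /var is missing nosuid.
SAMPLE_MOUNT='  node       mounted        mounted over    vfs       date        options
-------- ---------------  ---------------  ------ ------------ ---------------
         /dev/hd4         /                jfs    Apr 05 10:02 rw,nosuid,log=/dev/hd8
         /dev/hd2         /usr             jfs    Apr 05 10:02 ro,log=/dev/hd8
         /dev/hd9var      /var             jfs    Apr 05 10:02 rw,log=/dev/hd8
         /dev/hd3         /tmp             jfs    Apr 05 10:02 rw,nosuid,log=/dev/hd8
         /dev/hd10opt     /opt             jfs    Apr 05 10:02 rw,log=/dev/hd8
srv1     /export/data     /mnt/data        nfs    Apr 05 10:03 rw,nosuid,hard,intr'

# Policy: mount point and the option it must carry, one pair per line.
POLICY='/usr ro
/opt ro
/var nosuid
/tmp nosuid
/mnt/data nosuid'

# Read "mount" output on stdin and print one OK/FAIL line per policy entry.
# The mount point is taken as the 6th field from the end and the options as
# the last field, so lines with or without a node column both parse.
mount_check() {
    mounts=$(awk 'NF >= 6 && $NF !~ /^-+$/ && $1 != "node" { print $(NF-5), $NF }')
    printf '%s\n' "$POLICY" | while read -r mp opt; do
        opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$1 == mp { print $2; exit }')
        if [ -z "$opts" ]; then
            printf 'FAIL %s not mounted\n' "$mp"
        elif ! printf ',%s,' "$opts" | grep -q ",$opt,"; then
            printf 'FAIL %s missing %s\n' "$mp" "$opt"
        else
            printf 'OK %s %s\n' "$mp" "$opt"
        fi
    done
}

# Stand-alone run over the constructed sample (on a real system: mount | mount_check):
printf '%s\n' "$SAMPLE_MOUNT" | mount_check
```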


Maintenance

Monitoring Tasks

9.2.1 Intrusion monitoring tasks

9.2.1.1 File integrity: size, permissions, ownership

nice tcbck -n tree
or tripwire?

9.2.1.2 Network ports visible
9.2.1.3 Network traffic intrusion

9.2.2 Log Statistics
9.2.3 Log Exception monitoring

9.2.4 Availability / reliability
Processes, ping hosts, snmp, rpc, remote check of specific services.

9.2.5 Example Schedules: Daily, Weekly, Monthly

Software Patches


References

[1] AIX 4.3 Network Hardening
    Information Systems and Technology, University of Waterloo
    http://ist.uwaterloo.ca/security/howto/2001-01-15/
    http://ist.uwaterloo.ca/security/howto/2001-01-15/aix-network-harden.tar

    A PDF version has been created:
    http://boran.dyndns.org/aix

[2] AIX - RS/6000 Documentation Library (IBM)

Auditing notes:

Several "check" commands (grpck, usrck, pwdck, and tcbck) and "list" commands (lsuser and lsgroup) are available for use by root or anyone in the security group.

The grpck, usrck, and pwdck commands require a flag to indicate whether the system should try to fix erroneous attributes. Flags are: -n Reports errors but does not fix them. e.g.

grpck -n ALL
lsgroup -f ALL >> /tmp/check
lsuser -f ALL >> /tmp/check


Seán Boran, Last Update: 05 April 2002