Friday, June 1, 2007

AIX Security Checklist
Detailed AIX security checklist

This information is taken from an IBM AIX Redbook.
*************************
High-level AIX security audit checklist

- AIX Environment Overview
- Superuser access
- Login/password administration
- Monitoring suid/sgid programs
- System/user file/directory permission

1. AIX Environment Overview

- Record the serial numbers of all key-switch keys, remove the keys and
store them in a safe location. Leave the key switch of each system in
the NORMAL or SECURE position, never in SERVICE.
- Run the error logger and review the error log: errpt -a | more
- Enable accounting, following the instructions in the AIX System
Management Guide or the aix.accounting file available by anonymous ftp
from ftp.vt.edu: /pub/cc/rs6000.
- Run tcbck, usrck, pwdck and grpck after every AIX software installation.
- The following scripts are available by anonymous ftp from ftp.vt.edu:
/pub/cc/rs6000.

- sysinfo
- This script takes a system inventory.

- List the volume groups: lsvg
- List the physical volumes in a volume group (rootvg shown):
lsvg -p rootvg
- List the logical volumes in a volume group:
lsvg -l rootvg
- List physical volume information for each
disk: lspv hdiskX
lspv -p hdiskX
lspv -l hdiskX
- List the installed software: lslpp -l
- List the software installation history: lslpp -h
- List the system name, node name, LAN network number,
AIX release number, AIX version and machine ID:
uname -x
- List all hardware known to the system:
lsdev -C | sort -d
- List the NFS subsystem status:
lssrc -g nfs
- List the inetd services: inetserv -s -S -X
- List the host table entries: hostent -S
- List the name server entries: namerslv -s -I
- List the network status: netstat -i
netstat -nr
- Examine failed logins:
/usr/bin/who -s /etc/security/failedlogin
- Examine the group definitions:
/usr/sbin/lsgroup -fa id users ALL
- Examine the user definitions (the su, rlogin, telnet and ttys
attributes show who may reach each account and from where):
/usr/sbin/lsuser -fa id groups home auditclasses login su rlogin telnet ttys ALL

- tcpchk
- This script checks the status of the TCP/IP
subsystem and finds who is using .netrc and
.rhosts files.
- Determine the TCP/IP subsystems installed and running:
lslpp -l | grep bos.net
lssrc -g tcpip
- Search for .rhosts and .netrc files:
find / -name .rhosts -print
find / -name .netrc -print
- List the hosts that may use the r-commands (rsh, rcp, rlogin)
without a password; any "+" entry trusts every host:
if [ -x /usr/sbin/inetd -a -f /etc/hosts.equiv ]; then
echo "the following hosts are allowed to rsh, rcp, rlogin"
echo
grep -v '^#' /etc/hosts.equiv
echo " "
fi
- List the hosts that may submit remote print jobs:
if [ -x /usr/sbin/inetd -a -f /etc/hosts.lpd ]; then
echo "the following hosts are allowed to submit remote print jobs ONLY"
grep -v '^#' /etc/hosts.lpd
echo " "
fi

- tcbck
- Checks the Trusted Computing Base; see the man page for the
-n (report only) and -y (fix) modes.
- nfsck
- This script checks the status of the NFS and
NIS subsystems.

- Check whether NFS is installed:
lslpp -l | /bin/grep nfs
- Check whether the NFS/NIS daemons are active:
lssrc -g nfs | /bin/grep active
- Check whether this system is an NFS server:
if [ -x /usr/sbin/nfsd -a -f /etc/exports ]; then
echo "This machine is an NFS server"
fi
- Display which directories are currently exported (the
kernel's export table, as opposed to the configured
/etc/exports):
cat /etc/xtab
- Display the clients that have mounted exports from this
server (showmount -e lists the exports themselves):
/usr/bin/showmount
- If the host is a client, show what is mounted
from remote systems (AIX mount output puts the remote
node name in the first column, so local mounts begin
with a blank and are filtered out):
mount | grep -v "^ "
- Check whether NIS is bound to a domain:
isypset=`domainname | /bin/grep "^[a-zA-Z]"`
- If so, display the NIS domain name:
/usr/bin/domainname
- nethwchk
- List the configured network interfaces:
lsdev -C -c if

- Show which ones come up at boot (interfaces whose
state attribute is 'up' in the customized ODM):
odmget -q"value='up'" CuAt | grep name | cut -c10-12
- Show interface status:
ifconfig en0
ifconfig et0

2. Superuser Access

- Keep the number of users who can become root to a minimum.
- Run: lsuser -f ALL
and review the su and sugroups attributes of each account:
sugroups lists the groups whose members may su to that account,
and su=false blocks su to it entirely. Restrict sugroups for
root to a small administrative group.
- Audit the su command (the su audit events, and /var/adm/sulog,
which records every su attempt).
- Make sure /etc/profile does not put the current directory (.)
in PATH.
- Verify the cron setup. cron consults /var/adm/cron/cron.allow
first and, only if that file does not exist, /var/adm/cron/cron.deny:

To allow root only:
- remove both /var/adm/cron/cron.deny
and /var/adm/cron/cron.allow
To allow anyone to use cron:
- touch cron.deny (an empty deny file) if it does not exist.
To allow specific users and no one else except root:
- touch cron.allow
- put each userid in it, one per line
To deny specific users:
- touch cron.deny
- put each userid in it, one per line

- Disable remote logins for root by setting 'User can LOGIN REMOTELY?
= false' (rlogin=false in the root stanza of /etc/security/user) in the
SMIT Change/Show User Characteristics screen. Root can then log in only
at the console; administrators log in as themselves and use su, which
is recorded in /var/adm/sulog.
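The cron.allow / cron.deny rules above, turned into a check that can be run against a copy of the cron directory. This is an added example, not code from the Redbook; it assumes the AIX rule that cron.allow, when present, takes precedence over cron.deny, and that root is always allowed. The function names (cron_allowed, cron_policy) and the optional CRONDIR argument are this example's own, the latter so it can be exercised on a scratch directory instead of the live /var/adm/cron.

```shell
#!/bin/sh
# Added example (not from the Redbook): evaluate the AIX cron access rules.
#   neither file exists   -> only root may use crontab
#   cron.allow exists     -> root plus the users listed in it (cron.deny ignored)
#   only cron.deny exists -> everyone except the users listed in it
# CRONDIR defaults to /var/adm/cron; pass a scratch directory to test.

# user_in_file FILE USER: true if USER appears as a whole line in FILE
user_in_file() {
    grep -q -x "$2" "$1" 2>/dev/null
}

# cron_allowed USER [CRONDIR]: exit 0 if USER may use crontab, 1 otherwise
cron_allowed() {
    cron_user=$1
    cron_dir=${2:-/var/adm/cron}
    [ "$cron_user" = root ] && return 0
    if [ -f "$cron_dir/cron.allow" ]; then
        user_in_file "$cron_dir/cron.allow" "$cron_user"
        return $?
    fi
    if [ -f "$cron_dir/cron.deny" ]; then
        if user_in_file "$cron_dir/cron.deny" "$cron_user"; then
            return 1
        fi
        return 0
    fi
    return 1
}

# cron_policy [CRONDIR]: one-line summary of the effective policy for the audit record
cron_policy() {
    cron_dir=${1:-/var/adm/cron}
    if [ -f "$cron_dir/cron.allow" ]; then
        echo "allow-list: root plus $(grep -c -v '^$' "$cron_dir/cron.allow") listed user(s)"
    elif [ -f "$cron_dir/cron.deny" ]; then
        echo "deny-list: everyone except $(grep -c -v '^$' "$cron_dir/cron.deny") listed user(s)"
    else
        echo "root-only: neither cron.allow nor cron.deny exists"
    fi
}

# Demo on a constructed copy so nothing under /var/adm is touched
demo=$(mktemp -d)
echo alice > "$demo/cron.allow"
echo bob   > "$demo/cron.deny"        # ignored while cron.allow exists
cron_policy "$demo"
for u in root alice bob; do
    if cron_allowed "$u" "$demo"; then echo "$u: may use cron"; else echo "$u: denied"; fi
done
rm -rf "$demo"
```

On a real host run cron_policy with no argument and record its one line with the rest of the audit; cron_allowed is useful when a user reports that crontab refuses them and you want to see which file is responsible.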

3. Login/password administration

- Define password and user characteristics in /etc/security/user,
/usr/lib/security/mkuser.default and /etc/security/login.cfg.
- Minimum password requirements (set in the default stanza of
/etc/security/user; maxage is in weeks, and 0 means the password
never expires):
- maxage=8
- maxrepeats=2
- minalpha=5
- mindiff=2
- Set minimum default values for the SMIT user fields
(the default stanza of /etc/security/user; a user's own stanza
overrides these):
- admin=false (not an administrative user)
- login=true (may log in locally)
- su=false (other users may not su to the account)
- daemon=true (may run cron and at jobs)
- rlogin=false (no rlogin/telnet to the account)
- sugroups=ALL (groups allowed to su to the account, once su=true)
- ttys=ALL (terminals the account may log in from)
- auth1=SYSTEM (primary authentication: the password)
- auth2=NONE (no secondary authentication)
- tpath=nosak (secure attention key not required)
- umask=027
- expire=0 (the account does not expire)
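To check these settings rather than eyeball them, here is an added example (not code from the Redbook) that reads attribute values out of an AIX stanza file such as /etc/security/user and reports any default-stanza password attribute weaker than the minimums above. It assumes the AIX stanza layout (a `name:` header followed by indented `attribute = value` lines, with `*` comment lines), and the rule that 0 for one of the "maximum" attributes such as maxage disables the limit. The function names, the policy table and the sample file are this example's own; the sample is constructed, not a real /etc/security/user.

```shell
#!/bin/sh
# Added example (not from the Redbook): read AIX stanza files such as
# /etc/security/user and flag default-stanza password attributes that are
# weaker than the checklist minimums. Assumed file format:
#   stanza:
#           attribute = value
# Lines starting with * are comments. A user's effective value comes from
# the user's own stanza, falling back to the default stanza.

# stanza_get FILE STANZA ATTR: print the value, or nothing if it is unset
stanza_get() {
    awk -v want="$2" -v attr="$3" '
        /^[^ \t#*][^:]*:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        cur == want && $1 == attr && $2 == "=" {
            sub(/^[ \t]*[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# effective_attr FILE USER ATTR: the user stanza value, else the default value
effective_attr() {
    v=$(stanza_get "$1" "$2" "$3")
    [ -n "$v" ] || v=$(stanza_get "$1" default "$3")
    printf '%s\n' "$v"
}

# Checklist minimums: attribute, required value, and whether the actual
# value must be <= (le) or >= (ge) the requirement. For the "le" attributes
# a value of 0 means the limit is disabled (e.g. maxage=0: never expires).
policy='maxage 8 le
maxrepeats 2 le
minalpha 5 ge
mindiff 2 ge'

# check_password_policy FILE: one line per attribute; returns 1 if any is weak
check_password_policy() {
    bad=0
    while read -r attr want dir; do
        have=$(stanza_get "$1" default "$attr")
        if [ -z "$have" ]; then
            echo "WEAK $attr is unset"; bad=1; continue
        fi
        ok=1
        case $dir in
            le) { [ "$have" -ne 0 ] && [ "$have" -le "$want" ]; } || ok=0 ;;
            ge) [ "$have" -ge "$want" ] || ok=0 ;;
        esac
        if [ "$ok" -eq 1 ]; then
            echo "ok   $attr = $have"
        else
            echo "WEAK $attr = $have (want $dir $want)"; bad=1
        fi
    done <<EOF
$policy
EOF
    return $bad
}

# Demo on a constructed sample (not a real /etc/security/user)
demo=$(mktemp)
cat > "$demo" <<'EOF'
* constructed sample
default:
        admin = false
        login = true
        maxage = 0
        minalpha = 5
        mindiff = 2
        maxrepeats = 2
        umask = 027

root:
        login = true
        rlogin = false
EOF
check_password_policy "$demo" || echo "password policy needs attention"
echo "root: rlogin=$(effective_attr "$demo" root rlogin) umask=$(effective_attr "$demo" root umask)"
rm -f "$demo"
```

The same stanza_get works for /etc/security/login.cfg and the per-user stanzas of /etc/security/user, so effective_attr is also a quick way to confirm that root really has rlogin=false after the SMIT change in section 2.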

- Scan for password inconsistencies:
- run /usr/bin/pwdck -n ALL to report errors without fixing them.
- run /usr/bin/pwdck -y ALL to fix errors and report them.
- Scan for user and group inconsistencies the same way with
/usr/sbin/usrck and /usr/sbin/grpck:
- run /usr/sbin/grpck -n ALL to report errors without fixing them.
- run /usr/sbin/grpck -y ALL to fix errors and report them.
- Review /etc/passwd, /etc/security/passwd, /etc/group and
/etc/security/group regularly.
- If the systems use NIS, run 'ypcat passwd' to get the password file
in standard format and run Crack against it to find weak passwords.
Use npasswd for proactive checking at password-change time. Run
Crack and COPS regularly.
- Consider requiring the passwords of two users to access critical
accounts. When logging in to such an account you are prompted for
the account's password and then for the other user's password.
Enable this by naming the second account in the PRIMARY
AUTHENTICATION METHOD field of the SMIT Add User screen, which sets
the auth1 attribute in /etc/security/user (methods are comma
separated and a method may be qualified with ;username, so the entry
takes the form SYSTEM,SYSTEM;otheruser). This sets up a two-person
login.
- Set system-wide default process limits in
/etc/security/limits.
- Set the default group, shell, home directory and other default
attributes for new users in /usr/lib/security/mkuser.default. Consider
changing the default group name from staff to something local.
- Set default environment variables in /etc/environment,
/etc/profile and /etc/security/environ.
- CAUTION: with NIS the password hashes are served in standard Unix
format to any host that knows the domain name, not in AIX's shadow
(/etc/security/passwd) form. Treat the NIS domain name as sensitive,
but do not rely on it as a secret: it can be guessed or sniffed, so
also restrict which networks may bind to the server (ypserv's
securenets file, where your release supports it).

4. SUID/SGID

- Review all suid/sgid programs owned by root, daemon or bin, or by
the groups bin, kmem or mail. The initial list should record owner,
group, permissions and checksum so that later scans can be compared
against it. No suid/sgid program should be more open than mode 511
(r-x--x--x: group and others may execute it but not read it).
- Use the find command to list them:
find / -perm -4000 -print    (setuid)
find / -perm -2000 -print    (setgid)
find / -perm -1000 -print    (sticky bit)
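As an added example (not code from the Redbook), the inventory-and-compare step in shell: suid_inventory records mode, numeric owner and group, checksum and path for every setuid or setgid regular file below a directory, and suid_diff reports what changed against a saved baseline. It assumes POSIX find, ls -n and cksum (all present on AIX); the demo runs on a scratch directory with constructed files, and on a real system you would scan / as root and keep the baseline off the machine. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Redbook): suid/sgid inventory with baseline
# comparison. Output line format: mode owner-uid group-gid cksum path.

# suid_inventory DIR: one sorted line per setuid/setgid regular file
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r f; do
        set -- $(ls -ldn "$f")            # mode links uid gid size ... name
        sum=$(cksum "$f" | awk '{print $1}')
        printf '%s %s %s %s %s\n' "$1" "$3" "$4" "$sum" "$f"
    done
}

# suid_diff BASELINE CURRENT: prints "- entry" for lines that disappeared
# (or changed) and "+ entry" for lines that are new (or changed); returns
# 0 when the two inventories are identical, 1 otherwise
suid_diff() {
    changes=$(diff "$1" "$2" | sed -n -e 's/^< /- /p' -e 's/^> /+ /p')
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Demo on a scratch tree with constructed files
demo=$(mktemp -d)
printf 'pretend this is /usr/bin/su\n' > "$demo/su";   chmod 4755 "$demo/su"
printf 'an ordinary file\n'          > "$demo/notes"; chmod 644 "$demo/notes"
suid_inventory "$demo" > "$demo/baseline"
chmod 2755 "$demo/notes"                  # someone later adds a setgid bit
printf 'trojaned\n' >> "$demo/su"         # and the setuid binary changes
suid_inventory "$demo" > "$demo/current"
suid_diff "$demo/baseline" "$demo/current" || echo "suid/sgid set changed since baseline"
rm -rf "$demo"
```

A changed binary shows up as a "-" line and a "+" line for the same path (the checksum differs); a "+" line on its own is a program that gained a setuid or setgid bit since the baseline, which is exactly the case the checklist wants caught.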

5. System/user file/directory permissions

- System directories should be mode 755 or tighter.
- System directories used by root for programs should be owned by root.
- Set the sticky bit on /tmp and /usr/tmp so users can delete only
their own files there.
- UUCP, the cron tables, the system logs and system source code should
be closed to general users.
- The AIX default for /usr/sbin/mount, /usr/sbin/acct/acctcom and
/usr/sbin/login is 555.
- Monitor the checksums of login, su, passwd, cu, crypt, tip and
rlogin. Use the /usr/bin/sysck command to do this.
- Keep only one copy of each system command, and keep it in the
system directory.
- Device file permissions:
disk, storage, tape and network device files: 600, owned
by root.
tty device files: 622, owned by root (the write bit for
others is what lets write/wall reach a terminal).
/dev/null: 666 (the execute bits in the original 777 are
meaningless on a device file).
- List all hidden files (the .files) in directories.
- List all world-writable directories. Use the find command to do this.
- User HOME directories should be mode 710. Mode 711 lets others
traverse the directory and reach any subdirectory or file whose name
they know and whose own permissions allow it.
- .profile and .login files should be mode 600 or 640.
- Set an appropriate umask in /etc/profile.
- Search for files with no owner: find / -nouser -print
Do not remove files from /dev.
- Check for 'at' jobs owned by root and verify their function.
- Restrict r-command usage.
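The file and device permission rules in this section are easiest to enforce from a table. As an added example (not code from the Redbook), perm_check reads a policy of "path octal-mode uid" lines and compares each entry against the file system under a root prefix, reporting anything missing or mismatched. It assumes POSIX ls -n; the octal-to-symbolic conversion handles the setuid, setgid and sticky bits so entries such as 1777 for /tmp or 4555 for setuid programs work. The function names and the policy table are this example's own, and the demo builds a scratch tree with constructed files rather than touching /etc or /dev.

```shell
#!/bin/sh
# Added example (not from the Redbook): check files against an expected
# "path mode uid" policy table. Uses ls -ldn output, so it runs unchanged on
# AIX and on any POSIX system.

# octal_to_symbolic MODE: 750 -> rwxr-x---, 4755 -> rwsr-xr-x, 1777 -> rwxrwxrwt
octal_to_symbolic() {
    echo "$1" | awk '{
        m = $1; n = length(m); s = substr(m, n - 2)
        spec = (n == 4) ? substr(m, 1, 1) + 0 : 0
        out = ""
        for (i = 1; i <= 3; i++) {
            d = substr(s, i, 1) + 0
            r = (d >= 4) ? "r" : "-"; d = d % 4
            w = (d >= 2) ? "w" : "-"; d = d % 2
            x = (d >= 1) ? "x" : "-"
            bit = (i == 1) ? 4 : (i == 2) ? 2 : 1     # setuid, setgid, sticky
            if (int(spec / bit) % 2 == 1)
                x = (x == "x") ? ((i == 3) ? "t" : "s") : ((i == 3) ? "T" : "S")
            out = out r w x
        }
        print out
    }'
}

# perm_check ROOT TABLE: TABLE holds lines "path octal-mode uid" (blank
# lines and # comments allowed); paths are taken relative to ROOT so a
# scratch tree can be checked. Prints one line per problem; returns 1 if any.
perm_check() {
    pc_root=$1
    pc_bad=0
    while read -r path mode uid; do
        case $path in ''|\#*) continue ;; esac
        f="$pc_root$path"
        if [ ! -e "$f" ]; then
            echo "MISSING  $path"; pc_bad=1; continue
        fi
        entry=$(ls -ldn "$f")
        have_mode=$(printf '%s\n' "$entry" | cut -c2-10)
        have_uid=$(printf '%s\n' "$entry" | awk '{print $3}')
        want_mode=$(octal_to_symbolic "$mode")
        if [ "$have_mode" != "$want_mode" ] || [ "$have_uid" != "$uid" ]; then
            echo "MISMATCH $path: is $have_mode uid $have_uid, want $want_mode uid $uid"
            pc_bad=1
        fi
    done < "$2"
    return $pc_bad
}

# Demo on a scratch tree; the uids in the table are this user's, on a real
# host they would be 0 (root) and the root prefix would be empty.
demo=$(mktemp -d)
me=$(id -u)
mkdir -p "$demo/tmp" "$demo/etc" "$demo/home/alice"
chmod 1777 "$demo/tmp"; chmod 755 "$demo/etc"; chmod 755 "$demo/home/alice"
printf 'umask 027\n' > "$demo/etc/profile";  chmod 644 "$demo/etc/profile"
printf 'PATH=.:$PATH\n' > "$demo/home/alice/.profile"; chmod 644 "$demo/home/alice/.profile"
cat > "$demo/policy" <<EOF
# path                  mode  uid   (constructed policy for the demo)
/tmp                    1777  $me
/etc/profile            644   $me
/home/alice             710   $me
/home/alice/.profile    640   $me
/etc/hosts.equiv        660   $me
EOF
perm_check "$demo" "$demo/policy" || echo "permission policy violated"
rm -rf "$demo"
```

With an empty root prefix and uid 0 the same table expresses the rules above for the real system: 1777 for /tmp and /usr/tmp, 600 for disk and tape devices, 622 for ttys, 666 for /dev/null, 710 for home directories and 640 for profiles.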


1. Advise users not to use rsh, rcp, rlogin or tftp unless
you have secured them. Do not use .rhosts,
/etc/hosts.equiv or .netrc files.

2. Run the securetcpip command to disable these services.
Use the tcpchk script to search for .netrc and .rhosts files.

3. Restrict /etc/hosts.equiv to mode 660 and review its contents
regularly. (/etc/hosts itself must stay world-readable, 644, or
programs run by ordinary users cannot resolve host names.) .netrc
files should never be used because they contain passwords in clear
text.

4. The securetcpip command disables the non-trusted daemons and
applications. It comments out their entries in /etc/inetd.conf and
sets the permissions of the individual programs to 000. TCP/IP must
be stopped before it runs, and restarted afterwards (startsrc -g tcpip)
or the system rebooted:

stopsrc -g tcpip
securetcpip

It disables rshd, rlogind, tftpd, rlogin, rcp, rsh, tftp and trpt. It is
reversible. Note that X stations may use tftp to download server code,
so check for them before disabling tftpd.

5. Check .rhosts, .netrc, /etc/hosts.equiv, /etc/hosts and
/etc/inetd.conf regularly against the checklist versions you recorded.
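The tcpchk script in section 1 and items 1 to 5 here both come down to finding the trust files and reading what they grant. As an added example (not code from the Redbook), rhosts_audit grades each entry of a hosts.equiv or .rhosts file ("+" trusts every host, "host +" trusts every user on a host, "+@name" trusts a netgroup, "-host" is a denial) and trust_files_scan walks a tree for .rhosts and .netrc files, reporting .netrc on sight since it holds cleartext passwords. The entry syntax assumed is the classic BSD one that AIX uses; the function names are this example's own and the sample files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the Redbook): audit r-command trust files.

# rhosts_audit FILE: one graded line per entry; returns 1 if any entry is
# CRITICAL or HIGH. Entry syntax: "host [user]", "+" wildcards, "+@netgroup",
# "-host" denials, "#" comments.
rhosts_audit() {
    worst=0
    while read -r host user extra; do
        case $host in ''|\#*) continue ;; esac
        case $user in \#*) user= ;; esac
        level=INFO; why="host $host is trusted"
        case $host in
            +)    level=CRITICAL; why="every host is trusted" ;;
            +@*)  level=REVIEW;   why="netgroup ${host#+@} is trusted" ;;
            -*)   level=INFO;     why="host ${host#-} is explicitly denied" ;;
        esac
        case $user in
            +)  case $level in INFO|REVIEW) level=HIGH ;; esac
                why="$why; every user on it is accepted" ;;
            '') ;;
            *)  why="$why; user $user is accepted" ;;
        esac
        printf '%s %s [%s]\n' "$level" "$why" "$host${user:+ $user}"
        case $level in CRITICAL|HIGH) worst=1 ;; esac
    done < "$1"
    return $worst
}

# trust_files_scan ROOT: find .rhosts and .netrc below ROOT (use / on the
# real host) and report each; .rhosts contents are graded in place
trust_files_scan() {
    find "$1" \( -name .rhosts -o -name .netrc \) -type f -print | sort |
    while IFS= read -r f; do
        mode=$(ls -ldn "$f" | cut -c1-10)
        case $f in
            */.netrc)  echo "FOUND $f $mode (cleartext credentials; remove it)" ;;
            */.rhosts) echo "FOUND $f $mode"
                       rhosts_audit "$f" | sed 's/^/    /' ;;
        esac
    done
}

# Demo on a constructed tree
demo=$(mktemp -d)
mkdir -p "$demo/home/alice" "$demo/home/bob"
printf '# constructed sample hosts.equiv\n+\ndb01.example.com\ndb02.example.com +\n+@admins\n-badhost\n' \
    > "$demo/hosts.equiv"
printf 'db01.example.com alice\n' > "$demo/home/alice/.rhosts"
printf 'machine ftp.example.com login bob password hunter2\n' > "$demo/home/bob/.netrc"
echo "== $demo/hosts.equiv"
rhosts_audit "$demo/hosts.equiv" || echo "(hosts.equiv grants dangerous trust)"
echo "== trust files under $demo"
trust_files_scan "$demo"
rm -rf "$demo"
```

Run rhosts_audit /etc/hosts.equiv and trust_files_scan / as root, and keep the output with the checklist copies so the regular comparison in item 5 is a diff rather than a re-read.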

6. Use netstat -p tcp to look for failed connection attempts in
the TCP statistics.

7. Verify the contents of /etc/exports and run exportfs -av
to put the changes into effect.

8. Change the ftp entry in /etc/inetd.conf to ftpd -l to enable
logging, then refresh inetd (refresh -s inetd).

9. Set the permissions of exported directories as tightly as
possible. Do NOT export high-level directories unless necessary,
and do not grant root access (the root= option) to clients that
do not need it.

10. Enable AIX auditing [Optional]

Auditing is configured in /etc/security/audit/config, events, objects,
bincmds and streamcmds.
- events defines the auditable occurrences and the format of each
record.
- config defines the audit classes (named groups of events), the
classes assigned to each user, and the bin and stream mode settings.
- objects lists the files whose accesses are audited and the access
modes (r, w, x) to record.
- auditpr formats collected records for reading; auditselect filters
them.
- Audit record formats are documented in /usr/include/sys/audit.h.
- Audit event types: per process - to audit each process a user
runs (through the classes assigned to the user); per object - to audit
accesses to a file and the mode of access (read, write, success/fail).
Objects are defined in the objects file.

General steps:
- Save the original /etc/security/audit/events and config
files.
- Modify the config file to audit the selected events and assign
the classes to users.
- Decide when to start auditing and the format
(bin for a permanent record, stream for real-time monitoring).
- Enter: audit start
to enable auditing (audit shutdown stops it; audit query shows
its state).
- Review the output after a certain period of time
to make sure it is what you want.

11. Use the AIX 'watch' command to observe the audit events generated by
a program you are not sure of.

12. Set up a separate account for software installation. For example, define
it as the account swinstall.

13. Use the tsh command to run a trusted command interpreter. It only
executes commands that are marked as members of the Trusted Computing
Base (TCB). The 'shell' command leaves tsh.

14. Use Access Control Lists to tighten security on a file:
- /usr/bin/aclget - displays the ACL of a file
- /usr/bin/acledit - opens the ACL in an editor for changes
- /usr/bin/aclput - writes an ACL to a file

acledit needs the EDITOR variable set to a full path, for example
export EDITOR=/usr/bin/vi (setenv EDITOR /usr/bin/vi in csh).

AIX terminology - the base ACL is the standard Unix permission bits;
the extended ACL is what these commands add on top.
SUID and SGID keep their usual meaning; SVTX is the sticky bit.

Any user can create an extended ACL for any file they own.
Three keywords:
permit - grants the listed user/group access
deny - forbids the listed user/group access
specify - sets exactly the access the listed user/group gets

Base permissions cannot override a 'deny' entry. An entry that names
both a user and groups applies only when the user AND all the groups
match the process. Caution: chmod with an octal mode (chmod 644 ...)
disables the extended ACL; use symbolic modes or aclput to keep it.


15. List all files on the system:
cd /
li -Ra -l -a > filename

and save the output off-line (ls -laR / gives the same listing).

16. Check for failed logins with: /usr/bin/who -s /etc/security/failedlogin

17. Do not allow IFS (the internal field separator) to be changed in
/etc/profile, and monitor its use in user profiles.

18. Default AIX file permissions are 644 for files and 755 for directories.
Adjust as needed. By default AIX allows only root to use the 'chown' command.
- Set user profile files to 740
- System directories should have other permissions = 0

19. Keep track of these administrative files and archive them as necessary:
- /var/adm/cron/log
- /var/adm/wtmp
- /var/adm/pacct
- /var/adm/messages
- /var/adm/acct/nite/*
- /var/adm/dtmp
- /var/adm/qacct
- /var/adm/acct/sum/*
- /var/adm/acct/fiscal/*
- /var/spool/mail/* (user mailboxes)
- /etc/utmp
- /etc/security/failedlogin

20. Do not use UUCP unless absolutely necessary.

21. Use the '/usr/bin/strings' command to check any suspicious binaries.

22. Consider implementing disk quotas on your systems. See man pages for the
'quota' command.

23. Route copies of the system logs to a central machine. Edit /etc/syslog.conf
and do the following:

1. Add the line:
*.debug @host
where host is the hostname of the central machine. Keep a local
copy as well: syslog forwarding is UDP, unauthenticated and
unacknowledged, so the central copy can be lost or spoofed.
2. Place authentication messages in a separate syslog file, for
example /var/adm/seclog:
auth.debug /var/adm/seclog
3. Place the others in a file other than the standard AIX syslog
file, /var/adm/messages.
4. Refresh syslogd afterwards (refresh -s syslogd) so it rereads
the configuration.

24. Archive the system logs with a shell script that does the
following:

1. cd /var/adm
2. mv -f messages messages.old
3. cp /dev/null messages
4. chmod 644 messages
5. ps ax | grep syslog
6. kill -1 (the syslogd pid from step 5), or simply refresh -s syslogd
7. move messages.old to the archive site.

Until step 6 completes, syslogd keeps writing to the moved file
(messages.old), which is why the file is moved rather than truncated
and is archived only after the daemon has been signalled.

note: make sure you use the name of the syslog file in these steps.
The name 'messages' is the standard AIX syslog name and if you
changed the default name (per step 23), make sure you use that name.
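The seven steps above as one function, added here as an example (not code from the Redbook). rotate_syslog takes the log file, an archive directory and the command used to make syslogd reopen its files; the default is refresh -s syslogd, the SRC equivalent of the ps/kill pair in steps 5 and 6, and it is a parameter so the function can be run on a scratch file with "true" in its place without touching a live daemon. The function name and the timestamped archive file name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Redbook): archive a syslog file the way the
# checklist describes. syslogd keeps writing to the old inode until it is
# signalled, so the file is moved (not truncated), replaced, the daemon is
# told to reopen, and only then is the old file handed to the archive.

# rotate_syslog LOG ARCHIVE_DIR [SIGNAL_CMD]: prints the archived file name
rotate_syslog() {
    log=$1
    archive=$2
    signal_cmd=${3:-'refresh -s syslogd'}       # AIX SRC way to send syslogd a SIGHUP
    [ -f "$log" ] || { echo "rotate_syslog: no such log: $log" >&2; return 1; }
    mkdir -p "$archive" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    mv -f "$log" "$log.old"            || return 1   # step 2
    : > "$log" && chmod 644 "$log"     || return 1   # steps 3-4: empty file, right mode
    eval "$signal_cmd"                 || { echo "rotate_syslog: could not signal syslogd" >&2; return 1; }   # steps 5-6
    dest="$archive/$(basename "$log").$stamp"
    mv -f "$log.old" "$dest"           || return 1   # step 7
    printf '%s\n' "$dest"
}

# Demo on a scratch copy: the signal step is "true" so no daemon is touched
demo=$(mktemp -d)
printf 'Jun  1 12:00:00 aixhost syslog: constructed sample record\n' > "$demo/messages"
rotate_syslog "$demo/messages" "$demo/archive" true
ls -l "$demo/messages" "$demo/archive"
rm -rf "$demo"
```

Call it once per file named in /etc/syslog.conf (for example /var/adm/messages and /var/adm/seclog from step 23); the archive directory can then be copied to the archive site in one step, and the timestamp in the file name keeps successive rotations from overwriting each other.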
