Implementing and Maintaining AIX Security Policies
Andre Derek Protas
03/25/2005
Hardening Features
Server hardening is used to prevent intrusion and exploitation. These features are essential,
especially for systems that require high network access. Keep in mind what level of security is
needed for the server based upon the data and applications running. There is a standard security
framework to be implemented on all servers, but higher security needs call for stronger features. If
there are any questions or concerns about any of the features, refer to the documented source.
.netrc/.rhosts/hosts.equiv Files
- Summary:
- These files are meant to help automate certain functions. They can offer some
"shortcuts", but are also very large security risks: they are not encrypted, yet hold
usernames and passwords. They should be deleted. If the system requires that these files
remain, confirm that they have permissions of 600.
- Location of File:
- Reference:
- Strengthening AIX Security
- Default Security:
- Files are present and unencrypted.
- Standard Security:
- Permissions = 600.
- Continually check for new files of these types (crontab) and ensure they are not being
created.
- Enhanced Security:
- Delete all .netrc/.rhosts/hosts.equiv files. Automation of functions should not be
necessary for higher security machines.
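As an added example (not part of the original document), a shell script that carries out the standard-level check above: it finds every .netrc, .rhosts and hosts.equiv file under a directory and reports any whose mode allows group or other access, which is what a crontab entry would run against /. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Audit .netrc, .rhosts and hosts.equiv below a root directory (use / on
# the real system). Standard level: every such file must be mode 600;
# enhanced level: none should exist. Prints one line per file found,
# "OK <mode> <path>" or "FAIL <mode> <path>", where FAIL means the
# group or other permission bits are set. Suitable for a cron job.
list_auto_login_files() {
    find "$1" \( -name .netrc -o -name .rhosts \) -type f 2>/dev/null
    [ -f "$1/etc/hosts.equiv" ] && echo "$1/etc/hosts.equiv"
    return 0
}
audit_auto_login_files() {
    list_auto_login_files "$1" | while read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)        # e.g. -rw-------
        case $mode in
            ????------) echo "OK   $mode $f" ;;  # no group/other bits
            *)          echo "FAIL $mode $f" ;;
        esac
    done
}
# Number of files that violate the 600 rule (0 means compliant).
count_violations() { audit_auto_login_files "$1" | grep -c '^FAIL' || true; }
# Constructed sample tree (not a real system): one compliant .netrc,
# one world-readable .rhosts and a world-readable hosts.equiv.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/" "$d/home/bob" "$d/etc"
    echo "machine host1 login alice password PLACEHOLDER" > "$d/home/alice/.netrc"
    echo "host2 bob" > "$d/home/bob/.rhosts"
    echo "host3" > "$d/etc/hosts.equiv"
    chmod 600 "$d/home/alice/.netrc"
    chmod 644 "$d/home/bob/.rhosts" "$d/etc/hosts.equiv"
    echo "$d"
}
d=$(make_sample_tree)
audit_auto_login_files "$d"
echo "violations: $(count_violations "$d")"
rm -rf "$d"
```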
Login Message
- Summary:
- Ensure that the login screen to an AIX system does not tip off an intruder to the version
or possibly the patches applied. By knowing what system and what patches are installed,
an intruder knows what exploits could be used on the system. This will save them time
and will concentrate their efforts on documented exploits for that system.
- Location of File:
- Reference:
- AIX Security Manual (page 17)
- Default Security:
- The default login screen for an AIX machine will show the name of the system along
with the AIX version and possibly even the maintenance level.
- Standard Security:
- "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nWelcome to: <server name>\n\rUnauthorized Access is Prohibited\n\rlogin:"
- Enhanced Security:
- "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nUnauthorized Access is Prohibited\r\nlogin:"
X11 Interception
- Summary:
- The X11 server allows keystroke logging via the xwd and xwud commands. These
commands may be necessary for certain programs or forms of access to the system.
Confirm by reviewing the access dates of the commands that they are not being used.
- Location of File:
- Reference:
- AIX Security Manual (page 20)
- Default Security:
- xwd and xwud are enabled and active.
- Standard Security:
- xwd and xwud should be disabled and OpenSSH should be installed to ensure that server
interaction is not done over clear-text transfer.
GUI Disabling
- Summary:
- Security issues are common when dealing with desktop environments. These
environments can be exploited by intruders and expose the system to numerous threats.
Typically the GUI is not used on higher security servers, and it introduces unnecessary
vulnerabilities.
- Location of File:
- Reference:
- AIX Security Manual (page 20)
- Default Security:
- Desktop environments (KDE, GNOME, and CDE) are installed.
- Standard Security:
- Enhanced Security:
Direct Root Login
- Summary:
- Administrators must su - in order to gain root access. This ensures that the only
people accessing root are administrators. This serves two purposes: two layers of
passwords are needed to gain root access, and it is logged which administrator gains root
access (sulog).
- Command:
- /etc/security
- Only entry should be "console"
- Permissions should be set to 400.
- Reference:
- AIX Security Manual (page 21)
- Default Security:
- Direct root login is allowed.
- Standard Security:
- Disable direct root login for remote.
- Enhanced Security:
- Disable direct root login for the console (as well as for CDE, which should be disabled anyway).
Unnecessary Accounts
- Summary:
- By leaving default user accounts in place, the accounts may be used as a stepping stone for
an intruder to gain access to other accounts. These accounts, unless being used, should be
disabled.
- Command:
- Reference:
- AIX Security Manual (page 33)
- Default Security:
- uucp and nuucp : The owners of the hidden files for the uucp protocol. This protocol is
used to communicate with UNIX machines other than AIX and has been superseded by
other protocols (ftp, etc.).
- lpd : Owner of files used by the printing subsystem.
- imnadm : IMN search engine used for Documentation Library Search.
- guest : Allows access to users who do not have accounts.
- Standard Security:
- guest and imnadm accounts must be disabled.
- Enhanced Security:
- Ensure that all files owned by bin are migrated to be owned by root. The bin
account should remain, but should not own any files.
- Set lockout times for non-administrator accounts. By restricting regular users to
work hours, non-work-hour attacks are limited to administrator accounts.
- Disable all mentioned accounts. Ensure that there are no dependencies upon those
owners that may cause problems with the removal of the accounts.
Unnecessary Groups
- Summary:
- There are three groups that may not be needed after the standard install of AIX 5.2.
- uucp : Group to which uucp and nuucp users belong.
- printq : Group to which the lpd user belongs.
- imnadm : Group to which imnadm user belongs.
- Location of File:
- Reference:
- AIX Security Manual (page 33)
- Default Security:
- All three groups are enabled.
- Standard Security:
- If none of the groups are necessary on the server, disable all three groups.
Unnecessary Services
- Summary:
- Many services are automatically configured and run on startup. Most of these servers
have specific tasks and do not require all of the preconfigured services to be running.
Some of these unnecessary services also hold security risks and should therefore be
disabled, especially those which are listening on ports.
- Location of File:
- /etc/inetd.conf
- /etc/inittab
- /etc/rc.nfs
- /etc/rc.tcpip
- /var/adm/inetd.sec
- Reference:
- AIX Security Manual (page 219 - Appendix C)
- Default Security:
- Common services are installed and typically run when the server is up.
- Standard Security:
- Ensure that /etc/inetd.conf and /var/adm/inetd.sec are owned by root and have
permissions of 600.
- Refer to the documentation listed from IBM and disable services based upon the needs of
the server. Any extra services that are not needed by that server must be disabled.
- Enhanced Security:
- Refer to Chapter 8 of the AIX Security Supplement to review tightening up services that
must be maintained on the server.
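An added example (not from the original document or IBM's documentation) of the /etc/inetd.conf review described above: it lists the services inetd will start and writes a copy with everything outside an allow-list commented out, so the change can be reviewed before it is installed. The inetd.conf content is constructed in AIX layout; `refresh -s inetd` is the AIX command that makes inetd re-read the file.

```shell
#!/bin/sh
# Review /etc/inetd.conf: list the services that are enabled (uncommented)
# and produce a hardened copy in which every service not on an allow-list
# is commented out. Nothing is written to /etc; review the output, install
# it as root with mode 600, then run "refresh -s inetd" to apply it.
# inetd_enabled_services FILE            -> one service name per line
inetd_enabled_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}
# inetd_harden FILE "svc1 svc2 ..."      -> hardened copy on stdout
inetd_harden() {
    awk -v keep="$2" '
        BEGIN { n = split(keep, a, " "); for (i = 1; i <= n; i++) k[a[i]] = 1 }
        /^[ \t]*(#|$)/ { print; next }        # comments and blank lines
        ($1 in k)      { print; next }        # allowed service: keep as is
        { print "#" $0 }                      # everything else: disable
    ' "$1"
}
# Constructed sample in AIX inetd.conf layout (not a real system's file).
make_sample_inetd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## Sample inetd.conf in AIX layout (constructed)
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
#shell  stream  tcp6    nowait  root    /usr/sbin/rshd         rshd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind      rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd       rexecd
#tftp   dgram   udp6    SRC     nobody  /usr/sbin/tftpd        tftpd -n
EOF
    echo "$f"
}
f=$(make_sample_inetd_conf)
echo "enabled before: $(inetd_enabled_services "$f" | xargs)"
inetd_harden "$f" "ftp" > "$f.hardened"
echo "enabled after:  $(inetd_enabled_services "$f.hardened" | xargs)"
rm -f "$f" "$f.hardened"
```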
FTP Exploitation
- Summary:
- The ftp command must not be setuid root. If the setuid bit is set, there is a
certain command sequence that will force the server to run arbitrary code fetched from
another remote server. This code could easily be malicious, and this exploit should be avoided.
- Location of File:
- /bin/ftp (check permissions)
- ~ftp/bin - 555
- ~ftp/etc - 111
- Reference:
- www.insecure.org/sploits_AIX.html (ftp mget vulnerability)
- Default Security:
- Setuid bit is set for ftp
- Standard Security:
- Setuid bit must be disabled.
- To guard against other vulnerabilities, always make sure that the ftp version present is the
latest available (maintenance levels include updates).
- For other security concerns, ensure the ftp directory does not contain .rhosts, .forward, or
.netrc files.
Remote Root
- Summary:
- Remote root access is very dangerous, especially with telnet where the password is
transferred over clear-text. Although this is a huge security concern, many times remote
root access is necessary for server administration.
- Location of File:
- /etc/security/user
- "rlogin = " for root user.
- Reference:
- AIX Security Supplement (page 159)
- Default Security:
- Remote login is activated.
- Standard Security:
- Use OpenSSH so that the root password is transferred via encryption, not clear-text.
- Enhanced Security:
- Disable remote login. By distributing root authority (as discussed earlier), root access
can be avoided by using different administration accounts for different permissions.
OpenSSH should still be implemented.
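An added example, not code from the original document, that checks two of the settings above from their AIX stanza files: root's rlogin attribute in /etc/security/user (this section) and the login herald from the Login Message section. The sample stanza files are constructed; that the herald lives in /etc/security/login.cfg is my assumption from AIX documentation, not stated on the page.

```shell
#!/bin/sh
# Read AIX stanza files such as /etc/security/user and
# /etc/security/login.cfg. stanza_attr FILE STANZA ATTR prints ATTR from
# STANZA; if the stanza does not set it, the "default:" stanza is used,
# which is how AIX resolves per-user attributes.
stanza_attr() {
    awk -v st="$2" -v key="$3" '
        /^[^ \t#][^:]*:[ \t]*$/ { cur = $0; sub(/:.*$/, "", cur); next }
        /^[ \t]*(#|$)/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); sub(/[ \t]+$/, "", k)
            v = substr(line, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (cur == st) { val = v; have = 1 } else if (cur == "default") { dval = v; hdef = 1 }
        }
        END { if (have) print val; else if (hdef) print dval }' "$1"
}
# Remote root login: root must have rlogin = false in /etc/security/user.
check_root_rlogin() { [ "$(stanza_attr "$1" root rlogin)" = false ]; }
# Login herald: must be set and must not reveal the OS name or version
# (assumed location: herald attribute in /etc/security/login.cfg).
check_herald() {
    h=$(stanza_attr "$1" default herald)
    [ -n "$h" ] && ! printf '%s\n' "$h" | grep -qiE 'aix|version'
}
# Constructed sample files (not copied from a real system).
make_samples() {
    d=$(mktemp -d)
    cat > "$d/user" <<'EOF'
default:
        admin = false
        login = true
        rlogin = true
root:
        admin = true
        rlogin = false
EOF
    cat > "$d/login.cfg" <<'EOF'
default:
        herald = "\n\n\n\nUnauthorized Access is Prohibited\n\rlogin:"
EOF
    echo "$d"
}
d=$(make_samples)
check_root_rlogin "$d/user" && echo "root rlogin = false: OK"
check_herald "$d/login.cfg" && echo "herald hides version: OK"
rm -rf "$d"
```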
Authentication
- Summary:
- Authentication is used primarily to ensure that users and services are who they say they
are. Authentication uses encryption as well as ticket management systems to ensure that
security is implemented on all services and that users are not "spoofing" other users by
using their IP addresses or passwords.
- Location of File:
- cas.server and cas.client
- Reference:
- AIX Security Manual (page 77)
- http://web.mit.edu/kerberos/www/dialogue.html
- Default Security:
- No Authentication is implemented on install.
- Standard Security:
- Use OpenSSH to offer minimal authentication for remote login.
- Enhanced Security:
- Implement and enforce use of PKI (AIX Security Manual p. 77), Kerberos, PAM, and
LDAP. Be careful as the configuration of many system files may be dependent on the
previous settings before installation. On new systems, implement authentication in the
installation to ensure dependency stability. On running systems, do research into each
authentication module suggested and investigate dependency problems that may arise.
- The use of biometrics/secureID is suggested.
IPSec
- Summary:
- IPSec holds many secure network tools such as vpn that should be implemented,
especially when remotely logging into the server. These files can be found on the install
media. This package is required for all IPv6 connections, and is suggested for IPv4
connections as well.
- Check if IPSec has been installed:
- lslpp -L '*ipsec*'
- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- bos.net.ipsec.websm
- Reference:
- AIX Security Supplement (page 19)
- Default Security:
- IPSec may be present, but may not be active after install.
- Standard Security:
- Activate IPSec and log all traffic.
- Enhanced Security:
- Configure IPSec as a packet filter and define filtering rules. Also, by using smitty
installp in the IPSec directory, vpn tunnels can be configured.
SecureTCPIP
- Summary:
- For systems that require higher security, many commands should not be allowed
execution. For instance, rlogin, rlogind, rcp, rsh, rshd, tftp, tftpd, trpt.
- Command:
- To block execution of these non-secure commands, only one command is necessary:
securetcpip.
- Reference:
- AIX Security Manual (page 121)
- Default Security:
- All of the previously mentioned commands are active and executable.
- Standard Security:
- Because some of these commands may be necessary to certain processes or programs,
standard security practice would be to disable those that aren't.
- Enhanced Security:
- Run securetcpip each time TCP/IP is installed and ensure that these commands are not
used.
Port Knocking
- Summary:
- Requires a “password” to open a specific port. For instance, port 28 cannot be opened
until ports 1256, 1257, and 1259 have been pinged within 3 seconds. This sequence can change
each time it is used to ensure unpredictability.
- Location of File:
- There must be a client script to go along with the server script. The client script should
be kept secure (encryption/removable media).
- Reference:
- www.portknocking.org offers many useful scripts.
- Default Security:
- Firewall support from networking services.
- Enhanced Security:
- If certain non-secure protocols must be used, keep the ports closed until the passcode has
been pinged. This restricts these protocols to authorized personnel.