Implementing and Maintaining AIX Security Policies


Andre Derek Protas 03/25/2005



Security Related Websites



Some of the best places to learn about the attackers we defend against are the attackers' own sites. The list below mixes vendor and CERT advisory pages, security news, exploit archives, tutorials and wargame sites; all of them can assist in hardening servers.

ciac.llnl.gov
www.linuxsecurity.com/
www.cd.purdue.edu/coast/
www.microsoft.com/technet/security/
www.pclinuxonline.com/
www.net-security.org
Dir.yahoo.com/Computers_and_Internet/security_and_encryption/
www.niscc.gov.uk/
hack4u.owns.us/
www.packetstormsecurity.com/
kloosterboy.nl/
fux0r.phathookups.com/
localareasecurity.com
www.proxomitron.info/
Publib16.bouler.ibm.com/pseries/en_US/infocenter/base
www.radium.ncsc.mil/tpep/library/rainbox
Security-protocols.com
www.radium.ncsc.mil/tpep/process/faq-sect3
www.cerias.purdue.edu
www.rootcompromise.org/
www.cert.org/
www.roothack.org/
www.cymru.com/
www.rootprompt.org/
www.dc214.org/
www.sans.org/
www.defcon.org/
www.securityfocus.com/
www.eeye.com/
www.spidynamics.com/
www.faqs.org/faqs/computer-security
www.theregister.co.uk/
www.faqs.org/faqs/cryptography-faq/
www.trusecure.com/
www.first.org
www.uniras.gov.uk/vuls/2004/236929/index
www.freewebz.com/lexsdomain/index.htm
www.vnunet.com/Home
www.gocsi.com/
www.worldwidewardrive.org/
www.hackinthebox.org/
www-1.ibm.com/servers/security/planner
www.hackthissite.org
www-3.ibm.com/security/index.shtml
www.hackwire.com/
www.infosyssec.com/
www.iana.org/assignments/port-numbers
www.insecure.org/sploits_AIX.html
www.robertgraham.com/
hxdef.czweb.org/
www.l0pht.com/
www.tcim.com
www.governmnetsecurity.org
www.foundstone.com
www.ietf.org/
www.auscert.org.au/
ftp://ftp.purcupine.org/pub/security/index.html
http://www.intelligententerprise.com/info_centers
http://www.owasp.org/index
www.2600.com
www.alw.nih.gov/security/prog-full.html
www.ebcvg.com
www.securitywizardry.com
www.hackerslab.org
www.infosecuritywriters.com
www.hdcwargame.com
www.ossim.net
www.try2hack.nl
wargames.unix.se
www.mod-x.co.uk
www.arcanum.co.nz
lightning.prohosting.com/thegame
www.ralf-mengwasser.de
Digitalparadox.org
www.cyberarmy.com
www.learntohack.org
hackme.elderson.net
x-avier.com
www.slyfx.com
m4tr1x.wsn.at
vortex.labs.pulltheplug.com
www.hackerplayground.com
quiz.ngsec.biz:8080


Conclusion



By reading through this paper and working through the checklist that accompanies it, an AIX administrator now has a base knowledge of security policy, server hardening, intrusion detection, auditing and security tools. Applied directly to their servers, this knowledge closes many of the holes that are commonly left open. Bear in mind that many holes that exist have yet to be discovered. It is therefore critical that every security-minded AIX administrator keeps that knowledge current by researching and referring to the Internet resources listed above. If there is ever a question about how to implement one of the suggested features, refer to the AIX security manual cited with that feature (every feature in this paper has been documented).

Help other administrators by documenting every change made and every vulnerability found. Often one administrator finds and fixes a hole while other servers on the same network are left vulnerable. Communication and documentation are essential to keeping AIX servers secure.

Used together, this paper and its checklist will substantially improve the overall security of any AIX installation.

“If you know the enemy and you know yourself, you need not fear the result of a hundred battles”
-Sun Tzu

Questions may be directed to randori82 [at] hotmail [dot] com.


Standard Security Measures



This is a summary of the standard security measures that should be implemented on every system. The only acceptable reason for not implementing an item is that it conflicts with something on that machine, in which case an equivalent control should be sought.

The list may also be used as an audit checklist for systems with regular security requirements. Each item gives what to check and what to fix.

Security Policy

Hardware Passwords
  Check: If the machine boots without prompting for a password, the system is vulnerable.
  Fix: Refer to the firmware (BIOS) manual for the machine and set a firmware password.

Login Control
  Check: /etc/security/login.cfg, default port stanza.
  Fix: Set the following attributes:
    sak_enabled = false
    logintimes =
    logindisable = 4
    logininterval = 60
    loginreenable = 30
    logindelay = 5
  (Four failed logins within 60 seconds lock the port; it is re-enabled after 30 minutes; each failed attempt delays the next prompt by 5 seconds.)

System Resource Control
  Check: /etc/security/limits
  Fix: Set per-user limits (fsize, core, cpu, data, stack, rss, nofiles) so that no service or user can exhaust the machine's resources.

Global .profile files
  Check: Permissions on $HOME/.profile for every user.
  Fix: User profiles must not be writable by anyone but root. Administrators should create the profile files.

Password Strengthening
  Check: /etc/security/user, default stanza.
  Fix: Set the following attributes:
    dictionlist = (not set)
    maxrepeats = 4
    maxexpired = 4
    maxage = 16
    histsize = 20
    histexpire = 26
  (maxage, maxexpired and histexpire are in weeks; histsize is the number of previous passwords remembered.)

Null Passwords
  Check: awk -F: '$2 == "" { print $1 }' /etc/passwd
    Because AIX keeps the hashes in /etc/security/passwd (field 2 of /etc/passwd holds "!" or "*"), also look there for stanzas whose "password =" line carries no value.
  Fix: No user may have a null password. Disable the account immediately or set a temporary password.

Physical Security
  Check: Badge readers, camera installations and human surveillance should be in place.
  Fix: Incorporate the security checkpoints described above.

Trusted Computing Base
  Check: /etc/security/sysck.cfg exists and tcbck -n ALL reports no discrepancies.
  Fix: If the TCB is not installed, the system has to be reinstalled with the TCB option selected; it cannot be added afterwards.

User Control Administrator
  Check: /etc/security/user
  Fix: Create two accounts (other than root) that are permitted to modify the user configuration file, so that routine user administration does not require root.

Distributed Root Authority
  Check: /etc/security/user
  Fix: Separate the power of root among three separate sets of administrators: one for user control (as described above), one for file-system maintenance, and one for other privileged commands (such as mount).


System Hardening

.netrc Files
  Check: Permissions of $HOME/.netrc for every user.
  Fix: A .netrc holds clear-text credentials for ftp and the r-commands. If one must exist, it must be mode 600 and owned by the account whose home directory holds it (ftp refuses to use it otherwise); if not needed, remove it.

Login Message
  Check: The herald attribute in /etc/security/login.cfg (default port stanza).
  Fix: herald = "\n\n\n\n\n\n\n\n\n\n\rWelcome to Server: <server name>\r\nUnauthorized Access is Prohibited\r\nlogin: "
  (The leading \n characters scroll the previous session off the screen before the banner is shown.)

X11 Interception Vulnerability
  Check: Are the X screen-dump tools xwd and xwud installed (look under /bin and, on AIX, /usr/bin/X11)?
  Fix: Remove them and implement Secure Shell (with X11 forwarding) instead of open X connections.

GUI Disabling
  Check: Which GUI starts on the terminal.
  Fix: Remove KDE and GNOME if they are installed. CDE should be the only GUI in use, as the others add exposure.

Direct Root Login
  Check: The ttys attribute in the root stanza of /etc/security/user (AIX does not use /etc/securetty).
  Fix: Restrict root's direct terminal login to the console, which requires physical access, for example ttys = /dev/console in the root stanza; verify from a second session before closing the current one. If CDE is in use, check /etc/dt/config/Xstartup to ensure that root login through CDE is disabled.

Unnecessary Accounts
  Check: /etc/security/user (and /etc/passwd).
  Fix: Disable the guest and imnadm accounts.

Unnecessary Groups
  Check: /etc/group
  Fix: Remove the uucp, printq and imnadm groups if nothing uses them.

Unnecessary Services
  Check: /etc/inetd.conf, /etc/inittab, /etc/rc.nfs, /etc/rc.tcpip
  Fix: Refer to the service descriptions in the AIX Security Guide and disable every service that is unnecessary to the function of the server (after editing inetd.conf, run refresh -s inetd).

FTP Remote Code Execution Vulnerability
  Check: ls -l /usr/bin/ftp (/bin is a link to /usr/bin on AIX).
  Fix: Ensure the set-user-ID bit (the "s" in the owner execute position) is not set; clear it with chmod u-s.

Remote Root Login
  Check: /etc/security/user
  Fix: Use Secure Shell to log in remotely as root; never telnet or rlogin.

Authentication
  Check: N/A
  Fix: At a minimum, implement OpenSSH and use it in place of telnet.

IPSec
  Check: lslpp -L '*ipsec*' should list:
    bos.msg.en_US.net.ipsec
    bos.net.ipsec.keymgt
    bos.net.ipsec.rte
    bos.net.ipsec.websm
  Fix: Activate IPsec so that it logs all IP traffic for later auditing.

SecureTCPIP
  Check: Try the rcp, rlogin, rsh and tftp commands. If any of them still runs, securetcpip has not been applied.
  Fix: Disable the commands individually as needed. If none are required, run securetcpip, which removes execute permission from these commands and disables their daemons in /etc/inetd.conf.
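The inetd, setuid and securetcpip rows above can be checked from a script. The following is an added example, not code from the paper: each function takes the inetd.conf or directory to inspect as an argument, so it runs against the real /etc/inetd.conf and /usr/bin on an AIX host or against the constructed samples built by make_samples. The RISKY_SERVICES list and the sample inetd.conf entries are assumptions made here for illustration, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the original paper): automate the inetd, setuid
# and securetcpip checks. Paths are arguments so the functions can be pointed
# at live files or at the constructed samples written by make_samples.

# Services that should normally be off on a hardened AIX host: clear-text
# logins, the r-commands (shell/login/exec) and tftp. Assumed list.
RISKY_SERVICES="ftp telnet shell login exec tftp finger rexec bootps"

# enabled_inetd_services INETD_CONF -> names of services that are not commented out.
# inetd.conf fields: service socket protocol wait/nowait user server args...
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# risky_inetd_services INETD_CONF -> enabled services that appear in RISKY_SERVICES.
risky_inetd_services() {
    for s in $(enabled_inetd_services "$1"); do
        case " $RISKY_SERVICES " in
            *" $s "*) echo "$s" ;;
        esac
    done
}

# setuid_files DIR... -> regular files with the set-user-ID bit (the "s" in
# the owner execute position of ls -l) under the given directories.
setuid_files() {
    find "$@" -type f -perm -4000 2>/dev/null
}

# r_commands_executable BINDIR -> r-commands that securetcpip should have
# disabled but that are still executable.
r_commands_executable() {
    for c in rcp rlogin rsh tftp; do
        [ -x "$1/$c" ] && echo "$c"
    done
    return 0
}

# make_samples DIR: constructed inetd.conf and bin directory (not from a real host).
make_samples() {
    # ftp, telnet and shell left enabled; login, exec and tftp commented out.
    cat > "$1/inetd.conf" <<'EOF'
## service socket protocol wait/nowait user server program
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd     ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd  telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd     rshd
#login  stream  tcp6    nowait  root    /usr/sbin/rlogind  rlogind
#exec   stream  tcp6    nowait  root    /usr/sbin/rexecd   rexecd
#tftp   dgram   udp6    SRC     nobody  /usr/sbin/tftpd    tftpd -n
daytime stream  tcp     nowait  root    internal           daytime
EOF
    # A setuid "ftp", an executable "rsh", and an "rcp" stripped of execute
    # bits the way securetcpip leaves it.
    mkdir "$1/bin"
    touch "$1/bin/ftp" "$1/bin/telnet" "$1/bin/rsh" "$1/bin/rcp"
    chmod 4755 "$1/bin/ftp"
    chmod 755 "$1/bin/telnet" "$1/bin/rsh"
    chmod 000 "$1/bin/rcp"
}

main() {
    d=$(mktemp -d)
    make_samples "$d"
    echo "Risky inetd services:  $(risky_inetd_services "$d/inetd.conf" | tr '\n' ' ')"
    echo "setuid files:          $(setuid_files "$d/bin" | tr '\n' ' ')"
    echo "r-commands executable: $(r_commands_executable "$d/bin" | tr '\n' ' ')"
    rm -rf "$d"
}
main
```

On a live system run risky_inetd_services /etc/inetd.conf, setuid_files /usr/bin /usr/sbin and r_commands_executable /usr/bin as root; anything printed is an item from the table above that still needs attention.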


System Integrity

UID Control
  Check: awk -F: '$3 == 0 { print $1 }' /etc/passwd
  Fix: If any user other than root is listed, disable that user.

Audit Control
  Check: /etc/security/audit (config, events, objects)
  Fix: Use the audit subsystem: list the files to be watched in /etc/security/audit/objects, start auditing with audit start, and use the watch command to audit an individual untrusted program.

Remote Syslog Exploit
  Check: netstat -an | grep '\.514' shows whether syslogd is listening on UDP port 514 (the syslog port); if nothing is listed for udp, inspect all of the netstat -an entries.
  Fix: Put a size limit on syslog storage (the rotate size ... files ... option on a /etc/syslog.conf line) so that a flood of remote messages cannot fill the log filesystem and deny service.

TCPD, aka "TCP Wrapper"
  Check: /etc/inetd.conf
  Fix: Ensure that inetd services are started through tcpd so that every connection is logged for audit purposes.

PortSentry
  Check: www.psionic.com/abacus/portsentry
  Fix: Run PortSentry to log possible port scans of the system.

Tripwire
  Check: www.tripwire.com
  Fix: Put the following under /etc under Tripwire control: crontabs, passwd, profile, hosts.equiv, ftpusers, the security directory, syslog.conf, publickey, .rootkey, keystore, shadow, filesystems, inittab, group, vfs.
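The null-password check in the Security Policy list and the UID control check above read the same files, so one added example (not code from the paper) covers both. It takes /etc/passwd and /etc/security/passwd as arguments; because AIX keeps the hash in /etc/security/passwd, a null password can hide in either file. The sample accounts written by make_samples, including the hash placeholder, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original paper): the null-password and UID 0
# checks, written against file paths so they run on the real /etc/passwd and
# /etc/security/passwd or on the constructed samples from make_samples.
# On AIX field 2 of /etc/passwd is "!" (hash kept in /etc/security/passwd) or
# "*" (locked), so both files must be examined for empty passwords.

# uid0_accounts PASSWD -> accounts other than root whose UID is 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# null_password_accounts PASSWD SECURITY_PASSWD -> accounts that can log in
# without a password: an empty field 2 in /etc/passwd, or a stanza in
# /etc/security/passwd whose "password =" line carries no value.
null_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
    awk '
        /^[^ \t*].*:[ \t]*$/ { cur = $1; sub(/:.*$/, "", cur); next }   # "user:" stanza header
        cur != "" && $1 == "password" && $2 == "=" && NF == 2 { print cur }
    ' "$2"
}

# audit_accounts PASSWD SECURITY_PASSWD -> prints findings, returns their count.
audit_accounts() {
    n=0
    for u in $(uid0_accounts "$1"); do
        echo "UID 0 account other than root: $u"; n=$((n + 1))
    done
    for u in $(null_password_accounts "$1" "$2"); do
        echo "Account with null password: $u"; n=$((n + 1))
    done
    return $n
}

# make_samples DIR: constructed sample files; the hash value is a placeholder.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
guest:!:100:100::/home/guest:
oper:!:0:0:backup operator:/home/oper:/usr/bin/ksh
build::305:1::/home/build:/usr/bin/ksh
EOF
    printf 'root:\n\tpassword = PLACEHOLDERHASH\n\tlastupdate = 1111111111\n\tflags =\n\n' > "$1/security_passwd"
    printf 'guest:\n\tpassword = \n\tlastupdate = 1111111111\n\tflags = ADMCHG\n\n' >> "$1/security_passwd"
    printf 'oper:\n\tpassword = *\n\n' >> "$1/security_passwd"
}

main() {
    d=$(mktemp -d)
    make_samples "$d"
    if audit_accounts "$d/passwd" "$d/security_passwd"; then
        echo "No account findings"
    else
        echo "$? finding(s); disable or reset these accounts now"
    fi
    rm -rf "$d"
}
main
```

For the daily cron run suggested in the enhanced checklist, call audit_accounts /etc/passwd /etc/security/passwd from a root crontab entry and mail its output; the non-zero exit status doubles as the alert condition.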


Vulnerability Assessment


The following programs should be run against a system before it goes into production. Once the system is in production, extreme care must be taken when using them: obtain written authorization before launching any of them and pass each run through change control.

COPS, John the Ripper, SNORT, SAINT, NMAP, NSA, Nessus, SARA, Crack, FPing, AIDE


Enhanced Security Measures



This is a summary of the enhanced security measures that should be implemented on systems with higher security demands. The only acceptable reason for not implementing an item is that it conflicts with something on that machine, in which case an equivalent control should be sought.

The list may also be used as an audit checklist for enhanced-security systems.

Security Policy

Hardware Passwords
  Check: If the machine boots without prompting for a password, the system is vulnerable.
  Fix: Set both a firmware (BIOS) password and a power-on password, and make each of them unique.

Login Control
  Check: /etc/security/login.cfg, default port stanza.
  Fix: Set the following attributes:
    sak_enabled = true
    logintimes = <specify the permitted login times>
    logindisable = 3
    logininterval = 300
    loginreenable = 360
    logindelay = 10
  (Three failed logins within 5 minutes lock the port for 6 hours; each failed attempt delays the next prompt by 10 seconds. sak_enabled requires the TCB.)

System Resource Control
  Check: /etc/security/limits
  Fix: Set per-user limits so that no service or user can exhaust the machine's resources.

Global .profile files
  Check: Permissions on $HOME/.profile for every user.
  Fix: User profiles must not be writable by anyone but root; administrators should create the profile files. Enforce automatic logoff by appending the following line to the profile:
    TMOUT=600; TIMEOUT=600; readonly TMOUT TIMEOUT; export TMOUT TIMEOUT
  (An idle shell is logged out after 600 seconds; readonly stops the user from resetting the value.)

Password Strengthening
  Check: /etc/security/user, default stanza.
  Fix: Set the following attributes:
    dictionlist = /usr/share/dict/words
    maxrepeats = 2
    maxexpired = 2
    maxage = 4
    histsize = 20
    histexpire = 52
  (maxage, maxexpired and histexpire are in weeks.)

Null Passwords
  Check: awk -F: '$2 == "" { print $1 }' /etc/passwd, plus the stanzas in /etc/security/passwd whose "password =" line carries no value.
  Fix: No user may have a null password. Disable the account immediately or set a temporary password. Run this check daily from the root crontab.

Physical Security
  Check: Badge readers, camera installations and human surveillance should be in place.
  Fix: Incorporate the security checkpoints described above, and add biometrics or hardware authentication devices such as USB tokens that carry authentication tickets or have biometric authentication built in.

Trusted Computing Base
  Check: /etc/security/sysck.cfg exists and tcbck -n ALL reports no discrepancies.
  Fix: If the TCB is not installed, the system has to be reinstalled with the TCB option selected. Thoroughly audit every program in the TCB; add programs only if they are necessary and have been shown to be secure.

User Control Administrator
  Check: /etc/security/user
  Fix: Create two accounts (other than root) that are permitted to modify the user configuration file.

Distributed Root Authority
  Check: /etc/security/user
  Fix: Separate the power of root among more than three different administrators. The more modular the split, the more secure the system.
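Both the standard and the enhanced checklists give target values for attributes in /etc/security/user and /etc/security/login.cfg. The following added example (not code from the paper) parses the AIX stanza format and grades a file against either level. The sample stanza files it writes, and the rule that a non-positive maxage or maxexpired fails a ceiling check, are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the original paper): read AIX stanza files
# (/etc/security/user, /etc/security/login.cfg) and compare their attributes
# with the standard and enhanced checklist values. Paths are arguments, so the
# functions run against the live files or the constructed samples in make_samples.
# Assumption: AIX treats maxage = 0 and maxexpired = -1 as "no limit", so a
# non-positive value never satisfies a ceiling ("le") check here.

# stanza_get FILE STANZA ATTR -> value of "ATTR = value" under "STANZA:" ("" if unset).
stanza_get() {
    awk -v s="$2" -v a="$3" '
        /^[^ \t*].*:[ \t]*$/ { cur = $1; sub(/:.*$/, "", cur); next }   # "name:" header line
        cur == s && $1 == a && $2 == "=" {
            v = ""; for (i = 3; i <= NF; i++) v = v (i > 3 ? " " : "") $i
            print v; exit
        }' "$1"
}

# check_attr FILE STANZA ATTR OP WANT -> prints PASS/FAIL, returns 0 on pass.
#   OP: eq (string equality), le (positive and <= WANT), ge (>= WANT)
check_attr() {
    val=$(stanza_get "$1" "$2" "$3")
    ok=1
    case "$4" in
        eq) [ "$val" = "$5" ] && ok=0 ;;
        le) [ -n "$val" ] && [ "$val" -gt 0 ] && [ "$val" -le "$5" ] && ok=0 ;;
        ge) [ -n "$val" ] && [ "$val" -ge "$5" ] && ok=0 ;;
    esac
    if [ $ok -eq 0 ]; then echo "PASS $2.$3 = $val"; else echo "FAIL $2.$3 = '$val' (want $4 $5)"; fi
    return $ok
}

# run_specs FILE STANZA SPEC... -> runs check_attr for each "attr:op:want",
# returns the number of failures.
run_specs() {
    file=$1; stanza=$2; shift 2; fails=0
    for spec in "$@"; do
        attr=${spec%%:*}; rest=${spec#*:}; op=${rest%%:*}; want=${rest#*:}
        check_attr "$file" "$stanza" "$attr" "$op" "$want" || fails=$((fails + 1))
    done
    return $fails
}

# audit_password_policy USER_FILE LEVEL (standard|enhanced): default stanza of /etc/security/user.
audit_password_policy() {
    if [ "$2" = enhanced ]; then
        run_specs "$1" default maxrepeats:le:2 maxexpired:le:2 maxage:le:4 \
            histsize:ge:20 histexpire:ge:52 dictionlist:eq:/usr/share/dict/words
    else
        run_specs "$1" default maxrepeats:le:4 maxexpired:le:4 maxage:le:16 \
            histsize:ge:20 histexpire:ge:26
    fi
}

# audit_login_policy LOGIN_CFG LEVEL: default port stanza of /etc/security/login.cfg.
audit_login_policy() {
    if [ "$2" = enhanced ]; then
        run_specs "$1" default sak_enabled:eq:true logindisable:le:3 \
            logininterval:ge:300 loginreenable:ge:360 logindelay:ge:10
    else
        run_specs "$1" default logindisable:le:4 logininterval:ge:60 \
            loginreenable:ge:30 logindelay:ge:5
    fi
}

# make_samples DIR: constructed sample files (not copied from any real host).
make_samples() {
    # /etc/security/user with AIX-like defaults: no aging, no history, no dictionary.
    printf 'default:\n\tadmin = false\n\tlogin = true\n\tdictionlist = \n\tmaxrepeats = 8\n\tmaxexpired = -1\n\tmaxage = 0\n\thistsize = 0\n\thistexpire = 0\n\nroot:\n\tadmin = true\n\trlogin = true\n' > "$1/user.default"
    # The same file after the standard checklist values were applied.
    printf 'default:\n\tadmin = false\n\tlogin = true\n\tdictionlist = \n\tmaxrepeats = 4\n\tmaxexpired = 4\n\tmaxage = 16\n\thistsize = 20\n\thistexpire = 26\n\nroot:\n\tadmin = true\n\trlogin = false\n' > "$1/user.standard"
    # login.cfg meeting the enhanced values.
    printf 'default:\n\tsak_enabled = true\n\tlogindisable = 3\n\tlogininterval = 300\n\tloginreenable = 360\n\tlogindelay = 10\n' > "$1/login.cfg"
}

main() {
    d=$(mktemp -d); make_samples "$d"
    for sample in user.default user.standard; do
        for level in standard enhanced; do
            echo "== $sample against the $level password policy"
            audit_password_policy "$d/$sample" "$level" || echo "   $? attribute(s) need changing"
        done
    done
    echo "== login.cfg against the enhanced login policy"
    audit_login_policy "$d/login.cfg" enhanced || echo "   $? attribute(s) need changing"
    rm -rf "$d"
}
main
```

On a live system run audit_password_policy /etc/security/user enhanced and audit_login_policy /etc/security/login.cfg enhanced as root; the exit status is the number of attributes that still need changing, which can be done with chsec -f /etc/security/user -s default -a attribute=value rather than by hand-editing the file.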


System Hardening

.netrc Files
  Check: Look for $HOME/.netrc in every home directory.
  Fix: Remove all .netrc files; they hold clear-text credentials.

Login Message
  Check: The herald attribute in /etc/security/login.cfg (default port stanza).
  Fix: herald = "\n\n\n\n\n\n\n\n\n\n\rUnauthorized Access is Prohibited\r\nlogin: "
  (No server name or welcome text: the banner must not help an attacker identify the host.)

X11 Interception Vulnerability
  Check: Are the X screen-dump tools xwd and xwud installed (look under /bin and, on AIX, /usr/bin/X11)?
  Fix: Remove them and implement Secure Shell (with X11 forwarding) instead of open X connections.

GUI Disabling
  Check: Which GUI starts on the terminal.
  Fix: No desktop environment should be installed.

Direct Root Login
  Check: The ttys attribute in the root stanza of /etc/security/user.
  Fix: Restrict root's direct terminal login to the console, which requires physical access, for example ttys = /dev/console in the root stanza; verify from a second session before closing the current one.

Unnecessary Accounts
  Check: /etc/security/user (and /etc/passwd).
  Fix: Disable the guest, imnadm, lpd, uucp and nuucp accounts.

Unnecessary Groups
  Check: /etc/group
  Fix: Remove the uucp, printq and imnadm groups if nothing uses them.

Unnecessary Services
  Check: /etc/inetd.conf, /etc/inittab, /etc/rc.nfs, /etc/rc.tcpip
  Fix: Refer to the service descriptions in the AIX Security Guide and disable every service that is unnecessary to the function of the server.

FTP Remote Code Execution Vulnerability
  Check: ls -l /usr/bin/ftp (/bin is a link to /usr/bin on AIX).
  Fix: Ensure the set-user-ID bit (the "s" in the owner execute position) is not set; clear it with chmod u-s.

Remote Root Login
  Check: /etc/security/user
  Fix: Disable remote login for root: rlogin = false in the root stanza. Administrators log in as themselves and use su.

Authentication
  Check: N/A
  Fix: Implement OpenSSH, PKI, Kerberos, PAM and LDAP as the needs of the server dictate.

IPSec
  Check: lslpp -L '*ipsec*' should list:
    bos.msg.en_US.net.ipsec
    bos.net.ipsec.keymgt
    bos.net.ipsec.rte
    bos.net.ipsec.websm
  Fix: Activate IPsec so that it logs all IP traffic for later auditing, and configure it as a packet filter with explicit filtering rules.

SecureTCPIP
  Check: Try the rcp, rlogin, rsh and tftp commands. If any of them still runs, securetcpip has not been applied.
  Fix: Run securetcpip every time TCP/IP is installed or reinstalled, since reinstalling restores the commands.

Port Knocking
  Check: Where the knock sequence is held depends on the required security level: on the machine, offline, or on a thumbdrive.
  Fix: Implement port knocking in front of insecure protocol ports (such as telnet) if such services must be kept for certain functions.


System Integrity

UID Control
  Check: awk -F: '$3 == 0 { print $1 }' /etc/passwd
  Fix: If any user other than root is listed, disable that user.

Audit Control
  Check: /etc/security/audit (config, events, objects)
  Fix: Run the audit subsystem in full (all event classes, with the security files listed in /etc/security/audit/objects).

Remote Syslog Exploit
  Check: netstat -an | grep '\.514' shows whether syslogd is listening on UDP port 514; if nothing is listed for udp, inspect all of the netstat -an entries.
  Fix: Put a size limit on syslog storage (the rotate size ... files ... option in /etc/syslog.conf). If the host does not need to receive remote syslog messages, stop syslogd from accepting them and block UDP 514 with the IPsec filter.

TCPD, aka "TCP Wrapper"
  Check: /etc/inetd.conf
  Fix: Use tcpd for audit logging of every connection. Use its access control to block protocols such as telnet, rlogin and finger from all but the hosts that need them. Combine it with PortSentry to block hosts that port-scan the system.

PortSentry
  Check: www.psionic.com/abacus/portsentry
  Fix: Run PortSentry together with tcpd so that scanning hosts are blocked dynamically.

Tripwire
  Check: www.tripwire.com
  Fix: Put all of /etc/* under Tripwire control. Keep the Tripwire binaries, configuration and database offline (read-only or removable media) so that an intruder cannot tamper with them.


Vulnerability Assessment


In a high-security environment, keep current images of the production servers on separate proof-of-concept machines and run the following programs against them at least once a month in an attempt to break in. When an intrusion succeeds, devise a stopgap and apply it to the original production image. If the fix holds up and causes no conflict, report the finding to www.cert.org and roll the fix out to the production server. Be creative.

COPS, John the Ripper, SNORT, SAINT, NMAP, NSA, Nessus, SARA, Crack, FPing, AIDE














Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget.