Version 4.3
1 of 43
© 2005 KPMG International. KPMG International is a Swiss cooperative that serves as the coordinating entity for a network of independent firms operating under the KPMG name. KPMG
International provides no services to clients. Each member firm of KPMG International is a legally and separate entity and each describes itself as such. All rights reserved.
AIX WP:
Version 4.3
1.2.1 Control Standard: Insecure Sendmail configuration options such as WIZ, VRFY, EXPN and DEBUG are not used.
Impact: Several of the Sendmail commands present serious security risks. For instance, the WIZ command allows anyone who knows the "Wizard" password to log into the system, gaining command line access. VRFY and EXPN ("verify" and "expand" respectively) allow anyone to query the Sendmail server as to the names of valid accounts on the system. DEBUG allows an outsider to put Sendmail in "debug" mode and execute commands on the system.
Procedure: A mail program such as smap should be used. Smap eliminates most of the security weaknesses associated with sendmail. Simple Mail Transfer Protocol (SMTP)-compliant applications such as the Sendmail program support the EXPN command, which allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. EXPN provides additional information concerning users on the system, such as whether they exist and their full names.
If you are running Sendmail, add the line Opnoexpn to your Sendmail configuration file, usually located in /etc/sendmail.cf. For other mail servers, contact your vendor for information on how to disable the expand command.
Newer versions of Sendmail are available at http://www.sendmail.org or from ftp://ftp.cs.berkeley.edu/ucb/sendmail.
1.2.2 Control Standard: The Sendmail daemon is only used if an approved business justification exists.
Impact: The Sendmail program is the mail system's routing program. The UNIX program /usr/lib/sendmail implements both the client and the server side of the mail program. Sendmail has been the source of numerous security breaches on UNIX systems. Security vulnerabilities have been found in all versions of Sendmail, up to and including Sendmail version 8.11.2. This is the latest version of Sendmail – see www.sendmail.com.
Procedure: On AIX, sendmail is started by the Run Control (rc) scripts. Locate the entry for sendmail and comment it out. In order for the changes to take effect, one must either reboot or kill the currently running sendmail process.
1.2.3 Control Standard: The sendmail.cf file allows only a minimal list of "trusted users."
Impact: The /etc/sendmail.cf file contains configuration information necessary for sendmail to run, including options which can create security vulnerabilities in the mail system. The T configuration command identifies the "trusted users" who can override a sender's name in a mail message by using the -f option with one of their own. Trusted users are necessary for certain kinds of mail to flow properly, but other trust relationships can be added which introduce security vulnerabilities.
Procedure: Remove any T sendmail.cf directives not listing uucp, root or daemon.
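The two Sendmail checks above (EXPN disabled, 1.2.1; T directives limited to root, uucp and daemon, 1.2.3) can be scripted. The following is an added example and is not part of the KPMG work program: it runs under POSIX sh on two constructed sendmail.cf fragments, one weak and one hardened, and reports on each. The legacy single-letter form Opnoexpn that the work program cites and the later O PrivacyOptions= form are both recognised; the sample file contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the KPMG work program: audit a sendmail.cf for
# trusted-user (T) lines and for EXPN being disabled. The sample files are
# constructed in a temporary directory that is removed on exit.

WORK=$(mktemp -d "${TMPDIR:-/tmp}/cfaudit.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
BAD_CF=$WORK/sendmail.cf.bad
GOOD_CF=$WORK/sendmail.cf.good

# Constructed weak config: an extra trusted user and no privacy options.
cat > "$BAD_CF" <<'EOF'
# constructed sendmail.cf fragment (weak)
Troot
Tdaemon uucp
Toracle
O QueueDirectory=/var/spool/mqueue
EOF

# Constructed hardened config: trusted users limited to the three the work
# program allows; EXPN and VRFY disabled. Both the legacy "Op" form and the
# "O PrivacyOptions" form are shown, either one alone is enough.
cat > "$GOOD_CF" <<'EOF'
# constructed sendmail.cf fragment (hardened)
Troot daemon uucp
Opnoexpn
O PrivacyOptions=noexpn,novrfy
EOF

# Print each user named on a "T" line who is not root, uucp or daemon.
# Both "Tuser" and "Tuser1 user2" forms are handled, one name per line.
trusted_user_violations() {
    sed -n 's/^T//p' "$1" | tr -s ' \t' '\n\n' | grep -v '^$' \
        | grep -v -x -e root -e uucp -e daemon || true
}

# Exit 0 when EXPN is disabled: legacy "Op..." or "O PrivacyOptions=..."
# containing noexpn, or "goaway", which implies it.
expn_disabled() {
    grep -E '^(Op|O[[:space:]]*PrivacyOptions=).*(noexpn|goaway)' "$1" >/dev/null
}

audit_cf() {
    printf 'Auditing %s\n' "$1"
    v=$(trusted_user_violations "$1")
    [ -z "$v" ] && echo '  trusted users: OK' || echo "  extra trusted users: $v"
    expn_disabled "$1" && echo '  EXPN disabled: OK' || echo '  EXPN still enabled'
}

audit_cf "$BAD_CF"
audit_cf "$GOOD_CF"
```

On a live host, point audit_cf at /etc/sendmail.cf (or the path named in the work program's 1.2.1 procedure); the script only reads the file and prints findings, so it can run from the same cron job that reviews other configuration files.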
1.2.4 Control Standard: DNS is configured to disallow unauthorized zone transfers.
Impact: Zone transfers can be used by intruders to rapidly obtain a complete map of an organization's servers. Such information is commonly used by intruders to facilitate target scanning and selection during break-in attempts.
Procedure: DNS is configured to prevent unauthorized zone transfers as well as log unauthorized zone transfer attempts.
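The work program states the outcome for 1.2.4 but not how to verify it in a BIND configuration. The following is an added example, not part of the work program: a POSIX sh function that parses a named.conf and lists every zone that has no allow-transfer restriction, treating an allow-transfer statement in the options block as a global restriction. The two named.conf files are constructed, with a weak version (no restriction at all for example.com) beside a hardened one (a global allow-transfer { none; } that zones may override for their own secondaries).

```sh
#!/bin/sh
# Added example, not part of the KPMG work program: find zones in a BIND
# named.conf with no allow-transfer restriction, on the zone or globally.

WORK=$(mktemp -d "${TMPDIR:-/tmp}/bindaudit.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
WEAK_CONF=$WORK/named.conf.weak
HARD_CONF=$WORK/named.conf.hard

# Constructed weak config: example.com has no allow-transfer and the
# options block does not restrict transfers either.
cat > "$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
zone "corp.example" IN {
    type master;
    file "corp.zone";
    allow-transfer { 192.0.2.2; };
};
EOF

# Constructed hardened config: a global default of "none" covers every zone
# that does not name its own secondaries.
cat > "$HARD_CONF" <<'EOF'
options {
    directory "/var/named";
    allow-transfer { none; };
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
zone "corp.example" IN {
    type master;
    file "corp.zone";
    allow-transfer { 192.0.2.2; };
};
EOF

# Print the names of zones anyone may transfer. Brace depth is tracked so
# that nested statements such as "allow-transfer { ...; };" do not end a
# zone block early. If the options block restricts transfers globally,
# nothing is printed.
unrestricted_zones() {
    awk '
    {
        if (depth == 0 && $0 ~ /^[ \t]*(zone|options)[ \t{]/) {
            if ($1 == "zone") {
                match($0, /"[^"]*"/)
                name = substr($0, RSTART + 1, RLENGTH - 2)
            } else {
                name = "options"
            }
            seen = 0
        }
        if (name != "" && $0 ~ /allow-transfer/) seen = 1
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (depth == 0 && name != "") {
            if (name == "options") global_ok = seen
            else if (!seen) unrestricted[++n] = name
            name = ""
        }
    }
    END {
        if (global_ok) exit 0
        for (i = 1; i <= n; i++) print unrestricted[i]
    }' "$1"
}

for conf in "$WEAK_CONF" "$HARD_CONF"; do
    printf '%s: ' "$conf"
    z=$(unrestricted_zones "$conf")
    [ -z "$z" ] && echo 'all zones restricted' || echo "unrestricted: $z"
done
```

The logging half of the procedure is separate from this check: named records refused transfers under its security logging category, so confirming that category is routed to a log channel is the second thing to verify.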
1.2.5 Control Standard: If the WAN architecture allows access from insecure networks such as the Internet, the server's network services are either disabled or implemented in a manner which appropriately minimizes the risk of intrusion from the insecure networks.
Impact: Many network services are unnecessary and may pose a security risk if enabled on servers accessible via the Internet or high risk WAN segments.
Procedure: Only network services which are necessary for business operations are active.
1.2.6 Control Standard: The latest available version of BIND is installed on the system.
Impact: Earlier versions of UNIX BIND contained security problems which might allow an attacker to gain access to the system.
Procedure: The latest available version of BIND should be installed. Currently (01/17/2001/19/2000), the latest version is BIND 9.1. You can find this information at www.isc.org.
1.2.7 Control Standard: The Sendmail Aliases file is configured securely.
Impact: An incorrectly configured /etc/aliases file may allow unauthorized access to the system.
Procedure: 1) The aliases file must be owned by root and protected mode 644. Use the following command to check the file permissions:
ls -l /etc/aliases
The permissions shown should be "-rw-r--r--".
1.2.8 Control Standard: The Sendmail mail queue file is configured securely, with the minimum permissions necessary for operation.
Impact: Access to the mail queue can allow users to read other users' mail, gaining sensitive information, or to overwrite mail messages.
Procedure: Check the mail queue's permissions by:
ls -l /var/spool/mqueue/mqueue
1.2.11 Control Standard: Unnecessary RPC services are disabled.
Impact: RPC services provide unauthenticated or weakly authenticated access to systems to remotely execute commands (Remote Procedure Calls) for distributed computing. RPC is used for services such as NFS, but can be a significant vulnerability source.
Procedure: Where RPC is necessary, secure versions of RPC which implement strong authentication and encryption are used.
1.2.12 Control Standard: Protect against an account name/password guessing attack.
Impact: Parameters in the /etc/security/login.cfg file can be set by port to delay or prohibit additional logins after a failed login.
Procedure: Set the parameters appropriately to protect against a guessing attack on sensitive ports (i.e. a modem port). Examine failed logins using:
/usr/bin/who -s /etc/security/failedlogin
1.2.13 Control Standard: The organizational structure of the IS and security groups provides for adequate UNIX security.
Impact: Where IS personnel resources are insufficient to allow for the time and effort needed to address security issues, security needs are generally assigned a very low priority.
Procedure: MIS resources should be devoted to security. Job descriptions of system, network and database administrators should include security related tasks.
1.3 Network Information Services (NIS/NIS+)
Control Standard Impact Procedure
1.3.1 Control Standard: (If NIS is used) a current (i.e., patched) version of NIS is implemented for enterprise wide user authentication.
Impact: NIS offers a robust set of administration options that organizations can use to centrally manage access to system resources. However, there are many options that need to be configured correctly to provide security over the NIS environment. Moreover, many security related vulnerabilities have been associated with NIS. Thus, if NIS is not properly configured and patched, there is an increased risk an unauthorized user could gain privileged access to system resources.
Procedure: Contact your vendor for the most up-to-date patches for NIS/NIS+.
To check for active NIS, use:
isypset=`domainname | /bin/grep "^[a-zA-Z]"`
If active, to check the NIS domainname, use:
/usr/bin/domainname
1.3.2 Control Standard: If NIS is used, it only provides users with access to those systems they have a business need to access.
Impact: Users with domain-wide access may have privileges which go beyond their job responsibilities, including unauthorized access to sensitive files.
Procedure: Limited access via NIS can be accomplished by creating one or more designated login shells on each machine. For instance, the server sales may contain the login shells /usr/local/salessh and /usr/local/salesapp, the former being a copy of /bin/sh and the latter being a shell which launches an application on this server.
1.3.5 Control Standard: Root level UIDs are only defined on the local server and do not provide domain-wide access through the NIS password file.
Impact: If root IDs are implemented domain-wide using NIS, it is likely that system administrators will have privileged access to systems not required for their job functions, while the compromise of a single root account would result in the compromise of all systems in the domain.
Procedure: NIS contains no root level UIDs (uid=0).
1.4 System Configuration
Control Standard Impact Procedure
1.4.1 Control Standard: Access to the at command is limited.
Impact: The at command allows users to run commands at a later time, using the cron command queue. The unrestricted use of these commands is a security risk.
Procedure: Review the at.allow and at.deny files for appropriate entries, using the cat command. If users other than root have a business need to use the at and batch commands, create the at.allow and at.deny files to control which users can use the at command. The login names of users that are allowed to use the at command must be listed in the at.allow file. The at.deny file specifies the list of denied users.
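The allow/deny rule above is easy to misread when both files exist, so here it is as an added example, not part of the KPMG work program: a POSIX sh function that gives the decision for one user, and a report of which accounts in a passwd-format file are currently permitted. The same precedence (allow file decisive when present, otherwise deny file) applies to cron.allow and cron.deny in 5.1.1 below. The files and the passwd entries are constructed; the choice of root-only when neither file exists is an assumption stated in the code, since the behaviour in that case is implementation-defined.

```sh
#!/bin/sh
# Added example, not part of the KPMG work program: the at.allow/at.deny
# decision as a function, plus a "who may use at" report. Sample files are
# constructed in a temporary directory that is removed on exit.

WORK=$(mktemp -d "${TMPDIR:-/tmp}/atdeny.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
ALLOW=$WORK/at.allow
DENY=$WORK/at.deny
printf 'root\nbatchops\n' > "$ALLOW"
printf 'guest\nalice\n' > "$DENY"

# may_use USER ALLOWFILE DENYFILE -> exit 0 if USER may submit at jobs.
# The allow file, when present, is decisive and the deny file is ignored;
# otherwise the deny file is consulted. When neither exists the outcome is
# implementation-defined, so this check assumes root-only, which is the
# end state the work program recommends.
may_use() {
    user=$1 allow=$2 deny=$3
    if [ -f "$allow" ]; then
        grep -q -x "$user" "$allow"
        return $?
    fi
    if [ -f "$deny" ]; then
        if grep -q -x "$user" "$deny"; then return 1; else return 0; fi
    fi
    [ "$user" = root ]
}

# permitted_users PASSWD ALLOWFILE DENYFILE -> sorted names of accounts in
# the passwd-format file that may_use permits
permitted_users() {
    cut -d: -f1 "$1" | while read -r u; do
        may_use "$u" "$2" "$3" && echo "$u"
    done | sort
}

PASSWD=$WORK/passwd   # constructed entries
printf 'root:!:0:0::/:/usr/bin/ksh\n' > "$PASSWD"
printf 'batchops:!:201:1::/home/batchops:/usr/bin/ksh\n' >> "$PASSWD"
printf 'guest:!:202:1::/home/guest:/usr/bin/ksh\n' >> "$PASSWD"
printf 'alice:!:203:1::/home/alice:/usr/bin/ksh\n' >> "$PASSWD"

echo "with at.allow present:     $(permitted_users "$PASSWD" "$ALLOW" "$DENY" | tr '\n' ' ')"
echo "with only at.deny present: $(permitted_users "$PASSWD" /nonexistent "$DENY" | tr '\n' ' ')"
```

Reading the report against the control is the point: if anyone other than root appears without a documented business need, the allow file needs trimming.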
1.4.2 Control Standard: Devices (except terminals) are not world readable, writeable or executable.
Impact: Improperly protected devices (which are represented to the UNIX OS as files) can leave systems vulnerable to attackers. For instance, if an attacker can write to the /dev/kmem device (kernel memory) with a debugger, he may be able to modify his UserID (to become root), modify data in system buffers, or write garbage over critical data structures, causing the system to crash. Similarly, unauthorized access to disk devices, tape devices, network devices and terminals being used by others can lead to problems.
Procedure: Use the chmod command to set appropriate permissions on device files.
1.4.3 Control Standard: The network interface card should not be in promiscuous mode.
Impact: Most Ethernet cards can be placed in "promiscuous" mode, which enables a user to gather and review all Ethernet packets on the local subnetwork, including the data in those packets, such as passwords. Intruders will often attempt to install such gathering software (such as etherfind or tcpdump) upon breaking into the system, in order to gain further access.
Procedure: To determine whether the network interface is in promiscuous mode, use the CPM tools, available from www.cert.org.
1.4.4 Control Standard: The mount command should not be executable by ordinary users, and any untrusted file system (e.g. CD-ROMs) should only be mounted without the ability to execute suid programs.
Impact: Users can inadvertently mount file systems over one another and do not need to routinely mount file systems. A mounted file system, such as a CD-ROM, may contain suid-to-root programs, allowing an attacker to gain root access.
Procedure: Remove the mount command from world access and require untrusted file systems to be mounted with the -o nosuid option.
1.5 Support, Maintenance & Planning
Control Standard Impact Procedure
1.5.1 Control Standard: Corporate IS security policies include specific sections pertaining to the UNIX environment, including configuration guidelines to significant security areas.
Impact: An AIX System Administrator that does not know and understand the Corporate IS security policies may wrongly configure the AIX system and thereby expose the system to security risks.
Procedure: Review the corporate information security policies and procedures to determine if sufficient support exists for a controlled environment. UNIX policies should include specific configuration guidelines, tailored to particular environments such as "file servers," "DMZ systems," etc.
1.5.2 Control Standard: Procedures must be implemented for the regular acquisition and installation of vendor (both IBM and third party applications) patches and upgrades necessary to correct security flaws, as well as installation of workarounds for unpatched problems.
Impact: The system may be needlessly vulnerable to security flaws discovered on an ongoing basis, in terms of both system penetration and denial of service. System crackers are aware of security flaws, and will exploit them if patches are not implemented.
Procedure: Inquire about the system administrator's procedures for obtaining the latest security patches and workarounds and installing them.
Review vendor resources (including www.ers.ibm.com) and security sites such as CERT (www.cert.org) and Bugtraq (www.netspace.org) for the existence of security-related system patches for the particular OS, and install said patches. If using an older version of the OS, upgrading to the latest version of the OS (plus any patches for that version) is usually preferable to keeping the older version with patches. The IBM ERS web site contains patches for the OS (but not for any other software such as a third party Web server or for Sendmail - consult other vendors as appropriate).
1.5.3 Control Standard: If significant programming is done on the server, an appropriate system development life cycle and change control methodology is in place.
Impact: A disorderly development environment, including problems such as a blurring of the development and production environments, insufficient quality assurance testing, insufficient documentation, and excessive programmer privileges, can lead to a breakdown in the security of the system and the integrity of the production data.
Procedure:
• Develop applications on a development system. (NOTE: Development system needs to be completely separate from Production system and network).
• Test new application/program on the Development/Test system. Provide the test criteria and application/program documentation.
• Submit program to Quality & Assurance group for testing.
• Develop a migration plan to the Production system.
• Prepare a back-out plan.
• Notify the system administrator about the migration and the tentative date.
• If all tests have been conducted and passed, submit a change request following the Change Management Process.
• If all authorizations have been obtained and the date approved, migrate to production according to plan.
• Verify that the migrated application is working.
• Provide any required maintenance documentation to the system administrator.
1.6 Physical Access
Control Standard Impact Procedure
1.6.1 Control Standard: The server's physical surroundings are designed for the safety and availability of the system, including cleanliness (lack of dust), appropriate and stable temperature and humidity, and neat and controlled cabling.
Impact: If a computer is not stored in a clean, cool environment, it may be subject to more breakdowns and loss of data.
Procedure: Rooms containing critical servers should be climate-controlled. If conditions are inappropriate, take steps to correct.
2 Identification
2.1 User Accounts
Control Standard Impact Procedure
2.1.1 Control Standard: Each user has a unique user name and user ID.
Impact: UNIX tracks users by UID, rather than by username. Therefore, where users share UIDs, they may gain access to each others' files, while security administrators will not be able to track specific security events to specific users.
Procedure: All server user names and UIDs are unique. The process for user addition and deletion is constructed so as to minimize the risk of duplicate user names and UIDs.
2.1.2 Control Standard: User account group identification (GID) codes should be greater than 100 and never be 1 or 0. User account UIDs should be greater than 100 and must never be 0.
Impact: UNIX UIDs under 100 are reserved for system accounts. By allowing users to have UIDs under 100, the risk is increased that the user will have access to information or resources that are reserved for more powerful system level accounts.
Procedure: To change a user's UID or GID, use the smit tool. Next, use the chmod command to change ownership of any files owned by the old UID to the new UID.
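Controls 1.3.5, 2.1.1 and 2.1.2 all reduce to questions about one passwd-format file, whether the local /etc/passwd or the NIS map as dumped by ypcat passwd, and the same file shows whether password hashes have leaked into the world-readable file (the shadowing control 3.2.5 later in this section). The following is an added example, not part of the KPMG work program: a set of POSIX sh functions, one per question, run over a constructed passwd file that contains one instance of each problem. The "interactive shell below UID 100" check is a heuristic of this example, not a rule from the work program.

```sh
#!/bin/sh
# Added example, not part of the KPMG work program: audit a passwd-format
# file for extra UID-0 accounts, duplicate UIDs and names, hashes left in
# the password field, and low-UID accounts with an interactive shell.

WORK=$(mktemp -d "${TMPDIR:-/tmp}/pwaudit.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
PASSWD=$WORK/passwd
# Constructed sample; every line except the first three is there to trip
# exactly one check.
cat > "$PASSWD" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
oper:!:50:1::/home/oper:/usr/bin/ksh
alice:!:201:1::/home/alice:/usr/bin/ksh
bob:!:202:1::/home/bob:/usr/bin/ksh
carol:!:202:1::/home/carol:/usr/bin/ksh
toor:!:0:0::/:/usr/bin/ksh
dave:AbCdEf123456:203:1::/home/dave:/usr/bin/ksh
alice:!:204:1::/home/alice2:/usr/bin/ksh
EOF

# Accounts other than root with UID 0 (1.3.5).
extra_uid0()      { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1" | sort; }
# UIDs shared by more than one account (2.1.1); a second UID-0 shows here too.
duplicate_uids()  { awk -F: '{ c[$3]++ } END { for (u in c) if (c[u] > 1) print u }' "$1" | sort; }
# Login names that occur more than once (2.1.1).
duplicate_names() { awk -F: '{ c[$1]++ } END { for (n in c) if (c[n] > 1) print n }' "$1" | sort; }
# Password fields holding anything but the placeholders the work program
# permits: empty, "*" or "!" (3.2.5). On AIX the hash belongs in
# /etc/security/passwd, readable by root only.
hashes_in_passwd() { awk -F: '$2 != "" && $2 != "*" && $2 != "!" { print $1 }' "$1" | sort; }
# Non-root accounts below UID 100 with an interactive shell (2.1.2).
# Heuristic of this example: system accounts normally have no shell.
low_uid_interactive() { awk -F: '$3 > 0 && $3 < 100 && $7 ~ /sh$/ { print $1 }' "$1" | sort; }

report() {
    for check in extra_uid0 duplicate_uids duplicate_names hashes_in_passwd low_uid_interactive; do
        printf '%-20s %s\n' "$check:" "$($check "$1" | tr '\n' ' ')"
    done
}
report "$PASSWD"
```

Each function prints nothing on a clean file, so a non-empty report line is a finding to follow up; run it on the NIS map as well as the local file, since 1.3.5 is specifically about UID 0 appearing domain-wide.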
2.1.3 Control Standard: User names follow an organizational naming convention.
Impact: Following a pre-defined set of standards allows for the easier recognition of new accounts that may have been created in violation of policy, either by intruders or system administrators.
Procedure: Best Practices call for a naming standard which makes it hard for outsiders to guess individual account names based on personal information.
We have a naming standard in the Account Management and MSB Introduction documents. You may want to reference these two documents here.
2.1.5 Control Standard: Third party tech support accounts are disabled, and only enabled temporarily as needed.
Impact: Vendor accounts are often left enabled, with default passwords shared among vendor employees and known to vendor ex-employees.
Procedure: Vendor support accounts should only be enabled on a temporary basis. Support contracts with third-party vendors should be reviewed to determine liability in case a break-in takes place through the vendor's network.
3 Authentication
3.1 User Accounts
Control Standard Impact Procedure
3.1.1 Control Standard: Accounts that run a single command, without authentication, are not allowed.
Impact: UNIX allows accounts that simply run a single command or application program (rather than a shell) at login. These accounts typically have no password and are used, for example, to allow people to log in as who to obtain a list of who is on the system, to log in as lpq to check the printer queue, and so on. Examples of such accounts include who, finger, lpq, mail, news, date, uptime, sync, and help. These types of accounts are often exploited by an intruder.
Procedure: Delete any unauthenticated single command logins using the smit tool.
3.1.2 Control Standard: Dormant accounts are removed or disabled.
Impact: Dormant entries are a target for intruders, as the account user will not notice the activity.
Procedure: Procedures should be in place for checking for dormant accounts on a regular basis.
• minalpha=6
• minother=2
• mindiff=3
• maxexpired=3
• histsize=24
• pwdwarntime=14
• dictionlist= (dictionary file of invalid passwords)
Set minimum default values for the smit user fields (defined in /etc/security/user) for the default stanza as follows:
• admin=false
• login=true
• su=false
• daemon=true
• rlogin=false
• sugroups=ALL
• ttys=ALL
• auth1=SYSTEM
• auth2=NONE
• tpath=noask
• umask=027
• expire=0
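The values above live in the default stanza of /etc/security/user, an AIX stanza file ("name:" on its own line, then "attribute = value" lines). The following is an added example, not part of the KPMG work program: a POSIX sh reader for that format and a comparison of the default stanza against the numeric floors and the umask listed above. The stanza file is constructed, with minalpha and umask deliberately below the listed values; on a real host the lssec command reads the live file, and the floors used here are exactly the values in the list, not a standard of this example's own.

```sh
#!/bin/sh
# Added example, not part of the KPMG work program: read attributes from an
# AIX-style stanza file and report default-stanza values below the floors
# listed in the work program. The stanza file below is constructed.

WORK=$(mktemp -d "${TMPDIR:-/tmp}/stanza.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
USERFILE=$WORK/user
cat > "$USERFILE" <<'EOF'
* constructed /etc/security/user fragment
default:
        admin = false
        login = true
        su = false
        minalpha = 4
        minother = 2
        mindiff = 3
        maxexpired = 3
        histsize = 24
        pwdwarntime = 14
        umask = 022

alice:
        admin = true
        login = true
EOF

# get_attr FILE STANZA ATTR -> the value, or nothing when unset in STANZA
get_attr() {
    awk -v s="$2" -v a="$3" '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }                  # comments and blank lines
        /^[^ \t:][^:]*:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        cur == s && $1 == a { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
    ' "$1"
}

# policy_gaps FILE -> one line per default-stanza attribute that falls
# short of the values listed in the work program (floors, and umask=027)
policy_gaps() {
    for pair in minalpha:6 minother:2 mindiff:3 histsize:24 pwdwarntime:14; do
        attr=${pair%%:*}; want=${pair#*:}
        have=$(get_attr "$1" default "$attr")
        if [ -z "$have" ] || [ "$have" -lt "$want" ]; then
            echo "$attr=${have:-unset} (want >= $want)"
        fi
    done
    have=$(get_attr "$1" default umask)
    [ "$have" = 027 ] || echo "umask=${have:-unset} (want 027)"
}

policy_gaps "$USERFILE"
```

Per-user stanzas override the default, so a complete review also runs get_attr for each named stanza; an account with its own weaker minalpha would otherwise pass this default-only check.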
3.2.2 Control Standard: A unique initial password must be assigned to all new accounts, all users must change their passwords immediately when using a new account for the first time, and passwords are distributed in a secure manner.
Impact: If passwords are distributed in printed format or by e-mail, the likelihood is greatly increased that the information will fall into the hands of intruders, who can intercept e-mail or regularly check the office printer for password lists.
Procedure: Initial system passwords should be created in a secure manner, for instance by using a random character generator. Users should be required to obtain their initial system password in person and instructed to destroy any written material which may contain their password.
We have a clearly defined process for new user password creation and communication in our Account Management Policy and MSB Introduction. We need to either reference these two documents or write the appropriate guidelines.
3.2.3 Control Standard: Root passwords should be different for each machine.
Impact: Using the same root password on all machines can lead to compromise of all machines with the compromise of just one.
Procedure: The root password is set differently on each machine. The frequency with which they are changed should be irregular and unpredictable.
3.2.4 Control Standard: The root account does not allow for the separation of duties.
Impact: Separation of duties is basic to security controls. The root account is all-powerful; access to this account for a subset of privileges violates this concept.
Procedure: Utilize the Administrative Roles feature to achieve greater separation of duties and to reduce the number of personnel requiring root account access.
3.2.5 Control Standard: The shadow password file is used, with appropriate file permissions.
Impact: The standard UNIX password file is world readable, so that anyone logged into the system can read the file and attempt to crack the account passwords, including root. The shadow password file removes this threat by moving the password information to a separate file, readable only by root. If the shadow password file is accessible by other users, the value of the shadow file is lost.
Procedure: Password shadowing should be in use for every account on the system. No encrypted passwords should exist in the /etc/passwd file (null, * and ! only in the password field).
3.2.6 Control Standard: Ensure proper password maintenance.
Impact: Improperly maintained passwords can result in exploitation of the system and reduce user accountability.
Procedure: To scan for password inconsistencies, use:
/usr/bin/pwdck -n ALL
To scan for group inconsistencies, use:
/usr/bin/grpck -n ALL
Both of these will report errors but will not fix them automatically. To have the errors fixed, change the "-n" to "-y" in both cases.
4.1.1 Control Standard: Employee accounts are removed in a timely manner after separation from employment.
Impact: Unnecessary accounts or accounts with unnecessary privileges create additional access paths for intruders.
Procedure: Business processes should be in place which ensure that all organizational accounts are created, updated and deleted in a timely manner.
4.1.4 Control Standard: The umask is set to control access to newly created files. Only the owner of a file has default permissions to read, write and execute the newly created file.
Impact: Files and directories are created with a default set of permissions; these default permissions are controlled by the umask (user mask) system variable. Often, the default permissions are far in excess of what is needed for job functions, such as default world read and write privileges, creating opportunities for access to sensitive files or compromise of other accounts including root.
Procedure: The umask setting should be one of:
077 - Most restrictive, but may hinder some collaborative efforts. Only the user has any access to the files he/she creates.
027 - Somewhat less restrictive. Allows others in the user's group to read files created by the user.
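A umask is a mask of bits to remove, so 027 yields mode 640 for a new file (666 with the group-write and all world bits cleared) and 750 for a new directory. The following is an added example, not part of the KPMG work program: a POSIX sh script that computes the resulting mode for each of the two recommended values (and 022, a common default, for contrast) and then creates a file and a directory under that umask in a temporary directory to confirm the arithmetic.

```sh
#!/bin/sh
# Added example, not part of the KPMG work program: show what each umask
# yields for a new file and directory, by arithmetic (base & ~umask, base
# 666 for files and 777 for directories) and by actually creating them.

WORK=$(mktemp -d "${TMPDIR:-/tmp}/umask.XXXXXX")
trap 'rm -rf "$WORK"' EXIT

# predict_mode UMASK file|dir -> four-digit octal mode
predict_mode() {
    base=0666
    [ "${2:-file}" = dir ] && base=0777
    printf '%04o\n' $(( base & ~0$1 ))
}

# observe_mode UMASK file|dir -> ls-style permission string of an object
# created under that umask (the umask is changed in a subshell only)
observe_mode() {
    kind=${2:-file}
    target=$WORK/sample_${1}_${kind}
    rm -rf "$target"
    if [ "$kind" = dir ]; then
        (umask "$1" && mkdir "$target")
    else
        (umask "$1" && : > "$target")
    fi
    ls -ld "$target" | cut -c1-10
}

for u in 022 027 077; do
    printf 'umask %s: file %s %s  dir %s %s\n' "$u" \
        "$(predict_mode "$u" file)" "$(observe_mode "$u" file)" \
        "$(predict_mode "$u" dir)"  "$(observe_mode "$u" dir)"
done
```

The 027 row is what the control asks for when group collaboration is needed; the 077 row is the fully private setting. Note that a umask only applies to newly created objects, so existing files keep whatever mode they had.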
4.2.1 Control Standard: Any 'r' services such as rlogin, rsh, rexec and .rhosts files are disabled.
Impact: By using .rhosts authentication on a server, a user can permit specified users on specified machines to log in to the server without entering a password. Thus, individual users can set security policy (without the system administrator's knowledge), potentially leading to loss of critical resources within that account, and potentially compromising the entire host.
Procedure: Run the securetcpip command to disable the 'r' commands and daemons.
A cron job should be established to periodically check for, and remove, all 'r' commands such as rlogin, rsh, rexec, rcp and .rhosts files. This can be accomplished manually by issuing the following command:
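The periodic check the procedure calls for has two halves: are the 'r' daemons still enabled in inetd.conf, and do any host-trust files exist. The following is an added example, not part of the KPMG work program (the work program's own command is not reproduced on this page), written for POSIX sh over a constructed inetd.conf and home-directory tree. inetd's service names for rshd, rlogind and rexecd are shell, login and exec, which is what the first function looks for; the second lists .rhosts files and an /etc/hosts.equiv. The script reports and does not delete, so removal stays a deliberate operator step.

```sh
#!/bin/sh
# Added example, not part of the KPMG work program: list enabled "r"
# services in an inetd.conf and find host-trust files. Sample data is
# constructed under a temporary root that is removed on exit.

ROOT=$(mktemp -d "${TMPDIR:-/tmp}/rcheck.XXXXXX")
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc" "$ROOT/home/alice" "$ROOT/home/bob"
cat > "$ROOT/etc/inetd.conf" <<'EOF'
# constructed inetd.conf fragment
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd     ftpd
#telnet stream  tcp  nowait  root  /usr/sbin/telnetd  telnetd
shell   stream  tcp  nowait  root  /usr/sbin/rshd     rshd
login   stream  tcp  nowait  root  /usr/sbin/rlogind  rlogind
#exec   stream  tcp  nowait  root  /usr/sbin/rexecd   rexecd
EOF
printf 'trusted.example.com alice\n' > "$ROOT/home/alice/.rhosts"   # constructed
printf 'trusted.example.com\n' > "$ROOT/etc/hosts.equiv"           # constructed

# enabled_r_services INETD_CONF -> service names of uncommented rsh,
# rlogin and rexec entries, in file order
enabled_r_services() {
    awk '$1 !~ /^#/ && ($1 == "shell" || $1 == "login" || $1 == "exec") { print $1 }' "$1"
}

# trust_files ROOT -> .rhosts files under ROOT/home plus ROOT/etc/hosts.equiv
# when it exists, printed relative to ROOT and sorted
trust_files() {
    {
        find "$1/home" -name .rhosts -print
        [ -f "$1/etc/hosts.equiv" ] && echo "$1/etc/hosts.equiv"
    } | sed "s|^$1/||" | sort
}

echo "enabled r services: $(enabled_r_services "$ROOT/etc/inetd.conf" | tr '\n' ' ')"
echo "trust files:"
trust_files "$ROOT" | sed 's/^/  /'
```

On the live system the arguments are /etc/inetd.conf and / (with find pointed at the real home directories); an empty result from both functions is the state the control describes.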
4.2.3 Control Standard: Data files are given only the minimum access permissions necessary for operation.
Impact: World writeable data files can be changed by anyone having any access to the system. Even without malicious intent, an inexperienced user may accidentally make critical changes to sensitive data files, or inadvertently allow an intruder to gain unauthorized access.
Procedure: Obtain a list of world readable and writeable files and directories by:
find / \( -perm -0004 -o -perm -0002 \) -print >> kpmg.txt
This command will search the file system for world readable and writeable files and send the contents to a local text file called "kpmg.txt".
4.2.4 Control Standard: UNIX executables (e.g. /bin/sh and /usr/sbin/netstat), shell scripts (e.g. the /etc/rc scripts) and configuration files (e.g. /etc/inittab, /etc/inetd.conf, .profile and .login) are given only the minimum privileges necessary for operation.
Impact: World writeable binaries and shell scripts can be changed or replaced with command files to give the intruder further access, or to damage the system (a.k.a. a "Trojan horse"). In any event, inexperienced users may accidentally damage the system or introduce hard-to-trace bugs by modifying critical files.
Procedure: Executables and shell scripts generally should not be world writeable, e.g., those in /bin, /usr/sbin, /dev (although some devices may need to be world writeable), /etc, /etc/conf, /etc/default, /etc/init.d, /etc/log, /lib, /root, /shlib. Some key system files which should not be world writeable include /etc/passwd, /etc/group, /etc/profile, /etc/vfstab (default boot parameters), /etc/default/fs and /etc/dfs/fstypes (file system types), /etc/inittab, /sbin/init and /etc/bootrc (boot script).
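The permission checks in 1.2.7 and 1.2.8 (a specific file must show a specific mode), 4.2.3 (find everything world-writeable) and this control (key system files must not be world-writeable), together with the suid concern behind -o nosuid in 1.4.4, are all the same three operations. The following is an added example, not part of the KPMG work program: POSIX sh functions for each, run over a constructed directory tree rather than a live root so the findings are known in advance. mode_of returns the ten-character field the work program compares against "-rw-r--r--"; world_writable is the work program's find narrowed to one tree; setuid_files lists the class of file that nosuid neutralises on untrusted media.

```sh
#!/bin/sh
# Added example, not part of the KPMG work program: file-permission checks
# over a constructed tree. Nothing here changes permissions; it reports.

ROOT=$(mktemp -d "${TMPDIR:-/tmp}/permaudit.XXXXXX")
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc" "$ROOT/home/app" "$ROOT/usr/bin" "$ROOT/tmp" "$ROOT/var/spool/mqueue"
: > "$ROOT/etc/passwd";       chmod 644 "$ROOT/etc/passwd"
: > "$ROOT/etc/aliases";      chmod 644 "$ROOT/etc/aliases"
: > "$ROOT/etc/inittab";      chmod 666 "$ROOT/etc/inittab"      # deliberately wrong
: > "$ROOT/home/app/data.db"; chmod 666 "$ROOT/home/app/data.db" # deliberately wrong
: > "$ROOT/usr/bin/tool";     chmod 4755 "$ROOT/usr/bin/tool"    # set-user-ID
chmod 1777 "$ROOT/tmp"                                           # sticky, world-writeable by design
chmod 700 "$ROOT/var/spool/mqueue"

# mode_of PATH -> the ten-character type/permission field from ls -ld
mode_of() { ls -ld "$1" | cut -c1-10; }

# world_writable ROOT -> paths under ROOT (relative, sorted) with o+w set;
# the work program's "find / -perm -0002" limited to one tree
world_writable() { find "$1" -perm -0002 -print | sed "s|^$1/||" | sort; }

# setuid_files ROOT -> set-user-ID regular files under ROOT (relative, sorted)
setuid_files() { find "$1" -type f -perm -4000 -print | sed "s|^$1/||" | sort; }

# expect_mode PATH MODESTRING -> exit 0 when the mode matches exactly
expect_mode() { [ "$(mode_of "$1")" = "$2" ]; }

for f in etc/passwd etc/aliases etc/inittab; do
    if expect_mode "$ROOT/$f" "-rw-r--r--"; then
        echo "$f: OK"
    else
        echo "$f: $(mode_of "$ROOT/$f") (want -rw-r--r--)"
    fi
done
echo "mail queue:     $(mode_of "$ROOT/var/spool/mqueue")"
echo "world-writable: $(world_writable "$ROOT" | tr '\n' ' ')"
echo "setuid:         $(setuid_files "$ROOT" | tr '\n' ' ')"
```

The world-writeable list will legitimately include sticky directories such as /tmp; the review is of everything else on it. For setuid, the useful comparison is against a baseline list taken at install time, so that a newly appeared entry stands out.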
4.4.1 Control Standard: A server key lock facility is used (if available), and the key is removed and stored in a secure location.
Impact: Key lock facilities can prevent illicit or unauthorized use of the system.
Procedure: Policies should be developed, implemented and effectively communicated concerning the procedures for the proper use of the key lock facility.
4.4.4 Control Standard: The server's physical surroundings are designed for the safety and availability of the system, including cleanliness (lack of dust), appropriate and stable temperature and humidity, and neat and controlled cabling.
Impact: If a computer is not stored in a clean, cool environment, it may be subject to more breakdowns and loss of data.
Procedure: Rooms containing critical servers should be climate-controlled. If conditions are inappropriate, take steps to correct.
5.1.1 Control Standard: Access to the crontab command is limited. Best practices call for only the root user to have access.
Impact: The crontab command submits, edits, lists, or removes cron jobs. A cron job is a command run by the cron daemon at regularly scheduled intervals. The crontab program is owned by root and run with the SUID bit set. By default, everyone on the system can use the crontab command.
Procedure: Review (using cat) the files cron.allow and cron.deny, which control access to crontab. The files must be owned by root and members of the sys group, with permissions mode 640. Under AIX, the crontab access files are /etc/cron.d/cron.allow and cron.deny. The cron.allow file is checked by the system first. This file must include all of the login names (one name per line) of users allowed to use the crontab command. The root user's login name (root) must be listed in the cron.allow file. The cron.deny file must be used to list the login names of users who are not allowed to use crontab. If neither the cron.deny nor the cron.allow file exists, only the superuser can submit a job with the crontab command.
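The access decision described in 5.1.1 is easy to get wrong when reviewing a server by hand, so the following POSIX shell script (an added example, not part of the KPMG work program) reproduces it: cron.allow is consulted first, then cron.deny, and only the superuser qualifies when neither file exists. It also reports the mode-640 and root-listed checks. The directory holding the two files is a parameter so the script can be pointed at a constructed directory; the checklist names /etc/cron.d as the AIX location. Ownership (root, group sys) is not checked here because it cannot be exercised without root.

```sh
#!/bin/sh
# Added example, not from the KPMG work program.  Reproduces the crontab access
# decision described in 5.1.1 (cron.allow consulted first, then cron.deny,
# superuser only when neither exists) and reviews the two files.

# Usage: cron_access_allowed CRON_DIR USER   (exit 0 if USER may use crontab)
cron_access_allowed() {
    dir="$1"; user="$2"
    if [ -f "$dir/cron.allow" ]; then
        # cron.allow governs: only the login names listed (one per line) qualify
        if grep -qx "$user" "$dir/cron.allow"; then return 0; else return 1; fi
    fi
    if [ -f "$dir/cron.deny" ]; then
        # no cron.allow: everyone except the login names in cron.deny
        if grep -qx "$user" "$dir/cron.deny"; then return 1; else return 0; fi
    fi
    # neither file exists: only the superuser may submit jobs
    [ "$user" = "root" ]
}

# Review the files as the checklist does: presence, mode 640, root in cron.allow.
# Prints one finding per line and nothing when everything is as expected.
cron_review() {
    dir="$1"
    for f in cron.allow cron.deny; do
        if [ -f "$dir/$f" ]; then
            mode=$(ls -ld "$dir/$f" | cut -c1-10)
            [ "$mode" = "-rw-r-----" ] || printf '%s: mode is %s, expected -rw-r----- (640)\n' "$f" "$mode"
        else
            printf '%s: absent\n' "$f"
        fi
    done
    if [ -f "$dir/cron.allow" ] && ! grep -qx root "$dir/cron.allow"; then
        printf 'cron.allow: root is not listed\n'
    fi
    return 0
}

# Stand-alone demonstration with constructed files in a throwaway directory.
demo="${TMPDIR:-/tmp}/cron_demo.$$"
mkdir -p "$demo"
printf 'root\nbackup\n' > "$demo/cron.allow"; chmod 640 "$demo/cron.allow"
printf 'guest\n' > "$demo/cron.deny";        chmod 600 "$demo/cron.deny"
cron_review "$demo"
for u in root backup guest alice; do
    if cron_access_allowed "$demo" "$u"; then printf '%s: allowed\n' "$u"; else printf '%s: denied\n' "$u"; fi
done
rm -rf "$demo"
```

Run it against the real directory with `cron_review /etc/cron.d` and `cron_access_allowed /etc/cron.d <login>`; the demonstration at the bottom uses constructed files and removes them afterwards.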
5.1.2 Control Standard: Idle/inactive terminals are automatically locked or logged out after a period of inactivity.
Impact: If accounts are not logged out (e.g. if the user doesn't log out at lunchtime or at the end of the work day), someone with physical access to a terminal can gain access to sensitive information or install backdoors allowing later access to the account.
Procedure: Idle or inactive terminals should be automatically logged out after 5-20 minutes of inactivity, depending on business needs and work patterns (TMOUT variable for the Korn shell, TIMEOUT for the Bourne shell).
6 Privileges
6.1 User Accounts
Control Standard Impact Procedure
6.1.1 Control Standard: Membership in privileged groups is limited to users with a business necessity for such access.
Impact: Accounts listed in privileged groups, such as GID=0, have access to group writeable files created and owned by the root user. Allowing unauthorized users to have a GID=0 increases the risk that sensitive system configuration files will be changed or deleted.
Procedure: Only necessary and authorized users belong to privileged groups. Membership in privileged groups should be limited to users with a business need for the access. Of particular concern on AIX are the admin, adms and audit groups, whose membership should be tightly controlled. For the predefined AIX groups, users should be added to the staff group only, or to locally created groups.
6.1.2 Control Standard: Regularly examine group definitions.
Impact: A common exploit is for an attacker to modify group permissions and privileges so that their activities are possibly less noticeable to the system administrator.
Procedure: To examine user group definitions, use:
/usr/sbin/lsgroup -fa id users ALL
6.1.3 Control Standard: Regularly examine user information.
Impact: A common exploit is for an attacker to modify group memberships for cracked accounts so that their activities are possibly less noticeable to the system administrator.
Procedure: To examine user information, use (single command):
/usr/sbin/lsuser -fa id groups home auditclasses login su rlogin telnet ttys ALL
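Reviewing the lsgroup output from 6.1.2 by eye does not scale, and 6.1.1 asks for a comparison against who is authorized. The script below (an added example, not part of the KPMG work program) parses stanza-format lsgroup output and prints every member of a privileged group (GID 0, or the admin, adms and audit groups the checklist names) who is not on an approved list. Since no AIX host is available here, the lsgroup output is a constructed sample in the stanza layout that `lsgroup -f -a id users ALL` prints (a group name followed by a colon, then indented attribute=value lines); that layout and the approved list are assumptions of the example, and on a real server the live command's output is piped in instead.

```sh
#!/bin/sh
# Added example, not from the KPMG work program.  Checks privileged-group
# membership (6.1.1) from lsgroup -f stanza output (6.1.2) against an approved
# list.  The sample below is constructed, not taken from a real server.

# Constructed sample of `lsgroup -f -a id users ALL` output (assumed layout).
SAMPLE_LSGROUP='system:
        id=0
        users=root,ops
staff:
        id=1
        users=alice,bob,ops
admin:
        id=200
        users=root,bob
audit:
        id=10
        users=root
'

# Approved membership, one "group:user" per line (constructed policy).
APPROVED='system:root
admin:root
adms:root
audit:root
'

# Reads stanza text on stdin; prints "group:user" for every member of a
# privileged group (id=0, or named admin/adms/audit) not in APPROVED.
find_unapproved_members() {
    awk -v approved="$APPROVED" '
        BEGIN {
            n = split(approved, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
            priv["admin"] = 1; priv["adms"] = 1; priv["audit"] = 1
        }
        # Emit findings for the stanza collected so far, then reset.
        function flush(    m, k, i) {
            if (grp == "") return
            if (gid == "0" || (grp in priv)) {
                k = split(users, m, ",")
                for (i = 1; i <= k; i++)
                    if (m[i] != "" && !((grp ":" m[i]) in ok)) print grp ":" m[i]
            }
            grp = ""; gid = ""; users = ""
        }
        /^[^ \t].*:$/   { flush(); grp = substr($0, 1, length($0) - 1); next }
        /^[ \t]+id=/    { sub(/^[ \t]+id=/, ""); gid = $0; next }
        /^[ \t]+users=/ { sub(/^[ \t]+users=/, ""); users = $0; next }
        END { flush() }
    '
}

# Stand-alone demonstration on the constructed sample.
printf '%s' "$SAMPLE_LSGROUP" | find_unapproved_members
```

On a live system replace the sample with `/usr/sbin/lsgroup -fa id users ALL | find_unapproved_members`; an empty result means every privileged-group member is on the approved list.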
6.1.4 Control Standard: SUID and SGID programs are used only when no other reasonable, more secure means exists for the function. Where such programs are necessary, they are implemented in a secure manner, including limiting access to such programs using group permissions.
Impact: If the SUID bit is set in the file permissions, the program executes with the permissions of the owner of the program in addition to the user executing it. For example, ps, the process status program, is SUID to root because it needs to read from system memory, something normal users are not allowed to do. The SGID bit behaves in exactly the same way as the SUID bit, except that the program operates with the permission of the group associated with the file. A vulnerability in a SUID root program, for example, can lead to a root-level compromise of the system. Accordingly, world writable SUID programs are especially dangerous.
Procedure: Where SUID or SGID programs are necessary, restrict access to SUID and SGID programs by creating a group especially for that program. This group should have execute permissions, while 'world' should not have access to the program. The permission bits on such a program would look like:
r-sr-x--- 1 root print 9872 Dec 28 17:44 print_cleaner
SUID programs should NOT be shell scripts, but should be compiled from C or a similar language.
6.1.5 Control Standard: Disable direct logins for root.
Impact: Allowing someone to log in directly as root is dangerous because it removes a layer of authentication and it may be more prone to a sniffing attack to capture the password.
Procedure: Set 'User can LOGIN REMOTELY? = false' in the SMIT CHANGE/SHOW User Characteristics screen.
7 Accountability
7.1 Intrusion Detection
Control Standard Impact Procedure
7.1.1 Control Standard: A regular program of logging and monitoring is in place.
Impact: Logging and monitoring are often ignored or underutilized by system administrators, as they are often given a low priority by both IS and other departments. However, they are the only way to ensure the effectiveness of security measures, provide the opportunity to react to security breaches, and collect evidence of potential intrusions.
Procedure: A program of logging and monitoring is in place which includes real-time monitoring and notification of potential intrusions.
7.1.2 Control Standard: Log files are not world writeable.
Impact: Log files provide the system audit trail and must be properly protected from unauthorized modification.
Procedure: Log files, including syslog and messages, should not be writable by users other than root. Change permissions using the command:
chmod go-w syslog
7.1.3 Control Standard: The loginlog is not world writeable.
Impact: If the loginlog is world writeable, an intruder may delete records of their attempts to gain access, decreasing the likelihood that their activities will be discovered.
Procedure: The loginlog should not be writable by any user other than root. Change permissions using the command:
chmod go-w loginlog
7.2 System Configuration
Control Standard Impact Procedure
7.2.1 Control Standard: The "sticky bit" is set on all world-writeable public directories.
Impact: If the sticky bit is not set on a world-writable directory, files in that directory may be renamed or removed by users other than the owner of the directory or file. Some applications create temporary files in public directories; if the sticky bit is not set, an intruder might be able to overwrite the temporary files and compromise the application.
Procedure: The sticky bit should be set on all public directories which are normally world-writable, such as /tmp, /usr/tmp (/var/tmp) and /usr/spool/uucppublic. Set the sticky bit using:
chmod +t <name>
No sensitive or confidential information should be written to files in these directories, since any user can read them.
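Items 4.2.4 (world-writable system files), 6.1.4 (world-writable SUID programs) and 7.2.1 (public directories without the sticky bit) are all found with the same file-system walk, so one audit script serves all three. The script below is an added example, not part of the KPMG work program; it uses only POSIX find and chmod, applies the chmod +t and o-w fixes the checklist gives, and, to run offline, builds a small constructed directory tree under $TMPDIR whose file names are illustrative rather than a real system's.

```sh
#!/bin/sh
# Added example, not from the KPMG work program.  Audits a directory tree for
# the permission problems described in 4.2.4, 6.1.4 and 7.2.1 using only
# POSIX find/chmod, so it runs unchanged on AIX or any other UNIX.

# Regular files that any user may write to (other-write bit set).
audit_world_writable_files() {
    find "$1" -type f -perm -0002 -print 2>/dev/null | sort
    return 0
}

# SUID or SGID programs that are also world-writable: anyone could replace the
# program body and it would still run with the owner's or group's privileges.
audit_world_writable_setuid() {
    find "$1" -type f -perm -0002 \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
    return 0
}

# World-writable directories lacking the sticky bit (mode 1000): any user can
# rename or remove other users' files there.
audit_unsticky_public_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
    return 0
}

# Apply the checklist's fixes: chmod +t on public directories, chmod o-w on
# world-writable files (which also covers the world-writable SUID case).
remediate_tree() {
    audit_unsticky_public_dirs "$1" | while IFS= read -r d; do
        chmod +t "$d" && printf 'sticky bit set on %s\n' "$d"
    done
    audit_world_writable_files "$1" | while IFS= read -r f; do
        chmod o-w "$f" && printf 'world write removed from %s\n' "$f"
    done
    return 0
}

# Build a small constructed tree so the checks can be demonstrated offline.
build_demo_tree() {
    root="$1"
    mkdir -p "$root/etc" "$root/tmp" "$root/var/tmp" "$root/usr/local/bin"
    : > "$root/etc/passwd";         chmod 644  "$root/etc/passwd"         # correct
    : > "$root/etc/inittab";        chmod 666  "$root/etc/inittab"        # world-writable
    : > "$root/usr/local/bin/tool"; chmod 4755 "$root/usr/local/bin/tool" # SUID, not writable
    : > "$root/usr/local/bin/bad";  chmod 4777 "$root/usr/local/bin/bad"  # SUID and world-writable
    chmod 1777 "$root/tmp"                                                # sticky bit present
    chmod 777  "$root/var/tmp"                                            # sticky bit missing
}

# Stand-alone demonstration against the constructed tree.
demo_root="${TMPDIR:-/tmp}/perm_audit_demo.$$"
build_demo_tree "$demo_root"
printf 'World-writable files:\n';                  audit_world_writable_files "$demo_root"
printf 'World-writable SUID/SGID programs:\n';     audit_world_writable_setuid "$demo_root"
printf 'Public directories without sticky bit:\n'; audit_unsticky_public_dirs "$demo_root"
remediate_tree "$demo_root"
rm -rf "$demo_root"
```

For a real review, call the three audit functions with / (or /etc, /usr, /var) and compare the output against the exception list the checklist allows, such as device nodes under /dev; run remediate_tree only on a path you have reviewed, since it changes modes.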
7.3 Logging & Monitoring
Control Standard Impact Procedure
8.2.1 Control Standard: Use NFS only when necessary. Check regularly for unauthorized NFS activation and use.
Impact: The NFS service allows users to mount a system's file systems remotely. This service is a common way to exploit a system and gain access to private information.
Procedure: To check current NFS status use:
lssrc -g nfs
To check if NFS is installed, use:
lslpp -l | /bin/grep nfs
8.2.2 Control Standard: File systems are not mounted writeable, absent a compelling business justification. Executables are mounted read only, if at all.
Impact: The default configuration of NFS is to grant full access (read, write and execute) to all hosts to a mounted file system. Thus there is a high chance of allowing access to unauthorized individuals. Unauthenticated access to server executables can lead to numerous security vulnerabilities due to flaws in the mounted programs. Program coding mistakes which can become security exploits exist (whether publicly known or not) in as many as 50% of programs.
Procedure: The access control options, and recommended settings, for the /etc/exports and /etc/dfs/dfstab files are:
-ro=host,host - Exports the directory read-only. If this option is not specified, the directory is exported with read-write permission.
-access=host,host - Restricts access to only the named hosts or netgroup name. If no -access option is specified, all hosts will have access. The default value allows any machine to mount the directory.
-rw=host,host - Exports the directory read-write. This mode of exporting inherently lowers directory security and must be implemented with caution.
-root=host,host - Allows superuser access from the named hosts. If NFS root access is not enabled for a remote NFS client, the root UID of the server is mapped to a default UID of -2 or 60001 (the nobody account). This restricts access against the superuser UID on a remote machine. Exports specifying root access are inherently less secure and must be implemented with caution. The default is for no hosts to be granted root access.
-secure - Requires NFS clients to use a more secure protocol when accessing the directory.
8.2.3 Control Standard: NFS exported file systems are protected with access lists.
Impact: Entering a directory or file system in the /etc/exports file without specifying an access list allows any host to mount the directory.
Procedure: NFS should be configured to allow for the minimum access necessary. The number of servers allowed to mount an exported file system should be reduced to the minimum necessary. If the /etc/exports file does not specify a list of hosts for each exported file system, then NFS is insecurely configured.
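The export options listed under 8.2.2 and the access-list rule in 8.2.3 can be checked mechanically. The script below is an added example, not part of the KPMG work program: it reads an /etc/exports file and reports exports with no host list (any host may mount), exports that remain read-write for hosts outside a list, and exports that grant root access. It assumes the AIX exports layout of "/directory -option,option" with hosts inside a list separated by colons; the exports file it runs on is a constructed sample.

```sh
#!/bin/sh
# Added example, not from the KPMG work program.  Reviews an AIX-style
# /etc/exports for the conditions in 8.2.2 and 8.2.3.  Assumes the layout
# "/directory -option,option" with colon-separated host lists.

# Constructed sample exports file (not from a real server).
SAMPLE_EXPORTS='# constructed /etc/exports
/home/data      -access=nfs1:nfs2,ro
/usr/local      -ro
/export/build   -rw=build1,access=build1:build2,root=build1
/tmp/share
'

# Reads an exports file on stdin; prints one finding per line, nothing if clean.
check_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            dir = $1
            n = split($0, f, /[ \t]+-/)          # options follow the first " -"
            opts = (n > 1) ? f[2] : ""
            has_list = 0; rw_unlisted = 1; roots = ""
            m = split(opts, o, ",")
            for (i = 1; i <= m; i++) {
                key = o[i]; val = ""
                p = index(o[i], "=")
                if (p > 0) { key = substr(o[i], 1, p - 1); val = substr(o[i], p + 1) }
                if (key == "access" && val != "") has_list = 1
                if ((key == "ro" || key == "rw") && val != "") has_list = 1
                if (key == "ro" && val == "") rw_unlisted = 0   # read-only for everyone
                if (key == "rw" && val != "") rw_unlisted = 0   # read-write only for listed hosts
                if (key == "root" && val != "") roots = val
            }
            if (!has_list)   print dir ": no access list, any host may mount it"
            if (rw_unlisted) print dir ": read-write for hosts not named in a list, add ro or rw=host"
            if (roots != "") print dir ": root access granted to " roots
        }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s' "$SAMPLE_EXPORTS" | check_exports
```

On a server, `check_exports < /etc/exports` gives the review list; note that `-ro=host` alone still leaves other hosts read-write, which is why the script only clears the read-write finding for a bare `ro` or an `rw=host` list.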
8.3.1 Control Standard: Network services, including login, telnet, FTP, and HTTP, do not display system identifying banners prior to authentication. Instead, a warning message displays a warning against unauthorized use.
Impact: Servers often display sensitive information by default, such as the hostname, the OS version, and the server software version, e.g. ftp.clienthost.com, AIX4.3.3, wuftp version2.14(b9). An intruder could then attempt to exploit known vulnerabilities in these software types (available from public Internet databases). Legitimate users generally do not need to know such information. A warning message may also be necessary for subsequent prosecution of offenders.
Procedure: Instead of banners that identify system type and other sensitive information, network services display generic warning banners. The first thing to do when reducing the footprint of a Unix box is to remove any and all "announcements" sent out to the world. When someone telnets to a box running Unix, they are greeted with the response:
$ telnet 10.16.17.205
Trying 10.16.17.205...
Connected to 10.16.17.205.
Escape character is '^]'.
AIXOS 4.3
login:
8.3.2 Control Standard: Only necessary network services are enabled. Where necessary, services are only implemented in a secure manner, including IP filtering, TCP Wrapper, and installation with the latest software patches.
Impact: Unintended network access can be granted by computers that have more services enabled than is necessary. UNIX systems often are configured "out of the box" with numerous network services that are often unneeded, such as the Berkeley R commands (rshell, rexec and rlogin) and obsolete network testing services such as echo, discard and chargen. After installation, system administrators will often install unnecessary services, because they, or their managers, underestimate the security concerns involved. If a service is not enabled, it cannot be used to break in to the system.
Procedure: Remove all unnecessary services by commenting them out of the inetd.conf file (restarting the inetd process is required at this point: kill -HUP <pid>) or out of the appropriate boot script, as necessary (by placing a comment mark (#) at the beginning of the lines describing the service). To verify the inet services running, use:
netserv -s -S -X
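The commenting-out procedure in 8.3.2 is simple but error-prone on a long inetd.conf, and the verification step benefits from a list rather than a visual scan. The script below is an added example, not part of the KPMG work program: it lists the services an inetd.conf enables, flags the ones the checklist calls unneeded (the Berkeley R services, which inetd.conf names shell, login and exec, plus echo, discard and chargen), and writes a copy with a chosen set commented out. The inetd.conf fragment it works on is constructed; on a server the real file is piped in and the result written to a copy for review before it replaces the original.

```sh
#!/bin/sh
# Added example, not from the KPMG work program.  Works on an inetd.conf
# passed on stdin: list enabled services (verification), flag the ones the
# checklist calls unneeded (detection), comment them out (remediation).

# Constructed inetd.conf fragment, not a real server's file.
SAMPLE_INETD='# constructed inetd.conf fragment
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd    ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/telnetd telnetd -a
shell   stream  tcp  nowait  root  /usr/sbin/rshd    rshd
login   stream  tcp  nowait  root  /usr/sbin/rlogind rlogind
exec    stream  tcp  nowait  root  /usr/sbin/rexecd  rexecd
echo    stream  tcp  nowait  root  internal
discard stream  tcp  nowait  root  internal
chargen stream  tcp  nowait  root  internal
'

# Services the checklist names as usually unneeded: the Berkeley R commands
# (rsh, rlogin and rexec appear as shell, login and exec in inetd.conf) and
# the obsolete testing services echo, discard and chargen.
UNNEEDED="shell exec login echo discard chargen"

# Print the service name of every uncommented inetd.conf line on stdin.
enabled_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }'
}

# Print the enabled services that appear in UNNEEDED.
flag_unneeded_services() {
    enabled_services | awk -v list="$UNNEEDED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        ($1 in bad) { print }'
}

# Comment out the named services: inetd.conf on stdin, edited copy on stdout.
# As the checklist notes, inetd must then be signalled (kill -HUP <pid>).
disable_services() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        !/^[ \t]*(#|$)/ && ($1 in off) { print "#" $0; next }
        { print }'
}

# Stand-alone demonstration on the constructed fragment.
printf 'Enabled:\n';  printf '%s' "$SAMPLE_INETD" | enabled_services
printf 'Unneeded:\n'; printf '%s' "$SAMPLE_INETD" | flag_unneeded_services
printf 'Enabled after disabling the unneeded set:\n'
printf '%s' "$SAMPLE_INETD" | disable_services "$UNNEEDED" | enabled_services
```

A typical use is `flag_unneeded_services < /etc/inetd.conf` for the review, then `disable_services "$UNNEEDED" < /etc/inetd.conf > /tmp/inetd.conf.new`, a diff against the original, and only then the copy into place followed by the HUP the checklist describes.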
8.3.3 Control Standard: Rlogin and rshell are used only if an approved business justification exists.
Impact: Rlogin and rsh provide remote virtual terminal and remote execution services similar to Telnet and rexec. However:
a. rlogind and rshd do not require that the user type his login name; the login name is automatically transmitted at the start of the connection.
b. If the connection comes from a trusted host (via hosts.equiv) or trusted user (via .rhosts), rlogind and rshd will accept the connection without requiring a password.
Procedure: The use of rshd and rlogind is not allowed unless a viable business justification exists. Employ secure methods for remote shells and remote logins that include advanced authentication and encryption (e.g., Secure Shell, SSH).
8.3.4 Control Standard: Tftpd is disabled except on servers which act as a boot host. On these servers, tftp is configured securely.
Impact: The Trivial File Transfer Protocol (TFTP) is used to allow users to retrieve files without requiring an account on the remote system. TFTP is an unauthenticated file transfer service. It is commonly used for booting diskless workstations and downloading server code or fonts for X-terminals over the network. Many implementations of TFTP have security problems. In particular, unrestricted TFTP access allows remote intruders to retrieve a copy of any world-readable file without authentication, such as /etc/passwd.
Procedure: If TFTP is required, restrict access to server files so that sensitive files cannot be retrieved remotely via tftp.
8.3.5 Control Standard: The finger daemon is only used if an approved business justification exists, and then only in a secure manner.
Impact: The Finger daemon service allows a remote user to obtain information about local users, such as their user name, full name, home directory, last login time, and in some cases when she last received and/or read her mail. The fingerd program allows users (and intruders) on remote hosts to obtain this information.
Procedure: If the finger service is necessary, a newer version should be run which requires that a user name be provided along with any request. This keeps arbitrary outsiders from obtaining a complete list of users logged in to the server.
8.3.6 Control Standard: The FTP daemon is only used if an approved business justification exists.
Impact: The File Transfer Protocol (FTP) allows users to connect to remote systems and transfer files. FTP may be used in either authenticated (where a plaintext username and password are required) or anonymous (no username or password required) mode, depending on system configuration. In either case, FTP allows remote access to the server's files, without secure authentication. FTP is an issue both because it allows remote users access to the file system and because legitimate users have been known to unwittingly store sensitive corporate information on publicly available FTP sites.
Procedure: If FTP is required, it should be enabled with the following standard:
1. Only the latest release (including patches) should be used, as various FTP servers have security bugs that allow intruders to break into the system,
2. Anonymous FTP is not allowed, and
3. The /etc/ftpusers file is utilized to restrict login from defined accounts.
8.3.7 Control Standard: The remote printer daemon is securely configured.
Impact: The /etc/hosts.lpd file is used to specify the remote hosts that are allowed to communicate with the lpd printer daemon and access local printer queues. An improper configuration can lead to unauthorized root access.
Procedure: Edit the hosts.lpd file as necessary, using a text editor. Change file permissions using:
chmod 640 /etc/hosts.lpd
8.3.8 Control Standard: The Rexec daemon is only used if an approved business justification exists.
Impact: The rexec (RPC remote program execution) service allows users to execute commands on remote computers without prior authentication.
Procedure: The use of rexecd is not allowed unless a viable business justification exists. Employ secure methods for remote command execution that employ advanced authentication and encryption (e.g., Secure Shell, SSH).
8.3.9 Control Standard: The Telnet daemon is only used if an approved business justification exists.
Impact: Telnet provides remote virtual terminal service similar to that provided by a dial-up modem. Usernames and passwords are susceptible to sniffing, as they are transmitted in plaintext. On the other hand, even without a known username and password, telnet is susceptible to remote attack. Because it is significantly faster to connect with telnet than it is to call up with a modem, an attacker can try to guess more passwords in a given amount of time. Also, it is often easier (and less expensive) to call a computer anonymously on the Internet than over the phone lines.
Procedure: If telnet functionality is needed, the standard telnet server is replaced with a program which encrypts passwords, such as ssh. Limit access to those accounts with a business justification through the accounts' LOGIN REMOTELY fields.
8.3.10 Control Standard: UUCP is only used if necessary for an approved business purpose.
Impact: All versions of UNIX provide a rudimentary form of networking called UUCP, which allows files and electronic mail to be transferred, as well as remote command execution. Installation of the UUCP subsystem is not recommended: a) there is no pairing of a single individual with a UID on UUCP, b) many UUCP systems are configured with anonymous logins. Unless UUCP is carefully configured, sensitive information can be stolen and files can be sent to your system that can compromise security.
Procedure: UUCP can be disabled by changing the 'home directory' and 'shell' fields of the uucp passwd file entry to '/dev/null'. Disable UUCP-related commands such as uucp, uulog, uuname, uupick, uusend, uustat, uuto, uux, as well as commands in /usr/lib/uucp. (Note that the uuencode and uudecode commands should not be disabled, as they are used by other applications such as mail clients. However, make sure that uuencode is not SUID, or else the user could accidentally create SUID executables.)
8.3.11 Control Standard: X Windows is only used if necessary for an approved business purpose. If required, it is implemented in a secure manner, using secure shell to encrypt X traffic.
Impact: Not restricting access to workstation or server X Windows sessions allows other users or intruders on the intranet to perform keystroke logging, view X Window sessions and re-map the keyboard.
Procedure: If X windows is not needed, it should be disabled by editing the AIX rc startup files and commenting out the line which starts X windows. If X windows is needed, it may be configured to use an encrypting "tunnel" such as Secure Shell.
8.3.12 Control Standard: Direct modem access to servers is only used if necessary for an approved business purpose; if necessary, it is implemented in a secure manner.
Impact: It is not uncommon for systems to be configured with insecure direct modem access, either "out of the box" or thereafter by non-security-conscious administrators. Dial-up modems allow anyone who knows the correct telephone number to access the system and try to break in. For example, it is not uncommon for the modem to have no password, or a simple password such as "guest". Also, if improperly configured, modems may allow an attacker to call a system and obtain access to an already logged-in line that another user has unknowingly left behind.
Procedure: Several options are available for increasing modem security. If practical, dial-back modems should be used. Hardware tokens are a secure way of providing remote access, and should be used if at all possible.
8.3.13 Control Standard: hosts.equiv files are not used to establish trust relationships.
Impact: The file /etc/hosts.equiv is used to establish global, password-less trust relationships between remote systems and the server, similar to .rhosts files (the system actually checks hosts.equiv first, then .rhosts if no matches are found).
Procedure: /etc/hosts.equiv files are not used to establish trust relationships between hosts. No application should need unauthenticated access to another server. If such applications exist and are mission-critical, they should be configured to make narrow use of the .rhosts feature of AIX while alternative applications are investigated or developed internally.
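Both 8.3.3 (trusted hosts and users accepted by rlogind and rshd) and 8.3.13 (hosts.equiv trust) come down to the entries in /etc/hosts.equiv and the users' .rhosts files, so an audit of those entries is the check a reviewer wants. The script below is an added example, not part of the KPMG work program: it reads a trust file and prints one finding per entry, distinguishing the "+" wildcard (every host, or every user on a host) from named trust. It assumes the usual "host [user]" line format of these files; the two files it runs on are constructed samples.

```sh
#!/bin/sh
# Added example, not from the KPMG work program.  Audits hosts.equiv and
# .rhosts entries, the password-less trust mechanism described in 8.3.3 and
# 8.3.13.  Assumes the "host [user]" line format in which "+" is a wildcard.

# Constructed samples, not from a real server.
SAMPLE_HOSTS_EQUIV='# constructed /etc/hosts.equiv
build1.example.com
+
nfs1.example.com +
'
SAMPLE_RHOSTS='# constructed ~appuser/.rhosts
batch1.example.com appuser
'

# Usage: audit_trust_file LABEL < file.  Prints one finding per entry.
audit_trust_file() {
    awk -v name="$1" '
        /^[ \t]*(#|$)/ { next }
        {
            host = $1; user = (NF >= 2) ? $2 : ""
            if (host == "+")
                print name ":" NR ": + wildcard trusts every host on the network"
            else if (user == "+")
                print name ":" NR ": + user field lets any user on " host " log in without a password"
            else if (user != "")
                print name ":" NR ": user " user " on " host " is trusted without a password"
            else
                print name ":" NR ": host " host " is trusted, same-named users log in without a password"
        }'
}

# Usage: trust_wildcard_count LABEL < file.  Number of "+" entries, the ones
# no business justification can cover.
trust_wildcard_count() {
    audit_trust_file "$1" | grep -c ': + ' || true
}

# Stand-alone demonstration on the constructed samples.
printf '%s' "$SAMPLE_HOSTS_EQUIV" | audit_trust_file hosts.equiv
printf '%s' "$SAMPLE_RHOSTS"      | audit_trust_file .rhosts
printf 'wildcard entries in hosts.equiv: %s\n' "$(printf '%s' "$SAMPLE_HOSTS_EQUIV" | trust_wildcard_count hosts.equiv)"
```

On a server, run `audit_trust_file hosts.equiv < /etc/hosts.equiv` and the same for each home directory's .rhosts; under 8.3.13 the expected result is no entries at all, and any line the script reports as a wildcard should be treated as a finding regardless of justification.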