
AIX WP:

Version 4.3

Client Filename: Date Year End Prepared By:

1 General Security Design


1.1 Environment
Control Standard | Impact | Procedure
1.1.1
Control Standard: The root user's PATH variable does not include the current working directory or its parent.
Impact: If the root user's PATH includes '.' or "..", the user is vulnerable to trojan horse attacks residing in the user's current working directory or its parent.
Procedure: The default path for the root user does not include any directories which are writable by other users.
1.1.2
Control Standard: Any user's PATH variable does not include the current working directory unless it is the last entry in the PATH; any specific $HOME directories must be after the standard system directories and before the current directory in a user's PATH variable.
Impact: If a user's PATH includes '.' or "..", the user is vulnerable to trojan horse attacks residing in the user's current working directory or its parent.
Procedure: The default path for any user should not include any directories which are writable by themselves or by other users before the system directories, so that system-supplied commands are found first.
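An added example (not from the work program) that checks a PATH value against 1.1.1 and 1.1.2: it flags '.' and '..' entries, including the empty elements the shell treats as the current directory, and absolute directories that are group- or world-writable. The audit_path and demo_path_audit names, the root/user switch and the temporary directories the demo builds are assumptions of this example.

```shell
# Added example (not from the work program): audit a PATH string for the risks
# described in 1.1.1 and 1.1.2. Function names and demo directories are this
# example's own constructions.

# audit_path PATH [root|user]
# Prints one "REASON element" line per risky element and returns 1 if any was
# found, 0 if the PATH is clean. In "user" mode a '.' that is the LAST element
# is tolerated, as 1.1.2 permits; in "root" mode (the default) it never is.
audit_path() (
    path=$1
    mode=${2:-root}
    rc=0
    # An empty element ("::", leading or trailing ':') means the current
    # directory, so rewrite it as '.' before checking.
    norm=$(printf '%s' "$path" | sed -e 's/^:/.:/' -e 's/:$/:./' -e 's/::/:.:/g')
    last=${norm##*:}
    IFS=:
    for dir in $norm; do
        case $dir in
            .|..|./*|../*)
                if [ "$mode" = user ] && [ "$dir" = . ] && [ "$dir" = "$last" ]; then
                    continue
                fi
                printf 'CWD_OR_PARENT %s\n' "$dir"; rc=1 ;;
            /*)
                # Absolute entry: must exist and must not be writable by the
                # group or by others (find -L follows a symlinked directory).
                if [ ! -d "$dir" ]; then
                    printf 'MISSING %s\n' "$dir"; rc=1
                elif [ -n "$(find -L "$dir" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
                    printf 'WRITABLE_BY_OTHERS %s\n' "$dir"; rc=1
                fi ;;
            *)
                # Any other relative entry is resolved against the CWD as well.
                printf 'RELATIVE %s\n' "$dir"; rc=1 ;;
        esac
    done
    exit $rc
)

# demo_path_audit: builds two constructed directories, one safe (755) and one
# world-writable (777), audits a PATH naming both plus a trailing ':' (an
# implicit '.'), prints the findings, cleans up and returns the audit status.
demo_path_audit() {
    base=$(mktemp -d) || return 2
    mkdir "$base/safe" "$base/open"
    chmod 755 "$base/safe"
    chmod 777 "$base/open"
    audit_path "$base/safe:$base/open:" root
    status=$?
    rm -rf "$base"
    return $status
}

demo_path_audit || :
```

To audit the live root account, run `audit_path "$PATH" root` from a root shell.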
1.2 Network Services
Control Standard | Impact | Procedure

1 of 43
© 2005 KPMG International. KPMG International is a Swiss cooperative that serves as the coordinating entity for a network of independent firms operating under the KPMG name. KPMG
International provides no services to clients. Each member firm of KPMG International is a legally and separate entity and each describes itself as such. All rights reserved.
1.2.1
Control Standard: Insecure Sendmail configuration options such as WIZ, VRFY, EXPN and DEBUG are not used.
Impact: Several of the Sendmail commands present serious security risks. For instance, the WIZ command allows anyone who knows the "Wizard" password to log into the system, gaining command line access. VRFY and EXPN ("verify" and "expand" respectively) allow anyone to query the Sendmail server as to the names of valid accounts on the system. DEBUG allows an outsider to put Sendmail in "debug" mode and execute commands on the system.
Procedure: A mail program such as smap should be used. Smap eliminates most of the security weaknesses associated with sendmail. Simple Mail Transfer Protocol (SMTP)-compliant applications such as Sendmail implement the EXPN command, which allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. EXPN provides additional information concerning users on the system, such as whether they exist and their full names.
If you are running Sendmail, add the line Opnoexpn to your Sendmail configuration file, usually located in /etc/sendmail.cf. For other mail servers, contact your vendor for information on how to disable the expand command.
Newer versions of Sendmail are available at http://www.sendmail.org or from ftp://ftp.cs.berkeley.edu/ucb/sendmail.
1.2.2
Control Standard: The Sendmail daemon is only used if an approved business justification exists.
Impact: The Sendmail program is the mail system's routing program. The UNIX program /usr/lib/sendmail implements both the client and the server side of the mail program. Sendmail has been the source of numerous security breaches on UNIX systems. Security vulnerabilities have been found in all versions of Sendmail, up to and including Sendmail version 8.11.2, which is the latest version of Sendmail (see www.sendmail.com).
Procedure: On AIX, sendmail is started by the Run Control (rc) scripts. Locate the entry for sendmail and comment it out. In order for the changes to take effect, one must either reboot or kill the currently running sendmail process.

1.2.3
Control Standard: The sendmail.cf file allows only a minimal list of "trusted users."
Impact: The /etc/sendmail.cf file contains configuration information necessary for sendmail to run, including options which can create security vulnerabilities in the mail system. The T configuration command identifies the "trusted users" who can override a sender's name in a mail message by using the -f option with one of their own. Trusted users are necessary for certain kinds of mail to flow properly, but other trust relationships can be added which introduce security vulnerabilities.
Procedure: Remove any T sendmail.cf directives not listing uucp, root or daemon.
1.2.4
Control Standard: DNS is configured to disallow unauthorized zone transfers.
Impact: Zone transfers can be used by intruders to rapidly obtain a complete map of an organization's servers. Such information is commonly used by intruders to facilitate target scanning and selection during break-in attempts.
Procedure: DNS is configured to prevent unauthorized zone transfers as well as log unauthorized zone transfer attempts.
1.2.5
Control Standard: If the WAN architecture allows access from insecure networks such as the Internet, the server's network services are either disabled or implemented in a manner which appropriately minimizes the risk of intrusion from the insecure networks.
Impact: Many network services are unnecessary and may pose a security risk if enabled on servers accessible via the Internet or high-risk WAN segments.
Procedure: Only network services which are necessary for business operations are active.
1.2.6
Control Standard: The latest available version of BIND is installed on the system.
Impact: Earlier versions of UNIX BIND contained security problems which might allow an attacker to gain access to the system.
Procedure: The latest available version of BIND should be installed. Currently (01/17/2001/19/2000), the latest version is BIND 9.1. You can find this information at www.isc.org.

1.2.7
Control Standard: The Sendmail aliases file is configured securely.
Impact: An incorrectly configured /etc/aliases file may allow unauthorized access to the system.
Procedure:
1) The aliases file must be owned by root and protected mode 644. Use the following command to check the file permissions:
ls -l /etc/aliases
They should read:
"-rw-r--r--"
If permissions are incorrect, change them using the following command:
chmod 644 /etc/aliases
2) Review the entries in the aliases file, using vi /etc/aliases, and comment out any undesirable entries (using a text editor, place a comment "#" marker at the front of the line in question). In particular:
a) Remove the decode alias, which might appear in the alias file as follows:
decode: |/usr/bin/uudecode
b) Review for any other entries which execute a program. Remove if not necessary.
If NIS is used, run /usr/sbin/newaliases after changing the aliases file in order to rebuild the maps.
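An added example (not from the work program) for step 2 of 1.2.7: it scans an aliases file and reports every alias whose target runs a program, writes to a file or pulls in an :include: list, so the decode alias and any other program-executing entry show up without reading the file by hand. The audit_aliases and write_sample_aliases names and the sample file are this example's own.

```shell
# Added example (not from the work program): list the aliases in a sendmail
# aliases file that 1.2.7 says to review. Function names and the sample file
# are this example's own constructions.

# audit_aliases FILE
# Handles "#" comments and continuation lines (leading whitespace). Prints one
# "KIND alias target" line per finding: DECODE_ALIAS for the decode alias
# whatever its target, PROGRAM for "|cmd", INCLUDE for ":include:/path",
# FILE for "/path". Plain user or address targets are not reported.
audit_aliases() {
    sed -e 's/#.*$//' "$1" | awk '
        function trim(s) { gsub(/^[ \t"]+/, "", s); gsub(/[ \t"]+$/, "", s); return s }
        function classify(line,    p, name, rest, n, parts, i, t) {
            p = index(line, ":")
            if (p == 0) return
            name = trim(substr(line, 1, p - 1))
            rest = substr(line, p + 1)
            n = split(rest, parts, ",")
            for (i = 1; i <= n; i++) {
                t = trim(parts[i])
                if (t == "") continue
                if (name == "decode")                print "DECODE_ALIAS " name " " t
                else if (substr(t, 1, 1) == "|")     print "PROGRAM " name " " t
                else if (index(t, ":include:") == 1) print "INCLUDE " name " " t
                else if (substr(t, 1, 1) == "/")     print "FILE " name " " t
            }
        }
        /^[ \t]/ { buf = buf $0; next }      # continuation of the previous alias
        { if (buf != "") classify(buf); buf = $0 }
        END { if (buf != "") classify(buf) }'
}

# write_sample_aliases FILE: writes a constructed aliases file for the demo.
write_sample_aliases() {
    cat > "$1" <<'EOF'
# constructed sample aliases file (not a real system file)
postmaster: root
decode: "|/usr/bin/uudecode"
ops-team: alice, bob,
    :include:/etc/mail/ops.list
archive: /var/log/mail.archive
EOF
}

sample=$(mktemp) && write_sample_aliases "$sample" && audit_aliases "$sample"
rm -f "$sample"
```

Against a live system, run `audit_aliases /etc/aliases`; every reported line is a candidate for the "#" comment marker described above.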

1.2.8
Control Standard: The Sendmail mail queue file is configured securely, with the minimum permissions necessary for operation.
Impact: Access to the mail queue can allow users to read other users' mail, gaining sensitive information, or to overwrite mail messages.
Procedure: Check the mail queue's permissions by:
ls -l /var/spool/mqueue/mqueue
Since only the owner, root, should have access, the permissions should look like:
-rwx------
If permissions are not correct, change them by:
chmod 700 /usr/spool/mqueue/mqueue


1.2.9
Control Standard: The sendmail.cf file has secure file permissions.
Impact: If the Sendmail configuration file has improper file permissions (e.g., world writeable) there is an increased risk that an unauthorized user may gain privileged access to the system or cause a disruption of service.
Procedure: The sendmail.cf file should be secured with appropriate file permissions. The /etc/sendmail.cf file must be writable only by root with permission mode 640 or 660.
1.2.10
Control Standard: Sendmail is implemented in a secure manner, including immediate installation of the latest security patches as they become available.
Impact: Sendmail (a mail routing daemon) has been the source of numerous security breaches on UNIX systems. Security vulnerabilities have been found in all versions of Sendmail, up to and including Sendmail version 8.8.11.2 (Sendmail is currently on version 8.11.2 as of 12/29/2000). You can find this information at www.sendmail.com.
Procedure: Check www.ers.ibm.com for the latest patches; follow site instructions to install the patch. Subscribe to the IBM ERS service to keep abreast of the latest patches to install, as well as the CERT (www.cert.org) and Bugtraq (www.netspace.org) mailing lists for breaking news regarding Sendmail (and other) security vulnerabilities. In addition, the latest information on sendmail can be found at www.sendmail.org.
Evaluate the need to run sendmail, and disable it if the service is not used. If sendmail is necessary, consider using a more secure version (e.g. Qmail) or a sendmail wrapper (smrsh, SMAP / SMAPD).
1.2.11
Control Standard: Unnecessary RPC services are disabled.
Impact: RPC services provide unauthenticated or weakly authenticated access to systems to remotely execute commands (Remote Procedure Calls) for distributed computing. RPC is used for services such as NFS, but can be a significant vulnerability source.
Procedure: Where RPC is necessary, secure versions of RPC which implement strong authentication and encryption are used.
1.2.12
Control Standard: Protect against an account name/password guessing attack.
Impact: Parameters in the /etc/security/login.cfg file can be set by port to delay or prohibit additional logins after a failed login.
Procedure: Set the parameters appropriately to protect against a guessing attack on sensitive ports (i.e. a modem port). Examine failed logins using:
/usr/bin/who -s /etc/security/failedlogin
1.2.13
Control Standard: The organizational structure of the IS and IS security groups provides for adequate UNIX security.
Impact: Where IS personnel resources are insufficient to allow for the time and effort needed to address security issues, security needs are generally assigned a very low priority.
Procedure: MIS resources should be devoted to security. Job descriptions of system, network and database administrators should include security-related tasks.
1.3 Network Information Services (NIS/NIS+)
Control Standard | Impact | Procedure
1.3.1
Control Standard: (If NIS is used) a current (i.e., patched) version of NIS is implemented for enterprise-wide user authentication.
Impact: NIS offers a robust set of administration options that organizations can use to centrally manage access to system resources. However, there are many options that need to be configured correctly to provide security over the NIS environment. Moreover, many security-related vulnerabilities have been associated with NIS. Thus, if NIS is not properly configured and patched, there is an increased risk that an unauthorized user could gain privileged access to system resources.
Procedure: Contact your vendor for the most up-to-date patches for NIS/NIS+.
To check for active NIS, use:
isypset=`domainname | /bin/grep "^[a-zA-Z]"`
If active, to check the NIS domainname, use:
/usr/bin/domainname

1.3.2
Control Standard: If NIS is used, it only provides users with access to those systems they have a business need to access.
Impact: Users with domain-wide access may have privileges which go beyond their job responsibilities, including unauthorized access to sensitive files.
Procedure: Limited access via NIS can be accomplished by creating one or more designated login shells on each machine.
For instance, the server sales may contain the login shells /usr/local/salessh and /usr/local/salesapp, the former being a copy of /bin/sh and the latter being a shell which launches an application on this server.
Most users will now have the NIS entry /usr/local/salesapp, while users requiring shell access to the server will have the NIS entry /usr/local/salessh. These users can now be administered on a domain-wide basis, but their login access is limited to the server sales.
Note also that the .login/.cshrc/.profile files can play a role in controlling NIS access.
1.3.3
Control Standard: NIS configuration files have secure file permissions.
Impact: World-writable NIS configuration files could make it possible for an attacker to change NIS information, including adding privileged accounts.
Procedure: NIS configuration files have restrictive permissions. In particular, the passwd.adjunct file is not accessible by users other than root.
The umask value for the root user is set to 077 to ensure that files are created with secure default permissions.
1.3.4
Control Standard: NIS master servers do not use NIS for password information.
Impact: Since NIS master servers are key to NIS security, and thus a point of compromise for the entire network, such systems should have extra security protections.
Procedure: NIS master servers use only local account information for authentication.

1.3.5
Control Standard: Root level UIDs are only defined on the local server and do not provide domain-wide access through the NIS password file.
Impact: If root IDs are implemented domain-wide using NIS, it is likely that system administrators will have privileged access to systems not required for their job functions, while the compromise of a single root account would result in the compromise of all systems in the domain.
Procedure: NIS contains no root level UIDs (uid=0).
1.4 System Configuration
Control Standard | Impact | Procedure
1.4.1
Control Standard: Access to the at command is limited.
Impact: The at command allows users to run commands at a later time, using the cron command queue. The unrestricted use of these commands is a security risk.
Procedure: Review the at.allow and at.deny files for appropriate entries, using the cat command. If users other than root have a business need to use the at and batch commands, create the at.allow and at.deny files to control which users can use the at command. The login names of users that are allowed to use the at command must be listed in the at.allow file. The at.deny file specifies the list of denied users.
These files must be owned by root and members of the sys group, with permissions mode 640.
Where necessary, add entries to at.allow and at.deny using a text editor, and change permissions on these files using chmod.
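An added example (not from the work program) that turns the ownership and mode requirements of 1.2.7 (aliases 644), 1.2.8 (mail queue 700), 1.2.9 (sendmail.cf 640 or 660) and 1.4.1 (at.allow and at.deny, root:sys 640) into one check. AIX 4.3 has no stat(1), so the symbolic mode column of ls -ld is converted to octal. The function names, the /var/adm/cron location assumed for at.allow and at.deny, and the sample ls lines are this example's own.

```shell
# Added example (not from the work program): compare a file's owner, group and
# mode with the values the work program requires. Function names and the
# sample "ls -ld" lines are this example's own constructions.

# sym_to_octal SYMBOLIC: "-rw-r--r--" -> 644, "drwx------" -> 700.
# Setuid/setgid/sticky letters (s, S, t, T) count only as the underlying x bit.
sym_to_octal() {
    printf '%s\n' "$1" | awk '{
        m = substr($0, 2, 9); out = ""
        for (g = 0; g < 3; g++) {
            v = 0
            if (substr(m, 3*g + 1, 1) == "r") v += 4
            if (substr(m, 3*g + 2, 1) == "w") v += 2
            x = substr(m, 3*g + 3, 1)
            if (x == "x" || x == "s" || x == "t") v += 1
            out = out v
        }
        print out
    }'
}

# check_perm PATH OWNER GROUP MODES [LS_LINE]
#   GROUP "-" means any group; MODES is one mode or several joined by "/"
#   (e.g. 640/660). LS_LINE is the "ls -ld PATH" output: pass it to check a
#   constructed line, omit it to inspect the live file.
# Prints "OK path" (status 0), "MISMATCH ..." (status 1) or "MISSING path" (2).
check_perm() {
    p=$1; want_owner=$2; want_group=$3; want_modes=$4
    line=${5:-$(ls -ld "$p" 2>/dev/null)}
    if [ -z "$line" ]; then printf 'MISSING %s\n' "$p"; return 2; fi
    set -- $line                      # mode links owner group size date... name
    mode=$(sym_to_octal "$1"); owner=$3; group=$4
    ok=1
    [ "$owner" = "$want_owner" ] || ok=0
    [ "$want_group" = - ] || [ "$group" = "$want_group" ] || ok=0
    case "/$want_modes/" in *"/$mode/"*) ;; *) ok=0 ;; esac
    if [ $ok -eq 1 ]; then
        printf 'OK %s\n' "$p"; return 0
    fi
    printf 'MISMATCH %s got=%s:%s:%s want=%s:%s:%s\n' "$p" "$owner" "$group" "$mode" \
        "$want_owner" "$want_group" "$want_modes"
    return 1
}

# audit_mail_and_at_files: the page's requirements applied to the live system.
# The mail queue directory and the at.allow/at.deny paths are assumptions.
audit_mail_and_at_files() {
    rc=0
    check_perm /etc/aliases           root -   644     || rc=1   # 1.2.7
    check_perm /var/spool/mqueue      root -   700     || rc=1   # 1.2.8
    check_perm /etc/sendmail.cf       root -   640/660 || rc=1   # 1.2.9
    check_perm /var/adm/cron/at.allow root sys 640     || rc=1   # 1.4.1
    check_perm /var/adm/cron/at.deny  root sys 640     || rc=1   # 1.4.1
    return $rc
}

audit_mail_and_at_files || :
```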

1.4.2
Control Standard: Devices (except terminals) are not world readable, writeable or executable.
Impact: Improperly protected devices (which are represented to the UNIX OS as files) can leave systems vulnerable to attackers. For instance, if an attacker can write to the /dev/kmem device (kernel memory) with a debugger, he may be able to modify his UserID (to become root), modify data in system buffers, or write garbage over critical data structures, causing the system to crash. Similarly, unauthorized access to disk devices, tape devices, network devices and terminals being used by others can lead to problems.
Procedure: Use the chmod command to set appropriate permissions on device files.
1.4.3
Control Standard: The network interface card should not be in promiscuous mode.
Impact: Most Ethernet cards can be placed in "promiscuous" mode, which enables a user to gather and review all Ethernet packets on the local subnetwork, including the data in those packets, such as passwords. Intruders will often attempt to install such gathering software (such as etherfind or tcpdump) upon breaking into the system, in order to gain further access.
Procedure: To determine whether the network interface is in promiscuous mode, use the CPM tools, available from www.cert.org.
1.4.4
Control Standard: The mount command should not be executable by users, and any untrusted file system (i.e. CD-ROMs) should only be mounted without the ability to execute suid programs.
Impact: Users can inadvertently mount file systems over one another and do not need to routinely mount file systems. A mounted file system, such as a CD-ROM, may contain suid-to-root programs, allowing an attacker to gain root access.
Procedure: Remove the mount command from world access and require untrusted file systems to be mounted with the -o nosuid option.
1.5 Support, Maintenance & Planning
Control Standard | Impact | Procedure

1.5.1
Control Standard: Corporate IS security policies include specific sections pertaining to the UNIX environment, including configuration guidelines for significant security areas.
Impact: An AIX System Administrator that does not know and understand the Corporate IS security policies may wrongly configure the AIX system and thereby expose the system to security risks.
Procedure: Review the corporate information security policies and procedures to determine if sufficient support exists for a controlled environment. UNIX policies should include specific configuration guidelines, tailored to particular environments such as "file servers," "DMZ systems," etc.

1.5.2
Control Standard: Procedures must be implemented for the regular acquisition and installation of vendor (both IBM and third-party application) patches and upgrades necessary to correct security flaws, as well as installation of workarounds for unpatched problems.
Impact: The system may be needlessly vulnerable to security flaws discovered on an ongoing basis, in terms of both system penetration and denial of service. System crackers are aware of security flaws, and will exploit them if patches are not implemented.
Procedure: Inquire about the system administrator's procedures for obtaining the latest and installing the security patches and workarounds.
Review vendor resources (including www.ers.ibm.com) and security sites such as CERT (www.cert.org) and Bugtraq (www.netspace.org) for the existence of security-related system patches for the particular OS, and install said patches. If using an older version of the OS, upgrading to the latest version of the OS (plus any patches for that version) is usually preferable to keeping the older version with patches. The IBM ERS web site covers the OS itself (but not any other software such as a third-party Web server or Sendmail; consult other vendors as appropriate).
Important: Some patches may change your system configuration to insecure defaults.
1.5.3
Control Standard: If significant programming is done on the server, an appropriate system development life cycle and change control methodology is in place.
Impact: A disorderly development environment, including problems such as a blurring of the development and production environments, insufficient quality assurance testing, insufficient documentation, and excessive programmer privileges, can lead to a breakdown in the security of the system and the integrity of the production data.
Procedure:
• Develop applications on a development system. (NOTE: the development system needs to be completely separate from the production system and network.)
• Test the new application/program on the Development/Test system. Provide the test criteria and application/program documentation.
• Submit the program to the Quality Assurance group for testing.
• Develop a migration plan to the production system.
• Prepare a back-out plan.
• Notify the system administrator about the migration and the tentative date.
• If all tests have been conducted and passed, submit a change request following the Change Management Process.
• If all authorizations have been obtained and the date approved, migrate to production according to plan.
• Verify that the migrated application is working.
• Provide any required maintenance documentation to the system administrator.
1.6 Physical Access
Control Standard | Impact | Procedure
1.6.1
Control Standard: The server's physical surroundings are designed for the safety and availability of the system, including cleanliness (lack of dust), appropriate and stable temperature and humidity, and neat and controlled cabling.
Impact: If a computer is not stored in a clean, cool environment, it may be subject to more breakdowns and loss of data.
Procedure: Rooms containing critical servers should be climate-controlled. If conditions are inappropriate, take steps to correct them.
2 Identification
2.1 User Accounts
Control Standard | Impact | Procedure
2.1.1
Control Standard: Each user has a unique user name and user ID.
Impact: UNIX tracks users by UID, rather than by username. Therefore, where users share UIDs, they may gain access to each other's files, while security administrators will not be able to track specific security events to specific users.
Procedure: All server user names and UIDs are unique. The process for user addition and deletion is constructed so as to minimize the risk of duplicate user names and UIDs.
2.1.2
Control Standard: User account group identification (GID) codes should be greater than 100 and never be 1 or 0. User account UIDs should be greater than 100 and must never be 0.
Impact: UNIX UIDs under 100 are reserved for system accounts. By allowing users to have UIDs under 100, the risk is increased that the user will have access to information or resources that are reserved for more powerful system-level accounts.
Procedure: To change a user's UID or GID, use the smit tool. Next, use the chown command to change the ownership of any files owned by the old UID to the new UID.
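An added example (not from the work program) that audits passwd-format records for the conditions in 2.1.1 and 2.1.2: duplicate user names or UIDs, UID 0 on any account other than root, user accounts with a UID or GID below 100. Run over "ypcat passwd" output it also covers 1.3.5 (no UID 0 in the NIS map). The exemption list of system accounts is taken from the default accounts named in 2.2.1 and, like the sample data and function names, is this example's own assumption.

```shell
# Added example (not from the work program): audit passwd-format records for
# duplicate names/UIDs and for UID/GID values below the thresholds in 2.1.2.
# The system-account exemption list and the sample records are constructed.

# audit_passwd FILE   (use "-" to read a pipe, e.g. ypcat passwd | audit_passwd -)
# Prints one "KIND name detail" line per finding; status 1 if any, else 0.
audit_passwd() {
    awk -F: -v sysacct="root daemon bin sys adm uucp guest nobody lpd" '
        BEGIN { n = split(sysacct, a, " "); for (i = 1; i <= n; i++) sys[a[i]] = 1 }
        /^#/ || NF < 4 { next }               # comments and malformed lines
        {
            name = $1; uid = $3 + 0; gid = $4 + 0
            if (seen_name[name]++) { print "DUP_NAME " name; bad = 1 }
            if (seen_uid[uid]++)   { print "DUP_UID " name " " uid; bad = 1 }
            if (uid == 0 && name != "root") { print "UID0 " name; bad = 1 }
            else if (uid < 100 && !(name in sys)) { print "LOW_UID " name " " uid; bad = 1 }
            # GIDs 0 and 1 are never acceptable for user accounts; the page also
            # wants user GIDs above 100, so anything below 100 is reported.
            if (gid < 100 && !(name in sys)) { print "LOW_GID " name " " gid; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# write_sample_passwd FILE: constructed records exercising every finding.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
adm:!:4:4::/var/adm:
alice:!:205:1:Alice:/home/alice:/usr/bin/ksh
bob:!:206:200::/home/bob:/usr/bin/ksh
carol:!:206:200::/home/carol:/usr/bin/ksh
toor:!:0:0::/:/usr/bin/ksh
dave:!:50:200::/home/dave:/usr/bin/ksh
EOF
}

sample=$(mktemp) && write_sample_passwd "$sample" && { audit_passwd "$sample" || :; }
rm -f "$sample"
```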

2.1.3
Control Standard: User names follow an organizational naming convention.
Impact: Following a pre-defined set of standards allows for the easier recognition of new accounts that may have been created in violation of policy, either by intruders or system administrators.
Procedure: Best practices call for a naming standard which makes it hard for outsiders to guess individual account names based on personal information.
We have a naming standard in the Account Management and MSB Introduction documents. You may want to reference these two documents here.
This naming standard prevents outsiders from deriving user account names from publicly available information such as employee names. User account names can be used in combination with password guessing and social engineering to gain unauthorized access to systems.
2.1.4
Control Standard: Generic or group user accounts are not used. A generic account is identified as a user account in which multiple users, on a regular basis, access and have knowledge of a single user account with a known identification/password combination.
Impact: Generic user accounts limit accountability for user actions performed while logged in as a generic user. Use of a generic account is extremely difficult to audit since it is impossible to differentiate between the activities of individual users, making it a high-priority target for intruders.
Procedure: If a generic account is identified, perform the following:
1. Identify the purpose of the account,
2. Identify all users of the account,
3. Create unique accounts for all users of the generic account,
4. Assign appropriate rights to all new user accounts, and
5. Delete the generic account.

2.1.5
Control Standard: Third-party tech support accounts are disabled, and only enabled temporarily as needed.
Impact: Vendor accounts are often left enabled, with default passwords shared among vendor employees and known to vendor ex-employees. Support contracts with third-party vendors should be reviewed to determine liability in case a break-in takes place through the vendor's network.
The third-party vendor should be contacted to determine whether secure systems practices are being followed, whether third-party security reviews have been performed, and whether such reviews are available for inspection.
Procedure: Vendor support accounts should only be enabled on a temporary basis.
2.2 System Configuration
Control Standard | Impact | Procedure
2.2.1
Control Standard: Default system accounts that do not need to be used are disabled.
Impact: Default system accounts, such as daemon, bin, sys and adm, are automatically created when the AIX Operating System is installed. Many of these accounts are never logged into but are instead place holders for software ownership.
Procedure: The following accounts provided by default with AIX 4.x should be disabled: daemon, bin, sys, adm, uucp, guest, nobody, lpd.
2.2.1
Control Standard: All user accounts should be managed consistently to minimize inappropriate account configurations.
Impact: Managing user accounts and their associated parameters by editing the native UNIX files, or even with the mkuser command, can lead to misconfigurations creating a security exposure.
Procedure: Use the smit utility whenever its capability is sufficient. All normal administration of user accounts should utilize the smit utility.

3 Authentication
3.1 User Accounts
Control Standard | Impact | Procedure
3.1.1
Control Standard: Accounts that run a single command, without authentication, are not allowed.
Impact: UNIX allows accounts that simply run a single command or application program (rather than a shell) at login. These accounts typically have no password and are used, for example, to allow people to log in as who to obtain a list of who is on the system, to log in as lpq to check the printer queue, and so on. Examples of such accounts include who, finger, lpq, mail, news, date, uptime, sync, and help. These types of accounts are often exploited by an intruder.
Procedure: Delete any unauthenticated single command logins using the smit tool.
3.1.2
Control Standard: Dormant accounts are removed or disabled.
Impact: Dormant entries are a target for intruders, as the account user will not notice the activity.
Procedure: Procedures should be in place for checking for dormant accounts on a regular basis.

3.2 Password Composition & Management
Control Standard | Impact | Procedure
3.2.1 Control Standard: Passwords are not easily guessable, i.e. words found in a dictionary, or a variation on the user name; they do not pertain directly to a user's family or personal interests. While passwords should contain both alpha and numeric characters, passwords with special characters are even harder to guess or crack with a utility.
Impact: Passwords which are easy to guess give intruders an easy opportunity to break into the system.
Procedure: Define password/user characteristics in /etc/security/user, /etc/security/mkuser.default, /etc/security/login.cfg

Minimum requirements (defined in /etc/security/user):
• minlen=8
• maxage=60
• minage=1
• maxrepeat=12
• minalpha=6
• minother=2
• mindiff=3
• maxexpired=3
• histsize=24
• pwdwarntime=14
• Set dictionlist= dictionary file of invalid passwords

Set minimum default values for smit user field (defined in /etc/security/user) for the default stanza as follows:
• admin=false
• login=true
• su=false
• daemon=true
• rlogin=false
• sugroups=ALL
• ttys=ALL
• auth1=SYSTEM
• auth2=NONE
• tpath=noask
• umask=027
• expire=0
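The minimum values above can be verified from the file rather than by eye. The following shell script is an added example, not part of this work program or of AIX: it reads the default stanza of a file in /etc/security/user stanza format and reports every attribute that is missing or weaker than the values listed above (treating maxage=0, which disables expiry, as a failure). The file path is a parameter so the check can run against a copy collected from the host; the function names and the sample stanza used to exercise it are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original work program): audit the
# "default:" stanza of a file in AIX /etc/security/user format against
# the minimum password values listed in 3.2.1. Run as
#   check_password_stanza /etc/security/user
# on the audited host, or against a copy of the file collected from it.

# stanza_attrs FILE STANZA: print "attribute value" pairs of one stanza.
# AIX stanza files put the stanza name at column 0 followed by ':' and
# indent "attr = value" lines beneath it; '*' starts a comment line.
stanza_attrs() {
    awk -v want="$2" '
        /^\*/ { next }
        /^[^ \t].*:[ \t]*$/ {
            cur = $0; sub(/:[ \t]*$/, "", cur); next
        }
        cur == want && /=/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, kv, "[ \t]*=[ \t]*")
            if (n >= 2) print kv[1], kv[2]
        }' "$1"
}

# stanza_get FILE STANZA ATTR: value of one attribute, empty if unset.
stanza_get() {
    stanza_attrs "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# check_password_stanza FILE: print one line per finding and return 1 if
# the default stanza is weaker than required, 0 if it complies.
check_password_stanza() {
    file=$1
    rc=0
    # "attribute op bound": ge = value must be >= bound, le = <= bound
    for rule in "minlen ge 8" "maxage le 60" "minage ge 1" \
                "maxrepeat le 12" "minalpha ge 6" "minother ge 2" \
                "mindiff ge 3" "maxexpired le 3" "histsize ge 24" \
                "pwdwarntime ge 14"; do
        set -- $rule
        attr=$1; op=$2; bound=$3
        have=$(stanza_get "$file" default "$attr")
        if [ -z "$have" ]; then
            echo "default: $attr is not set (required: $op $bound)"; rc=1
        elif [ "$attr" = maxage ] && [ "$have" -eq 0 ]; then
            # maxage=0 disables expiry entirely, so it must not pass "le 60"
            echo "default: maxage=0 means passwords never expire"; rc=1
        elif [ "$op" = ge ] && [ "$have" -lt "$bound" ]; then
            echo "default: $attr=$have is below the minimum $bound"; rc=1
        elif [ "$op" = le ] && [ "$have" -gt "$bound" ]; then
            echo "default: $attr=$have exceeds the maximum $bound"; rc=1
        fi
    done
    if [ -z "$(stanza_get "$file" default dictionlist)" ]; then
        echo "default: dictionlist is not set (no dictionary of forbidden passwords)"
        rc=1
    fi
    return $rc
}
```

A non-zero return means at least one finding was printed; the same stanza_get helper can be pointed at the other attributes of the default stanza (admin, login, umask and so on) listed above.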


3.2.2 Control Standard: A unique initial password must be assigned to all new accounts and all users must change their passwords immediately when using a new account for the first time, and passwords are distributed in a secure manner.
Impact: If passwords are distributed in printed format or by e-mail, the likelihood is greatly increased that the information will fall into the hands of intruders, who can intercept e-mail or regularly check the office printer for password lists.
Procedure: Initial system passwords should be created in a secure manner, for instance by using a random character generator. Users should be required to obtain their initial system password in person and instructed to destroy any written material which may contain their password. We have a clearly defined process for new user password creation and communication in our Account Management Policy and MSB Introduction. We need to either reference these two documents or write the appropriate guidelines.

3.2.3 Control Standard: Root passwords should be different for each machine.
Impact: Using the same root password on all machines can lead to compromise of all machines with the compromise of just one.
Procedure: The root password is set differently on each machine. The frequency with which they are changed should be irregular and unpredictable.

3.2.4 Control Standard: The root account does not allow for the separation of duties.
Impact: Separation of duties is basic to security controls. The root account is all-powerful; access to this account for a subset of privileges violates this concept.
Procedure: Utilize the Administrative Roles feature to achieve greater separation of duties and to reduce the number of personnel requiring root account access.

3.2.5 Control Standard: The shadow password file is used, with appropriate file permissions.
Impact: The standard UNIX password file is world readable, so that anyone logged into the system can read the file and attempt to crack the account passwords, including root. The shadow password file removes this threat by moving the password information to a separate file, readable only by root. If the shadow password file is accessible by other users, the value of the shadow file is lost.
Procedure: Password shadowing should be in use for every account on the system. No encrypted passwords should exist in the /etc/passwd file (null, * and ! only in the password field).


3.2.6 Control Standard: Ensure proper password maintenance.
Impact: Improperly maintained passwords can result in exploitation of the system and reduce user accountability.
Procedure: To scan for password inconsistencies, use:
/usr/bin/pwdck -n ALL
To scan for group inconsistencies, use:
/usr/bin/grpck -n ALL
• Both of these will report errors but will not fix them automatically. To have the errors fixed, change the "-n" to "-y" in both cases.

Review /etc/passwd, /etc/security/passwd and /etc/security/group regularly for changes.
3.3 System Configuration
Control Standard Impact Procedure
3.3.1 Control Standard: Only one root level account (UID = 0) is defined on the server.
Impact: Multiple root level accounts increase the risk that users have system access privileges not required for their job functions. In addition, intruders who target privileged accounts have multiple opportunities to gain root access. It also becomes more difficult to maintain an accurate audit trail when more than one root-level user exists on the system.
Procedure: Only one account with UID=0 exists on the system.

Administrators are required to log into their own unprivileged accounts and su to root. No direct logins to the system as root are allowed.

Administrators are to never su to root from a user's session without resetting the path variable or entering the full path for each command.
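As an added example (not from the work program), the following shell function applies the two file-level checks from 3.2.5 and 3.3.1 to a passwd file: any password field other than empty, * or ! means a hash is sitting in /etc/passwd instead of /etc/security/passwd, and any UID 0 entry other than root is a second superuser. The function name and the sample entries used to exercise it are the example's own; the path is a parameter so the check can be run on a copy of the file.

```shell
#!/bin/sh
# Added example (not part of the original work program): audit a passwd
# file for the conditions in 3.2.5 (no password hashes in /etc/passwd)
# and 3.3.1 (exactly one UID 0 account, and it is root).
# Usage: audit_passwd /etc/passwd

# audit_passwd FILE: one line per finding on stdout; returns 1 if any.
audit_passwd() {
    awk -F: '
        # skip blank lines
        NF < 3 { next }
        # 3.2.5: only "", "*" or "!" may appear in the password field;
        # anything else is a hash that belongs in /etc/security/passwd
        $2 != "" && $2 != "*" && $2 != "!" {
            printf "%s: password hash present in passwd file (should be in /etc/security/passwd)\n", $1
            bad = 1
        }
        # 3.3.1: count UID 0 accounts and name any that are not root
        $3 == 0 {
            uid0++
            if ($1 != "root") {
                printf "%s: UID 0 account other than root\n", $1
                bad = 1
            }
        }
        END {
            if (uid0 == 0) { print "no UID 0 account found"; bad = 1 }
            if (uid0 > 1)  { printf "%d UID 0 accounts, expected 1\n", uid0 }
            exit bad
        }' "$1"
}
```

The awk program is the whole check, so it also runs unchanged on an AIX host where only the base utilities are available.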
4 System Access Controls
4.1 User Accounts
Control Standard Impact Procedure


4.1.1 Control Standard: Employee accounts are removed in a timely manner after separation from employment.
Impact: Unnecessary accounts or accounts with unnecessary privileges create additional access paths for intruders.
Procedure: Business processes should be in place which ensure that all organizational accounts are created, updated and deleted in a timely manner.

Often, and particularly in large organizations, software to support the above processes must be acquired.
4.1.2 Control Standard: End users are not provided command line (shell) access to the UNIX operating system unless necessary for their job functions.
Impact: Access to the command line via a shell (the command line interpreter) increases the risk that the user can access unauthorized resources, as well as the risk to the system if an account is compromised.
Procedure: The following methods, in order of effectiveness, represent best practices:

1) Replace the shell located in the last field of the password file (see cat /etc/passwd) with a menu program,

2) Use the chroot command to prevent users from accessing unauthorized files,

3) Give users a restricted shell with no access to cd, rm, cat, and other sensitive commands (historical implementations of restricted shells have often been found to be ineffective).

Note that restricting the shell is ineffective unless the rshd daemon is disabled on the server.
4.1.3 Control Standard: User configurable environment files should only be changeable by the user or root.
Impact: Only the user should have write access to these files and no other users need to be able to see them.
Procedure: Group and world require no access privileges to the following files:
$HOME/.profile
$HOME/.cshrc
$HOME/.Xdefaults


4.1.4 Control Standard: The umask is set to control access to newly created files. Only the owner of a file has default permissions to read, write and execute the newly created file.
Impact: Files and directories are created with a default set of permissions; these default permissions are controlled by the umask (user mask) system variable. Often, the default permissions are far in excess of what is needed for job functions, such as default world read and write privileges, creating opportunities for access to sensitive files or compromise of other accounts including root.
Procedure: The umask setting should be one of:

077 - Most restrictive, but may hinder some collaborative efforts. Only the user has any access to the files he/she creates.

027 - Somewhat less restrictive. Allows others in the user's group to read files created by the user.

022 - Less restrictive. Allows any user to read files created by the user.

The umask value must be set in the system file /etc/default/login.

User umasks are set in the /etc/profile file (for Bourne and Korn shell users) and in the .login or .cshrc files in the user's home directory.

For files deemed sensitive or confidential, use ACLs to further refine file access permissions.
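An added example (not the work program's own procedure) that turns 4.1.3 and 4.1.4 into checks: check_env_files reports start-up files in a home directory that grant any group or world access or are owned by someone other than the user or root, and umask_ok tests whether a umask value is at least as restrictive as 027. It parses ls -l output because AIX has no stat(1). The function names, the .login entry (taken from the list of files in 4.1.4) and the constructed home directory used to exercise it are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original work program): check the
# permissions of a user's shell start-up files (4.1.3) and judge a
# umask value against the 027 baseline (4.1.4).
# Usage: check_env_files /home/alice alice ; umask_ok 027

# perm_string FILE: the nine permission characters (e.g. rw-r--r--),
# taken from ls so it also works on AIX, which has no stat(1).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# check_env_files HOME USER: report start-up files with any group or
# world bits set, or owned by someone other than USER or root.
# Returns 0 when every file that exists complies, 1 otherwise.
check_env_files() {
    home=$1; user=$2; rc=0
    for f in .profile .cshrc .login .Xdefaults; do
        p="$home/$f"
        [ -f "$p" ] || continue
        owner=$(ls -ld "$p" | awk '{ print $3 }')
        mode=$(perm_string "$p")
        gw=$(printf '%s' "$mode" | cut -c4-9)   # group and world bits
        case $gw in
            ------) ;;
            *) echo "$p: group/world access ($mode)"; rc=1 ;;
        esac
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "$p: owned by $owner, expected $user"; rc=1
        fi
    done
    return $rc
}

# umask_ok UMASK: true if UMASK is at least as restrictive as 027, i.e.
# it clears group write and every world bit. 077 and 027 pass, 022 fails.
umask_ok() {
    m=$(printf '%03o' "0$1")          # normalise 27, 027 or 0027 to 027
    g=$(printf '%s' "$m" | cut -c2)   # group digit
    o=$(printf '%s' "$m" | cut -c3)   # world digit
    [ "$((g & 2))" -eq 2 ] && [ "$o" -eq 7 ]
}
```

Looping check_env_files over every home directory listed in /etc/passwd gives the per-user view the control asks for; umask_ok can be fed the value from a user's .profile or from the umask attribute of the default stanza in /etc/security/user.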

4.2 System Configuration


Control Standard Impact Procedure


4.2.1 Control Standard: Any 'r' services such as rlogin, rsh, rexec and .rhosts files are disabled.
Impact: By using .rhosts authentication on a server, a user can permit specified users on specified machines to log in to the server without entering a password. Thus, individual users can set security policy (without the system administrator's knowledge), potentially leading to loss of critical resources within that account, and potentially compromising the entire host.
Procedure: Run the securetcpip command to disable the 'r' commands and daemons.

A cron job should be established to periodically check for, and remove, all 'r' commands such as rlogin, rsh, rexec, rcp and .rhosts files. This can be accomplished manually by issuing the following command:

find / \( -name .rhosts -o -name .netrc \) -print

Remove any 'r' files that are not required (rm <filename>).

If 'r' files are required, utilize a utility such as Tripwire to verify that the files are not modified.

Where .rhosts files are permitted, they should be limited to those users with a need for UNIX r-services. This can be accomplished on a per-user basis by setting the 'rlogin=false' attribute in /etc/security/user.

.rhosts files may be effectively monitored by including them in the AIX Trusted Computing Base.
4.2.2 Control Standard: All user shells are listed in the /etc/shells file.
Impact: The program chsh uses /etc/shells to determine which files are valid shells when the user wishes to change their shell. A user may be able to use any file as a shell if /etc/shells does not exist.
Procedure: The /etc/shells file exists and contains the names of a small number of valid shells.


4.2.3 Control Standard: Data files are given only the minimum access permissions necessary for operation.
Impact: World writeable data files can be changed by anyone having any access to the system. Even without malicious intent, an inexperienced user may accidentally make critical changes to sensitive data files, or inadvertently allow an intruder to gain unauthorized access.
Procedure: Obtain a list of world readable and writeable files and directories by:

find / \( -perm -0004 -o -perm -0002 \) -print >> kpmg.txt

This command will search the file system for world readable and writeable files and send the contents to a local text file called "kpmg.txt".

Note: exact command syntax may vary from system to system. Consult the system's man page. Also, this file may have already been created in a previous review step.

Review the list for appropriateness.

Change file permissions as necessary using chmod.


4.2.4 Control Standard: UNIX executables (e.g. /bin/sh and /usr/sbin/netstat), shell scripts (e.g. the /etc/rc scripts) and configuration files (e.g. /etc/inittab, /etc/inetd.conf, .profile and .login) are given only the minimum privileges necessary for operation.
Impact: World writeable binaries and shell scripts can be changed or replaced with command files to give the intruder further access, or to damage the system (a.k.a. a "Trojan horse"). In any event, inexperienced users may accidentally damage the system or introduce hard-to-trace faults by altering critical files.
Procedure: Executables and shell scripts generally should not be world writeable, e.g., those in /bin, /usr/sbin, /dev (although some devices may need to be world writeable), /etc, /etc/conf, /etc/default, /etc/init.d, /etc/log, /lib, /root, /shlib. Some key system files which should not be world writeable include /etc/passwd, /etc/group, /etc/profile, /etc/vfstab (default boot parameters), /etc/default/fs and /etc/dfs/fstypes (file system types), /etc/inittab, /sbin/init and /etc/bootrc (boot script).

Tools such as Tripwire ensure that system executables have not been tampered with.

Alternatively, the AIX Trusted Computing Base (TCB) should be expanded to include the system executables.
4.3 Password Composition & Management
Control Standard Impact Procedure
4.3.1 Control Standard: Account names and passwords are not embedded in scripts, files or applications.
Impact: If account names and passwords are embedded in login scripts, files or applications, anyone with read access to the scripts, files or applications (e.g. using the strings command) could extract the username and password, and gain unauthorized access to the system.
Procedure: Account names and passwords should not be embedded in executables or text files, including .netrc files.
4.4 Physical Access
Control Standard Impact Procedure


4.4.1 Control Standard: A server key lock facility is used (if available), and the key is removed and stored in a secure location.
Impact: Key lock facilities can prevent illicit or unauthorized use of the system.
Procedure: Policies should be developed, implemented and effectively communicated concerning the procedures for the proper use of the key lock facility.

A key lock facility is used (if available) to prevent unauthorized use or removal of a system. The key is removed and stored in a secure location.

4.4.2 Control Standard: The server console is physically secured within a locked facility.
Impact: With physical access to the server console, all system security can be bypassed. It may be possible for unauthorized persons to obtain confidential data located on the server, or even reboot and take control over the server giving them instant root access without a password.
Procedure: Develop and implement procedures to control physical access to the system.

- Servers should be located in locked rooms with physical access restricted to authorized personnel.

- Key or card access to these rooms should be limited to those who have a job requirement to enter the room frequently.

- Visitors and vendors should be escorted at all times.

- Closed-circuit surveillance of the server room entrance should be considered.

4.4.3 Control Standard: The system key lock is in the secure position.
Impact: Without this preventive measure, anyone with physical access to the server could cause it to reboot off of any tape, diskette, CD-ROM or hard drive, potentially allowing access to all information stored on the server.
Procedure: Ensure that the system key lock is in the secure position and that the key is removed and securely stored.


4.4.4 Control Standard: The server's physical surroundings are designed for the safety and availability of the system, including cleanliness (lack of dust), appropriate and stable temperature and humidity, and neat and controlled cabling.
Impact: If a computer is not stored in a clean, cool environment, it may be subject to more breakdowns and loss of data.
Procedure: Rooms containing critical servers should be climate-controlled. If conditions are inappropriate, take steps to correct.


5 Resource Access Controls


5.1 System Configuration
Control Standard Impact Procedure


5.1.1 Control Standard: Access to the crontab command is limited. Best practices call for only the root user to have access.
Impact: The crontab command submits, edits, lists, or removes cron jobs. A cron job is a command run by the cron daemon at regularly scheduled intervals. The crontab program is owned by root and run with the SUID bit set. By default, everyone on the system can use the crontab command.
Procedure: Review (using cat) the files cron.allow and cron.deny, which control access to crontab. The files must be owned by root and members of the sys group, with permissions mode 640. Under AIX, the crontab access files are /etc/cron.d/cron.allow and cron.deny. The cron.allow file is checked by the system first. This file must include all of the login names (one name per line) of users allowed to use the crontab command. The root user's login name (root) must be listed in the cron.allow file. The cron.deny file must be used to list the login names of users who are not allowed to use crontab. If neither the cron.deny nor the cron.allow file exists, only the superuser can submit a job with the crontab command.

To allow root only, remove the two files:
/var/adm/cron/cron.deny
&
/var/adm/cron/cron.allow

Where necessary, add appropriate entries to the cron.allow and cron.deny files.

To explicitly allow a user to use crontab:
• touch cron.allow
• put the userid in it

To explicitly deny a user:
• touch cron.deny
• put the userid in it
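An added example, not from the work program: the following shell functions encode the cron.allow / cron.deny rules described above so that the effective answer for a given login name can be checked, and verify that the access files carry the required root:sys ownership and mode 640. The directory holding the files is a parameter because the page names both /etc/cron.d and /var/adm/cron; the function names and the constructed test files are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original work program): evaluate
# crontab access for a login name under the cron.allow / cron.deny rules
# from 5.1.1, and check the access files' ownership and mode.
# Usage: crontab_allowed alice /var/adm/cron ; cron_files_ok /var/adm/cron

# listed NAME FILE: true if NAME appears as a whole line in FILE.
listed() {
    grep -qx "$1" "$2" 2>/dev/null
}

# crontab_allowed USER DIR: prints "allowed: ..." or "denied: ..." with
# the reason and returns 0 (allowed) or 1 (denied).
crontab_allowed() {
    user=$1; dir=$2
    if [ -f "$dir/cron.allow" ]; then
        # cron.allow is consulted first; only the names in it may use crontab
        if listed "$user" "$dir/cron.allow"; then
            echo "allowed: $user is listed in cron.allow"; return 0
        fi
        echo "denied: cron.allow exists and does not list $user"; return 1
    fi
    if [ -f "$dir/cron.deny" ]; then
        # no cron.allow: everyone except the names in cron.deny
        if listed "$user" "$dir/cron.deny"; then
            echo "denied: $user is listed in cron.deny"; return 1
        fi
        echo "allowed: no cron.allow and $user is not in cron.deny"; return 0
    fi
    # neither file exists: only the superuser may submit jobs
    if [ "$user" = root ]; then
        echo "allowed: no access files, superuser only"; return 0
    fi
    echo "denied: no access files, only root may use crontab"; return 1
}

# cron_files_ok DIR: each access file that exists must be owned by
# root:sys with mode 640. Prints findings, returns 1 if any.
cron_files_ok() {
    rc=0
    for f in "$1/cron.allow" "$1/cron.deny"; do
        [ -f "$f" ] || continue
        set -- $(ls -ld "$f")      # mode links owner group size date name
        mode=$1; owner=$3; group=$4
        case $mode in
            -rw-r-----*) ;;        # 640; a trailing ACL marker is tolerated
            *) echo "$f: mode is $mode, expected -rw-r-----"; rc=1 ;;
        esac
        if [ "$owner" != root ] || [ "$group" != sys ]; then
            echo "$f: owned by $owner:$group, expected root:sys"; rc=1
        fi
    done
    return $rc
}
```

Running crontab_allowed for every name in /etc/passwd gives the full picture of who can schedule jobs, which is usually easier to review than the two files side by side.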

5.1.2 Control Standard: Idle/inactive terminals are automatically locked or logged out after a period of inactivity.
Impact: If accounts are not logged out (e.g. if the user doesn't log out at lunchtime or the end of the work day) someone with physical access to a terminal can gain access to sensitive information or install backdoors allowing later access to the account.
Procedure: Idle or inactive terminals should be automatically logged out after 5-20 minutes of inactivity, depending on business needs and work patterns (TMOUT variable for the Korn shell, TIMEOUT for the Bourne shell).


6 Privileges
6.1 User Accounts
Control Standard Impact Procedure
6.1.1 Control Standard: Membership in privileged groups is limited to users with a business necessity for such access.
Impact: Accounts listed in privileged groups, such as GID=0, have access to group writeable files created and owned by the root user. Allowing unauthorized users to have a GID=0 increases the risk that sensitive system configuration files will be changed or deleted.
Procedure: Only necessary and authorized users belong to privileged groups. Membership in privileged groups should be limited to users with a business need for the access. Of particular concern on AIX are the admin, adms and audit groups, whose membership should be tightly controlled. For the predefined AIX groups, users should be added to the staff group only, or to locally created groups.

6.1.2 Control Standard: Regularly examine group definitions.
Impact: A common exploit is for an attacker to modify group permissions and privileges so that their activities are possibly less noticeable to the system administrator.
Procedure: To examine user group definitions, use:
/usr/sbin/lsgroup -fa id users ALL

6.1.3 Control Standard: Regularly examine user information.
Impact: A common exploit is for an attacker to modify group memberships for cracked accounts so that their activities are possibly less noticeable to the system administrator.
Procedure: To examine user information, use (single command):
/usr/sbin/lsuser -fa id groups home auditclasses login su rlogin telnet ttys ALL


6.1.4 Control Standard: SUID and SGID programs are used only when no other reasonable, more secure means exists for the function. Where such programs are necessary, they are implemented in a secure manner, including limiting access to such programs using group permissions.
Impact: If the SUID bit is set in the file permissions, the program executes with the permissions of the owner of the program in addition to the user executing it. For example, ps, the process status program, is SUID to root because it needs to read from system memory, something normal users are not allowed to do. The SGID bit behaves in exactly the same way as the SUID bit, except that the program operates with the permission of the group associated with the file. A vulnerability in a SUID root program, for example, can lead to a root-level compromise of the system. Accordingly, world writable SUID programs are especially dangerous.
Procedure: Where SUID or SGID programs are necessary, restrict access to SUID and SGID programs by creating a group especially for that program. This group should have execute permissions, while 'world' should not have access to the program. The permission bits on such a program would look like:
r-sr-x--- 1 root print 9872 Dec 28 17:44 print_cleaner

SUID programs should NOT be shell scripts, but should be compiled from C or a similar language.
6.1.5 Control Standard: Disable direct logins for root.
Impact: Allowing someone to log in directly as root is dangerous because it removes a layer of authentication and it may be more prone to a sniffing attack to capture the password.
Procedure: Set 'User can LOGIN REMOTELY? = false' in the SMIT CHANGE/SHOW User Characteristics screen.


6.2 System Configuration


Control Standard Impact Procedure
6.2.1 Control Standard: If the system contains particularly sensitive data, or if strong controls on privileged access are otherwise required, software controls exist to manage and limit root access.
Impact: Root access gives complete control over the system, including the power to crash the system or erase all data. While AIX is not equipped by default with exceptionally strong controls on root activity, such controls are available where necessary, in the form of free software such as sudo and larger packages such as SeOS, CA or Tivoli Security Management. These packages allow you to restrict which commands root can run, and to log the activity of root users.
Procedure: Utilize the Administrative Roles feature to achieve greater separation of duties and to reduce the number of personnel requiring root account access.

Use a third-party facility to further partition root functionality, if required. For example, "sudo-root" accounts can be set up and used by system operators to do system backups without providing full root functionality.

For sensitive data files, use ACLs to implement refined access controls.

If sudo is not in use, inquire about the appropriateness of using sudo.

Keep root users to a minimum.

To see which userids each user can use with su, use:
lsuser -f ALL


7 Accountability
7.1 Intrusion Detection
Control Standard Impact Procedure
7.1.1 Control Standard: A regular program of logging and monitoring is in place.
Impact: Logging and monitoring is often ignored or under-utilized by system administrators, as it is often given a low priority by both IS and other departments. However, it is the only way to ensure the effectiveness of security measures, provide the opportunity to react to security breaches, and collect evidence of potential intrusions.
Procedure: A program of logging and monitoring is in place which includes real-time monitoring and notification of potential intrusions.

7.1.2 Control Standard: Log files are not world writeable.
Impact: Log files provide the system audit trail and must be properly protected from unauthorized modification.
Procedure: Log files, including syslog and messages, should not be writable by users other than root. Change permissions using the command
chmod go-w syslog

7.1.3 Control Standard: The loginlog is not world writeable.
Impact: If the loginlog is world writeable, an intruder may delete records of their attempts to gain access, decreasing the likelihood that their activities will be discovered.
Procedure: The loginlog should not be writable by any user other than root.

Change permissions using the command
chmod go-w loginlog
7.2 System Configuration
Control Standard Impact Procedure
7.2.1 Control Standard: The "sticky bit" is set on all world-writeable public directories.
Impact: If the sticky bit is not set on a world-writable directory, files in that directory may be renamed or removed by users other than the owner of the directory or file. Some applications create temporary files in public directories; if the sticky bit is not set, an intruder might be able to overwrite the temporary files and compromise the application.
Procedure: The sticky bit should be set on all public directories which are normally world-writable, such as /tmp, /usr/tmp (/var/tmp) and /usr/spool/uucppublic. Set the sticky bit using chmod +t <name>.
No sensitive or confidential information should be written to files in these directories, since any user can read them.
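As an added example (not the work program's own command), the following shell functions combine the world-writable search from 4.2.3 with the sticky-bit check above: audit_world_writable lists world-writable files and world-writable directories that lack the sticky bit, and world_writable_fix_plan turns that list into the chmod +t and chmod o-w commands for review. Nothing is changed unless the printed commands are run. The root directory is a parameter (use / on the audited host, or the subtree under review); the function names and the constructed test tree are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original work program): find
# world-writable files (4.2.3) and world-writable directories without the
# sticky bit (7.2.1) under ROOT, and print the remediation as commands.
# Usage: audit_world_writable / ; world_writable_fix_plan /var

# audit_world_writable ROOT: prints "DIR path" and "FILE path" lines;
# returns 1 if anything was found, 0 if the tree is clean.
audit_world_writable() {
    found=$(
        # directories anyone can write to but that lack the sticky bit (01000)
        find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null |
            sed 's/^/DIR /'
        # world-writable regular files
        find "$1" -type f -perm -0002 -print 2>/dev/null |
            sed 's/^/FILE /'
    )
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# world_writable_fix_plan ROOT: the corrective chmod commands, one per
# finding, for review before they are executed. Public directories keep
# their world write bit and gain the sticky bit; files lose world write.
world_writable_fix_plan() {
    audit_world_writable "$1" | awk '
        $1 == "DIR"  { sub(/^DIR /, "");  printf "chmod +t \"%s\"\n", $0 }
        $1 == "FILE" { sub(/^FILE /, ""); printf "chmod o-w \"%s\"\n", $0 }'
}
```

Directories such as /tmp are expected to be world-writable, so the plan adds the sticky bit rather than removing write access; a directory that should not be public at all still needs a reviewer's decision, which is why the commands are printed rather than run.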
7.3 Logging & Monitoring
Control Standard Impact Procedure

8 Remote Access Management


8.1 User Accounts
Control Standard Impact Procedure
8.1.1 Control Standard: Root login is restricted to the console.
Impact: If root login is not restricted to the console, then the list of intruders who may attempt to directly gain root access increases from only those with physical access to the system to (potentially) anyone in the world. Users may still log in to an unprivileged account and su to root.
Procedure: Remote logins as root are not permitted.

8.1.2 Control Standard: .netrc files are implemented securely.
Impact: .netrc files can be a source of security risk because of the authentication information they contain. The $HOME/.netrc file is used by the ftp and rexec commands to allow automatic login to remote hosts without specifying passwords, and contains a list of host names, login names, unencrypted passwords and other information to use at the remote hosts. This gives anyone with read access to the .netrc file (root on the local host) the IDs and passwords of remote systems.
Procedure: Forbid the use of .netrc files unless they are absolutely necessary (e.g. the risk of disseminating remote passwords is acceptable).

To prevent the use of .netrc files, adhere to the following standards:

1. They should not contain passwords,
2. They should be 0 bytes, and
3. They should be owned by root.
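The following shell function is an added example, not part of the work program: it runs the find from 4.2.1 over a directory tree and applies the three .netrc standards above to every .netrc it encounters (no password entry, zero length, owned by root), while reporting each .rhosts for removal. The tree root is a parameter (use / on the audited host, or the home directories); the function name and the constructed test files are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original work program): locate .rhosts
# and .netrc files under ROOT (the find from 4.2.1) and check each .netrc
# against the three standards in 8.1.2. Usage: audit_rfiles /home

# audit_rfiles ROOT: one line per finding on stdout; returns 1 if any.
audit_rfiles() {
    findings=$(
        find "$1" \( -name .rhosts -o -name .netrc \) -print 2>/dev/null |
        while IFS= read -r f; do
            case $f in
            */.rhosts)
                # 4.2.1: .rhosts grants password-less login; remove unless required
                echo "$f: .rhosts present, remove unless r-services are required"
                ;;
            */.netrc)
                owner=$(ls -ld "$f" | awk '{ print $3 }')
                size=$(wc -c < "$f" | tr -d ' ')
                if [ "$owner" != root ]; then
                    echo "$f: owned by $owner, should be owned by root"
                fi
                if [ "$size" -ne 0 ]; then
                    echo "$f: $size bytes, should be 0 bytes"
                fi
                # the ftp .netrc keyword for a stored password is "password"
                if grep -qi 'password' "$f" 2>/dev/null; then
                    echo "$f: contains a password entry"
                fi
                ;;
            esac
        done
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}
```

Scheduled from cron, as 4.2.1 suggests, the function's output is the list a reviewer compares against the users with an approved need for r-services; an empty result (return 0) is the expected state.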
8.1.3 Control Standard: Users such as root, as well as various system accounts, are not allowed to use FTP.
Impact: Use of FTP access through the root account allows an additional remote path to supervisor level access by an intruder. Allowing FTP from system accounts (such as bin, smtp and sys) which normally would not require FTP also creates additional paths into the system without providing an offsetting business benefit.
Procedure: Using a text editor, edit the file /etc/ftpusers. To disable ftp access for a particular account, add the name of the account to the file.
8.2 NFS
Control Standard Impact Procedure


8.2.1 Control Standard: Use NFS only when necessary. Check regularly for unauthorized NFS activation and use.
Impact: The NFS service allows users to mount a system's filesystems remotely. This service is a common way to exploit a system and gain access to private information.
Procedure: To check current NFS status use:
lssrc -g nfs

To check if NFS is installed, use:
lslpp -l | /bin/grep nfs

To check if NFS is active, use:
lssrc -g nfs | /bin/grep active

To display which directories are exported, use:
cat /etc/xtab

To display which hosts are exporting directories, use:
/usr/bin/showmount

If the host is a client, to show what's mounted from remote systems, use:
mount | grep -v "^ "


8.2.2
Control Standard: File systems are not mounted writeable, absent a compelling business justification. Executables are mounted read only, if at all.
Impact: The default configuration of NFS is to grant all hosts full access (read, write and execute) to a mounted file system. Thus there is a high chance of allowing access to unauthorized individuals. Unauthenticated access to server executables can lead to numerous security vulnerabilities due to flaws in the mounted programs. Program coding mistakes which can become security exploits exist (whether publicly known or not) in as many as 50% of programs.
Procedure: The access control options, and recommended settings, for the /etc/exports and /etc/dfs/dfstab files are:
    -ro=host,host - Exports the directory read-only. If this option is not specified, the directory is exported with read-write permission.
    -access=host,host - Restricts access to only the named hosts or netgroup name. If no -access option is specified, all hosts will have access. The default value allows any machine to mount the directory.
    -rw=host,host - Exports the directory read-write. This mode of exporting inherently lowers directory security and must be implemented with caution.
    -root=host,host - Allows superuser access from the named hosts. If NFS root access is not enabled for a remote NFS client, the root UID of the server is mapped to a default UID of -2 or 60001 (the nobody account). This restricts access against the superuser UID on a remote machine. Exports specifying root access are inherently less secure and must be implemented with caution. The default is for no hosts to be granted root access.
    -secure - Requires NFS clients to use a more secure protocol when accessing the directory.
Export only to fully-qualified host names to prevent spoofing. Revise where inappropriate. Use ACLs to implement refined access controls.

8.2.3
Control Standard: NFS exported file systems are protected with access lists.
Impact: Entering a directory or filesystem in the /etc/exports file without specifying an access list allows any host to mount the directory.
Procedure: NFS should be configured to allow for the minimum access necessary. The number of servers allowed to mount an exported file system should be reduced to the minimum necessary. If the /etc/exports file does not specify a list of hosts for each exported file system, then NFS is insecurely configured. Additionally, do not use the 'root=' option unless absolutely necessary.
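As an added example (not part of the KPMG workpaper), the following shell function audits an /etc/exports file against 8.2.2 and 8.2.3: it reports exports with no access list, exports that are read-write, and exports that grant root access. The sample exports file, its directories and its hostnames are constructed.

```shell
#!/bin/sh
# Added example, not from the KPMG workpaper: audit an /etc/exports file against
# controls 8.2.2 and 8.2.3. Each export line is "<dir> -opt,opt,..."; the spelling
# "-ro=host -access=host" used in the workpaper is accepted as well.
# A finding is printed when an export has no access= list (any host may mount it),
# is read-write (no ro, or an explicit rw=), or grants superuser access (root=).

audit_exports() {
    # drop comments and blank lines, then examine each export in turn
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r dir opts; do
        # normalise " -opt" and the leading "-" so every option is comma-delimited
        opts=$(printf '%s' "$opts" | sed 's/ -/,/g; s/^-//')
        case ",$opts," in
            *,access=*) ;;
            *) echo "$dir: no access= list, any host may mount it" ;;
        esac
        case ",$opts," in
            *,rw=*|*,rw,*) echo "$dir: rw= grants read-write access" ;;
            *,ro,*|*,ro=*) ;;
            *) echo "$dir: exported read-write (no ro option)" ;;
        esac
        case ",$opts," in
            *,root=*) echo "$dir: root= grants superuser access to listed hosts" ;;
        esac
    done
}

# number of findings for an exports file, the figure an auditor would record
exports_findings() { audit_exports "$1" | wc -l | tr -d ' '; }

# constructed sample exports file; only /export/bin satisfies both controls
SAMPLE_EXPORTS="${TMPDIR:-/tmp}/exports.sample.$$"
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample, not from a real host
/export/bin     -ro=build1:build2,access=build1:build2
/export/data    -access=app1:app2
/export/scratch
/export/sys     -rw=admin1,root=admin1
EOF

audit_exports "$SAMPLE_EXPORTS"
```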
8.2.4
Control Standard: NFS mounted files and directories are configured with appropriately secure file permissions.
Impact: If individual file permissions in NFS mounted shares are not configured for security, the likelihood that unauthorized users will have access to sensitive information increases.
Procedure: Files and directories on the server should be protected by setting their owner to root and their protection mode to 755 (in the case of programs and directories) or 644 (in the case of data files).
8.3 System Configuration
Control Standard Impact Procedure

8.3.1
Control Standard: Network services, including login, telnet, FTP, and HTTP, do not display system identifying banners prior to authentication. Instead, a warning message against unauthorized use is displayed.
Impact: Servers often display sensitive information by default, such as the hostname, the OS version, and the server software version, e.g. ftp.clienthost.com, AIX4.3.3, wuftp version2.14(b9). An intruder could then attempt to exploit known vulnerabilities in these software types (available from public Internet databases). Legitimate users generally do not need to know such information. A warning message may also be necessary for subsequent prosecution of offenders.
Procedure: Instead of banners that identify system type and other sensitive information, network services display generic warning banners.
The first thing to do when reducing the footprint of a Unix box is to remove any and all "announcements" sent out to the world. When someone telnets to a box running Unix, they are greeted with the response:
    $ telnet 10.16.17.205
    Trying 10.16.17.205...
    Connected to 10.16.17.205.
    Escape character is '^]'.
    AIXOS 4.3
    login:
This is a simple, quick, and effective way to find out what OS is running on that system. To close this information leak, the file /etc/default/telnetd should be created with the following line in it:
    BANNER=""
This effectively eliminates the AIXOS 4.3 banner from telnet.
    $ telnet 10.16.17.205
    Trying 10.16.17.205...
    Connected to 10.16.17.205.
    Escape character is '^]'.
    login:
Similarly, in the file /etc/default/ftpd, the same BANNER="" setting removes the AIXOS 4.3 id tag from the ftpd prompt:
8.3.2
Control Standard: Only necessary network services are enabled. Where necessary, services are only implemented in a secure manner, including IP filtering, TCP Wrapper, and installation with the latest software patches.
Impact: Unintended network access can be granted by computers that have more services enabled than are necessary. UNIX systems often are configured "out of the box" with numerous network services that are often unneeded, such as the Berkeley R commands (rshell, rexec and rlogin) and obsolete network testing services such as echo, discard and chargen. After installation, system administrators will often install unnecessary services, because they, or their managers, underestimate the security concerns involved. If a service is not enabled, it cannot be used to break in to the system.
Procedure: Remove all unnecessary services by commenting them out of the inetd.conf file (restarting the inetd process is required at this point: kill -HUP <pid>) or out of the appropriate boot script, as necessary (by placing a comment mark (#) at the beginning of the lines describing the service).
To verify inet services running use:
    netserv -s -S -X
8.3.3
Control Standard: Rlogin and rshell are used only if an approved business justification exists.
Impact: Rlogin and rsh provide remote virtual terminal and remote execution services similar to Telnet and rexec. However:
    a. rlogind and rshd do not require that the user type his login name; the login name is automatically transmitted at the start of the connection.
    b. If the connection comes from a trusted host (via hosts.equiv) or trusted user (via .rhosts), rlogind and rshd will accept the connection without requiring a password.
Procedure: The use of rshd and rlogind is not allowed unless a viable business justification exists. Employ secure methods for remote shells and remote logins that include advanced authentication and encryption (e.g., Secure Shell - SSH).

8.3.4
Control Standard: Tftpd is disabled except on servers which act as a boot host. On these servers, tftp is configured securely.
Impact: The Trivial File Transfer Protocol (TFTP) is used to allow users to retrieve files without requiring an account on the remote system. TFTP is an unauthenticated file transfer service. It is commonly used for booting diskless workstations and downloading server code or fonts for X-terminals over the network. Many implementations of TFTP have security problems. In particular, unrestricted TFTP access allows remote intruders to retrieve a copy of any world-readable file without authentication, such as /etc/passwd.
Procedure: If TFTP is required, restrict access to server files so that sensitive files cannot be retrieved remotely via tftp.
8.3.5
Control Standard: The finger daemon is only used if an approved business justification exists, and then only in a secure manner.
Impact: The Finger daemon service allows a remote user to obtain information about local users, such as their user name, full name, home directory, last login time, and in some cases when she last received and/or read her mail. The fingerd program allows users (and intruders) on remote hosts to obtain this information.
Procedure: If the finger service is necessary, a newer version should be run which requires that a user name be provided along with any request. This keeps arbitrary outsiders from obtaining a complete list of users logged in to the server.
8.3.6
Control Standard: The FTP daemon is only used if an approved business justification exists.
Impact: The File Transfer Protocol (FTP) allows users to connect to remote systems and transfer files. FTP may be used in either authenticated (where a plaintext username and password are required) or anonymous (no username or password required) mode, depending on system configuration. In either case, FTP allows remote access to the server's files, without secure authentication. FTP is an issue both because it allows remote users access to the file system and because legitimate users have been known to unwittingly store sensitive corporate information on publicly available FTP sites.
Procedure: If FTP is required, it should be enabled with the following standard:
    1. Only the latest release (including patches) should be used, as various FTP servers have security bugs that allow intruders to break into the system,
    2. Anonymous FTP is not allowed, and
    3. The /etc/ftpusers file is utilized to restrict login from defined accounts.
8.3.7
Control Standard: The remote printer daemon is securely configured.
Impact: The /etc/hosts.lpd file is used to specify the remote hosts that are allowed to communicate with the lpd printer daemon and access local printer queues. An improper configuration can lead to unauthorized root access.
Procedure: Edit the hosts.lpd file as necessary, using a text editor. Change file permissions using:
    chmod 640 /etc/hosts.lpd
8.3.8
Control Standard: The Rexec daemon is only used if an approved business justification exists.
Impact: Rexec (RPC remote program execution) allows users to execute commands on remote computers without prior authentication.
Procedure: The use of rexecd is not allowed unless a viable business justification exists. Employ secure methods for remote command execution that employ advanced authentication and encryption (e.g., Secure Shell - SSH).
8.3.9
Control Standard: The Telnet daemon is only used if an approved business justification exists.
Impact: Telnet provides remote virtual terminal service similar to that provided by a dial-up modem. Usernames and passwords are susceptible to sniffing, as they are transmitted in plaintext. On the other hand, even without a known username and password, telnet is susceptible to remote attack. Because it is significantly faster to connect with telnet than it is to call up with a modem, an attacker can try to guess more passwords in a given amount of time. Also, it is often easier (and less expensive) to call a computer anonymously on the Internet than over the phone lines.
Procedure: If telnet functionality is needed, the standard telnet server is replaced with a program which encrypts passwords, such as ssh. Limit access to those accounts with a business justification through the accounts' LOGIN REMOTELY fields.
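As an added example (not from the workpaper), the following shell audit of inetd.conf lists the enabled services and flags those that 8.3.2, 8.3.4, 8.3.5, 8.3.6, 8.3.8 and 8.3.9 expect to be disabled without a documented justification, and applies the comment-out remediation from 8.3.2. The inetd.conf contents are constructed.

```shell
#!/bin/sh
# Added example, not from the KPMG workpaper: list the services still enabled in an
# inetd.conf and flag those that controls 8.3.2, 8.3.4, 8.3.5, 8.3.6, 8.3.8 and 8.3.9
# say need a documented business justification. Each inetd.conf entry reads
#   service  socket  protocol  wait/nowait  user  server-program  arguments
# and a leading '#' disables the entry.

# print the name of every enabled service, one per line
enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{ print $1 }'
}

# print "service: reason" for each enabled service the workpaper wants off by default
flag_inetd_services() {
    enabled_services "$1" | while read -r svc; do
        case "$svc" in
            shell|login|exec)     echo "$svc: Berkeley r-command, password-less trust via hosts.equiv/.rhosts" ;;
            echo|discard|chargen) echo "$svc: obsolete network test service" ;;
            tftp)                 echo "$svc: unauthenticated file transfer" ;;
            finger)               echo "$svc: discloses local user information" ;;
            ftp|telnet)           echo "$svc: sends credentials in plaintext" ;;
        esac
    done
}

# number of flagged services, the figure an auditor would record
flagged_count() { flag_inetd_services "$1" | wc -l | tr -d ' '; }

# the remediation from 8.3.2: comment the entry out; inetd must then be told to
# re-read the file (kill -HUP <pid>, as the workpaper describes)
disable_inetd_service() {       # $1 = inetd.conf path, $2 = service name
    sed "s/^\($2[[:space:]]\)/#\1/" "$1" > "$1.new" && mv "$1.new" "$1"
}

# constructed sample inetd.conf, not taken from a real host
SAMPLE_INETD="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$SAMPLE_INETD" <<'EOF'
# constructed sample, not from a real host
ftp      stream  tcp6  nowait  root    /usr/sbin/ftpd      ftpd
telnet   stream  tcp6  nowait  root    /usr/sbin/telnetd   telnetd -a
#shell   stream  tcp6  nowait  root    /usr/sbin/rshd      rshd
login    stream  tcp6  nowait  root    /usr/sbin/rlogind   rlogind
exec     stream  tcp6  nowait  root    /usr/sbin/rexecd    rexecd
#echo    stream  tcp   nowait  root    internal
chargen  stream  tcp   nowait  root    internal
tftp     dgram   udp6  wait    nobody  /usr/sbin/tftpd     tftpd -n
finger   stream  tcp   nowait  nobody  /usr/sbin/fingerd   fingerd
ssh      stream  tcp   nowait  root    /usr/sbin/sshd      sshd -i
EOF

flag_inetd_services "$SAMPLE_INETD"
```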

8.3.10
Control Standard: UUCP is only used if necessary for an approved business purpose.
Impact: All versions of UNIX provide a rudimentary form of networking called UUCP, which allows files and electronic mail to be transferred, as well as remote command execution. Installation of the UUCP subsystem is not recommended: a) there is no pairing of a single individual with a UID on UUCP, b) many UUCP systems are configured with anonymous logins. Unless UUCP is carefully configured, sensitive information can be stolen and files can be sent to your system that can compromise security.
Procedure: UUCP can be disabled by changing the 'home directory' and 'shell' fields of the uucp passwd file entry to '/dev/null'. Disable UUCP-related commands such as uucp, uulog, uuname, uupick, uusend, uustat, uuto, uux, as well as commands in /usr/lib/uucp. (Note that the uuencode and uudecode commands should not be disabled, as they are used by other applications such as mail clients. However, make sure that uuencode is not SUID, or else the user could accidentally create SUID executables.)
8.3.11
Control Standard: X Windows is only used if necessary for an approved business purpose. If required, it is implemented in a secure manner, using secure shell to encrypt X traffic.
Impact: Not restricting access to workstation or server X Windows sessions allows other users or intruders on the intranet to perform keystroke logging, view X Window sessions and re-map the keyboard.
Procedure: If X windows is not needed, it should be disabled by editing the AIX rc startup files and commenting out the line which starts X windows. If X windows is needed, it may be configured to use an encrypting "tunnel" such as Secure Shell.
8.3.12
Control Standard: Direct modem access to servers is only used if necessary for an approved business purpose; if necessary it is implemented in a secure manner.
Impact: It is not uncommon for systems to be configured with insecure direct modem access, either "out of the box" or thereafter by non-security conscious administrators. Dial-up modems allow anyone who knows the correct telephone number to access the system and try to break in. For example, it is not uncommon for the modem to have no password, or a simple password such as "guest". Also, if improperly configured, modems may allow an attacker to call a system and obtain access to an already logged-in line that another user has unknowingly left behind.
Procedure: Several options are available for increasing modem security. If practical, dial-back modems should be used. Hardware tokens are a secure way of providing remote access, and should be used if at all possible.

8.3.13
Control Standard: hosts.equiv files are not used to establish trust relationships.
Impact: The file /etc/hosts.equiv is used to establish global, password-less trust relationships between remote systems and the server, similar to .rhosts files (the system actually checks hosts.equiv first, then .rhosts if no matches are found).
Procedure: /etc/hosts.equiv files are not used to establish trust relationships between hosts. No application should need unauthenticated access to another server. If such applications exist and are mission-critical, they should be configured to make narrow use of the .rhosts feature of AIX while alternative applications are investigated or developed internally.
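As an added example (not from the workpaper), the following shell audit checks the password-less trust files named in 8.3.3 and 8.3.13 (/etc/hosts.equiv and per-user .rhosts) together with the .netrc expectations from 8.1 (absent, or 0 bytes and owned by root). The directory tree, user names and file contents are constructed; on a live host the audit would be pointed at "/".

```shell
#!/bin/sh
# Added example, not from the KPMG workpaper: audit the password-less trust files
# covered by 8.3.3 and 8.3.13 (/etc/hosts.equiv, ~/.rhosts) and the .netrc
# expectations in 8.1 (absent, or 0 bytes and owned by root). The audit takes a
# tree root as its argument so a constructed tree can be checked offline.

# report a trust file that exists; a line beginning with "+" trusts any host
audit_trust_file() {            # $1 = file path, $2 = label used in findings
    [ -f "$1" ] || return 0
    echo "$2: $1 exists (password-less trust)"
    if grep -q '^[[:space:]]*+' "$1"; then
        echo "$2: $1 contains a '+' entry (wildcard host)"
    fi
}

# .netrc holds remote IDs and passwords: it should be absent, or 0 bytes and root's
audit_netrc() {
    [ -f "$1" ] || return 0
    [ -s "$1" ] && echo "netrc: $1 is not 0 bytes (may hold remote IDs and passwords)"
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$owner" = "root" ] || echo "netrc: $1 is owned by $owner, not root"
}

audit_trust() {                 # $1 = root of the tree to audit ("/" on a live host)
    audit_trust_file "$1/etc/hosts.equiv" "hosts.equiv"
    for home in "$1"/home/*; do
        [ -d "$home" ] || continue
        audit_trust_file "$home/.rhosts" "rhosts"
        audit_netrc "$home/.netrc"
    done
}

# constructed sample tree standing in for /etc and the home directories
SAMPLE_ROOT="${TMPDIR:-/tmp}/trust.sample.$$"
mkdir -p "$SAMPLE_ROOT/etc" "$SAMPLE_ROOT/home/alice" "$SAMPLE_ROOT/home/bob"
printf 'build1\n+\n' > "$SAMPLE_ROOT/etc/hosts.equiv"        # "+" trusts any host
printf 'build1 alice\n' > "$SAMPLE_ROOT/home/alice/.rhosts"
: > "$SAMPLE_ROOT/home/alice/.netrc"                         # empty: the permitted size
printf 'machine host1 login bob password CONSTRUCTED\n' > "$SAMPLE_ROOT/home/bob/.netrc"

audit_trust "$SAMPLE_ROOT"
```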
