Sunday, February 10, 2008

AIX Security Checklist

AIX Security Checklist

AIX Environment Procedures

The best way to approach this portion of the checklist is to do a comprehensive physical inventory of the servers. Serial numbers and physical location would be sufficient.

____Record server serial numbers
____Physical location of the servers

Next we want to gather a rather comprehensive list of both the AIX and pseries inventories. By running these next 4 scripts we can gather the information for analyze.

____Run these 4 scripts: sysinfo, tcpchk, nfsck and nethwchk. (See Appendix A for scripts)
____sysinfo:
____Determine active logical volume groups on the servers: lsvg -o
____List physical volumes in each volume group: lsvg –p "vgname"
____List logical volumes for each volume group: lsvg –l "vgname"
____List physical volumes information for each hard disk
____lspv hdiskx
____lspv –p hdiskx
____lspv –l hdiskx
____List server software inventory: lslpp -L
____List server software history: lslpp –h
____List all hardware attached to the server: lsdev –C | sort –d
____List system name, nodename, LAN network number, AIX release, AIX version and machine ID: uname –x
____List all system resources on the server: lssrc –a
____List inetd services: lssrc –t 'service name' –p 'process id'
____List all host entries on the servers: hostent -S
____Name all nameservers the servers have access to: namerslv –Is
____Show status of all configured interfaces on the server: netstat –i
____Show network addresses and routing tables: netstat –nr
____Show interface settings: ifconfig
____Check user and group system variables
____Check users: usrck –t ALL
____Check groups: grpck –t ALL
____Run tcbck to verify if it is enabled: tcbck
____Examine the AIX failed logins: who –s /etc/security/failedlogin
____Examine the AIX user log: who /var/adm/wtmp
____Examine the processes from users logged into the servers: who –p /var/adm/wtmp
____List all user attributes: lsuser ALL | sort –d
____List all group attributes: lsgroup ALL
____tcpchk:
____Confirm the tcp subsystem installed: lslpp –l | grep bos.net
____Determine if it is running: lssrc –g tcpip
____Search for .rhosts and .netrc files: find / -name .rhosts -print ; find / -name .netrc –print
____Checks for rsh functionality on host: cat /etc/hosts.equiv
____Checks for remote printing capability: cat /etc/hosts.lpd | grep v #
____nfschk:
____Verify NFS is installed: lslpp -L | bin/grep nfs
____Check NFS/NIS status: lssrc -g nfs | bin/grep active
____Checks to see if it is an NFS server and what directories are exported: cat /etc/xtab
____Show hosts that export NFS directories: showmount
____Show what directories are exported: showmount –e
____nethwchk
____Show network interfaces that are connected: lsdev –Cc if
____Display active connection on boot: odmget -q value=up CuAt | grep name|cut -c10-12
___Show all interface status: ifconfig ALL

Root level access

____Limit users who can su to another UID: lsuser –f ALL
____Audit the sulog: cat /var/adm/sulog
____Verify /etc/profile does not include current directory
____Lock down cron access
____To allow root only: rm –i /var/adm/cron/cron.deny and rm –I /var/adm/cron/cron.allow
____To allow all users: touch cron.allow (if file does not already exist)
____To allow a user access: touch /var/adm/cron/cron.allow then echo "UID">/var/adm/cron/cron.allow
____To deny a user access: touch /var/adm/cron/cron.deny then echo "UID">/var/adm/cron/cron.deny
____Disable direct herald root access: add rlogin=false to root in /etc/security/user file or through smit

____Limit the $PATH variable in /etc/environment. Use the users .profile instead.

Authorization/authentication administration

____Report all password inconsistencies and not fix them: pwdck –n ALL
____Report all password inconsistencies and fix them: pwdck –y ALL
____Report all group inconsistencies and not fix them: grpck –n ALL
____Report all group inconsistencies and fix them: grpck –y ALL
____Browse the /etc/shadow, etc/password and /etc/group file weekly


SUID/SGID

____Review all SUID/SGID programs owned by root, daemon, and bin.
____Review all SETUID programs: find / -perm -1000 –print
____Review all SETGID programs: find / -perm -2000 –print
____Review all sticky bit programs: find / -perm -3000 –print
____Set user .profile in /etc/security/.profile

Permissions structures

____System directories should have 755 permissions at a minimum
____Root system directories should be owned by root
____Use the sticky bit on the /tmp and /usr/tmp directories.
____Run checksum (md5) against all /bin, /usr/bin, /dev and /usr/sbin files.
____Check device file permissions:
____disk, storage, tape, network (should be 600) owned by root.
____tty devices (should be 622) owned by root.
____/dev/null should be 777.
____List all hidden files in there directories ( the .files).
____List all writable directories (use the find command).
____$HOME directories should be 710
____$HOME .profile or .login files should be 600 or 640.
____Look for un-owned files on the server: find / -nouser –print.
Note: Do not remove any /dev files.
____Do not use r-type commands: rsh, rlogin, rcp and tftp or .netrc or .rhosts files.
____Change /etc/host file permissions to 660 and review its contents weekly.

____Check for both tcp/udp failed connections to the servers: netstat –p tcp; netstat –p udp.
____Verify contents of /etc/exports (NFS export file).
____If using ftp, make this change to the /etc/inetd.conf file to enable logging.
ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd –l
____Set NFS mounts to –ro (read only) and only to the hosts that they are needed.
____Consider using extended ACL's (please review the tcb man page).
____Before making network connection collect a full system file listing and store it off-line:
ls -Ra -la>/tmp/allfiles.system
____Make use of the strings command to check on files: strings /etc/hosts | grep Kashmir

Recommendations

Remove unnecessary services

By default the Unix operating system gives us 1024 services to connect to, we want to parse this down to a more manageable value. There are 2 files in particular that we want to parse. The first is the /etc/services file itself. A good starting point is to eliminate all unneeded services and add services as you need them. Below is a screenshot of an existing ntp server etc/services file on one of my lab servers.

#
# Network services, Internet style
#
ssh 22/udp
ssh 22/tcp mail
auth 113/tcp authentication
sftp 115/tcp
ntp 123/tcp # Network Time Protocol
ntp 123/udp # Network Time Protocol
#
# UNIX specific services
#
login 513/tcp
shell 514/tcp cmd # no passwords used

Parse /etc/rc.tcpip file

This file starts the daemons that we will be using for the tcp/ip stack on AIX servers. By default the file will start the sendmail, snmp and other daemons. We want to parse this to reflect what
functionality we need this server for. Here is the example for my ntp server.

# Start up the daemons
#
echo "Starting tcpip daemons:"
trap 'echo "Finished starting tcpip daemons."' 0
# Start up syslog daemon (for error and event logging)
start /usr/sbin/syslogd "$src_running"


# Start up Portmapper

start /usr/sbin/portmap "$src_running"

# Start up socket-based daemons
start /usr/sbin/inetd "$src_running"

# Start up Network Time Protocol (NTP) daemon
start /usr/sbin/xntpd "$src_running"

This helps also to better understand what processes are running on the server.


Remove unauthorized /etc/inittab entries

Be aware of what is in the /etc/inittab file on the AIX servers. This file works like the registry in a Microsoft environment. If an intruder wants to hide an automated script, he would want it launched here or in the cron file. Monitor this file closely.

Parse /etc/inetd.conf file

This is the AIX system file that starts system services, like telnet, ftp, etc. We also want to closely watch this file to see if there are any services that have been enabled without authorization. If you are using ssh for example this is what the inetd.con file should look like. Because we are using other internet connections, this file is not used in my environment and should not be of use to you. This is why ssh should be used for all administrative connections into the environment. It provides an encrypted tunnel so connection traffic is secure. In the case of telnet, it is very trivial to sniff the UID and password.

## protocol. "tcp" and "udp" are interpreted as IPv4.
##
## service socket protocol wait/ user server server program
## name type nowait program arguments
##

Edit /etc/rc.net

This is network configuration file used by AIX. This is the file you use to set your default network route along your no (for network options) attributes. Because the servers will not be used as routers to forward traffic and we do not want to use loose source routing at you, we will be making a few changes in this file. A lot of them are to protect from DOS and DDOS attacks from the internet. Also protects from ACK and SYN attacks on the internal network.

##################################################################
##################################################################
# Changes made on 06/07/02 to tighten up socket states on this

# server.

##################################################################
if [ -f /usr/sbin/no ] ; then
/usr/sbin/no -o udp_pmtu_discover=0 # stops autodiscovery of MTU
/usr/sbin/no -o tcp_pmtu_discover=0 # on the network interface
/usr/sbin/no -o clean_partial_conns=1 # clears incomplete 3-way conn.
/usr/sbin/no -o bcastping=0 # protects against smurf icmp attacks
/usr/sbin/no -o directed_broadcast=0 # stops packets to broadcast add.
/usr/sbin/no -o ipignoreredirects=1 # prevents loose
/usr/sbin/no -o ipsendredirects=0 # source routing
/usr/sbin/no -o ipsrcrouterecv=0 # attacks on
/usr/sbin/no -o ipsrcrouteforward=0 # our network
/usr/sbin/no -o ip6srcrouteforward=0 # from using indirect
/usr/sbin/no -o icmpaddressmask=0 # dynamic routes
/usr/sbin/no -o nonlocsrcroute=0 # to attack us from
/usr/sbin/no -o ipforwarding=0 # Stops server from acting like a router
fi


Securing root

Change the /etc/motd banner

This computer system is the private property of XYZ Insurance. It is for authorized use only. All users (authorized or non-authorized) have no explicit or implicit expectations of privacy.

Any or all users of this system and all the files on this system may be intercepted, monitored, recorded, copied, audited, inspected and disclosed to XYZ Insurance's management personnel.

By using this system, the end user consents to such interception, monitoring, recording, copying, auditing, inspection and disclosure at the discretion of such personnel. Unauthorized or improper use of this system may result in civil and/or criminal penalities and administrative or disciplinary action, as deemed appropriate by said actions. By continuing to use this system, the individual indicates his/her awareness of and consent to these terms and conditions of use.

LOG OFF IMMEDIATELY if you do not agree to the provisions stated in this warning banner.

Modify /etc/security/user

root:
loginretries = 5 – failed retries until account locks
rlogin = false – Disables remote herald access to a root shell. Need to su from another UID.
admgroups = system
minage = 0 – minimum aging is no time value
maxage = 4 – maximum aging is set to 30 days or 4 weeks
umask = 22


Tighten up /etc/security/limits

This is an attribute that should be changed due to a runaway resource hog. This orphaned process can grow to use
an exorbinate amount of disk space. To provent this we can set the ulimit value here.

default:
#fsize = 2097151
fsize = 8388604 – sets the soft file block size to a max of 8 Gig.

Variable changes in /etc/profile

Set the $TMOUT variable in /etc/profile. This will cause an open shell to close after 15 minutes of inactivity. It works in conjunction with the screensaver, to prevent an open session to be used to either delete the server or worse corrupt data on the server.

# Automatic logout, include in export line if uncommented
TMOUT=900

4.6.5 Sudo is your friend….

This is a nice piece of code that the system administrators can use in order to allow "root-like" functionality. It allows a non-root user to run system binaries or commands. The /etc/sudoers file is used to configure exactly what the user can do. The service is configured and running on ufxcpidev. The developers are running a script called changeperms in order to tag there .ear files with there own ownership attributes.


First we setup sudo to allow root-like or superuser doer access to sxnair.

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL
sxnair,jblade,vnaidu ufxcpidev=/bin/chown * /usr/WebSphere/AppServer/installedApps/*
#
#
# Override the built in default settings
Defaults syslog=auth


Defaults logfile=/var/log/sudo.log

For more details, please see the XYZ Company Insurance Work Report that I compiled, or visit this
URL: http://www.courtesan.com/sudo/.

Tighten user/group attributes

Change /etc/security/user

These are some of the changes to the /etc/security/user file that will promote a more heightened
configuration of default user attributes at your company.

default:

umask = 077 – defines umask values – 22 is readable only for that UID
pwdwarntime = 7 – days of password expiration warnings
loginretries = 5 – failed login attempts before account is locked
histexpire = 52 – defines how long a password cannot be re-used
histsize = 20 – defines how many previous passwords the system remembers
minage = 2 – minimum number of weeks a password is valid
maxage = 8 – maximum number of weeks a password is valid
maxexpired = 4 – maximum time in weeks a password can be changed after it exp

7 comments:

Unknown said...

It is very helpful to me.

Anonymous said...

Very Helpful, Great Job..!

Ram said...

This stuff is really superb.
Thnax for u work
cd u plz give me the four scipts sysinfo, tcpchk, nfsck and nethwchk which i am unable to find them

Unknown said...

Hello,

Great work!!!
Everybody will definately get a great resource for AIX Security Checklist.

--- Sachin jadhav

Anish AIX said...

excellent work,Guptaji.
Very helpful. :)

bdclary said...

Very comprehensive list. Thanks.

Question: Assuming rlogin for root is set to false, what effect does loginretries have on su? If loginretries is set to 5 and someone is trying to brute force the root password through su, will the root account be locked out?

Unknown said...

really great work. Proud to say you are my master.