AIX Security Toolkit
The toolkit is provided "AS IS", without support. Also read the ROOTVG.NET disclaimer.
Please send us an email to request the download of the Security Toolkit by return attachment:
Overview
The original design of the unix operating system offered only basic security. AIX
has provided features which have significantly improved the security potential
of the operating system. The building blocks exist, but because AIX maintains
compliance with POSIX and other standards, implementing a secure system is often
difficult (for example, many security features are extensions to basic unix
functionality). The toolkit was developed to meet this challenge on versions 4
and 5 of AIX.
High level description of toolkit
The toolkit was developed to provide a
reliable, quick and easy solution to security related challenges facing
administrators of AIX systems. It provides assistance in five areas: Basic
security issues, Software patch (apar) and efix management, Enhanced user
management and Security audit requirements.
1 Basic Security Issues
AIX (in common with all other unix variants) ships with “insecure”
settings. This is an historical feature and provides ease of use. It was decided
to provide a method of removing these insecure settings which was repeatable,
reversible and documented. A significant amount of research has gone into the
identification of insecure settings as well as the determination of reasonable
secure settings.
2 Software patch (apar) and efix management
IBM releases cumulative maintenance releases several times annually. These
contain all relevant software patches released since the last cumulative release
and include security patches. In some cases, individual patches may have been
available for up to six months prior to the cumulative release. It is accepted
that the majority of successful security breaches target known (and unpatched)
vulnerabilities. IBM releases emergency fixes (e-fixes) for urgent security
issues. Tools have been produced and are maintained to check for these patches
and e-fixes. This provides a method of keeping up to date with security critical
patches.
3 Enhanced user management
AIX (in common with all other unix variants) still depends on simple ascii files
for the management of user and group ids, settings and passwords. AIX provides
additional tools which permit sophisticated control of user and group
characteristics, but these apply to individual users rather than to the system
as a whole. Tools have been developed to permit the imposition and management of
system wide policies for user and group characteristics.
4 Security audit requirements
All unix security auditing tools have common areas of attention. These include
security log management as well as files controlling remote system access. AIX
provides support for these items, but requires manual editing and inspection to
meet audit requirements. Tools have been developed to manage these issues in
ways which make it easy for administrators to satisfy security requirements.
Technical description of toolkit
Initially, the intention was to develop a tool with functionality similar to the
‘TITAN’ tool for Solaris but designed specifically for AIX. This was done, but it
was found that additional tools were required. The toolset now consists of tools
in 4 areas.
1. PTF and e-fix checking.
   - Ptfck - check for current security ptfs.
   - Chk_efix - check (based on active processes) whether e-fixes are required or applied.

2. General security check and compliance tool. Menu driven toolset which provides the following:
   - Structured use of standard AIX user and password management utilities.
   - Management of user and password databases; check/set minimum requirements.
   - Checks for common security vulnerabilities (based on SANS/FBI top 20 recommendations).
   - Tools to address common security vulnerabilities:
     - disable insecure network services
     - fix insecure network options
     - disable automounter
     - disable or restrict cde access
     - restrict ftp access
     - disable or harden DNS service
     - disable or harden NFS service
     - disable or harden remote access
     - disable or harden sendmail

3. GSD331 (or custom) security check and compliance tool. Menu driven toolset which provides the following:
   - Check/set compliance with GSD331 requirements.
   - Interactive compliance checking/setting.
   - Batch facility is available for maintaining compliance.
   - This toolset can be altered to meet customer requirements. If a customer has a well defined security policy, compliance can be automated.

4. Extended user and password database management. Tools have been created to perform the following:
   - Check/set default password strength and expiry rules. Normally, this is a manual operation which involves checking the user security files.
   - Check/enforce user compliance with defaults. Normally requires manual editing of the security files.
   - Report on users whose passwords have expired. These accounts can be locked.
   - Report on dormant users. These accounts can be locked.
   - Report on password change and user access. Not normally possible.
   - Report on locked user accounts. Would normally require manual inspection of user security files.
   - Manage wtmp, failedlogin and sulog files. Display, trim and print.
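The expired-password and dormant-user reports listed under area 4 can be derived from the AIX security stanza files. The script below is an added example, not the toolkit's own code: it parses constructed samples laid out like /etc/security/passwd (lastupdate), /etc/security/user (maxage, with the default: stanza inherited) and /etc/security/lastlog (time_last_login), and the "current time" is a fixed assumed value so the output is reproducible.

```shell
#!/bin/sh
# Added example, not code from the rootvg.net toolkit: report accounts whose
# password has outlived its maxage, and accounts dormant for more than N days.
# Inputs are constructed samples in the layout of the AIX stanza files
# /etc/security/passwd (lastupdate, epoch seconds), /etc/security/user
# (maxage in weeks, 0 = never expires; users without maxage inherit the
# "default:" stanza) and /etc/security/lastlog (time_last_login, epoch seconds).

# stanza_attr FILE ATTR -> "user:value" for each stanza that sets ATTR
stanza_attr() {
    awk -v want="$2" '
        /^[^ \t#][^:]*:[ \t]*$/ { u = $0; sub(/:[ \t]*$/, "", u); next }
        /^[ \t]+[A-Za-z_]+[ \t]*=/ {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == want) print u ":" v
        }' "$1"
}

# expired_passwords PASSWD_FILE USER_FILE NOW -> users past lastupdate + maxage
expired_passwords() {
    { stanza_attr "$2" maxage | sed 's/^/maxage:/'
      stanza_attr "$1" lastupdate | sed 's/^/last:/'; } |
    awk -F: -v now="$3" '
        $1 == "maxage" { maxage[$2] = $3; next }
        $1 == "last" {
            m = ($2 in maxage) ? maxage[$2] : maxage["default"]
            if (m > 0 && $3 + m * 604800 < now) print $2
        }'
}

# dormant_users LASTLOG_FILE DAYS NOW -> users whose last login is older than DAYS
dormant_users() {
    stanza_attr "$1" time_last_login |
    awk -F: -v now="$3" -v days="$2" '$2 < now - days * 86400 { print $1 }'
}

# write_samples DIR: constructed sample stanzas (epoch values in 2022-2023)
write_samples() {
    printf 'root:\n\tpassword = *\n\tlastupdate = 1640995200\n\nalice:\n\tlastupdate = 1701388800\n\nbob:\n\tlastupdate = 1688169600\n\ncarol:\n\tlastupdate = 1698796800\n' > "$1/passwd"
    printf 'default:\n\tmaxage = 13\n\nroot:\n\tmaxage = 0\n\ncarol:\n\tmaxage = 4\n' > "$1/user"
    printf 'root:\n\ttime_last_login = 1703980800\n\nalice:\n\ttime_last_login = 1703980800\n\nbob:\n\ttime_last_login = 1696118400\n' > "$1/lastlog"
}

NOW=1704067200   # constructed "current time": 2024-01-01 00:00 UTC
D=$(mktemp -d); write_samples "$D"
echo "expired: $(expired_passwords "$D/passwd" "$D/user" "$NOW" | tr '\n' ' ')"
echo "dormant: $(dormant_users "$D/lastlog" 90 "$NOW" | tr '\n' ' ')"
rm -rf "$D"
```

Users with no lastlog stanza (never logged in) are not reported by dormant_users; a complete audit would also list them.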
Contribution of Simon Taylor