[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Security Guide

Appendix A. Security Checklist

This appendix provides a checklist of security actions to perform on a newly installed or existing system. Although this list is not a complete security checklist, it can be used as a foundation to build a security checklist for your environment.

  1. When installing a new system, install AIX from secure base media. Perform the following procedures at installation time:
  2. Establish access control lists for restricted files and directories.
  3. Disable unneccessary user accounts and system accounts, such as daemon, bin, sys, adm, lp, uucp. Deleting accounts is not recommended because it deletes account information, such as user IDs and user names, which may still be associated with data on system backups. If a user is created with a previously deleted user ID and the system backup is restored on the system, the new user might have unexpected access to the restored system.
  4. Review the /etc/inetd.conf, /etc/inittab, /etc/rc.nfs, and /etc/rc.tcpip files on a regular basis and remove all unnecessary daemons and services.
  5. Verify that the permissions for the following files are set correctly:
    -rw-rw-r-- root     system  /etc/filesystems
    -rw-rw-r-- root     system  /etc/hosts
    -rw------- root     system  /etc/inittab
    -rw-r--r-- root     system  /etc/vfs
    -rw-r--r-- root     system  /etc/security/failedlogin
    -rw-rw---- root     audit   /etc/security/audit/hosts
    
  6. Disable the root account from being able to remotely log in. The root account should be able to log in only from the system console.
  7. Enable system auditing. For more information, see Auditing.
  8. Enable a login control policy. For more information, see Login Control.
  9. Disable user permissions to run the xhost command. For more information, see Managing X11 and CDE Concerns.
  10. Prevent unauthorized changes to the PATH environment variable. For more information, see PATH Environment Variable.
  11. Disable telnet, rlogin, and rsh. For more information, see TCP/IP Security.
  12. Establish user account controls. For more information, see User Account Control.
  13. Enforce a strict password policy. For more information, see Passwords.
  14. Establish disk quotas for user accounts. For more information, see Recovering from Over-Quota Conditions.
  15. Allow only administrative accounts to use the su command. Monitor the su command's logs in the /var/adm/sulog file.
  16. Enable screen locking when using X-Windows.
  17. Restrict access to the cron and at commands to only the accounts that need access to them.
  18. Alias the ls command to show hidden files and characters in a file name.
  19. Alias the rm command to avoid accidentally deleting files from the system.
  20. Disable unnecessary network services. For more information, see Network Services.
  21. Perform frequent system backups and verify the integrity of backups.
  22. Subscribe to security-related e-mail distribution lists.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]