Saturday, February 16, 2008

AIX Authorization/authentication administration

Authorization/authentication administration

____ Report all password inconsistencies and do not fix them: pwdck -n ALL
____ Report all password inconsistencies and fix them: pwdck -y ALL
____ Report all group inconsistencies and do not fix them: grpck -n ALL
____ Report all group inconsistencies and fix them: grpck -y ALL
____ Browse the /etc/shadow, /etc/passwd and /etc/group files weekly.

SUID/SGID

____ Review all SUID/SGID programs owned by root, daemon, and bin.
____ Review all SETUID programs: find / -perm -4000 -print
____ Review all SETGID programs: find / -perm -2000 -print
____ Review all sticky bit programs: find / -perm -1000 -print
____ Set the user .profile in /etc/security/.profile

Permissions structures

____ System directories should have 755 permissions at a minimum.
____ Root system directories should be owned by root.
____ Use the sticky bit on the /tmp and /usr/tmp directories.
____ Run a checksum (md5) against all files in /bin, /usr/bin, /dev and /usr/sbin.
____ Check device file permissions:
     disk, storage, tape and network devices should be 600 and owned by root.
     tty devices should be 622 and owned by root.
     /dev/null should be 777.
____ List all hidden files (the .files) in these directories.
____ List all writable directories (use the find command).
____ $HOME directories should be 710.
____ $HOME .profile or .login files should be 600 or 640.
____ Look for un-owned files on the server: find / -nouser -print. Note: do not remove any /dev files.
____ Do not use the r-type commands (rsh, rlogin, rcp) or tftp, and do not use .netrc or .rhosts files.
____ Change the /etc/hosts file permissions to 660 and review its contents weekly.
____ Check for both TCP and UDP failed connections to the servers: netstat -p tcp; netstat -p udp
____ Verify the contents of /etc/exports (the NFS export file).
____ If using ftp, make this change to /etc/inetd.conf to enable logging:
     ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd -l
____ Set NFS mounts to -ro (read only) and export them only to the hosts that need them.
____ Consider using extended ACLs (please review the tcb man page).
____ Before making any network connection, collect a full system file listing and store it off-line: ls -Rla / > /tmp/allfiles.system
____ Make use of the strings command to check on files: strings /etc/hosts | grep Kashmir

Recommendations

Remove unnecessary services

By default the Unix operating system gives us 1024 services to connect to; we want to pare this down to a more manageable number. There are two files in particular that we want to pare. The first is the /etc/services file itself. A good starting point is to eliminate all unneeded services and add services back as you need them. Below is the /etc/services file of an existing ntp server on one of my lab servers.

    #
    # Network services, Internet style
    #
    ssh      22/udp
    ssh      22/tcp    mail
    auth    113/tcp    authentication
    sftp    115/tcp
    ntp     123/tcp    # Network Time Protocol
    ntp     123/udp    # Network Time Protocol
    #
    # UNIX specific services
    #
    login   513/tcp
    shell   514/tcp    cmd    # no passwords used

Pare down the /etc/rc.tcpip file

This file starts the daemons that we will be using for the TCP/IP stack on AIX servers. By default the file starts sendmail, snmp and other daemons. We want to pare this down to reflect what functionality we need this server for. Here is the example for my ntp server.

    # Start up the daemons
    #
    echo "Starting tcpip daemons:"
    trap 'echo "Finished starting tcpip daemons."' 0

    # Start up syslog daemon (for error and event logging)
    start /usr/sbin/syslogd "$src_running"

    # Start up Portmapper
    start /usr/sbin/portmap "$src_running"

    # Start up socket-based daemons
    start /usr/sbin/inetd "$src_running"

    # Start up Network Time Protocol (NTP) daemon
    start /usr/sbin/xntpd "$src_running"

This also helps you understand which processes are running on the server.

Remove unauthorized /etc/inittab entries

Be aware of what is in the /etc/inittab file on the AIX servers. This file works like the registry in a Microsoft environment.
If an intruder wants to hide an automated script, he would want it launched here or in the cron file. Monitor this file closely.

Pare down the /etc/inetd.conf file

This is the AIX system file that starts system services like telnet, ftp, etc. We also want to watch this file closely to see whether any services have been enabled without authorization. If you are using ssh, for example, this is what the inetd.conf file should look like. Because we use other connections, this file is not used in my environment and should not be of use to you. This is why ssh should be used for all administrative connections into the environment: it provides an encrypted tunnel, so the connection traffic is secure. In the case of telnet, it is trivial to sniff the UID and password.

    ## protocol.  "tcp" and "udp" are interpreted as IPv4.
    ##
    ## service  socket  protocol  wait/   user  server   server program
    ## name     type              nowait        program  arguments
    ##

Edit /etc/rc.net

This is the network configuration file used by AIX. It is the file you use to set your default network route along with your no (network options) attributes. Because the servers will not be used as routers to forward traffic and we do not want to use loose source routing at all, we will be making a few changes in this file. Many of them protect against DoS and DDoS attacks from the internet; they also protect against ACK and SYN attacks on the internal network.

    ##################################################################
    ##################################################################
    # Changes made on 06/07/02 to tighten up socket states on this
    # server.
    ##################################################################
    if [ -f /usr/sbin/no ] ; then
        /usr/sbin/no -o udp_pmtu_discover=0     # stops autodiscovery of MTU
        /usr/sbin/no -o tcp_pmtu_discover=0     # on the network interface
        /usr/sbin/no -o clean_partial_conns=1   # clears incomplete 3-way conn.
        /usr/sbin/no -o bcastping=0             # protects against smurf icmp attacks
        /usr/sbin/no -o directed_broadcast=0    # stops packets to broadcast add.
        /usr/sbin/no -o ipignoreredirects=1     # prevents loose
        /usr/sbin/no -o ipsendredirects=0       # source routing
        /usr/sbin/no -o ipsrcrouterecv=0        # attacks on
        /usr/sbin/no -o ipsrcrouteforward=0     # our network
        /usr/sbin/no -o ip6srcrouteforward=0    # from using indirect
        /usr/sbin/no -o icmpaddressmask=0       # dynamic routes
        /usr/sbin/no -o nonlocsrcroute=0        # to attack us from
        /usr/sbin/no -o ipforwarding=0          # Stops server from acting like a router
    fi

Securing root

Change the /etc/motd banner

    This computer system is the private property of XYZ Insurance. It is for
    authorized use only. All users (authorized or non-authorized) have no
    explicit or implicit expectations of privacy. Any or all users of this
    system and all the files on this system may be intercepted, monitored,
    recorded, copied, audited, inspected and disclosed to XYZ Insurance's
    management personnel. By using this system, the end user consents to such
    interception, monitoring, recording, copying, auditing, inspection and
    disclosure at the discretion of such personnel. Unauthorized or improper
    use of this system may result in civil and/or criminal penalties and
    administrative or disciplinary action, as deemed appropriate by said
    actions. By continuing to use this system, the individual indicates
    his/her awareness of and consent to these terms and conditions of use.
    LOG OFF IMMEDIATELY if you do not agree to the provisions stated in this
    warning banner.

Modify /etc/security/user

    root:
        loginretries = 5    - failed retries until the account locks
        rlogin = false      - disables remote herald access to a root shell; you need to su from another UID
        admgroups = system
        minage = 0          - minimum aging is no time value
        maxage = 4          - maximum aging is set to 30 days or 4 weeks
        umask = 22

Tighten up /etc/security/limits

This is an attribute that should be changed because of runaway resource hogs.
An orphaned process can grow to use an exorbitant amount of disk space. To prevent this we can set the ulimit value here.

    default:
        #fsize = 2097151
        fsize = 8388604     - sets the soft file block size to a max of 8 Gig.

Variable changes in /etc/profile

Set the $TMOUT variable in /etc/profile. This causes an open shell to close after 15 minutes of inactivity. It works in conjunction with the screensaver to prevent an open session from being used to delete the server or, worse, corrupt data on the server.

    # Automatic logout, include in export line if uncommented
    TMOUT=900

Sudo is your friend....

This is a nice piece of code that system administrators can use to allow "root-like" functionality. It allows a non-root user to run system binaries or commands. The /etc/sudoers file is used to configure exactly what the user can do. The service is configured and running on ufxcpidev. The developers are running a script called changeperms in order to tag their .ear files with their own ownership attributes. First we set up sudo to allow root-like (superuser do) access to sxnair.

    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # User privilege specification
    root    ALL=(ALL) ALL
    sxnair,jblade,vnaidu    ufxcpidev=/bin/chown * /usr/WebSphere/AppServer/installedApps/*
    #
    #
    # Override the built in default settings
    Defaults syslog=auth
    Defaults logfile=/var/log/sudo.log

Note that the "*" after /bin/chown matches any owner argument, so review wildcard rules like this one carefully and keep the logfile setting so every invocation is recorded. For more details, please see the XYZ Company Insurance Work Report that I compiled, or visit this URL: http://www.courtesan.com/sudo/.

Tighten user/group attributes

Change /etc/security/user

These are some of the changes to the /etc/security/user file that will promote a more hardened configuration of default user attributes at your company.

    default:
        umask = 077         - defines umask values - 22 is readable only for that UID
        pwdwarntime = 7     - days of password expiration warnings
        loginretries = 5    - failed login attempts before the account is locked
        histexpire = 52     - defines how long a password cannot be re-used
        histsize = 20       - defines how many previous passwords the system remembers
        minage = 2          - minimum number of weeks a password is valid
        maxage = 8          - maximum number of weeks a password is valid
        maxexpired = 4      - maximum time in weeks a password can be changed after it exp
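The file-system items of the checklist at the top of the post (SUID/SGID review, world-writable directories, un-owned files, $HOME and .profile modes), as an added example that is not part of the original post: a POSIX shell function that runs those checks, exercised here against a constructed sample tree instead of / so it can be tried safely. The tree, its file names and modes are made up, and it assumes a GNU or BusyBox "stat -c %a"; on AIX itself you would parse "ls -ld" instead.

```sh
# Added example, not a script from the post: portable version of the checklist's
# file-system checks. Usage: audit_tree ROOT  -> prints one finding per line.
audit_tree() {
    root=$1
    # setuid (04000) and setgid (02000) programs: this is the review list, not a delete list
    find "$root" -type f -perm -4000 -print 2>/dev/null | sed 's/^/SUID: /'
    find "$root" -type f -perm -2000 -print 2>/dev/null | sed 's/^/SGID: /'
    # world-writable directories that lack the sticky bit (the /tmp rule)
    find "$root" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null |
        sed 's/^/WORLD-WRITABLE DIR: /'
    # files with no matching passwd entry; per the post's note, never remove /dev files
    find "$root" -nouser -print 2>/dev/null | sed 's/^/UNOWNED: /'
    # $HOME should be 710, and .profile / .login should be 600 or 640
    for h in "$root"/home/*; do
        [ -d "$h" ] || continue
        mode=$(stat -c %a "$h")            # assumption: GNU/BusyBox stat
        [ "$mode" = 710 ] || echo "HOME not 710 ($mode): $h"
        for f in "$h"/.profile "$h"/.login; do
            [ -f "$f" ] || continue
            m=$(stat -c %a "$f")
            case $m in 600|640) ;; *) echo "DOTFILE not 600/640 ($m): $f" ;; esac
        done
    done
}

# Constructed sample tree (made up for this example): two homes, a sticky /tmp,
# a non-sticky world-writable directory, and empty files standing in for one
# setuid and one setgid binary.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp" "$d/var/scratch" "$d/home/alice" "$d/home/bob"
    : > "$d/usr/bin/su";   chmod 4755 "$d/usr/bin/su"      # expected setuid
    : > "$d/usr/bin/wall"; chmod 2755 "$d/usr/bin/wall"    # expected setgid
    chmod 1777 "$d/tmp"                                     # sticky: passes
    chmod 777 "$d/var/scratch"                              # no sticky: flagged
    : > "$d/home/alice/.profile"; chmod 600 "$d/home/alice/.profile"; chmod 710 "$d/home/alice"
    : > "$d/home/bob/.profile";   chmod 644 "$d/home/bob/.profile";   chmod 755 "$d/home/bob"
    echo "$d"
}

sample=$(build_sample)
audit_tree "$sample"   # flags su, wall, var/scratch, bob's home and bob's .profile
rm -rf "$sample"
```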
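The /etc/security/user baselines in this post (the root stanza above and the default stanza just listed), as an added example that is not from the original post: a POSIX sh plus awk checker that parses one stanza of a file in /etc/security/user format and reports attributes that are missing or weaker than the post's values. The stanza file it runs on is constructed for the example; point it at /etc/security/user on a real AIX host.

```sh
# Added example, not the post's own script. Usage: check_user_stanza FILE STANZA
# Prints one line per attribute that is missing or outside the post's baseline.
check_user_stanza() {
    awk -v want="$2" '
        /^\*/ { next }                                                  # "*" starts a comment
        /^[^[:space:]]+:[[:space:]]*$/ { cur = substr($1, 1, length($1) - 1); next }  # "name:"
        cur == want && NF >= 3 && $2 == "=" { val[$1] = $3 }            # "attr = value"
        END {
            # baseline from the post as attr:low:high (empty high = no cap); the floor
            # of 1 on loginretries and maxage is because 0 switches that limit off
            rules_s = "umask:077:077 pwdwarntime:7: loginretries:1:5 histexpire:52:"
            rules_s = rules_s " histsize:20: minage:2: maxage:1:8 maxexpired:0:4"
            n = split(rules_s, rules, " ")
            for (i = 1; i <= n; i++) {
                split(rules[i], r, ":"); k = r[1]; lo = r[2]; hi = r[3]
                want_s = (hi == "") ? ">= " lo : (lo == hi ? lo : lo "-" hi)
                if (!(k in val)) { print "MISSING " k " (want " want_s ")"; continue }
                v = val[k] + 0
                if (v < lo + 0 || (hi != "" && v > hi + 0))
                    print "WEAK " k " = " val[k] " (want " want_s ")"
            }
        }' "$1"
}

# Constructed sample in /etc/security/user stanza format (not a real host's file):
# the default stanza keeps AIX-style weak values for umask, loginretries and maxage
# and omits maxexpired; the root stanza follows the post.
sample_user_file() {
    cat <<'EOF'
* constructed sample for the example above
default:
        admin = false
        umask = 022
        pwdwarntime = 7
        loginretries = 0
        histexpire = 52
        histsize = 20
        minage = 2
        maxage = 0
root:
        loginretries = 5
        rlogin = false
EOF
}

f=$(mktemp); sample_user_file > "$f"
check_user_stanza "$f" default   # reports umask, loginretries, maxage as WEAK, maxexpired MISSING
rm -f "$f"
```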
