AIX Security Checklist
AIX Security Checklist AIX Environment Procedures The best way to approach this portion of the checklist is to do a comprehensive physical inventory of the servers. Serial numbers and physical location would be sufficient. ____Record server serial numbers ____Physical location of the servers Next we want to gather a rather comprehensive list of both the AIX and pseries inventories. By running these next 4 scripts we can gather the information for analyze. ____Run these 4 scripts: sysinfo, tcpchk, nfsck and nethwchk. (See Appendix A for scripts) ____sysinfo: ____Determine active logical volume groups on the servers: lsvg -o ____List physical volumes in each volume group: lsvg –p "vgname" ____List logical volumes for each volume group: lsvg –l "vgname" ____List physical volumes information for each hard disk ____lspv hdiskx ____lspv –p hdiskx ____lspv –l hdiskx ____List server software inventory: lslpp -L ____List server software history: lslpp –h ____List all hardware attached to the server: lsdev –C sort –d ____List system name, nodename, LAN network number, AIX release, AIX version and machine ID: uname –x ____List all system resources on the server: lssrc –a ____List inetd services: lssrc –t 'service name' –p 'process id' ____List all host entries on the servers: hostent -S ____Name all nameservers the servers have access to: namerslv –Is ____Show status of all configured interfaces on the server: netstat –i ____Show network addresses and routing tables: netstat –nr ____Show interface settings: ifconfig ____Check user and group system variables ____Check users: usrck –t ALL ____Check groups: grpck –t ALL ____Run tcbck to verify if it is enabled: tcbck ____Examine the AIX failed logins: who –s /etc/security/failedlogin ____Examine the AIX user log: who /var/adm/wtmp ____Examine the processes from users logged into the servers: who –p /var/adm/wtmp ____List all user attributes: lsuser ALL sort –d ____List all group attributes: lsgroup ALL ____tcpchk: ____Confirm the tcp subsystem installed: lslpp –l grep bos.net ____Determine if it is running: lssrc –g tcpip ____Search for .rhosts and .netrc files: find / -name .rhosts -print ; find / -name .netrc –print ____Checks for rsh functionality on host: cat /etc/hosts.equiv ____Checks for remote printing capability: cat /etc/hosts.lpd grep v # ____nfschk: ____Verify NFS is installed: lslpp -L bin/grep nfs ____Check NFS/NIS status: lssrc -g nfs bin/grep active ____Checks to see if it is an NFS server and what directories are exported: cat /etc/xtab ____Show hosts that export NFS directories: showmount ____Show what directories are exported: showmount –e ____nethwchk ____Show network interfaces that are connected: lsdev –Cc if ____Display active connection on boot: odmget -q value=up CuAt grep namecut -c10-12 ___Show all interface status: ifconfig ALL Root level access ____Limit users who can su to another UID: lsuser –f ALL ____Audit the sulog: cat /var/adm/sulog ____Verify /etc/profile does not include current directory ____Lock down cron access ____To allow root only: rm –i /var/adm/cron/cron.deny and rm –I /var/adm/cron/cron.allow ____To allow all users: touch cron.allow (if file does not already exist) ____To allow a user access: touch /var/adm/cron/cron.allow then echo "UID">/var/adm/cron/cron.allow ____To deny a user access: touch /var/adm/cron/cron.deny then echo "UID">/var/adm/cron/cron.deny ____Disable direct herald root access: add rlogin=false to root in /etc/security/user file or through smit ____Limit the $PATH variable in /etc/environment. Use the users .profile instead.