Every now and then I google: SecuringAIX (I write a blog by that name, so I am curious where it stands - and to my dismay I did not make the top5 today from my current location.
However, this unix.com/aix thread did make the top5- and, imho, it is lacking in clarity and ease. So, I thought I would post a refresher - AIX Hardening 101.
Since AIX 5.3, ML05 I believe (so we are anno 2005 I believe) - AIX intradiced a tool known as AIX Security Expert , or aixpert . This is meant to be pretty much - push button security - from it's start at least as much more has been added.
For a test drive - let it tell you what it finds wrong (note, wrong means different. If the level you choose thinks 4 is the right number and you have a different number (e.g., 3 or 5) it will say it is failed.).
So, test drive - no configuration changes made to your system with:
Here is my checklist of security-related things i do when i install a new system:
Create administrative FSes
root needs some places to store things: system documentation, logs, scripts, etc.. In most cases there is "/usr/local/bin" and roots home. Create FSes for some or all of these directories so that the content doesn't land in "/". Full root-fses usually cause some headache for the admins.
Install ssh
You need ssh itself and openssl for that. Get both from IBMs Linux Toolbox for AIX website and install with rpm.
Disable "classic" means of connection: telnet, ftp, rlogin, rexec, ....
Notice that you might need rlogin in some cases, but as a rule of thumb all these non-securified services should be disabled. Make sure these will not be started at system start any more.
Disable/limit root-login
The best way to become root is to log on with your regular user-ID and then switch to root. Therefore remote login for root can and should be disabled. Console login should be allowed, because there might be emergency situations where it is necessary. Someone able to get to the console is most probably also allowed to log on as root.
Set up sudo
Download from the IBM site where you got ssh.
Set up ntp
Especially when you use Kerberos you need consistent timekeeping throughout your environment, so connect your system to your local Stratum-2-server. Set the method to "slew" for database systems (i.e. Oracle is quite picky about duplicate timestamps when you set it to "step").
Edit /etc/motd and /etc/security/login.cfg
Its a good idea to be able to immediately recognize at which system you are when you log on. If you put some distinct banners at the login screen chances are you notice them even in times of stress if you have mistyped the machines name. (It is really easy to type "ssh server3" instead of "ssh server2" or something such.)
Now is a good time to look at so-called Role Based Access Control solutions - aka RBAC, rather than sudo. IT audit requirements are moving in this direction.
If you go sudo - it is not enough to install it and let everyone just sudo su - .
And be sure and define a seperate group, no files in it, only admins, with are allowed to su to root ( sugroups setting for root is the name of this group, default is keyword ALL - meaning any group is accepted)
AIX supplies ssh on the DVD with AIX 6.1 and AIX 7.1, no additional download needed.
Big plus on suggestion to setup non-rootvg filesystems (i.e., not just a seperate filesystem, but have an additional volume group for these items, so that "rootvg" can be replaced (e.g., fresh install) and you will not lose any vital configuration information by accident. Not saying the steps to "replace" rootvg are simple, but this is much simplier than losing the info, or having to extract outdated information from an "ancient" mksysb backup file.
edit motd: yes, but a standard message for all systems - best practice seems to be to mention that only authorized users are permitted, and actions may be logged. Proceding implies consent and other "legal stuff".
Important change: change the pwd_algorithm setting (none set, so crypt by default) in /etc/security/login.cfg
All the other edits, disabling programs, root login, etc. - just use # aixpert -l h (or #aixpert -l high )
AIXpert setting of High is intended for Internet facing servers. more common is that in data centre, firewall protected servers will use the medium setting.
You need to watch with medium as it by default will disable both NFS and NTP, so you should always review the entire content of the XML files before you apply them to existing live systems.