[Solved] aix audit check list

AIX CHECKLIST By:Frank W. Lyons President of Entellus Technology Group, Inc. 407-774-8397 [email protected] com I. Preliminary Steps A. Obtain an organizational chart of the group responsible for the operating environment. B. Obtain any existing security and control procedures C. Obtain a description of the network configuration D. Obtain a listing of the various systems (applications) supported by the operating system E. Obtain a job description of the System Administrator II. Installation Audit Steps A. Review any design criteria for system security. B.

Determine whether the user access is controlled through the operating system, the database management system, or the application front-end menu system. C. Determine what documentation standards exist and whether they are being followed. D. Determine who acts as the Security Administrator for the operating environment. E. Determine the standards for password management and construction. F. Review any existing security guidelines for users, groups, and functions. III. Physical Security A. Review the network configuration to ensure that all network components are physically secured.

These include File Servers, Bridges, Routers, Hubs/Concentrators, Gateways, Terminal Servers, and Modems. B. Determine who is responsible and what documentation is required for configuration changes to the physical network. Are these procedures effective? Are the changes to the network documented? Are users and other impacted parties properly notified? C. Ensure that only the System Administrator or other authorized personnel have physical access to the file server console as the system can be rebooted from the ‘A’ drive and a new root password can be supplied. IV. System Administration A. Identify all the System Administrators. grep :0: /etc/passwd B. Determine that each administrator requires this level of authority. C. Determine the change control procedures over changes to users, programs, menus, authorities, user scripts, hardware and system software. D. Determine that the proper person or group is responsible for monitoring the network that support the file server. E. Determine that the proper person or group is responsible for system shutdown and backups. F. Determine if the System Administrator is supported by a backup or at a minimum their userid/password are kept in a secured location in case of an emergency. G.

Determine who is responsible for maintaining license agreements and if all agreements are being met. V. System Security The System Administrator’s interface for the AIX system is the System Management Interface Tool (smit). You can invoke smit by keying smit at the operating system prompt. A. During the initial installation did the System Administrator create audit check sum files. These files will allow the Security Administrator to verify that no changes have been made since the installation of the system. The audit check sum files should contain a single-line entry for each file having the following information: (See /etc/security/sysck. fg) field comments aclcontains both base and extended access control list data for the file classa logical group to which this file belongs pathname Absolute pathname owner Ether symbolic or numeric ID group Either symbolic or numeric ID mode Symbolic representation as displayed by the ls -l command size Size of the file in bytes.

Major and minor numbers are listed for devices links Number of hard links to pathname version Numeric value, reported by what(1). checksum File contents computed by a checksum algorithm. This field reflects the slightest change to a file, even a single character. symlinks Indicates whether the file has symbolic or hard links programthe associated checking program sourcethe source file for this file ypethe type of file Producing these files should be a simple task. The resulting files should reside in a secured directory. Dynamic security routines should be run on a periodic basis to ensure that these critical files have not be modified without proper approval. B. Determine if the system is running in a secured (trusted) mode. /etc/security/passwd For the password file A trusted environment formats the primary password file’s encrypted password /etc/passwd to the /etc/security/passwd file and replaces the password field in the /etc/passwd with an ‘! ’.

In addition, it forces all user to use passwords, creates an audit ID number for each user, sets the audit flag on for all existing users, and converts the at, batch, and crontab files to use the submitter’s audit ID. C. Determine if auditing has been enabled. Use the following file to look at defined audit events: /etc/security/audit/events Determine if minimal set of auditable events is being recorded. Auditing is enabled by entering /etc/audit start Files used by Audit /etc/security/audit/configconfiguration information /etc/security/audit/eventsaudit events of the system /etc/security/audit/bincmdsbackend commands etc/security/audit/streamcmdscommands that process stream data /etc/security/audit/objectsinformation about audited objects D. Review the audit logs to determine if any unauthorized event has occurred. E. Review the inittabs to ensure that only authorized entries are present and that access is properly restricted. $cat /etc/inittab F. Review all the rc. scripts to ensure that only valid programs are executed within these scripts. G. Review the sulog to look for suspicious activity H. Ensure that the system backup is done on a regular basis and that the backup files are properly stored. VI. Account Security

In traditional HP-UX systems you can use the ls -l command to list off the permissions for a directory or a file. On a secure(trusted) system you can use the lsacl command to see what permissions are associated with a given file, and the chacl command to change the access control lists of the file. ACLs are attached to files or directories to allow the Security Administrator to assign discrete authority to individuals or groups. A. Obtain a listing of all user accounts and verify that each user is still an active worker on the system. $cat /etc/passwd Files associated with the user accounts: etc/security/idsuid sequence number /etc/security/logins. cfgcontains rules for password quality /etc/groupgroup definitions /etc/security/groupadditional group information and flags /etc/passwduser account file /etc/security/passwdencryption passwords /etc/security/usercontains user extended attributes /etc/security/environcontains environmental attributes for users /etc/security/limitscontains file limits /etc/security/failedlogincontains an entry for every time a login fails Also the AIX system has a file that contains a stanza for each user known to the system. This can be obtained by using the following command and file: cat /etc/security/user One other file that restricts the user is the /etc/security/limits file. This file contains the following: fsizeis the largest file a user can create core is the largest core file allowed in units of 512 bytes. CPUis the maximum number of CPU-seconds a process is allowed before being killed. datais the largest data segment allowed, in units of 512 bytes. stackis the maximum stack size a process is allowed rssis the maximum real memory size a process can acquire B. Obtain a listing of all group accounts and verify that each user still needs to participate in the defined group. AIX CHECKLIST

The group file contains some pre-defined groups such as the following: system staff bin adm uucp mail security cron printq audit ecs nobody usr A. Review the access control permission on the critical system directories and files. In addition, review the access control permissions on the application’s directories and files. Example: $ ls memos -rwxrwxrwx 1 frank system 0635 01/12 memos The chmod command can still be used to change the permissions for a file and should only be used if the file has any ACLs. If you execute a command such as $aclgetgets the ACL for a file $aclputsets the ACL for a file acleditcombines aclget and aclput B. Review the users or groups who have write authority into a directory or file. C. Review the umask value for a 027. This is located in the /etc/profile and the user’s . profile. The /etc/profile is a file that is executed each time a user login to the system. The umask variable is only one entry in this file. The PATH variable may also be listed. The PATH variable should also be review to ensure that the path search is proper. Another parameter for the /etc/profile within AIX is the following parameter: TMOUT/TIMEOUT defines the time (in seconds) that a user can be idle before being utomatically logged out of the system. TMOUT is used by ksh D. Review the system for setuid and setgid programs. Compare the list against a certification list of authorized programs. Use the find command to look for these type of programs especially root owned setuid or setgid programs. $ find / -user root -perm -4000 -exec ls -l {} ; This find command will list root owned setuid programs $ find / -user root -perm -2000 -exec ls -l {} ; This find command will list root owned setgid programs E. Password Security Check to ensure that all users have a password. Check to ensure that all users are using the shadow password system.

Check to ensure that no user ID are duplicated. Review all accounts with a UID of ‘0’ Determine if all users listed in the /etc/passwd are still valid. Determine if the password aging criteria is adequate Password aging is enabled by placing the necessary information in the password field Determine if all passwords are at least six characters long Determine if all passwords are run against a ‘hacker dictionary’ before being accepted initially or when changed. F. Pseudo-Accounts Most UNIX systems have pseudo accounts that are not associated with an individual user and do not need to have an interact login shell.

Be sure that the password field is properly protected by not allowing anyone to signon to these accounts. By placing an ‘NP’ for no password within the password field, these accounts cannot be signed onto. Determine if accounts such as the following have been removed from the /etc/passwd file: date who sync tty Other entries must remain as pseudo users such as: bin daemon adm uucp lp hpdb guest nobody lpd G. Home Directories Ensure that the user’s home directories and files are not writable by anyone except the owner or root Ensure that the . profile . cshrc, and . ogin files are not writable by anyone other than the owner Investigate and remove if possible the use of any . rhost files within the user’s home directory Ensure that . netrc file is not used as the it allows for the user to bypass the . login authentication for remote login and even contains the user’s unencrypted password. If it is used and is required it should not be read or writable by anyone other than it’s owner. Ensure that root’s . profile has a proper PATH variable with no ‘dot’ as the first entry. A good PATH A bad PATH

PATH=/bin:/usr/bin:/etc PATH=. :/bin:/usr/bin:/etc H. User Stanza The /etc/security/user file contains a stanza for each user known to the system plus a default stanza. The parameters controlled in this file are: adminindicates whether the user is an administrator. If yes/true/always then only root can can this user’s attributes. The default is no. daemon defines whether this user can use the cron and SRC daemons. expiresspecifies an expiration date for the user. The format is MMDDhhmmYY. The default is 0 indicating that the account well never expire. ogincontrols login from a local terminal. If you specify false here the userid is locked for all locally attached terminals but might not be locked for remote access. rlogin controls login from a remote terminal or port. It controls whether or not this userid can be accessed remotely via the rlogin command. It does not prevent local logins telnetdefines whether this userid can be remotely logged into with the telnet command. If used in conjunction with login and rlogin a userid can be secured from anybody logging into that userid, but it is not secured against the use of su. ucontrols whether other users can switch to this account by using su command. sugroups controls which groups can switch to this userid by using su. If an ! precedes the group name it denies access for that group. The ALL keyword means that all groups have access (the default). A blank indicates the default, i. e. ALL tpathindicates trusted path characteristics. Trusted path is part of the trusted computer base which ensures that the user only access directories and files that are considered safe. ttysdefines the terminals that can be used. The full path name of the terminal’s must be given.

AIX CHECKLIST I. Security stanza The following file contains security stanza parameters that apply to the whole system and it provides some control over password quality: /etc/security/login. cfg Parameters for this file are as follows: maxage/minage defines the maximum/minimum age(in weeks) of a password maxrepeatdefines the number of times one character can be repeated in the password mindiffcompares the new password with the old one. mindiff is the minimum number of characters that must be different. minotheris the number of non-alphabetic characters required in the password. axlogins is the maximum number of locally logged in users at a given time. The only valid parameters are 2, 32, and 0. Zero means an unlimited number. minalphais the number of alphabetic characters required in the password. shellsdefines the valid shells a user can access. herald parameters for the initial screen display VII. Network Security A. Review the /etc/exports file to see which files can be mounted by another machine. The /etc/exports file lists entries that consist of the path name of a file system followed by a series of names of computers and names of groups of computers.

To identify the groups of computers list off the contents of the /etc/netgroup file. Each one line entry should have two fields. The first is the name of the file system being exported. The second and subsequent name the system to which the file system can be exported. If fewer than two fields are present, the file system can be shipped anywhere in the world. B. List the /etc/hosts. equiv file to verify the names of other computers that can allow their users to signon to this host without providing a password. Verify that each of these other hosts do not extend unauthorized privileges to another user or node.

Another file associated with the trusted environment is the . rhost files which could allow someone to provide any other user to access their authorities without a password. AIX CHECKLIST C. Determine if an administrative domain has been set up. If so, verify that root is controlled on each local host otherwise someone can obtain root authorities on any machine within the domain. Verify that consistency is maintained for user name, uid, and gid among password files in the domain. Verify that consistency is maintained for group files on all machines within the domain. D.

Verify permission settings on network control files The following files should never be writable by public: networks Network names and their addresses hosts Network hosts and their addresses hosts. equiv Remote hosts allowed access equivalent to the local host services Services name database exports List of files systems being exported to NFS clients protocols Protocol name database inetd. conf Internet configuration file & TCP/IP services netgroup List of network-wide groups netrc allows for the processing of rexec and ftp commands without manual password verification. (The . netrc file contains unencrypted password information) E. Review the use of UUCP F. Review the use of anonymous ftp G. Review the use of tftp H. Modem security Use of a smart card or some type of secured dial-back Use of an additional password Kept access list current VIII. Device File Security A. Check the /dev directory for special devices that do not have the proper permission settings. B. Ensure that all devices only reside within the /dev directory. C.

Ensure that access to device such as mem, kmem, and swap are properly protected. D. Terminal ports on UNIX systems may be writable by anyone, so you can allow users to communicate by using the write or talk programs. Only the owner should have read permissions. E. Ensure that an individual user does not own any device except for their terminal device or local printer. AIX CHECKLIST IX. Batch Jobs Security A. Scheduled jobs within the UNIX environment are setup in a file called the crontabs. This file has a one line entry for each job to be executed at a given time.

This file, especially the one owned by root, should be reviewed to ensure that only valid entries and jobs are run. B. Other jobs can be run with the at command. Determine if the at command is restricted by reviewing a file called at. allow and at. deny X. Log File A. Using the last command you can review the last login attempts on the system B. Use the /etc/wtmp to review connection session $ fwtmp < /etc/wtmp C. Review the /usr/adm/messages for “BAD” login attempts D. Check to see if accounting is turned on The accton turns on accounting E.

Displaying process accounting records The acctcom will allow you to display records from any file containing process accounting records XI. Special Commands or Routines A. sysckRuns the grpck, usrck, and pwdck commands B. grpckThis command verifies that all users listed as group members are defined as users, that thegid is unique, and that the group name is correctly formed. C. usrckThe usrck command verifies many parameters of the userid definition. D. pwdckThe pwdck command checks authentication stanzas in /etc/passwd and /etc/security/passwd. DEFINITIONS: ernel Is the piece of software that controls the computer and is often called the operating system shell Is a command interpreter and a program such as sh, csh, ksh, rsh, and tsh AIX uses the ksh. driver Is a program that enables the kernel to communicate with a given type of peripheral /dev/kmem Is a special device file that allows access to the ram locations occupied by the kernel / The root directory /dev The /dev directory contains the devices attached to UNIX bin The /bin directory contains a small subset of HP-UX commands /etc The /etc directory contains many files including the passwd file /tmp The /tmp directory is used for temporary file storage /etc/inittab Contains information about system run levels and also has a entry for each terminal Example: 04:2:respawn:/etc/getty tty10 04 = id 2 = operating system level respawn = action /etc/getty = program to execute /etc/rc Defines actions taken during startup etc/passwd Determines who can log into your system root:r832uq8io3rt6:0:1:

Root System Owner:/:/bin/sh AIX uses a shadow passwd file in the /etc/security directory. With this file the primary passwd file would look like the following: root:! :0:1:Root System Owner:/:/bin/ksh /etc/group Identifies the users that form a group audit:*:25:frank,anne,katie,michaella /etc/ttytype A database of terminal types .exrc Maps terminal characteristics and sets up key definitions /etc/motd Contains the message of the day F DEFINITIONS: etc/profile Execute automatically during the login process .profile Executes each time the user successfully logs in using the Bourne(sh), Korn(ksh), or rsh .kshrc Korn shell script that supplements actions taken by the . profile file permissions Everything in UNIX is treated like a file. That is a data file is a file, so is a directory, so is a terminal, so is a modem, and etc. Each of these is identified by the file type. The file types are: d = directory – = a data or program file c = a character file = a block file l = a symbolic link p = a pipe or FIFO You can obtain this information by running the ls -l command $ ls -l memos -rwxrwxrwx 1 frank audit 456 Jan 7 12:45 memos The first digit is the file type The second through the 10 digit are the permission rwx for owner which is frank rwx for group which is audit rwx for other which is not shown but represents authorities for all other chmod Command to change the permissions on a file hown Command to change the ownership of a file umask Default permission levels for all new files created crontab Automate job processing. Each entry contains the following information: minute 0-59 hour 0-23 dates 1-31 months 1-12 days 0-6 0=Sunday runstring specifies the command line or script file to execute An entry of ‘*’ means all values for that entry smit System Management Interface Tool defaults Default values for the mkuser command and smit etc/security/mkuser. default default group in AIX is staff

"Looking for a Similar Assignment? Order now and Get a Discount!

Place New Order
It's Free, Fast & Safe

"Looking for a Similar Assignment? Order now and Get a Discount!