Improving the security of an AIX server

Operating system installation

When installing the operating system, install only the filesets the server needs. Every fileset installed is code that can carry vulnerabilities and has to be kept patched, so limiting the installation to the filesets required for the server's business function reduces the attack surface. Review what is installed with lslpp -l and remove filesets that are not needed with installp -u.

Changing the login screen

The login screen can give an attacker information that helps them look for vulnerabilities, such as the host name or the operating system version, and it should give away neither.

Change the login message to display something like "Unauthorized use of this system is prohibited and could result in criminal enforcement and action".

You should only be using ssh to log on to your server. In that case, configure sshd to show the warning before authentication by adding a Banner directive to sshd_config (/etc/ssh/sshd_config for OpenSSH on AIX):

Banner /usr/local/etc/sshd_banner

Then create the file /usr/local/etc/sshd_banner with the contents of your message.

Finally restart the sshd daemon (on AIX it is an SRC subsystem: stopsrc -s sshd followed by startsrc -s sshd) and confirm from another host that the banner is shown before the password prompt. Note that sshd uses the first occurrence of a directive, so a commented-out or duplicate Banner line earlier in the file must be replaced rather than left in place.
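The banner steps above as a script, added here as an example and not taken from the original page. It edits sshd_config idempotently (replacing any existing Banner line ahead of the first Match block rather than appending a duplicate that sshd would ignore), writes the banner file, and reads back the value sshd will use. The demo runs on a constructed copy of sshd_config in a temporary directory; on a real server point it at /etc/ssh/sshd_config as root. It also sets PermitRootLogin no, which the "Disable direct root login" section below calls for.

```shell
#!/bin/sh
# Added example (not from the original page): manage sshd_config directives
# idempotently. The demo below uses a constructed copy of sshd_config in a
# temporary directory so it can be run anywhere.

# set_sshd_directive CONFIG KEY VALUE
# Replaces every existing KEY line (commented out or not) that appears before
# the first "Match" block with "KEY VALUE", or adds one if none exists. sshd
# honours the first occurrence of a directive, so a stale duplicate left
# behind would silently keep the old value; lines inside Match blocks are left alone.
set_sshd_directive() {
    cfg=$1; key=$2; val=$3
    tmp="$cfg.tmp.$$"
    awk -v k="$key" -v v="$val" '
        BEGIN { keyre = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" }
        function emit() { if (!done) { print k " " v; done = 1 } }
        tolower($0) ~ "^[ \t]*match([ \t]|$)" { emit(); inmatch = 1 }   # keep ours ahead of Match blocks
        !inmatch && tolower($0) ~ keyre { emit(); next }               # replace (or drop a duplicate)
        { print }
        END { emit() }                                                 # nothing matched: append
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# get_sshd_directive CONFIG KEY
# Prints the value sshd will use globally: the first uncommented KEY before any Match block.
get_sshd_directive() {
    awk -v k="$2" '
        BEGIN { lk = tolower(k) }
        tolower($1) == "match" { exit }
        tolower($1) == lk { print $2; exit }
    ' "$1"
}

# install_banner CONFIG BANNERFILE TEXT
# Writes the warning text to BANNERFILE (readable by all; it contains nothing
# sensitive) and points the Banner directive at it.
install_banner() {
    cfg=$1; banner=$2; text=$3
    mkdir -p "$(dirname "$banner")"
    printf '%s\n' "$text" > "$banner"
    chmod 644 "$banner"
    set_sshd_directive "$cfg" Banner "$banner"
}

# --- demo on a constructed sshd_config copy ---
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
# constructed sample, not a real server's configuration
#Banner none
PermitRootLogin yes
Subsystem sftp /usr/sbin/sftp-server
EOF
install_banner "$demo/sshd_config" "$demo/usr/local/etc/sshd_banner" \
    "Unauthorized use of this system is prohibited and could result in criminal enforcement and action"
set_sshd_directive "$demo/sshd_config" PermitRootLogin no   # see "Disable direct root login"
printf 'Banner -> %s\nPermitRootLogin -> %s\n' \
    "$(get_sshd_directive "$demo/sshd_config" Banner)" \
    "$(get_sshd_directive "$demo/sshd_config" PermitRootLogin)"
rm -rf "$demo"
# On the real server follow this with: stopsrc -s sshd; startsrc -s sshd
# and then ssh in from another host to confirm the banner precedes the password prompt.
```

Run it as root with the real paths only after reviewing the diff of the modified file; the check that matters is the ssh login from another host, since a directive placed after a Match block or shadowed by an earlier one is accepted by sshd without complaint.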

If you are not using ssh, edit /etc/motd: remove its current contents and add a message similar to the one above. Bear in mind that /etc/motd is displayed after a successful login, not before it, so it does not warn an unauthenticated user; for console, telnet and rlogin sessions the text shown before the login prompt is the herald attribute in /etc/security/login.cfg, and its default is what reveals the operating system version.

However the use of ssh is strongly recommended; telnet and rlogin send passwords across the network in clear text, and a server that accepts them would not be considered secure.

Password security

The following statements are a good starting point for a password security policy.

1. Ensure that new passwords are not duplications of old passwords.

2. Passwords should contain a mixture of uppercase and lowercase letters, some numbers and no dictionary words.

3. Passwords should contain at least eight characters.

4. Passwords should be valid for no more than 60 days.

5. All user accounts should have a password.

6. Service accounts shared by multiple users (e.g. oracle) should not allow direct login (login = false and rlogin = false in /etc/security/user); access should only be gained by using sudo from the user's own account, so that every use is logged against a named individual.

Some of these requirements can be enforced by the following attributes in the default stanza of /etc/security/user (set them with chsec -f /etc/security/user -s default -a attribute=value, or for a single account with chuser). Values are given for high and medium security; AIX also allows weaker settings, which are not discussed here because they are not recommended. Note that the age-related attributes are counted in weeks, so the 60-day rule above corresponds to maxage = 8, which is stricter than the 13 weeks listed below.

mindiff specifies the minimum number of characters required in a new password that were not in the old password.
For High Level Security set to 4, and for Medium Level Security set to 3

minage specifies the minimum number of weeks before a password can be changed.
For High Level Security set to 1, and for Medium Level Security set to 4

maxage specifies the maximum number of weeks a password is valid.
For High Level Security set to 13, and for Medium Level Security set to 13

minalpha specifies the minimum number of alphabetic characters in a password.
For High Level Security set to 2, and for Medium Level Security set to 1

histexpire specifies the number of weeks before a previously used password can be reused.
For High Level Security set to 13, and for Medium Level Security set to 13

maxrepeats specifies the maximum number of times a character can appear in a password.
For High Level Security set to 2, and for Medium Level Security set to 3

histsize specifies the number of previous passwords that a user cannot reuse.
For High Level Security set to 20, and for Medium Level Security set to 4

maxexpired specifies the maximum number of weeks after maxage that an expired password can be changed by the user.
For High Level Security set to 2, and for Medium Level Security set to 4

minother specifies the minimum number of non-alphabetic characters in a password.
For High Level Security set to 2, and for Medium Level Security set to 1

minlen specifies the minimum length of a password.
For High Level Security set to 8, and for Medium Level Security set to 6

pwdwarntime specifies the number of days before the system issues a warning that a password change is required.
For High Level Security set to 5, and for Medium Level Security set to 5
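An audit of a /etc/security/user stanza against the High Level Security values above, added here as an example and not code from the original page. It parses the stanza file directly (so it runs offline on a constructed sample), treats an unset attribute as a failure because the AIX default then applies instead of the policy, recognises the "no limit" values that would otherwise pass a numeric comparison (maxage = 0 never expires, maxexpired = -1 is unrestricted, maxrepeats = 8 means no maximum), and prints the chsec commands that would close each gap. The policy table and the sample file are constructed from this page's figures.

```shell
#!/bin/sh
# Added example (not from the original page): audit a /etc/security/user
# stanza against the High Level Security values and print chsec fixes.
# On a real server read /etc/security/user as root.

# attribute  op  high-value  value-meaning-"no limit" ("-" if none)
HIGH_POLICY='
mindiff     min 4  -
minage      min 1  -
maxage      max 13 0
minalpha    min 2  -
histexpire  min 13 -
maxrepeats  max 2  8
histsize    min 20 -
maxexpired  max 2  -1
minother    min 2  -
minlen      min 8  -
pwdwarntime min 5  -
'

# stanza_attr FILE STANZA ATTR -> prints the attribute value, or nothing if unset
stanza_attr() {
    awk -v s="$2" -v a="$3" '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }                                   # comment or blank line
        /^[^ \t]/ && /:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }  # "stanza:" header
        cur == s {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == a) { print v; exit }
        }' "$1"
}

# audit_pw_policy FILE STANZA -> one line per attribute that misses the policy
audit_pw_policy() {
    file=$1; stanza=$2
    printf '%s\n' "$HIGH_POLICY" | while read -r attr op want unl; do
        [ -n "$attr" ] || continue
        have=$(stanza_attr "$file" "$stanza" "$attr")
        bad=0
        case $have in
            '')        have=unset; bad=1 ;;          # unset: the AIX default applies, not the policy
            *[!0-9-]*) bad=1 ;;                      # not a number
            *) if [ "$op" = min ]; then
                   [ "$have" -ge "$want" ] || bad=1
               else                                  # "max": also reject the no-limit value
                   [ "$have" -le "$want" ] && [ "$have" != "$unl" ] || bad=1
               fi ;;
        esac
        if [ "$bad" -ne 0 ]; then
            [ "$op" = min ] && sym='>=' || sym='<='
            printf '%s current=%s required=%s%s\n' "$attr" "$have" "$sym" "$want"
        fi
    done
}

# pw_policy_failures FILE STANZA -> number of non-compliant attributes
pw_policy_failures() {
    audit_pw_policy "$1" "$2" | awk 'END { print NR }'
}

# pw_policy_fix FILE STANZA -> chsec commands that apply the policy (review, then run as root)
pw_policy_fix() {
    audit_pw_policy "$1" "$2" | while read -r attr rest; do
        want=$(printf '%s\n' "$HIGH_POLICY" | awk -v a="$attr" '$1 == a { print $3 }')
        printf 'chsec -f %s -s %s -a %s=%s\n' "$1" "$2" "$attr" "$want"
    done
}

# write_sample_user_file PATH: constructed /etc/security/user excerpt for the demo
write_sample_user_file() {
    cat > "$1" <<'EOF'
* constructed sample, not a real server's file
default:
        admin = false
        login = true
        su = true
        minlen = 8
        minalpha = 1
        minother = 2
        mindiff = 4
        maxrepeats = 8
        maxage = 0
        maxexpired = -1
        histexpire = 13
        histsize = 4
        pwdwarntime = 5

root:
        admin = true
EOF
}

sample=$(mktemp)
write_sample_user_file "$sample"
audit_pw_policy "$sample" default
echo "non-compliant: $(pw_policy_failures "$sample" default)"
pw_policy_fix "$sample" default
rm -f "$sample"
```

The per-user stanzas override default, so run the audit on every stanza that has password attributes of its own (root in the sample has none, so all eleven show as unset there, which is correct: it inherits default). The generated chsec lines are printed rather than executed so they can be checked against the server's change process first.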

System login accounts

Assign individual user accounts

To allow user activity to be audited, every user must have an individual login account. Generic accounts used by multiple people, e.g. ops or dba, should be avoided. AIX records the account, the source host or terminal and the time and date of each login (see the last command, which reads /var/adm/wtmp) and of each failed login (who /etc/security/failedlogin); that record only identifies a person if the account belongs to exactly one person.

Inactive accounts

All accounts that have not been used for a specified period should be disabled, and deleted a further specified period later.

Such accounts accumulate because users have left and the system administrators have forgotten to remove their accounts, or because a user's job role has changed and the access is no longer needed.

A typical time frame is to disable accounts after 90 days without a login and delete them after 120 days. Where a user is known to be leaving, their account should be deleted on the day they leave, or sooner if it is no longer required. On AIX, lsuser -a time_last_login ALL gives the last login time of every account as seconds since the epoch, chuser account_locked=true disables an account, and rmuser -p removes it together with its password entry.
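The 90/120-day rule as a script, added here as an example and not code from the original page. It reads the output of lsuser -a id time_last_login ALL from a file, classifies each account, and prints the chuser and rmuser commands for review. Two cases the rule alone does not cover are handled explicitly: accounts that have never logged in (the attribute is absent, so there is no date to count from; they are listed for manual review) and system accounts, which never log in and must not be touched. The cut-off of user IDs below 200 for system accounts is an assumption taken from AIX's default numbering for new users, and the input file and the fixed "now" are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): classify accounts by days since
# last login and print the chuser/rmuser commands for the 90/120-day policy.
# Input is the output of  lsuser -a id time_last_login ALL  (one user per line,
# "user id=N time_last_login=EPOCH"; the attribute is absent for accounts that
# have never logged in). Assumption: IDs below 200 are system accounts.

# stale_accounts FILE NOW DISABLE_DAYS DELETE_DAYS -> ACTION USER DAYS
stale_accounts() {
    awk -v now="$2" -v dis="$3" -v del="$4" '
        NF == 0 { next }
        {
            user = $1; id = -1; last = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "id") id = kv[2] + 0
                if (kv[1] == "time_last_login") last = kv[2]
            }
            if (user == "root" || (id >= 0 && id < 200)) next          # system accounts: never auto-disabled
            if (last == "") { print "REVIEW", user, "never-logged-in"; next }  # no date to count from
            days = int((now - last) / 86400)
            if (days >= del)      print "DELETE", user, days
            else if (days >= dis) print "DISABLE", user, days
            else                  print "OK", user, days
        }' "$1"
}

# stale_account_commands FILE NOW DISABLE_DAYS DELETE_DAYS -> commands to run as root, after review
stale_account_commands() {
    stale_accounts "$@" | awk '
        $1 == "DISABLE" { print "chuser account_locked=true " $2 }
        $1 == "DELETE"  { print "rmuser -p " $2 }'
}

# write_sample_lsuser PATH: constructed lsuser output for the demo (NOW below is 1700000000)
write_sample_lsuser() {
    cat > "$1" <<'EOF'
root id=0 time_last_login=1699990000
daemon id=1
alice id=205 time_last_login=1699900000
bob id=206 time_last_login=1691792000
carol id=207 time_last_login=1688768000
dave id=208
erin id=209 time_last_login=1692224000
EOF
}

NOW=1700000000
sample=$(mktemp)
write_sample_lsuser "$sample"
stale_accounts "$sample" "$NOW" 90 120
stale_account_commands "$sample" "$NOW" 90 120
rm -f "$sample"
```

On a live system feed it with lsuser -a id time_last_login ALL > /tmp/lsuser.out and the current epoch from date +%s (or a fixed value when re-running an old report), and read the REVIEW lines before the commands: a never-used account may be a recent joiner or a forgotten one, and only the creation date tells them apart.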

Disable direct root login

To prevent an attacker who has obtained the root password from logging into the server directly as root, disable direct root logins: set rlogin = false on the root stanza of /etc/security/user (chuser rlogin=false root) and PermitRootLogin no in sshd_config. Any user who needs root access must log in with their own account first and then use su to switch to root. This adds an extra step an attacker has to get past, and, because su records every attempt in /var/adm/sulog, it lets you see which users have gained root access and who has tried and failed.

Enable "su" from the Wheel group

A 'wheel group' controls which users may su from their own account to the root superuser. On AIX this is the sugroups attribute of the target account: only members of the groups it lists may su to that user. Add the following to the root stanza of /etc/security/user (or run chuser sugroups=whgroup root):

root:
        sugroups = whgroup

Create the group whgroup (mkgroup whgroup) and add every user who requires the ability to su to root to it (chgrpmem -m + username whgroup). Anyone else who runs su root is refused even if they know the root password.

This group should be restricted to members of the System Administration Team.
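A check that ties the two previous sections together, added here as an example and not code from the original page: it reads su-to-root attempts from /var/adm/sulog and cross-checks each successful one against the membership of the wheel group in /etc/group. A success by a user outside the group means the sugroups restriction is not in force or has been bypassed and should be investigated; failed attempts show who is guessing. The sulog line layout used (SU date time +/- tty from-to) is the one AIX's su writes; both input files here are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check su-to-root activity
# in /var/adm/sulog against the wheel group's membership in /etc/group.
# The demo uses constructed copies of both files.

# group_members GROUPFILE GROUP -> comma-separated member list from the /etc/group line
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4; exit }' "$1"
}

# su_root_report SULOG GROUPFILE WHEELGROUP
# Prints one line per su-to-root attempt: STATUS DATE TIME USER TTY, where
# STATUS is OK (success, user in wheel group), FAILED (wrong password) or
# ALERT (success by a user who is not in the wheel group).
# sulog lines look like:  SU 03/15 09:12 + pts/0 alice-root
su_root_report() {
    sulog=$1; groupfile=$2; wheel=$3
    members=$(group_members "$groupfile" "$wheel")
    awk -v m="$members" '
        BEGIN { n = split(m, arr, ","); for (i = 1; i <= n; i++) inwheel[arr[i]] = 1 }
        $1 != "SU" || NF < 6 { next }
        {
            i = match($6, /-[^-]*$/)                   # split "from-to" at the last hyphen
            if (i == 0) next
            from = substr($6, 1, i - 1); to = substr($6, i + 1)
            if (to != "root" || from == "root") next   # only su *to* root by non-root users
            if ($4 == "-")             status = "FAILED"
            else if (from in inwheel)  status = "OK"
            else                       status = "ALERT"   # succeeded outside the wheel group
            printf "%s %s %s %s %s\n", status, $2, $3, from, $5
        }' "$sulog"
}

# su_root_count STATUS SULOG GROUPFILE WHEELGROUP -> number of report lines with that STATUS
su_root_count() {
    su_root_report "$2" "$3" "$4" | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# write_sample_files DIR: constructed sulog and group file for the demo
write_sample_files() {
    cat > "$1/sulog" <<'EOF'
SU 03/15 09:12 + pts/0 alice-root
SU 03/15 11:40 - pts/2 bob-root
SU 03/15 11:41 + pts/2 bob-root
SU 03/16 02:11 + pts/3 carol-root
SU 03/16 08:00 + pts/0 root-oracle
SU 03/16 09:30 - pts/4 dave-root
EOF
    cat > "$1/group" <<'EOF'
system:!:0:root
staff:!:1:alice,bob,carol,dave
whgroup:!:201:alice,bob
EOF
}

demo=$(mktemp -d)
write_sample_files "$demo"
su_root_report "$demo/sulog" "$demo/group" whgroup
echo "alerts: $(su_root_count ALERT "$demo/sulog" "$demo/group" whgroup)"
rm -rf "$demo"
```

Run it as su_root_report /var/adm/sulog /etc/group whgroup on the server (sulog is readable only by root). Note that root switching to a service account (root-oracle in the sample) is deliberately ignored; it is a different question from who reached root.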

Timeout idle sessions

Add the following line to /etc/profile so that it applies to every user (/etc/security/.profile is only the template copied into the home directory of accounts created afterwards, so existing users would not pick it up there):

TMOUT=900; TIMEOUT=900; export TMOUT TIMEOUT; readonly TMOUT TIMEOUT

These settings make a ksh-compatible session exit after 15 minutes (900 seconds) of inactivity, and readonly stops the user from unsetting or changing them in their own startup files. The order matters: export and readonly must be separate commands, since "export readonly TMOUT TIMEOUT" exports a variable named readonly rather than making the timeout read-only. Sessions in a csh login shell are not covered by this variable.