Professional Documents
Culture Documents
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
AIX1 Ensure Patches, Packages and 1.1 Apply latest OS patches The system has up-to-date patches
Initial Lockdown of the system is Installing up-to-date vendor patches and developing a and packages, and the system is
appropriate. procedure for keeping up-to-date with vendor patches are locked-down to reduce the number
critical for the security and reliability of the system. of vulnerabilities.
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
documentation and to suit your particular environment.
Configuring TCP Wrappers is beyond the scope of this
Benchmark.
Note: Do not deny access to your system without allowing
access.
2. Modify /etc/inetd.conf:
cd /etc
awk '($3 ~ /^tcp/) && ($6 !~ /(internal|tcpd)$/) \
{ $7 = $6; $6 = "/usr/local/bin/tcpd" }; \
{ print }' inetd.conf > inetd.conf.with_tcp_wrappers
cp inetd.conf.with_tcp_wrappers inetd.conf
chown root:system inetd.conf
chmod 644 inetd.conf inetd.conf.with_tcp_wrappers
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
inetd-based services being disabled, there is no point in
running inetdat boot time.
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
[ `lslpp -L bos.net.nis.client 2>&1 | \
grep -c "not installed"` -eq 0 ] && \
/usr/lib/instl/sm_inst installp_cmd -u \
-f'bos.net.nis.client'
(AIX 5):
for SVC in routed gated named timed rwhod mrouted \
snmpd hostmibd dpid2 lpd portmap autoconf6 \
ndpd-router ndpd-host; do
echo "Turning off $SVC"
stopsrc -s $SVC
chrctcp -d $SVC
done
for SVC in piobe i4ls httpdlite pmd writesrv; do
echo "Turning off $SVC"
stopsrc -s $SVC
rmitab $SVC
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
done
pmd
mkitab -i cron "pmd:2:wait:/usr/bin/pmd > /dev/console
2>&1 #
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
Start PM daemon"
chrctcp -a pmd
httpdlite
mkitab -i cron
"httpdlite:2:once:/usr/IMNSearch/httpdlite/httpdlite -r
/etc/IMNSearch/httpdlite/httpdlite.conf & >/dev/console
2>&1"
chrctcp -a httpdlite
AIX4 Kernel tuning to harden the 4.1 Disable core dumps A more secure system.
system configuration. Edit /etc/security/limits and change the core value in the
default stanza to:
core 0
Add the following line below it:
core_hard = 0
Execute these commands:
echo "# Added by CISecurity Benchmark" >> /etc/profile
echo "ulimit -c 0" >> /etc/profile
chdev -l sys0 -a fullcore=false
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
# ICMP Redirect is a poor excuse for a routing protocol.
/usr/sbin/no -o ipignoreredirects=1
/usr/sbin/no -o ipsendredirects=0
# Refuse to have anything to do with source-routed
packets.
/usr/sbin/no -o ipsrcrouteforward=0
/usr/sbin/no -o ipsrcrouterecv=0
/usr/sbin/no -o ipsrcroutesend=0
/usr/sbin/no -o nonlocsrcroute=0
EOF
chmod +x /etc/rc.net-tune
mkitab -i rctcpip "rcnettune:2:wait:/etc/rc.net-tune > \
/dev/console 2>&1"
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
stopsrc -s syslogd
startsrc -s syslogd
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
else
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
/var/tmp/hostmibd.log \
/var/tmp/snmpd.log \
/var/adm/ras/*
/var/ct/RMstart.log
do
if [ -f $FILE ]; then
echo "Fixing log file permissions on $FILE"
chmod o-rw $FILE
fi
done
AIX6 File/directory permissions/access 6.1 Verify passwd and group file permissions System access is available only to
are restricted to authorized users chown -R root:security /etc/passwd /etc/group /etc/security authorized users with appropriate
and regularly reviewed. file/directory permissions.
chown -R root:audit /etc/security/audit
chmod 644 /etc/passwd /etc/group
chmod 750 /etc/security
chmod -R go-w,o-r /etc/security
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
following commands:
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
accounts and regularly reviewed. 7.2 Create /etc/ftpusers
lsuser -c ALL | grep -v ^#name | cut -f1 -d: | while read
NAME; do
if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -lt 200 ]; then
echo "Adding $NAME to /etc/ftpusers"
echo $NAME >> /etc/ftpusers.new
fi
done
sort -u /etc/ftpusers.new > /etc/ftpusers
rm /etc/ftpusers.new
chown root:system /etc/ftpusers
chmod 600 /etc/ftpusers
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
file=/usr/dt/config/Xservers
fi
awk '/Xsun/ && !/^#/ && !/-nolisten tcp/ \
{ print $0 " -nolisten tcp"; next }; \
{ print }' $file > $file.new
mkdir -p /etc/dt/config
mv $file.new /etc/dt/config/Xservers
chown root:bin /etc/dt/config/Xservers
chmod 444 /etc/dt/config/Xservers
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
ls /var/spool/cron/crontabs | grep -v root >> cron.allow
ls /var/spool/cron/atjobs | grep -v root >> at.allow
chown root:sys cron.allow at.allow
chmod 400 cron.allow at.allow
cat at.allow
cat cron.allow
cat at.deny cron.deny # this should fail
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
group files
The command:
grep ^+: /etc/passwd /etc/group
should return no lines of output.
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
done
if [ `grep -c "chmod $NEW_PERMS $1" \
/usr/lib/security/mkuser.sys` -eq 0 ]; then
sed -e "s/mkdir \$1/mkdir \$1 \&\& chmod $NEW_PERMS \
$1/g" \
/usr/lib/security/mkuser.sys > /tmp/mkuser.tmp
mv /tmp/mkuser.tmp /usr/lib/security/mkuser.sys
chmod 750 /usr/lib/security/mkuser.sys
fi
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
Stop!!! Read the discussion before proceeding.
if [ -e "$HOME/.rhosts" ]; then
echo "Removing $HOME/.rhosts"
rm -f "$HOME/.rhosts"
fi
done
Discussion:
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
# Remove users
LIST="uucp nuucp lpd guest printq"
for USERS in $LIST; do
rmuser -p $USERS
rmgroup $USERS
done
# Remove groups
LIST="uucp printq"
for USERS in $LIST; do
rmgroup $USERS
done
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
Discussion:
User ID Description
uucp, nuucp Owner of hidden files used by uucp protocol.
The uucp user account is used for the UNIX-to-UNIX Copy
Program, which is a group of commands, programs, and
files, present on most AIX systems, that allows the user to
communicate with another AIX system over a dedicated
line or a telephone line.
lpd Owner of files used by printing subsystem
guest Allows access to users who do not have access to
accounts
Group ID Description
uucp Group to which uucp and nuucp users belong
printq Group to which lpd user belongs
Note: You may get one or more errors stating the group or
user does not exist. This is harmless and may be ignored.
AIX9 Warning banners prior to user 9.1 Create warnings for network and physical access Warning banners prior to user logon
logon. services may assist the prosecution of
Edit the banner currently in /etc/motdas required by your trespassers on the computer system.
Enterprise. The following
script is a template taken from the Bastille Linux project:
cd /etc
# Remember to enter name of your company here:
COMPANYNAME="its owner"
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
cat <<EOM \
| sed -e "s/its owner/${COMPANYNAME}/g" > /etc/motd
********************************************************
NOTICE TO USERS
Any or all uses of this system and all files on this system
may be intercepted, monitored, recorded, copied, audited,
inspected, and disclosed to your employer, to authorized
site, government, and law enforcement personnel, as well
as authorized officials of government agencies, both
domestic and foreign.
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
for file in /usr/dt/config/*/Xresources; do
dir=`dirname $file | sed s/usr/etc/`
mkdir -p $dir
if [ ! -f $dir/Xresources ]; then
cp $file $dir/Xresources
fi
WARN="Authorized uses only. All activity may be
monitored and reported."
echo "Dtlogin*greeting.labelString: $WARN"
>>$dir/Xresources
echo "Dtlogin*greeting.persLabelString: $WARN"
>>$dir/Xresources
done
chown root:sys /etc/dt/config/*/Xresources
chmod 644 /etc/dt/config/*/Xresources
CID Control Activity Review Procedures (with CIS Benchmark Ref. #’s) Expected Results
Authorized uses only. All activity may be monitored and
reported
EOF
AIX10 Additional security notes to further SN.1 Create symlinks for dangerous files The system is further protected from
harden the system configuration. for FILE in /.rhosts /.shosts /etc/hosts.equiv \ unauthorized or inappropriate
access and/or activity.
/etc/shosts.equiv; do
[ -e $FILE ] && rm -f $FILE
ln -s /dev/null $FILE
done