Monday, August 29, 2011

AIX Security Expert (aixpert)

One of the important activities of a system administrator is to keep the servers secured. That includes complying with health-monitoring checks and other scans.

It can be complicated to define baseline security settings for your current environment, and applying those baseline settings to newly created systems is a difficult job for a system admin.

The baseline security includes
  1. User Settings
  2. Network settings
  3. Services and Daemons
  4. Root access
  5. File permissions

Creating a baseline security setting for the above list is tedious work, and a lot of time and manpower has to be spent on it.
Instead we can now use aixpert, a simple system hardening utility that is available free on AIX 5.3 ML 03 and later.

In this document I'm going to go through setting up aixpert, creating a baseline security for your system, and gathering the proof for audit and the logs for aixpert.

What is aixpert?
aixpert is an AIX hardening utility which helps us secure the system and run the checks with the help of predefined scripts. aixpert can be used from the command line, smit or websm. aixpert has more than 300 AIX standard settings defined, at four levels: high, medium, low or default.

Notable things in aixpert
            It can create a baseline security setting in an XML file which can be passed to other servers and implemented there.
            When we implement aixpert it creates an undo XML file with which we can go back to the original settings from before aixpert was implemented.
            A security check against the baseline can be performed to identify any compromised settings.

Commonly used aixpert options
            -l sets the security level to {high|medium|low|default}
            -n writes the settings of the chosen security level to a file instead of applying them (-o must be given to name the file)
            -o stores the security output to a file
            -f applies the security settings from the given XML file
            -u undoes the security settings (uses the undo.xml created in the core directory)
            -c checks for failed baseline security settings and writes them to check_report.txt

Which security level to use, and when.

            High: when the server is exposed to the internet, as with web servers and other application servers connected to the internet. ftp and telnet are disabled.
            Medium: server connected to the internal network only, without a highly secured firewall.
            Low: server connected to the local network only, and to the WAN through a highly secured firewall. ftp and telnet are enabled.
            Default: the default settings that come with AIX.

First, write the high-level security settings to a file without applying them:

aixpert -l high -n -o /tmp/high_security.xml

Now you can edit the file /tmp/high_security.xml and remove the security settings which are not required in your environment. Each security setting in the XML file carries a description and the script it uses to implement that setting.

Once you have completed the editing you can consider it the baseline security for your system.

Now apply the security settings to your system with

aixpert -f /tmp/high_security.xml

If you find something has gone wrong, you can undo all the changes with

aixpert -u

Now, to check every day that the security has not been compromised, you can use

aixpert -c

You can find the report in the default directory, /etc/security/aixpert/check_report.txt, which lists all the compromised security settings.

cat check_report.txt
Network option extendednetstats's value should be 1, but it is 0 now
User attribute rlogin in stanza root, should have value false, but its value is NULL now
Process ps is still running
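A small wrapper for the daily check, written here as an added example (it is not the post's own code nor part of aixpert): it re-runs aixpert -c, then parses check_report.txt into a finding count and a per-category summary, and returns a non-zero exit status when the baseline has drifted so that cron mails the result. The report path is the one named above; the REPORT variable and the function names are this example's own.

```shell
#!/bin/sh
# Daily aixpert drift check (added example; not from the original post).
# Assumes the report path the post names; set REPORT to test on another file.
REPORT="${REPORT:-/etc/security/aixpert/check_report.txt}"

# Re-run the comparison against the applied baseline (aixpert -c).
run_check() {
    command -v aixpert >/dev/null 2>&1 || { echo "aixpert not found" >&2; return 1; }
    aixpert -c
}

# Number of findings: aixpert writes one non-blank line per drifted setting.
count_findings() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '[^[:space:]]' "$1" || true
}

# Group findings by the kind of setting, using the line prefixes seen in the
# report (Network option / User attribute / Process); anything else is "other".
summarize_findings() {
    [ -f "$1" ] || return 0
    awk '/^Network option/ { n["network"]++; next }
         /^User attribute/ { n["user"]++;    next }
         /^Process /       { n["process"]++; next }
         NF                { n["other"]++ }
         END { for (k in n) printf "%s=%d\n", k, n[k] }' "$1" | sort
}

# Exit 0 while the baseline holds, 1 when anything drifted; the non-zero
# status plus the printed summary (mailed by cron) is the daily alert.
report_drift() {
    count=$(count_findings "$1")
    if [ "$count" -eq 0 ]; then
        echo "aixpert baseline intact"
        return 0
    fi
    echo "aixpert baseline drift: $count finding(s)"
    summarize_findings "$1"
    return 1
}

# Run as:  sh aixpert_daily.sh run   (for example from root's crontab)
case "${1:-}" in
    run) run_check; report_drift "$REPORT" ;;
esac
```

For an unattended run, the exit status is what a cron or monitoring job keys on; the summary is only there to tell the admin which kind of setting drifted.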