|AIX security commands: Part 2
Management of system administration is always a tedious task. Various tools and methods are available to handle administrative activities on a system. AIX 6.1 provides different security features that help to manage user and group administration and maintain integrity on a system. This article provides a list of commands that are enabled by these features.
|Articles||25 Oct 2011|
|AIX security commands: Part 1
Security is an important aspect of the AIX operating system. Follow along with this quick reference guide on AIX Security commands to learn more.
|Articles||22 Jul 2008|
|Elevate cloud security with privilege delegation
In this article, the author discusses the needs that drive migration of data centers into the cloud, details the role of virtualization in both public and private cloud infrastructures, and outlines the security and compliance implications of cloud computing in order to provide insight into the protection of sensitive data in the cloud through "administrative access" and "privileged delegation."
|Articles||14 Dec 2011|
|Security authentication mechanism in AIX
An authentication mechanism verifies which users are allowed to access a system. An administrator can define an authentication protocol; based on that protocol, users' credentials are verified, and users are given access to the system. AIX provides several authentication and identification modules. A user's authentication and identification are done based on the user's attributes on AIX. This article covers the user's authentication and identification attributes, the load modules available in AIX, and a new authentication attribute introduced in the AIX 6.1 TL07 and AIX 7.1 TL1 releases.
|Articles||15 Nov 2011|
|AIX security: Learn the basics
Get a comprehensive introduction on how to lock down your AIX environment, including LDAP servers.
|Knowledge paths||07 Oct 2011|
|Security considerations over distributed environment using DCE security framework
Most businesses today run over a distributed environment. Security and integrity of the data flowing over the network are, therefore, of utmost importance for the business units. The DCE security framework addresses exactly these needs. Most present-day distributed business services build on the basics of DCE security. Primarily, the DCE security service, with additional new services and facilities, is based on the Kerberos system. This article aims to explain the basic concepts and implementation of the security mechanisms used in distributed environments and how the whole idea of DCE security is related to Kerberos.
|Articles||15 Jun 2010|
|AIX V6.1 security and regulatory compliance
IBM AIX Version 6.1 is packed with security enhancements. Many of these features can be mapped to the security requirements laid down by regulatory compliance regimes for the federal, financial, and health care sectors. This article looks at AIX V6.1 security features and their mapping to the security criteria that can be derived from some of these compliance regimes. The article helps security practitioners get a compartmentalized view of the features and understand why AIX V6.1 can be a system to consider for a compliance-driven industry.
|Articles||12 Jan 2010|
|Beat the AIX Security Expert gotchas
The AIX Security Expert (AIXPert) makes implementing security a breeze, but it does have some traps for the uninitiated. Once you're aware of them, AIXPert is a natural choice for security hardening. So, if you want to secure your system without leaving yourself locked out in the rain, this article is for you.
|Articles||19 Apr 2011|
|A comparison of security subsystems on AIX, Linux, and Solaris
Learn how to apply a strategy for implementing a single identification and authentication (I and A) framework across a heterogeneous, multi-platform environment. An I and A system provides a layer of abstraction between a user application and the implementation of any authentication or identification functions it needs to perform.
|Articles||13 Oct 2005|
|Multi-security mechanisms with multifactor authentications
Authentication is a key component of security-based solutions. This article discusses the risk associated with the use of the same security mechanisms in multifactor authentication systems and the use of GSS-API as a suitable option for achieving the multi-security mechanism with multifactor authentication for enhanced security for solutions designed over UNIX.
|Articles||10 Mar 2009|
|Using AIX Security Expert
AIXPert is an all-purpose GUI and command-line security tool that incorporates over 300 security configuration settings. Learn about recent enhancements implemented with AIX V6.1, including SOX auditing support, and go through real scenarios to show how AIXPert can be used from the command line, smit, and the GUI.
|Articles||09 Dec 2008|
|Getting started with SSH security and configuration
Are you a new UNIX(R) administrator who needs to be able to run communication over a network in the most secure fashion possible? Brush up on the basics, learn the intricate details of SSH, and delve into the advanced capabilities of SSH to automate securely your daily system maintenance, remote system management, and use within advanced scripts to manage multiple hosts.
|Articles||01 Feb 2011|
|Network File System Version 4 security: Kerberos and LIPKEY mechanisms
Use the enriched security features of Network File System (NFS) Version 4 to pave your way to public key technology. In this article, you'll examine the NFS Version 4 built-in security schemes, and how to use the existing Kerberos authentication database in a LIPKEY security mechanism. You'll also find out how to take the first steps for a migration or extension from Kerberos to the LIPKEY security mechanism.
|Articles||26 Apr 2006|
|AIX security reporting
IBM AIX security reports should reflect the current security model of your system, and these reports can then be presented to managers or auditors to show how your AIX system is managed with regard to security. In this article, I will demonstrate what type of attributes could be collected and why.
|Articles||03 Sep 2012|
|High scalability and availability of AIX secldapclntd using the Tivoli Directory
The secldapclntd daemon provides and manages the connection between the AIX security LDAP load module on the local host and an LDAP server, and handles transactions from the LDAP load module to the LDAP server. The simple configuration steps do not allow us to specify highly available and scalable LDAP servers at the back end. This article lists the steps to configure a highly available and scalable back-end LDAP for the secldapclntd daemon using the Tivoli Directory Server proxy.
|Articles||01 Sep 2009|
|Getting grips with fpm
Using the File Permissions Manager (fpm) allows you to trim down the set of programs that, in your view, should not be SUID or SGID enabled, so that only privileged users can run them. This use of fpm is part of the ever-growing IBM AIX security policy that helps system administrators harden their systems.
|Articles||07 Aug 2012|
|More locks for your SSH door
Security isn't an exact science, so the more difficulties you can put in a hacker's way, the better. This article considers how to enhance Secure Shell (SSH) access by eliminating passwords and using public/private key pairs instead. The article also explores how to recognize and block possible attacks, including brute-force and dictionary attacks, by denying server access to origins that are identified as unsafe.
Also available in: Spanish
|Articles||27 Sep 2011|
|Deploying OpenSSH on AIX
This tutorial is designed for administrators of IBM RS/6000 systems who wish to improve the security and integrity of their servers running AIX by replacing standard insecure network services with those provided by the OpenSSH implementation of the Secure Shell protocol.
|Tutorial||01 Jun 2001|
|Securing AIX Network Services
Better understand the network services in AIX and the impact each one has on system security. Administrators responsible for RS/6000s connected in some way to a public network can use the information in this tutorial to achieve the necessary balance between functionality and security.
|Tutorial||24 Dec 2001|
|Tcsh shell variables
Tcsh is one of the most popular UNIX shells. Learn how you can use tcsh shell variables to make your work easier and take advantage of tcsh's advanced security features.
|Articles||26 Aug 2008|
|IBM AIX TCP Traffic Regulation
IBM AIX TCP Traffic Regulation (TR), introduced in IBM AIX 6.1 TL2, provides centralized port-based regulation of TCP connection resource utilization. TCP firewall profiles, customized by a security administrator, can now be loaded into the AIX kernel for active mitigation of TCP-based Denial-of-Service (DoS) attacks.
|Articles||01 Dec 2009|
|Understanding the Trusted Execution environment in AIX V6
This article covers the advanced security features of IBM AIX V6.1, Trusted Execution environment. It educates AIX system administrators on how to ensure system integrity at run-time as well as at stand-by time. This article, which acts as a starting point to learn about the Trusted Execution environment, also covers the most commonly used commands and examples.
|Articles||08 Jul 2008|
|Implement two-factor authentication for AIX using Kerberos
In the ever-growing need for higher security systems, multi-factor authentication is preferred for network security. Since Kerberos is one of the most popular network authentication mechanisms, learn how to design a multi-factor authentication over the Kerberos protocol. Understand the use of One-Time Password (OTP) and GSS-API to achieve this.
|Articles||04 Nov 2008|
|Use auditing to track reads and writes in a file
In this article, discover how to track several events on AIX(R) with auditing, a major feature of AIX security, and learn how to use auditing to keep track of the read and write operations on a file. Also examine commands, such as ls or istat, to check a file's time stamp.
|Articles||07 Aug 2007|
|Kerberos authentication for AIX Version 5.3 Network File System Version 4
Find out how to use application programming interfaces (APIs) when writing your own custom Kerberos-based authentication applications. Network File System Version 4 (NFS V4), the up and coming enterprise file system, uses the Kerberos security mechanism to address privacy, authentication, and integrity requirements. In this article, you'll examine different Kerberos credential cache name formats that AIX(R) NFS V4 supports and are required for authentication purposes. You'll also look at different methods of obtaining the Kerberos credential.
|Articles||05 Dec 2006|
|Tunneling with SSH
Use OpenSource tools, such as Secure Shell (SSH), PuTTY, and Cygwin, to create secure connections to almost any resource you need to access. Current information on SSH tunneling and setup is fragmented and limited to specific applications, or it is written at a system administrator's level. With increasing security needs, the addition of boundary firewalls, and tightening of the number of allowed network ports, users need a method that is simple to configure, easy to operate and, above all, secure to accomplish day-to-day tasks and access the services that they have become accustomed to. This article describes the setup of a simple SSH client connecting to an AIX(R)- or Linux(R)-based SSH server that allows a typical, technically literate individual the ability to set up, configure, and operate a flexible means of tunneling data and services over the SSH service.
|Articles||17 Oct 2006|
|Three locks for your SSH door
Security always requires a multi-layered scheme. SSH is a good example of this. Methods range from simple sshd configuration through the use of PAM to specify who can use SSH, to application of port-knocking techniques, or to hide the fact that SSH access even exists. Applying these techniques can make life much harder for possible intruders, who will have to go past three unusual barriers.
|Articles||31 Aug 2010|
|Extending the capability of secldap to authenticate from multiple data sources
The secldapclntd daemon establishes the connection between an LDAP server and the AIX security LDAP module. The usual steps to configure a secldapclntd daemon with an LDAP server allow us to provide the details of multiple replicated LDAP servers during configuration. However, there can be a situation where the information for all the users is not available in a single LDAP server. In such a scenario, configuring just one active LDAP server's details might not be sufficient. To resolve this limitation, this article demonstrates the use of the pass-through authentication feature in IBM Tivoli Directory Server. The steps listed in this article can be followed to configure a setup in which the AIX security module is able to obtain authentication information from multiple data sources while still hiding the back-end server details from the client, thus ensuring abstraction and security.
|Articles||01 Jun 2010|
|IBM AIX 7
The IBM AIX operating system is an open standards-based UNIX operating system. It provides a highly scalable IT infrastructure for client workloads ranging from small department systems to enterprise-class workloads, such as data mining, database, transaction processing, and high-performance computing. The latest version, AIX 7.1, includes significant new capabilities for virtualization, security features, availability features, and manageability. AIX V7.1 is the first generally available version of AIX 7.
|Articles||07 Sep 2010|
|Is your AIX environment secure?
Are you concerned about protecting your AIX system from intruders? The author tells ways to maintain system integrity and highlights security tools you can use to diagnose an AIX system and identify potential security lapses.
|Articles||20 Dec 2002|
|Understanding advanced AIX features: Role-based access control in simple steps
Security is a major concern of operating systems. This article series provides an understanding of the new features on AIX, role-based access control and multi-level security. Part 1 of this series discusses AIX role-based access control (RBAC) and how roles, responsibilities, and the authorization of a root user can be delegated to more than one user.
|Articles||23 Jun 2009|
|Secure file transfer in a heterogeneous environment
File transfer is an essential and important activity in the day-to-day computing world. Security lapses during file transfer can leak important data to the external world. As a result, securing FTP is of primary importance. Hence, in AIX V6.1, IBM has introduced a secure flavor of FTP (and ftpd), based on OpenSSL, that uses Transport Layer Security (TLS) to encrypt both the command and the data channels of a file transfer. This article shows the advantage of using this AIX V6.1 feature and its usage between AIX and other heterogeneous systems that already support this feature. This article focuses on AIX secure FTP with a Windows server.
|Articles||14 Apr 2009|
|Take a closer look at OpenBSD 4.3
OpenBSD provides a UNIX distribution with a primary emphasis on security and cryptography. If you're looking for a UNIX distribution to deploy in the most critical nexus in your network infrastructure, look no further than OpenBSD. The recent release of OpenBSD -- version 4.3 -- includes several new features and bug fixes that this article reviews.
|Articles||12 Aug 2008|
Safeguard your data with the Encrypted File System (EFS), a new AIX(R) 6.1 security feature, and get a comprehensive picture on the configuration of EFS and its usage. EFS can store the content of a file in an encrypted format at the file system level. If you’re new to EFS, this article is a good starting point for reviewing the need for EFS, its features, and most commonly used commands.
|Articles||29 Jan 2008|
|Configuring Network Information Service server and client on AIX
Security and user and group management are important aspects with respect to any operating system. In distributed networks, one of the most important tasks is to maintain the user and group information. For centralized management, many customers use Network Information Service (NIS). This article provides an overview of NIS and the steps to install and configure NIS as a server and client.
|Articles||27 Nov 2007|
|Systems Administration Toolkit: Network scanning
Discover how to scan your network for services and how to regularly monitor your services to keep uptimes to a maximum. A key way of ensuring the security of your network is to know what is on your network and which services on individual machines are at risk of exposure. Unauthorized services, such as Web servers or file sharing solutions, not only degrade performance, but others can use these services as routes into your network. In this article, learn how to use these same techniques to ensure that genuine services remain available.
|Articles||04 Dec 2007|
|Install and configure NIS+
Ease your system administration tasks and use Network Information Service plus (NIS+) to quickly handle maintenance and security issues for information. NIS+ is a network-wide naming and administration service that works on a client-server model. The server maintains all the details of the users and clients in a central database. In this article, get step-by-step instructions on how to install, configure, and administer NIS+.
|Articles||28 Aug 2007|
|Heterogeneous IPSec solution between AIX and Windows
Internet security is a major concern. Internet Protocol Security (IPSec) is a framework for a set of protocols that helps you implement security at the IP packet level. IPSec works across heterogeneous environments to create secure tunnels for safer transactions. This article talks about what you can gain from configuring IPSec in a heterogeneous environment between AIX and Windows.
|Articles||24 Aug 2010|
|Take a closer look at OpenBSD
OpenBSD is quite possibly the most secure operating system on the planet. Every step of the development process focuses on building a secure, open, and free platform. UNIX(R) and Linux(R) administrators take note: Without realizing it, you probably use tools ported from OpenBSD every day. Maybe it's time to give the whole operating system a closer look.
|Articles||08 Aug 2006|
|Securing your DB2 file systems with EFS
From AIX 6.1 onwards, user-created file systems can be encrypted, with the encryption implemented at the file system level. This approach allows some applications' data to be encrypted without much maintenance overhead. One such product that can benefit from data encryption is DB2. The need to encrypt application data is becoming more common, especially if backups are taken and moved off site, or if the application resides on external sites. SOX even recommends that, to maintain the confidentiality of the data, encryption should be strongly considered. This article demonstrates how to create a DB2 database and encrypt it under AIX, and looks at common EFS commands.
|Articles||25 Oct 2011|
|Changing UIDs and GIDs
It's important to know what happens to file ownership in AIX once you make a UID or GID change. If you don't understand the results of altering a UID or GID, you could cause serious issues to your server and environment.
|Articles||04 Mar 2008|
|Improve your memory programming
Are you tired of spending countless hours devoted to fixing memory faults? Do you find yourself constantly being bogged down in programs that leak memory, violate memory bounds, use uninitialized data, and devote an excessive amount of run time to memory management? Use this article to help you conquer these pesky memory defects.
|Articles||04 May 2007|
|Planning a two-node IBM PowerHA SystemMirror cluster: Six must-know items
This knowledge path will identify and describe several must-know items to properly plan and implement a basic two-node IBM PowerHA® SystemMirror cluster. Relevant educational courses will be identified in the final step.
|Knowledge paths||11 Sep 2012|
|AIX V6.1 Remote Login Session Management
Regulatory compliance regimes require systems to implement automatic logoff of sessions to enable a secure environment. UNIX-based solutions tend to make extensive use of utilities like FTP, TELNET, and SSH, whose sessions are required to be configured for automatic timeout. This article explains the relationship between automatic logoff and various regulatory compliance regimes. Subsequently, it steps through the administrative procedure required to configure it for FTP, TELNET, and SSH on AIX V6.1.
|Articles||22 Jun 2010|
|POSIX file capabilities: Parceling the power of root
Linux has been using capabilities for years, but has recently acquired POSIX file capabilities. POSIX file capabilities split root user powers into smaller privileges, such as the ability to read files or to trace processes owned by another user. By assigning capabilities to a file, you can enable an unprivileged user to execute the file with those specified privileges. In this article, learn how to program using capabilities and how to switch on the ability of your system setuid root binaries to use file capabilities.
|Articles||16 Oct 2007|
|Make UNIX work with Windows XP and Mac OS X
Learn about using a UNIX(R) system as a primary domain controller (PDC) and file repository, including an anonymous, read-only shared area accessible by anyone with a Web browser. To be a good citizen on your local network, you need to integrate your favorite UNIX system with the networking features of client systems, generally running Windows(R) XP or Mac OS X. This makes it easier for the users of those workstations to take advantage of the centralized authentication and storage facilities you can provide.
|Articles||18 Apr 2006|
|Perform uniform mounting with generic NFS
To efficiently achieve uniform mounting in the presence of multiple, simultaneous NFS version exports, you need a generic NFS mount utility. Learn how a generic NFS mount utility can help reduce handling multiple NFS versions and simplify the management of those versions. The article describes the concept of the generic NFS mount, outlines the advantages and applications of the system, and gives some overall design details.
|Articles||11 Feb 2009|
|Secure communication with Kerberized OpenSSH on AIX Version 5.3 using Windows Kerberos service
Discover how you can configure the Kerberized Open Secure Shell (OpenSSH) on AIX(R) Version 5.3 machines that have Microsoft(R) Active Directory Server to act as the Key Distribution Center (KDC). OpenSSH encrypts traffic, including passwords, to eliminate eavesdropping, taking over your connection, or peeking into your data. If you work in a hybrid environment with multi-vendor solutions on AIX Version 5.3 systems, then you'll find this article extremely useful.
|Articles||13 Jun 2006|
|Get the latest version of OpenSSH for AIX
OpenSSH is a free software tool that supports SSH1 and SSH2 protocols. It's reliable and secure and is widely accepted in the IT industry to replace the r-commands, telnet, and ftp services, providing secure encrypted sessions between two hosts over the network. Get information in this article about OpenSSH version 3.4p1.
|Articles||10 Feb 2006|
|Use free software within commercial UNIX
Increase your productivity and take advantage of the free software that is currently available for the UNIX(R) platform. Tools like GCC (GNU gcc and gcc-c++ compilers), Emacs, and even core utilities like BASH and file utilities (ls, find, and so forth) started their life as free software alternatives under UNIX. In this article, you'll look at the development of some of these tools, as well as licensing, usability issues, and how best to install and integrate this free software into your commercial UNIX operating system.
|Articles||09 Feb 2006|
|10 tips for sensible systems administration
Benjamin Franklin: scientist, scholar, statesman, and . . . systems administrator? Yes, 200 years or so before the birth of UNIX, Franklin scribed sage advice to keep systems humming. Here are 10 of Franklin's more notable tips.
|Articles||10 Mar 2009|
|Securing the Hardware Management Console
Get step-by-step instructions for things you should do during installation of the Hardware Management Console (HMC), measures you can take after installation, and maintenance guidelines to ensure that a secure system stays secure. The HMC, which plays a central role in the IBM virtualization strategy, controls hardware, configures logical partitions (LPAR), and assigns both physical and virtual devices. It is vital to systems management in a virtualized environment.
|Articles||06 Feb 2007|
|Get to know NetBSD
NetBSD runs on more hardware platforms than any other UNIX(R) derivative due to smart design decisions and a commitment to portable code. Whether you're porting an operating system to a proprietary embedded system or looking for stability and compatibility across hardware platforms in the lab, NetBSD and its open license is a compelling alternative to Linux(R) and the GNU Public License (GPL).
|Articles||29 Aug 2006|
|IBM AIX system administration, part 1: Installation
This knowledge path series introduces how to install IBM AIX (using CDs or online), create a virtualized environment, and configure console management.
|Knowledge paths||10 Jan 2013|