COBIT control objectives supported by AIX Security Expert

AIX® Security Expert supports the SOX-COBIT Best Practices Security level in addition to the High, Medium, Low, AIX Default and Advanced Security settings.

The United States Congress enacted the 'Sarbanes-Oxley Act of 2002' to protect investors by improving the accuracy and reliability of financial information disclosed by corporations. The COBIT control objectives feature helps system administrators configure, maintain, and audit their IT systems for compliance with this law. The SOX Configuration Assistant is accessed through the aixpert command line. The feature assists with section 404 of the Sarbanes-Oxley Act: the AIX Security Expert SOX Configuration Assistant automatically implements security settings commonly associated with COBIT best practices for SOX Section 404, Internal Controls. Additionally, AIX Security Expert provides a SOX audit feature that reports to the auditor whether the system is currently configured in this manner. The feature automates system configuration to aid in IT SOX compliance and automates the audit process.

Since SOX does not offer guidance on how IT must comply with section 404, the IT industry has focused on the existing governance detailed by www.isaca.org/, more specifically the IT governance covered by Control Objectives for Information and related Technology (COBIT).

AIX Security Expert supports the following control objectives:
  • Password policy enforcement
  • Violation and Security Activity Reports
  • Malicious software prevention, detection and correction, and unauthorized software
  • Firewall architecture and connections with public networks

AIX Security Expert does not support all of the attributes specified under each control objective. The supported attributes and their respective control objectives are summarized in the following tables:

Password policy enforcement

| Description | Security setting |
|---|---|
| Maximum password age | maxage=13 |
| Enforce password history | histsize=20 |
| Minimum password age | minage=1 |
| Minimum password length | minlen=8 |
| Contains at least 6 characters | minalpha=6 |
| Similarity to old password | mindiff=4 |
| Password expiration warning days | pwdwarntime=14 |
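
As an added example (not part of the original documentation), the following shell function checks a stanza file in the /etc/security/user format against the values in the table above, and also flags per-user stanzas that set one of these attributes to a different value. The function names, the sample file and the user `alice` are constructed for illustration.

```shell
# Expected values, copied from the password policy table above.
SOX_PW_POLICY="maxage=13 histsize=20 minage=1 minlen=8 minalpha=6 mindiff=4 pwdwarntime=14"
# check_pw_policy FILE: print one line per deviation; return 0 if compliant, else 1.
check_pw_policy() {
    awk -v policy="$SOX_PW_POLICY" '
    BEGIN {
        n = split(policy, kv, " ")
        for (i = 1; i <= n; i++) { split(kv[i], p, "="); name[i] = p[1]; want[p[1]] = p[2] }
    }
    /^[ \t]*\*/ || /^[ \t]*$/ { next }                    # comment or blank line
    /^[^ \t].*:[ \t]*$/ { stanza = $0; sub(/:[ \t]*$/, "", stanza); next }
    {
        line = $0; gsub(/[ \t]/, "", line)                # "minlen = 8" -> "minlen=8"
        eq = index(line, "="); if (eq == 0) next
        attr = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        if (!(attr in want)) next
        if (stanza == "default") dflt[attr] = val
        else if (val != want[attr])                       # per-user value differs from policy
            over[++m] = stanza ": " attr "=" val " overrides default (expected " want[attr] ")"
    }
    END {
        for (i = 1; i <= n; i++) {
            a = name[i]
            if (!(a in dflt)) { print "default: " a " not set (expected " want[a] ")"; bad = 1 }
            else if (dflt[a] != want[a]) { print "default: " a "=" dflt[a] " (expected " want[a] ")"; bad = 1 }
        }
        for (i = 1; i <= m; i++) { print over[i]; bad = 1 }
        exit bad + 0
    }' "$1"
}
# write_sample FILE: constructed stanza file (not from a real system).
write_sample() {
cat > "$1" <<'EOF'
* constructed sample in /etc/security/user stanza format
default:
	maxage = 13
	histsize = 20
	minage = 1
	minlen = 6
	minalpha = 6
	mindiff = 4

alice:
	maxage = 0
EOF
}
# Demo on the constructed sample; on AIX, pass /etc/security/user instead.
sample=$(mktemp) && write_sample "$sample"
check_pw_policy "$sample" || echo "policy deviations found"
rm -f "$sample"
```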

Security violations and activity report

| Description | Security setting | Remarks |
|---|---|---|
| Auditing Enabled | yes | |
| No direct root logins | yes | |
| Enable auditing for privilege escalation | yes | AIXpert leverages the USER_SU audit event. Please ensure this event is turned on. |

Malicious software detection and correction

AIX Security Expert leverages the AIX trusted software execution feature to ensure that the software is not tampered with by anyone. The trustchk command checks the consistency of the objects that are registered in the Trusted Software database.

Firewall setup

AIX Security Expert turns on IPSec and enables filter rules to avoid port scans. The ports that are shunned are listed in the following table:

| Service | Description |
|---|---|
| tcp/11, udp/11 | Systat |
| tcp/13, udp/13 | Daytime (RFC 867) |
| tcp/19, udp/19 | Character Generator |
| tcp/25 | Simple Mail Transfer (SMTP) |
| tcp/43, udp/43 | Who Is (nickname) |
| tcp/63, udp/63 | Whois++ |
| tcp/67, udp/67 | Bootstrap protocol server (bootps) |
| tcp/68, udp/68 | Bootstrap protocol client (bootpc) |
| tcp/69, udp/69 | Trivial file transfer (tftp) |
| tcp/79, udp/79 | Finger |
| tcp/87 | Private Terminal Link |
| tcp/110 | Post office protocol – version 3 (POP3) |
| udp/111 | SUN Remote Procedure Call |
| tcp/113 | Authentication Service (auth) |
| udp/123 | Network Time Protocol |
| udp/161 | SNMP |
| udp/162 | SNMPTRAP |
| tcp/194 | Internet Relay Chat Protocol |
| tcp/443 | http protocol over TLS/SSL |
| tcp/511 | PassGo |
| tcp/514 | Cmd (shell) |
| tcp/520 | Extended file name server (efs) |
| tcp/540 | Uucpd (uucp) |
| tcp/546 | DHCPv6 Client |
| tcp/547 | DHCPv6 Server |
| tcp/555 | Dsf |
| tcp/559 | TEEDTAP |
| tcp/593 | HTTP RPC Ep Map |
| udp/635 | RLS Dbase |
| tcp/666 | Mdqs |
| tcp/777 | Multiling HTTP |
| tcp/901 | SNMPNSMERES |
| tcp/902 | IDEAFARM-CHAT |
| tcp/903 | IDEAFARM-CATCH |
| tcp/1024 | Reserved |