I wouldn't like to generalize, but it seems that installing operating systems with default settings is such a common practice bigger than one could admit.
Tight schedules, bad planning, leaving for later or not enough security awareness are among the causes (or excuses) that can be argued for not hardening a new operating system.
Keeping an OS up and running has to be considered art. It involves good resources management skills from the sys admin: network configuration & performance, SAN troubleshooting, I/O throughput, CPU & memory consumption, logical volume manager issues, monitoring disk space usage, managing user ids (creation, modification, deletion, privileges), patch management, reassing priorities to processes, add or delete resources, etc.
Sys admin have to have an overall picture of what it is happening on their systems. They must be guardians of the systems under their charge. But I wonder, why security is often a forgotten and ignored entity?
It is common to find new installed systems with obsolete and vulnerable services running on them: FTP or Telnet (among others equal or more vulnerable) leaving practically the doors open for some potential hacker to eavesdrop network communications and capture user ids and passwords.
An easy way to avoid putting an AIX system vulnerable is to prepare a hardened image and put it available on the NIM master. This image would be the only approved one to be used for new installations. If images are already created based on some application profiles, why not cover also the security part?
A tool that helps tremendously on performing this task is the AIX Security Expert, which is a system security hardening tool. According to the documentation available at http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/aix_sec_expert.htm
"It is part of the bos.aixpert fileset. AIX Security Expert provides simple menu settings for High Level Security, Medium Level Security, Low Level Security, and AIX Standard Settings security that integrate over 300 security configuration settings while still providing control over each security element for advanced administrators. AIX Security Expert can be used to implement the appropriate level of security, without the necessity of reading a large number of papers on security hardening and then individually implementing each security element.
AIX Security Expert can be used to take a security configuration snapshot. This snapshot can be used to set up the same security configuration on other systems. This saves time and ensures that all systems have the proper security configuration in an enterprise environment."
It provides flexibility by allowing to configure the system into different security levels:
- High Level Security
- Medium Level Security
- Low Level Security
- Advanced Security (Custom user-specified security)
- AIX Standard Settings (Original system default security)
- Check Security (Provides a detailed report of current security settings)
The security level will depend on the characteristics of the environment: e.g. a development server might have lower level of security than a production server.
But independently of the characteristics, don't leave systems widely open to the world by not hardening them. Because security is often a forgotten and ignored entity, but wildly remembered and painly missed if something bad happens.