The following is a checklist of security actions to perform on a newly installed or existing system.
Although this list is not a complete security checklist, it can be used as a foundation to build a security checklist for your environment.
- When installing a new system, install AIX® from secure base media.
Perform the following procedures at installation time:
- Do not install desktop software, such as CDE, GNOME, or KDE, on servers.
- Install required security fixes and any recommended maintenance and technology level fixes. See the IBM® System p eServer™ Support Fixes website (http://www.ibm.com/support/fixcentral) for the newest service bulletins, security advisories, and fix information.
- Back up the system after the initial installation and store the system backup in a secure location.
- Establish access control lists for restricted files and directories.
- Disable unnecessary user accounts and system accounts, such as daemon, bin, sys, adm, lp, and uucp. Deleting accounts is not recommended because it deletes account information, such as user IDs and user names, which may still be associated with data on system backups. If a user is created with a previously deleted user ID and the system backup is restored on the system, the new user might have unexpected access to the restored system.
- Review the /etc/inetd.conf, /etc/inittab, /etc/rc.nfs, and /etc/rc.tcpip files on a regular basis and remove all unnecessary daemons and services.
- Verify that the permissions for the following files are set correctly:
-rw-rw-r-- root system /etc/filesystems -rw-rw-r-- root system /etc/hosts -rw------- root system /etc/inittab -rw-r--r-- root system /etc/vfs -rw-r--r-- root system /etc/security/failedlogin -rw-rw---- root audit /etc/security/audit/hosts
- Disable the root account from being able to remotely log in. The root account should be able to log in only from the system console.
- Enable system auditing. For more information, see Auditing overview.
- Enable a login control policy. For more information, see Login control.
- Disable user permissions to run the xhost command. For more information, see Managing X11 and CDE concerns.
- Prevent unauthorized changes to the PATH environment variable. For more information, see PATH environment variable.
- Disable telnet, rlogin, and rsh. For more information, see TCP/IP security.
- Establish user account controls. For more information, see User account control.
- Enforce a strict password policy. For more information, see Passwords.
- Establish disk quotas for user accounts. For more information, see Recovering from over-quota conditions.
- Allow only administrative accounts to use the su command. Monitor the su command's logs in the /var/adm/sulog file.
- Enable screen locking when using X-Windows.
- Restrict access to the cron and at commands to only the accounts that need access to them.
- Use an alias for the ls command to show hidden files and characters in a file name.
- Use an alias for the rm command to avoid accidentally deleting files from the system.
- Disable unnecessary network services. For more information, see Network services.
- Perform frequent system backups and verify the integrity of backups.
- Subscribe to security-related e-mail distribution lists.