Secure by default

Secure By Default (SbD) is the concept of installing a minimal set of software in a secure configuration.

The AIX® Secure by Default (SbD) installation option installs a lighter version of the TCP client and server filesets, that excludes vulnerable commands and files. The and filesets are part of the SbD installation and contain all commands and files except for any applications that allow for the transmission of passwords over the network in clear text format such as telnet and ftp. In addition, applications that might be used, such as rsh, rcp, and sendmail, are excluded from the SbD filesets.

The final automated process of the SbD install is to impose the AIX Security Expert high-level security configuration settings. You can do this by running the aixpert command from /etc/firstboot script: /usr/sbin/aixpert -f /etc/security/aixpert/core/SbD.xml -p 2>/etc/security/aixpert/log/firstboot.log

It is possible to move the machine out of SbD mode by changing the ODM variable SbD_STATE to sbd_disable, installing the and filesets again, and using the AIX Security Expert to bring the system to its default security level.

It is not possible to use migration install or preservation install to achieve a SbD installed system. SbD is a separate install menu path.
Note: When you update a system that is in SbD mode with a service pack, the updated system is not in SbD mode following the upgrade.

It is possible to have a securely configured system without using the SbD install option. For example, the AIX Security Expert High, Medium, or Low level security options can be configured on a regular installation.

The differences between an SbD-installed system and a regular installation with an AIX Security Expert High Level Security configuration is best illustrated by examining the telnet command. In both cases, the telnet command is disabled. In an SbD installation, the telnet binary or application is never even installed on the system.

When the SbD installation is used, the following services are either not installed on the system at install time or are disabled. With some of these services not installed on the system, it is not possible to access or run these commands from the system. If these commands and programs are needed, do not use the SbD install option. In addition, if any scripts, remote programs, or dependent filesets require these commands and programs, do not use the SbD install option.
Service Program Arguments
bootps /usr/sbin/bootpd bootpd /etc/bootp
comsat /usr/sbin/comsat comsat
exec /usr/sbin/rexecd rexecd
finger /usr/sbin/fingerd fingerd
ftp /usr/sbin/ftpd ftpd
instsrv /u/netinst/bin/instsrv instsrv -r /tmp/netinstalllog /u/netinst/scripts
login /usr/sbin/rlogind rlogind
netstat /usr/bin/netstat netstat -f inet
ntalk /usr/sbin/talkd talkd
pcnfsd /usr/sbin/rpc.pcnfsd pcnfsd
rexd /usr/sbin/rpc.rexd rexd
rquotad /usr/sbin/rpc.rquotad rquotad
rstatd /usr/sbin/rpc.rstatd rstatd
rusersd /usr/lib/netsvc/rusers/rpc.rusersd rusersd
rwalld /usr/lib/netsvc/rwall/rpc.rwalld rwalld
shell /usr/sbin/rshd rshd
sprayd /usr/lib/netsvc/spray/rpc.sprayd sprayd
systat /usr/bin/ps ps -ef
talk /usr/sbin/talkd talkd
telnet /usr/sbin/telnetd telnetd -a
tftp /usr/sbin/tftpd tftpd -n
uucp /usr/sbin/uucpd uucpd