COBIT control objectives supported by AIX Security Expert
AIX® Security Expert supports the SOB-COBIT Best Practices Security level in addition to the High, Medium, Low, AIX Default and Advanced Security settings.
The United States Congress enacted the 'Sarbanes-Oxley Act of 2002' to protect investors by improving the accuracy and reliability of financial information disclosed by corporations. The COBIT control objectives feature will help System Administrators to configure, maintain, and audit their IT systems for compliance with this law. The SOX Configuration Assistant is accessed through the aixpert command line. The feature assists with the SOX section 404 of the Sarbanes-Oxley Act, but The AIX Security Expert SOX Configuration Assistant automatically implements security settings commonly associated with COBIT best practices for SOX Section 404, Internal Controls. Additionally, the AIX Security Expert provides a SOX audit feature which reports to the auditor whether the system is currently configured in this manner. The feature allows for the automation of system configuration to aid in IT SOX compliance and in the automation of the audit process.
Since SOX does not offer guidance on how IT must comply with section 404, the IT industry has focused on the existing governance detailed by www.isaca.org/. More specifically, the IT governance covered by Control Objectives for Information and related Technology (COBIT).
- Password policy enforcement
- Violation and Security Activity Reports
- Malicious software prevention, detection and correction, and unauthorized software
- Firewall architecture and connections with public networks
AIX Security Expert does not support all of the attributes specified under each control objective. The supported attributes and their respective control objectives are summarized in the following tables:
Password policy enforcement
| Description | Security setting |
|---|---|
| Maximum password age | maxage=13 |
| Enforce password history | histsize=20 |
| Minimum password age | minage=1 |
| Minimum password length | minlen=8 |
| Contains at least 6 characters | Minalpha=6 |
| Similarity to old password | mindiff=4 |
| Password expiration warning days | pwdwarntime=14 |
Security violations and activity report
| Description | Security setting | Remarks |
|---|---|---|
| Auditing Enabled | yes | |
| No direct root logins | yes | |
| Enable auditing for priviledge escalation | yes | AIXpert leverages the USER_SU audit event. Please ensure this event is turned on. |
Malicious software detection and correction
AIX Security Expert leverages the AIX trusted software execution feature to ensure that the software is not tampered with by anyone. The trustchk command checks the consistency of the objects that are registered in the Trusted Software database.
Firewall setup
AIX Security Expert turns on IPSec and enables filter rules to avoid port scans. The ports that are shunned are listed in the following table:
| Service | Description |
|---|---|
| Tcp/11, udp/11 | Systat |
| Tcp/13, udp/13 | Daytime |
| (RFC 867) Tcp/19, udp/19 | Character Generator |
| Tcp/25 | Simple Mail Transfer (SMTP) |
| Tcp/43, udp/43 | Who Is (nickname) |
| Tcp/63, udp/63 | Whois++ |
| Tcp/67, udp/67 | Bootstrap protocol server (bootps) |
| Tcp/68, udp/68 | Bootstrap protocol client (bootpc) |
| Tcp/69, udp/69 | Trivial file transfer |
| (tftp) Tcp/79, udp/79 | Finger |
| Tcp/87 | Private Terminal Link |
| Tcp/110 | Post office protocol – version 3 (POP3) |
| Udp/111 | SUN Remote Procedure Call |
| Tcp/113 | Authentication Service (auth) |
| Udp/123 | Network Time Protocol |
| Udp/161 | SNMP |
| Udp/162 | SNMPTRAP |
| Tcp/194 | Internet Relay chat Protocol |
| Tcp/443 | http protocol over TLS/SSL |
| Tcp/511 | PassGo |
| Tcp/514 | Cmd (shell) |
| Tcp/520 | Extended file name server (efs) |
| Tcp/540 | Uucpd (uucp) |
| Tcp/546 | DHCPv6 Client |
| Tcp/547 | DHCPv6 Server |
| Tcp/555 | Dsf |
| tcp/559 | TEEDTAP |
| tcp/593 | HTTP RPC Ep Map |
| udp/635 | RLS Dbase |
| tcp/666 | Mdqs |
| tcp/777 | Multiling HTTP |
| tcp/901 | SNMPNSMERES |
| tcp/902 | IDEAFARM-CHAT |
| tcp/903 | IDEAFARM-CATCH |
| tcp/1024 | Reserved |