AIX Security Expert Miscellaneous group
AIX® Security Expert provides miscellaneous security settings for High, Medium, and Low Level Security.
Action button name | Description | Value set by AIX Security Expert | Undo |
---|---|---|---|
Remove dot from path root | Checks the $HOME/.profile, $HOME/.kshrc, $HOME/.cshrc, and $HOME/.login files for dots (.) in the PATH environment variable, and removes them if they exist. Note: Removing the dots occurs only when the entry in the file begins with the PATH environment variable and contains dots (.). The file is not changed if the PATH environment variable contains other variables or is set to the value returned from a program that is called from a script. An example of a path that would not be changed follows, where pathprog is a program that returns a path string: In this path, the dots are removed from the path before the content of the variable pathprog is resolved, so any dots that exist in the returned path are not removed. | | Yes |
Limit system access | Ensures that root is the only user permitted to run cron jobs. | | Yes |
Remove dot from /etc/environment | Removes dots (.) from the PATH environment variable in the /etc/environment file. | | Yes |
Remove dot from non-root path | Removes dots (.) from the PATH environment variable in the $HOME/.profile, $HOME/.kshrc, $HOME/.cshrc, and $HOME/.login files of all non-root users. Note: Removing the dots occurs only when the entry in the file begins with the PATH environment variable and contains dots (.). The file is not changed if the PATH environment variable contains other variables or is set to the value returned from a program that is called from a script. An example of a path that would not be changed follows, where pathprog is a program that returns a path string: In this path, the dots are removed from the path before the content of the variable pathprog is resolved, so any dots that exist in the returned path are not removed. | | No |
Add root user in /etc/ftpusers file | Adds the root user name to the /etc/ftpusers file to disable remote root ftp. | | Yes |
Remove root user in /etc/ftpusers file | Removes the root entry from /etc/ftpusers to enable remote root ftp. | | Yes |
Set login herald | Checks /etc/security/login.cfg to ensure that a herald value is not specified. If the default herald is being used, the herald should be changed. The herald can be changed only if the system's locale is en_US or another English locale. If this criterion is met, the herald attribute's value in the default stanza of the /etc/security/login.cfg file is set to the following: Note: The security setting takes effect only for new sessions. The security setting does not take effect in the session where the configuration was set. | | Yes |
Remove guest account | For High, Medium, and Low security, removes the guest account as well as guest's data on the machine. For AIX Standard Settings, the guest account is created on the system. Note: A system administrator must set the password for this account explicitly, as AIX Security Expert is not designed to handle such user interactive tasks. | | Yes |
Crontab permissions | Ensures that root's crontab jobs are owned and writeable only by root. | | Yes |
Enable X-Server access | Mandates authentication for access to the X-Server. | | No |
Object creation permissions | Sets an appropriate value for the umask attribute in /etc/security/user, which specifies default object creation permissions. | | Yes |
Set core file size | Sets an appropriate value for the core attribute in /etc/security/limits, which specifies the core file size for root. Note: The security setting takes effect only for new sessions. The security setting does not take effect in the session where the configuration was set. | | Yes |
Enable SED feature | Enables the Stack Execution Disable feature and runs the sedmgr command on the files specified. Note: A system reboot is needed for the rule to take effect. | | |
Root Password Integrity Check | Ensures that the root password is not weak. The dictionlist attribute of root is set to /etc/security/aixpert/dictionary/English, so that the passwd command can ensure that the root password being set is not weak. | | Yes |
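
The note in the two "Remove dot" rows means that PATH lines built from other variables or from a program's output are left unchanged, so they need a manual check after the rule runs. The following sh script is an added example, not AIX Security Expert code: it classifies PATH assignments in a profile file and reports both the lines with a literal dot entry and the lines the note says are not changed. It assumes sh/ksh-style `PATH=` lines only; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not AIX Security Expert code. Assumption: only sh/ksh-style
# lines that begin with "PATH=" or "export PATH=" are examined.

# classify_path_line LINE -> skip | clean | literal-dot | dynamic | dynamic-dot
classify_path_line() {
    line=$1
    case $line in
        "export PATH="*) value=${line#"export PATH="} ;;
        PATH=*)          value=${line#PATH=} ;;
        *) echo skip; return 0 ;;
    esac
    value=${value%%;*}                          # drop a trailing "; export PATH"
    value=${value%"${value##*[![:space:]]}"}    # trim trailing whitespace
    value=${value#\"}; value=${value%\"}        # drop surrounding double quotes
    dot=""
    case ":$value:" in *:.:*) dot=yes ;; esac   # an element that is exactly "."
    case $value in
        *'$'*|*'`'*)                            # variable or command substitution
            if [ -n "$dot" ]; then echo dynamic-dot; else echo dynamic; fi ;;
        *)
            if [ -n "$dot" ]; then echo literal-dot; else echo clean; fi ;;
    esac
}

# audit_file FILE -> prints "FILE:LINENO:CLASS" for every line needing attention
audit_file() {
    file=$1
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        class=$(classify_path_line "$l")
        case $class in
            literal-dot|dynamic|dynamic-dot) printf '%s:%s:%s\n' "$file" "$n" "$class" ;;
        esac
    done < "$file"
}

# Constructed sample profile; pathprog stands for the program named in the note.
sample=${TMPDIR:-/tmp}/profile.sample.$$
cat > "$sample" <<'EOF'
PATH=/usr/bin:/etc:/usr/sbin:.
export PATH=/usr/bin:$(pathprog):/usr/sbin
PATH=$PATH:.; export PATH
PATH=/usr/bin:/usr/sbin
EOF
audit_file "$sample"
rm -f "$sample"
```

Lines reported as `dynamic` or `dynamic-dot` are the ones to review by hand, including what the called program or referenced variable actually expands to.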