AIX® Security Expert disables unsecure commands for High Level Security and Medium
Level Security.
The following commands and daemons are exploited frequently for
finding security loopholes. For High Level Security and Medium Level
Security, these unsecure commands are denied execute permissions and
the daemons are disabled. For Low Level Security, these commands and
daemons are not affected. For AIX Standard Settings, these commands and daemons are enabled for
use.
- rcp
- rlogin
- rsh
- tftp
- rlogind
- rshd
- tftpd
Table 1. AIX Security Expert Disable Remote Services
| Action button name |
Description |
Value set by AIX Security Expert |
Undo |
| Enable unsecure daemons |
If TCB is enabled, sets execute permissions
of the rlogind, rshd, and tftpd daemons, updates the sysck database with the mode
bit changes for these daemons. If TCB is not enabled, execute permissions
on the rlogind, rshd, and tftpd daemons are set. |
- High Level Security
- No effect
- Medium Level Security
- No effect
- Low Level Security
- No effect
- AIX Standard Settings
- No effect
|
Yes |
| Disable unsecure commands |
- If TCB is enabled, removes the execute permissions of the rcp, rlogin, rsh commands
and tftp, and updates the sysck database with the mode bit changes of these commands. If TCB is
not enabled, removes the execute permissions on the rcp, rlogin, and rsh commands.
- Stops the current instances of rcp, rlogin, rsh, tftp, and uftp commands, unless one of these commands
is the parent process of AIX Security Expert.
- Adds tcpip: stanza to /etc/security/config to restrict .netrc usage in ftp and rexec.
|
- High Level Security
- Yes
- Medium Level Security
- No effect
- Low Level Security
- No effect
- AIX Standard Settings
- No effect
|
Yes |
| Enable unsecure commands |
- If TCB is enabled, sets the execute permissions of the rcp, rlogin, rsh,
and tftp commands and updates the sysck database with the mode bit changes of these commands. If TCB is
not enabled, sets the execute permissions on the rcp, rlogin, and rsh commands.
- Removes the /etc/security/config file.
|
- High Level Security
- No effect
- Medium Level Security
- No effect
- Low Level Security
- No effect
- AIX Standard Settings
- Yes
|
Yes |
| Disable unsecure daemons |
- If TCB is enabled, removes execute permissions of the rlogind, rshd, and tftpd daemons and updates the sysck database with the
mode bit changes of these daemons. If TCB is not enabled, removes
the execute permissions of the rlogind, rshd, and tftpd daemons.
- Stops the current instances of the rlogind, rshd, and tftpd daemons, unless one
of these daemons is the parent process of AIX Security Expert.
|
- High Level Security
- Yes
- Medium Level Security
- No effect
- Low Level Security
- No effect
- AIX Standard Settings
- No effect
|
Yes |
| Stop NFS daemon |
- Removes all NFS mounts
- Disables NFS
- Removes NFS startup script from /etc/inittab
|
- High Level Security
- Yes
- Medium Level Security
- No effect
- Low Level Security
- No effect
- AIX Standard Settings
- No effect
|
Yes |
| Enable NFS daemon |
- Exports all entries listed in /etc/exports
- Adds an entry to /etc/inittab to run /etc/rc.nfs on system restart
- Runs /etc/rc.nfs immediately
|
- High Level Security
- No effect
- Medium Level Security
- No effect
- Low Level Security
- No effect
- AIX Standard Settings
- Yes
|
Yes |