Question & Answer
Question
Our security tools report warnings, based on external security benchmark recommendations.
- Can AIX tell me how to resolve these issues?
- Does AIX support the recommendations?
Answer
Benchmarks from non-IBM sources provide security recommendations, but they are not necessarily default AIX settings. IBM AIX does not restrict the operating system based on external recommendations. Examples of such sources include:
- Payment Card Industry (PCI)
- US Department of Defense (DoD)
- Health Insurance Portability and Accountability Act (HIPAA)
- Center for Internet Security (CIS)
- Security hardening requirements vary for AIX customer environments, so default settings might need to be modified to meet these requirements.
- There is no inherent restriction in AIX to prevent applying common security hardening benchmark recommendations. However, some changes might alter default system behavior.
- AIX support does not make specific recommendations to harden your system. Security configuration involves comprehensive features, which require advanced review and planning by administrators who are familiar with all of their system requirements.
- Customers are encouraged to explore security products such as IBM Power SC to ease the task of security and compliance.
- The following examples do not imply endorsement or recommendation of this benchmark.
1) Recommendation 3.5.3 General Permissions Management - world writable directories
Directories should only be world writable when absolutely necessary, and only with the so-called SVTX (sticky) bit set. This protects users' files from being deleted or renamed by other users.
| TEST: |
|---|
| # find / \( -fstype jfs -o -fstype jfs2 \) -type d -perm -o+w ! -perm -1000 -ls |
AIX RESULT: The default IBM AIX directories with world-write permissions have the sticky bit set.
2) Recommendation 3.5.4 General Permissions Management - world writable files
An audit should be performed on the system to search for the presence of world writable files. Files should only be world writable when absolutely necessary.
| TEST: |
|---|
| # find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -o+w -ls |
AIX RESULT: No world-writable files are provided by the AIX base installation.
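The two find checks above (recommendations 3.5.3 and 3.5.4) run here against a constructed directory tree, as an added example that is not from the IBM technote. It assumes a POSIX host with find, mktemp and chmod; it restricts the walk to one path instead of the AIX `\( -fstype jfs -o -fstype jfs2 \)` filter, and the remediate function applies the fix the recommendations describe (sticky bit on directories, no other-write on files).

```shell
#!/bin/sh
# Added example (not from the IBM technote): offline audit of CIS 3.5.3 / 3.5.4
# against a constructed directory tree. The AIX commands restrict the walk with
# \( -fstype jfs -o -fstype jfs2 \); here the walk is restricted to the single
# path passed as $1 instead, so the functions run on any POSIX host.

# 3.5.3: world-writable directories that lack the sticky (SVTX) bit.
unsafe_world_writable_dirs() {
    find "$1" -type d -perm -o+w ! -perm -1000
}

# 3.5.4: regular files that are world-writable.
world_writable_files() {
    find "$1" -type f -perm -o+w
}

# Constructed fixture: one acceptable directory, one flagged directory,
# one flagged file and one ordinary file. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -m 1777 "$root/tmp_like"      # world-writable with sticky bit: acceptable
    mkdir -m 0777 "$root/shared_bad"    # world-writable without sticky bit: flagged
    mkdir -m 0755 "$root/normal"        # not world-writable
    : > "$root/normal/ok.txt";        chmod 0644 "$root/normal/ok.txt"
    : > "$root/shared_bad/loose.txt"; chmod 0666 "$root/shared_bad/loose.txt"
    printf '%s\n' "$root"
}

# Remediation as the recommendations describe it: directories that must stay
# world-writable get the sticky bit; files lose other-write permission.
remediate() {
    unsafe_world_writable_dirs "$1" | while read -r d; do chmod +t "$d"; done
    world_writable_files "$1"      | while read -r f; do chmod o-w "$f"; done
}

# Stand-alone run: report, remediate, report again, then clean up.
demo() {
    fx=$(make_fixture)
    echo "flagged dirs:";  unsafe_world_writable_dirs "$fx"
    echo "flagged files:"; world_writable_files "$fx"
    remediate "$fx"
    echo "after remediation (expect nothing):"
    unsafe_world_writable_dirs "$fx"; world_writable_files "$fx"
    rm -rf "$fx"
}
demo
```

On AIX, substitute `/` plus the fstype filter from the recommendation for the single path, and review each flagged path before changing it.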
3) Recommendation 3.6.8.1.2 Home directory must deny write to all except owner
User home directories must not be group-writable or world-writable.
| TEST: |
|---|
|
** NOTE: This script is provided as an "audit" example in CIS V2. The script locks accounts that have no home directory. Administrators can modify the script if they do not want the chuser command to run during the audit test.
#!/usr/bin/ksh -e
# Walk every user in the local files registry: skip system accounts (uid < 200),
# skip homes of /dev/null, lock accounts whose home is missing, and otherwise
# report a home directory that is group- or world-writable (mode & 0022).
lsuser -R files -a id home ALL | while read name ids homes rest; do
    uid_check=$(echo ${ids} | cut -f2 -d =)
    if [[ ${uid_check} -ge 200 ]]; then
        home=$(echo ${homes} | cut -f2 -d =)
        if [[ ${home} == "/dev/null" ]]; then
            continue
        elif [[ ! -d ${home} ]]; then
            /usr/bin/printf "%-32s does not exist; locking account named [%s]\n" ${home} ${name}
            chuser -R files account_locked=true $name
        else
            [[ ${home} != "/" && ${home} != "/dev/null" ]] && \
            /usr/bin/perl -e '$f=$ARGV[0]; $m=((stat $f)[2] & 0022);
                printf("%s has group or world write mode::", $f) if $m; exit($m)' ${home} || ls -led ${home}
        fi
    fi
done
|
AIX RESULT: The default AIX mkuser.sys creates /home/$user and calls chmod -R 755.
4) Recommendation 3.6.8.1.6 /var/adm/ras
The log files in the /var/adm/ras directory can contain sensitive information such as login times and IP addresses, which an attacker may alter when removing traces of system access. All files in this directory must be secured from unauthorized access and modification.
| TEST: |
|---|
|
# ls -l /var/adm/ras | awk '{print $1 " " $3 " " $4 " " $9}'
|
AIX RESULT: There are some files that require read access for other. Administrators can disable the permissions, but some applications might not run as expected with such restrictions. By default, any user on the system can view the error report by using the errpt command. The remediation is described in the following technote:
- Restricted access to error reporting
- https://www.ibm.com/support/pages/node/719269
Many of the files with other-read access are installation-related, or exist to provide runtime information for processes. For example, /var/adm/ras/SRCKeyID contains the semaphore key for srcmstr. Restricting this file could impact multiple operations.
Since many applications might write to /var/adm/ras at runtime, AIX Support cannot provide a comprehensive list of all files that might have other-read permissions. If you have questions about particular AIX files, we can provide information based on your request.
Changing file security attributes might cause trustchk errors. The Trusted Signature Database (TSD), stored in the /etc/security/tsd/tsd.dat file, records the security attributes of the trusted files that are present on the system. Owner, group, and mode (permission bits, along with additional parameters specifying whether the SETUID, SETGID, TCB, or SVTX bits are set) are defined in the file.
- See the complete list of attributes in the trustchk man page
- https://www.ibm.com/docs/en/aix/7.2?topic=t-trustchk-command#trustchk__managetsd
The TSD database gets populated at installation time, so any changes to security attributes might cause trustchk errors, unless the database is updated.
The following steps demonstrate permission changes for the AIX default codepoint.cat file, which the errpt command uses when there is no codepoint.cat message file in $LOCPATH.
- The steps are provided for demonstration purposes. Administrators should carefully review their planned changes, and consider access requirements for non-root users.
1) Check the TSD attributes.
|
# trustchk -q /var/adm/ras/codepoint.cat | egrep "owner|group|mode"
owner = bin
group = bin
mode = 644
|
2) Compare current file attributes to database.
|
# trustchk -n /var/adm/ras/codepoint.cat
(No errors)
|
3) Use the find command to list files with other-read permissions.
|
# find /var/adm/ras \( -fstype jfs -o -fstype jfs2 \) -type f -perm -o+r -ls | grep codepoint.cat
6 195 -rw-r--r-- 1 bin bin 199152 Sep 10 09:07 /var/adm/ras/codepoint.cat
|
4) Change permission.
| # chmod 640 /var/adm/ras/codepoint.cat |
5) Compare new file attributes to database.
|
# trustchk -n /var/adm/ras/codepoint.cat
trustchk: Verification of attributes failed: /var/adm/ras/codepoint.cat : mode
|
6) Update TSD.
|
Syntax: trustchk -u <file> mode=<new permissions>
# trustchk -u /var/adm/ras/codepoint.cat mode=640
|
7) Compare new file attributes to updated database.
| # trustchk -n /var/adm/ras/codepoint.cat |
| SUPPORT |
|---|
|
AIX Support can provide usage support to extend hardening when customers have specific questions. Some restrictions might prevent applications from running. In some cases, Role Based Access Control (RBAC) can be used to grant access to particular files or applications. If customers have specific files they want to restrict, they can engage AIX Support to learn about the source and general use of the file, and then make decisions based on their environment and the requirements for that function. Fee-based services are available for security analysis or consultation. Read more about IBM Technology Services (formerly Systems Lab Services):
- See more details about AIX, Linux, and Red Hat OpenShift Security Services
https://www.ibm.com/support/pages/node/6584155
If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.
1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.
2. Capture any logs or data relevant to the situation.
3. Contact IBM to open a case:
- For electronic support, see the IBM Support Community.
4. Provide a clear, concise description of the issue.
- For more information, see: Working with IBM AIX Support: Describing the problem.
5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.
- For more information, see: Working with IBM AIX Support: Collecting snap data.
|
Document Information
Modified date:
01 February 2023
UID
ibm16509634