温柔的IT民工~
2010-09-04 10:01:30
Table columns: CID | Control Activity | Review Procedures (with CIS Benchmark Ref. #’s) | Expected Results
AIX1
Control Activity: Ensure patches, packages and the initial lockdown of the system are appropriate.
Review Procedures (CIS Benchmark Ref. #’s):

1.1 Apply latest OS patches
    Installing up-to-date vendor patches and developing a procedure for keeping up to date with vendor patches are critical for the security and reliability of the system.

1.2 Configure SSH
    Ensure both the ssh client and the sshd server are configured to use only SSH protocol 2, as security vulnerabilities have been found in the first SSH protocol.

1.3 Install TCP Wrappers package
    Download the pre-compiled TCP Wrappers package from (TCP Wrappers is installed in this section and configured in section 2.2).

Expected Results: The system has up-to-date patches and packages, and the system is locked down to reduce the number of vulnerabilities.
AIX2
Control Activity: Minimize xinetd network services to disable standard services.
Review Procedures (CIS Benchmark Ref. #’s):

2.1 Disable standard services

    for SVC in ftp telnet shell kshell login klogin exec \
        echo discard chargen daytime time ttdbserver dtspc; do
        echo "Disabling $SVC TCP"
        chsubserver -d -v $SVC -p tcp
    done
    for SVC in ntalk rstatd rusersd rwalld sprayd pcnfsd \
        echo discard chargen daytime time cmsd; do
        echo "Disabling $SVC UDP"
        chsubserver -d -v $SVC -p udp
    done
    refresh -s inetd

2.2 Configure TCP Wrappers to limit access
    1. Create /etc/hosts.allow and /etc/hosts.deny per available documentation and to suit your particular environment. Configuring TCP Wrappers is beyond the scope of this Benchmark.
       Note: Do not deny access to your system without allowing access.
    2. Modify /etc/inetd.conf:

        cd /etc
        awk '($3 ~ /^tcp/) && ($6 !~ /(internal|tcpd)$/) \
            { $7 = $6; $6 = "/usr/local/bin/tcpd" }; \
            { print }' inetd.conf > inetd.conf.with_tcp_wrappers
        cp inetd.conf.with_tcp_wrappers inetd.conf
        chown root:system inetd.conf
        chmod 644 inetd.conf inetd.conf.with_tcp_wrappers

       Test your configuration now by using the /usr/local/bin/tcpdchk command and by logging in remotely.

Expected Results: Standard services that do not meet a specific business need are disabled.
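The following script is an added example, not part of the benchmark or of the blog post: it applies the same awk field logic as the Section 2.2 rewrite to audit an inetd.conf rather than modify it, listing which services are still enabled after Section 2.1 and which enabled TCP services have not yet been routed through tcpd. The inetd.conf content is constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: read-only audit of an inetd.conf in the spirit of Sections 2.1
# and 2.2 of the checklist. Field layout of inetd.conf lines is
#   service socket proto wait user program args
# so $3 is the protocol and $6 the program that inetd executes.

# Constructed sample inetd.conf (not a real system file).
make_sample_inetd() {
    cat <<'EOF'
# constructed sample /etc/inetd.conf
#ftp     stream tcp nowait root /usr/sbin/ftpd  ftpd
telnet   stream tcp nowait root /usr/sbin/telnetd telnetd -a
ssh      stream tcp nowait root /usr/local/bin/tcpd sshd -i
echo     stream tcp nowait root internal
#daytime dgram  udp wait   root internal
ntalk    dgram  udp wait   root /usr/sbin/talkd talkd
EOF
}

# Names of services that are not commented out, one per line.
enabled_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Enabled TCP services whose program is neither tcpd nor inetd's built-in
# "internal": the same selection the Section 2.2 awk uses before rewriting.
unwrapped_tcp_services() {
    awk '!/^[[:space:]]*(#|$)/ && ($3 ~ /^tcp/) && ($6 !~ /(internal|tcpd)$/) { print $1 }' "$1"
}

# The Section 3.2 test: number of active lines (0 means inetd can be turned off).
# grep -c exits 1 when the count is 0, so || true keeps the count on stdout.
count_enabled() {
    grep -Evc '^[ \t]*(#|$)' "$1" || true
}

SAMPLE=$(mktemp)
make_sample_inetd > "$SAMPLE"
echo "Enabled services:"
enabled_services "$SAMPLE"
echo "Enabled TCP services not wrapped by tcpd:"
unwrapped_tcp_services "$SAMPLE"
echo "Active inetd.conf lines: $(count_enabled "$SAMPLE")"
rm -f "$SAMPLE"
```

Run it against a real /etc/inetd.conf by passing that path to the functions instead of the sample; any name printed by unwrapped_tcp_services is a service that Section 2.2 has not yet covered.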
AIX3
Control Activity: Minimize boot services to disable unused system daemons.
Review Procedures (CIS Benchmark Ref. #’s):

3.1 Disable login prompts on serial ports
    AIX5L only:

    for i in `grep ^tty /etc/inittab | cut -f1 -d:`; do
        echo "Disabling login from port /dev/$i"
        chitab "$i:2:off:/usr/sbin/getty /dev/$i"
    done

3.2 Disable inetd, if possible

    if [ `grep -Evc '^[ \t]*(#|$)' /etc/inetd.conf` -eq 0 ]; then
        echo "Turning off inetd"
        chrctcp -d inetd
        stopsrc -s inetd
    fi

    If the actions in Section 2 of this benchmark resulted in all inetd-based services being disabled, there is no point in running inetd at boot time.

3.3 Disable email server, if possible

    stopsrc -s sendmail
    chrctcp -d sendmail
    cd /var/spool/cron/crontabs
    crontab -l > root.tmp
    if [ `grep -c "sendmail -q" root.tmp` -eq 0 ]; then
        echo "0 * * * * /usr/sbin/sendmail -q" >> root.tmp
        crontab root.tmp
    fi
    rm -f root.tmp

    This will make sendmail run the queue once an hour, sending out any mail that may have accumulated on the machine (from cron jobs, etc.).

3.4 Disable
    Use the SMIT fast-path smit remove to remove the bos.net.nis.server fileset, or use the command:

    [ `lslpp -L bos.net.nis.server 2>&1 | \
        grep -c "not installed"` -eq 0 ] && \
        /usr/lib/instl/sm_inst installp_cmd -u \
        -f'bos.net.nis.server'

3.5 Disable
    Use the SMIT fast-path smit remove to remove the bos.net.nis.client fileset, or use the command:

    [ `lslpp -L bos.net.nis.client 2>&1 | \
        grep -c "not installed"` -eq 0 ] && \
        /usr/lib/instl/sm_inst installp_cmd -u \
        -f'bos.net.nis.client'

3.9 Turn off services which are not commonly used
    (AIX 4.3.3):

    for SVC in routed gated named timed rwhod \
        snmpd dpid2 lpd portmap ndpd-router ndpd-host; do
        echo "Turning off $SVC"
        stopsrc -s $SVC
        chrctcp -d $SVC
    done
    for SVC in piobe httpdlite pmd writesrv; do
        echo "Turning off $SVC"
        rmitab $SVC
    done

    (AIX 5):

    for SVC in routed gated named timed rwhod mrouted \
        snmpd hostmibd dpid2 lpd portmap autoconf6 \
        ndpd-router ndpd-host; do
        echo "Turning off $SVC"
        stopsrc -s $SVC
        chrctcp -d $SVC
    done
    for SVC in piobe i4ls httpdlite pmd writesrv; do
        echo "Turning off $SVC"
        stopsrc -s $SVC
        rmitab $SVC
    done

3.11 Only enable SNMP if absolutely necessary

    chrctcp -a snmpd
    chrctcp -a dpid2
    chrctcp -a hostmibd

    Note: Make sure the community name is changed from the default "public".

3.12 Only enable portmap if absolutely necessary

    chrctcp -a portmap

3.13 Only enable IPv6 if absolutely necessary

    chrctcp -a autoconf6
    chrctcp -a ndpd-router
    chrctcp -a ndpd-host

3.15 Only enable i4ls and NCS if absolutely necessary

    mkitab -i cron "i4ls:2:wait:/usr/bin/startsrc -swritesrv"
    chrctcp -a writesrv

3.16 Only enable writesrv, pmd, httpdlite if absolutely necessary
    writesrv:

    mkitab -i cron "writesrv:2:wait:/usr/bin/startsrc -swritesrv"
    chrctcp -a writesrv

    pmd:

    mkitab -i cron "pmd:2:wait:/usr/bin/pmd > /dev/console 2>&1 # Start PM daemon"
    chrctcp -a pmd

    httpdlite:

    mkitab -i cron "httpdlite:2:once:/usr/IMNSearch/httpdlite/httpdlite -r /etc/IMNSearch/httpdlite/httpdlite.conf & >/dev/console 2>&1"
    chrctcp -a httpdlite

Expected Results: Unused boot services are disabled, which maximizes system performance and greatly reduces the chance that the machine will be running a vulnerable daemon.
AIX4
Control Activity: Kernel tuning to harden the system configuration.
Review Procedures (CIS Benchmark Ref. #’s):

4.1 Disable core dumps
    Edit /etc/security/limits and change the core value in the default stanza to:

    core = 0

    Add the following line below it:

    core_hard = 0

    Execute these commands:

    echo "# Added by CISecurity Benchmark" >> /etc/profile
    echo "ulimit -c 0" >> /etc/profile
    chdev -l sys0 -a fullcore=false

4.2 Network parameter modifications

    cat << EOF > /etc/rc.net-tune
    #!/bin/ksh
    # Deal with SYN-flood attacks as best we can.
    /usr/sbin/no -o clean_partial_conns=1
    # Do not allow SMURF broadcast attacks.
    /usr/sbin/no -o directed_broadcast=0
    # Don't allow other machines to reset our netmask
    /usr/sbin/no -o icmpaddressmask=0
    # Ignore redirects, don't send them ourselves.
    # ICMP Redirect is a poor excuse for a routing protocol.
    /usr/sbin/no -o ipignoreredirects=1
    /usr/sbin/no -o ipsendredirects=0
    # Refuse to have anything to do with source-routed packets.
    /usr/sbin/no -o ipsrcrouteforward=0
    /usr/sbin/no -o ipsrcrouterecv=0
    /usr/sbin/no -o ipsrcroutesend=0
    /usr/sbin/no -o nonlocsrcroute=0
    EOF
    chmod +x /etc/rc.net-tune
    mkitab -i rctcpip "rcnettune:2:wait:/etc/rc.net-tune > \
        /dev/console 2>&1"

4.3 Restrict NFS client requests to privileged ports

    cat << EOF >> /etc/rc.net-tune
    # Require NFS to use privileged ports
    /usr/sbin/nfso -o portcheck=1 -o nfs_use_reserved_ports=1
    EOF

Expected Results: A more secure system.
AIX5
Control Activity: System logging in order to keep track of activity on the system.
Review Procedures (CIS Benchmark Ref. #’s):

5.1 Capture messages sent to syslog (especially the AUTH facility)

    printf "### Following lines added by CISecurity \
    AIX Benchmark Section 5.1\n\
    auth.info\t\t/var/adm/authlog\n\
    *.info;auth.none\t\t/var/adm/syslog\n" \
        >> /etc/syslog.conf
    touch /var/adm/authlog /var/adm/syslog
    chown root:system /var/adm/authlog
    chmod 600 /var/adm/authlog
    chmod 640 /var/adm/syslog
    stopsrc -s syslogd
    startsrc -s syslogd

5.2 Configure syslogd to send logs to a remote loghost
    In the script below, replace loghost with the proper name (FQDN, if necessary) of your loghost.

    printf "### Following lines added by CISecurity \
    AIX Benchmark Section 5.2\n\
    auth.info\t\t@loghost\n\
    *.info;auth.none\t\t@loghost\n\
    *.emerg\t\t@loghost\n\
    local7.*\t\t@loghost\n" >> /etc/syslog.conf
    stopsrc -s syslogd
    startsrc -s syslogd

5.3 Prevent syslogd from accepting messages from the network

    chssys -s syslogd -a "-r"
    stopsrc -s syslogd
    startsrc -s syslogd

5.4 Enable sar accounting
    Install the bos.acct fileset, as it is required when making use of the sar utility.
    Note: The following crontab entries are an example only. You need to adjust the times of the report and the period over which the data is collected. Refer to the sar documentation.

    lslpp -i bos.acct >/dev/null 2>&1
    if [ "$?" != 0 ]; then
        echo "bos.acct not installed, cannot proceed"
    else
        su - adm -c "crontab -l > /tmp/crontab.adm"
        cat << EOF >> /tmp/crontab.adm
    0 8-17 * * 1-5 /usr/lib/sa/sa1 1200 3 &
    0 * * * 0,6 /usr/lib/sa/sa1 &
    0 18-7 * * 1-5 /usr/lib/sa/sa1 &
    5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 3600 -A &
    EOF
        mkdir -p /var/adm/sa
        chown adm:adm /var/adm/sa
        chmod 755 /var/adm/sa
        su - adm -c "crontab /tmp/crontab.adm"
    fi

5.5 Enable kernel-level auditing
    To activate auditing:

    audit on

    To start auditing automatically at next boot:

    mkitab -i cron "audit:2:once:/usr/sbin/audit start 2>&1 > /dev/console"
    telinit q
    echo "audit shutdown" >> /usr/sbin/shutdown

5.6 Confirm permissions on system log files

    for FILE in \
        /smit.log \
        /var/adm/cron/log \
        /var/tmp/dpid2.log \
        /var/tmp/hostmibd.log \
        /var/tmp/snmpd.log \
        /var/adm/ras/* /var/ct/RMstart.log
    do
        if [ -f $FILE ]; then
            echo "Fixing log file permissions on $FILE"
            chmod o-rw $FILE
        fi
    done

Expected Results: Secured logging of system activity.
AIX6
Control Activity: File/directory permissions and access are restricted to authorized users and regularly reviewed.
Review Procedures (CIS Benchmark Ref. #’s):

6.1 Verify passwd and group file permissions

    chown -R root:security /etc/passwd /etc/group /etc/security
    chown -R root:audit /etc/security/audit
    chmod 644 /etc/passwd /etc/group
    chmod 750 /etc/security
    chmod -R go-w,o-r /etc/security

6.2 World-writable directories should have their sticky bit set
    Administrators who wish to obtain a list of these directories may execute the following commands:

    for part in `mount | grep dev | awk '{print $2}' | \
        grep -Ev 'cdrom|nfs'`; do
        echo "Searching $part"
        find $part -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
    done

6.3 Find unauthorized world-writable files
    Administrators who wish to obtain a list of the world-writable files currently installed on the system may run the following commands:

    for part in `mount | grep dev | awk '{print $2}' | \
        egrep -v 'cdrom|nfs'`; do
        echo "Searching $part"
        find $part -xdev -type f \
            \( -perm -0002 -a ! -perm -1000 \) -print
    done

    There should be no entries returned.

6.4 Find unauthorized SUID/SGID system executables
    Administrators who wish to obtain a list of the set-UID and set-GID programs currently installed on the system may run the following commands:

    for part in `mount | grep dev | awk '{print $2}' | \
        egrep -v 'cdrom|nfs'`; do
        echo "Searching $part"
        find $part \( -perm -04000 -o -perm -02000 \) \
            -type f -xdev -ls
    done

6.5 Find “unowned” files and directories
    Administrators who wish to locate these files on their system may run the following command:

    find / \( -nouser -o -nogroup \) -ls

Expected Results: System access is available only to authorized users, with appropriate file/directory permissions.
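An added example, not from the benchmark or the blog post, that exercises the Section 6.2 to 6.5 find expressions against a constructed directory tree instead of real mount points, so the expected hits and non-hits can be confirmed before the loops are pointed at production filesystems. The fixture layout and function names are this example's own.

```shell
#!/bin/sh
# Added example: the Section 6.2-6.5 checks as functions over a root directory,
# plus a constructed fixture with one of each finding so the checks can be
# verified offline. On a live system pass each mount point from the
# benchmark's mount|awk loop instead of the fixture root.

# Build a throwaway tree (constructed, not a real system layout) and print its path.
make_fixture() {
    fixture_root=$(mktemp -d)
    mkdir "$fixture_root/tmp_ok"      && chmod 1777 "$fixture_root/tmp_ok"      # world-writable with sticky bit: allowed
    mkdir "$fixture_root/shared_bad"  && chmod 777  "$fixture_root/shared_bad"  # world-writable, no sticky bit: finding
    mkdir "$fixture_root/bin"         && chmod 755  "$fixture_root/bin"
    : > "$fixture_root/bin/normal"          && chmod 755  "$fixture_root/bin/normal"
    : > "$fixture_root/bin/suid_app"        && chmod 4755 "$fixture_root/bin/suid_app"   # set-UID: listed by 6.4
    : > "$fixture_root/bin/sgid_app"        && chmod 2755 "$fixture_root/bin/sgid_app"   # set-GID: listed by 6.4
    : > "$fixture_root/shared_bad/open_file" && chmod 666 "$fixture_root/shared_bad/open_file"  # world-writable file: 6.3 finding
    echo "$fixture_root"
}

# 6.2: world-writable directories lacking the sticky bit.
ww_dirs_without_sticky() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
}

# 6.3: world-writable regular files (should return nothing on a clean host).
ww_files() {
    find "$1" -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -print
}

# 6.4: set-UID or set-GID regular files, to be compared against a known-good list.
setuid_setgid_files() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f -print
}

# 6.5: files whose owner or group no longer exists in passwd/group.
unowned_files() {
    find "$1" \( -nouser -o -nogroup \) -print
}

ROOT=$(make_fixture)
echo "6.2 world-writable dirs without sticky bit:"; ww_dirs_without_sticky "$ROOT"
echo "6.3 world-writable files:";                   ww_files "$ROOT"
echo "6.4 set-UID/set-GID files:";                  setuid_setgid_files "$ROOT"
echo "6.5 unowned files:";                          unowned_files "$ROOT"
rm -rf "$ROOT"
```

The fixture is created under mktemp's private directory, so the root itself is never flagged; only shared_bad, open_file and the two mode-bit files should appear, and the unowned list stays empty because everything was just created by the running user.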
AIX7
Control Activity: System access, authentication, and authorization privileges are restricted to authorized user accounts and regularly reviewed.
Review Procedures (CIS Benchmark Ref. #’s):

7.1 Remove /etc/hosts.equiv

    [ -f /etc/hosts.equiv ] && rm -f /etc/hosts.equiv

7.2 Create /etc/ftpusers

    lsuser -c ALL | grep -v ^#name | cut -f1 -d: | while read NAME; do
        if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -lt 200 ]; then
            echo "Adding $NAME to /etc/ftpusers"
            echo $NAME >> /etc/ftpusers.new
        fi
    done
    sort -u /etc/ftpusers.new > /etc/ftpusers
    rm /etc/ftpusers.new
    chown root:system /etc/ftpusers
    chmod 600 /etc/ftpusers

7.3 Disable XDMCP port

    if [ ! -f /etc/dt/config/Xconfig ]; then
        mkdir -p /etc/dt/config
        cp /usr/dt/config/Xconfig /etc/dt/config
    fi
    cd /etc/dt/config
    awk '/Dtlogin.requestPort:/ \
        { print "Dtlogin.requestPort: 0"; next } \
        { print }' Xconfig > Xconfig.new
    mv Xconfig.new Xconfig
    chown root:bin Xconfig
    chmod 444 Xconfig

7.4 Prevent X server from listening on port 6000/tcp

    if [ -f /etc/dt/config/Xservers ]; then
        file=/etc/dt/config/Xservers
    else
        file=/usr/dt/config/Xservers
    fi
    awk '/Xsun/ && !/^#/ && !/-nolisten tcp/ \
        { print $0 " -nolisten tcp"; next }; \
        { print }' $file > $file.new
    mkdir -p /etc/dt/config
    mv $file.new /etc/dt/config/Xservers
    chown root:bin /etc/dt/config/Xservers
    chmod 444 /etc/dt/config/Xservers

7.6 Remove empty crontab files and restrict file permissions

    cd /var/spool/cron/crontabs
    for file in *; do
        lines=`grep -Ev '^[ \t]*#' $file | wc -l | sed 's/ //g'`
        if [ $lines -eq 0 ]; then
            echo "Removing $file"
            rm $file
        fi
    done
    chgrp -R cron /var/spool/cron/crontabs
    chmod -R o= /var/spool/cron/crontabs
    chmod 770 /var/spool/cron/crontabs

7.7 Restrict at and cron to authorized users

    cd /var/adm/cron
    rm -f cron.deny at.deny
    echo root > cron.allow
    echo root > at.allow
    ls /var/spool/cron/crontabs | grep -v root >> cron.allow
    ls /var/spool/cron/atjobs | grep -v root >> at.allow
    chown root:sys cron.allow at.allow
    chmod 400 cron.allow at.allow
    cat at.allow
    cat cron.allow
    cat at.deny cron.deny   # this should fail

7.8 Restrict root logins to system console

    chuser rlogin=false login=true su=true sugroups=system root

Expected Results: Only authorized user accounts have system access, authentication and authorization to access the system.
AIX8
Control Activity: User accounts and environment are secured and reviewed regularly.
Review Procedures (CIS Benchmark Ref. #’s):

8.1 Block system accounts

    for user in daemon bin sys adm uucp nuucp printq guest nobody lpd sshd; do
        chuser rlogin=false login=false "$user"
    done

8.2 Set password and account expiration on active accounts
    Action (AIX 4.3.3):

    chsec -f /etc/security/user -s default -a maxage=13
    chsec -f /etc/security/user -s default -a minlen=8
    chsec -f /etc/security/user -s default -a minage=1
    chsec -f /etc/security/user -s default -a pwdwarntime=28

8.3 Verify there are no accounts with empty password fields

    pwdck -n ALL

8.4 Verify no legacy '+' entries exist in passwd and group files
    The command:

    grep ^+: /etc/passwd /etc/group

    should return no lines of output.

8.5 Verify no UID 0 accounts exist other than root
    The command:

    lsuser -a id ALL | grep "id=0" | awk '{print $1}'

    should return only the word "root".

8.6 No '.' or group/world-writable directory in root's $PATH
    To find '.' in $PATH:

    echo $PATH | grep -E '(^|:)(\.|:|$)'

    To find group- or world-writable directories in $PATH:

    find `echo $PATH | tr ':' ' '` -type d \
        \( -perm -002 -o -perm -020 \) -ls

    These commands should produce no output.

8.7 User home directories should be mode 750 or more restrictive

    NEW_PERMS=750
    lsuser -c ALL | grep -v ^#name | cut -f1 -d: | while read NAME; do
        if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -ge 200 ]; then
            HOME=`lsuser -a home $NAME | cut -f 2 -d =`
            echo "Changing $NAME homedir $HOME"
            chmod $NEW_PERMS $HOME
        fi
    done
    # "\$1" is escaped so the literal text "$1" is searched for in mkuser.sys
    if [ `grep -c "chmod $NEW_PERMS \$1" \
        /usr/lib/security/mkuser.sys` -eq 0 ]; then
        sed -e "s/mkdir \$1/mkdir \$1 \&\& chmod $NEW_PERMS \$1/g" \
            /usr/lib/security/mkuser.sys > /tmp/mkuser.tmp
        mv /tmp/mkuser.tmp /usr/lib/security/mkuser.sys
        chmod 750 /usr/lib/security/mkuser.sys
    fi

8.8 No user dot-files should be world-writable

    lsuser -a home ALL | cut -f2 -d= | while read HOMEDIR; do
        echo "Examining $HOMEDIR"
        if [ -d $HOMEDIR ]; then
            ls -a $HOMEDIR | grep -Ev "^.$|^..$" | \
            while read FILE; do
                # paths are qualified with $HOMEDIR because the loop does not cd there
                if [ -f "$HOMEDIR/$FILE" ]; then
                    echo "Adjusting $HOMEDIR/$FILE"
                    chmod go-w "$HOMEDIR/$FILE"
                fi
            done
        else
            echo "No home dir for $HOMEDIR"
        fi
    done

8.9 Remove user .netrc and .rhosts files

    find / -name .netrc
    find / -name .rhosts

    Stop!!! Read the discussion before proceeding.

    lsuser -a home ALL | cut -f2 -d= | while read HOME; do
        if [ -e "$HOME/.netrc" ]; then
            echo "Removing $HOME/.netrc"
            rm -f "$HOME/.netrc"
        fi
        if [ -e "$HOME/.rhosts" ]; then
            echo "Removing $HOME/.rhosts"
            rm -f "$HOME/.rhosts"
        fi
    done

    Discussion: .netrc files may contain unencrypted passwords which may be used to attack other systems. While the above modifications are relatively benign, making global modifications to user home directories without alerting your user community can result in unexpected outages and unhappy users. If the first command returns any results, carefully evaluate the ramifications of removing those files before executing the remaining commands, as you may end up impacting an application that has not had time to revise its architecture to a more secure design.

8.10 Set default umask for users
    Change existing users:

    lsuser -a home ALL | awk '{print $1}' | while read user; do
        chuser umask=077 $user
    done

    Change default profile: to set a system-wide default, edit the file /etc/security/user and replace the default umask value in the umask line of the default stanza with 077.

8.11 Set default umask for the FTP daemon

    chsubserver -c -v ftp -p tcp "ftpd -l -u077"
    refresh -s inetd

8.12 Set "mesg n" as the default for all users

    echo "mesg n" >> /etc/profile
    echo "mesg n" >> /etc/csh.login

8.13 Remove unnecessary default user accounts
    Note: Read the discussion first!!!

    # Remove users
    LIST="uucp nuucp lpd guest printq"
    for USERS in $LIST; do
        rmuser -p $USERS
        rmgroup $USERS
    done
    # Remove groups
    LIST="uucp printq"
    for USERS in $LIST; do
        rmgroup $USERS
    done

    Discussion:

    User ID        Description
    uucp, nuucp    Owner of hidden files used by the uucp protocol. The uucp user account is used for the UNIX-to-UNIX Copy Program, which is a group of commands, programs, and files, present on most AIX systems, that allows the user to communicate with another AIX system over a dedicated line or a telephone line.
    lpd            Owner of files used by the printing subsystem.
    guest          Allows access to users who do not have accounts.

    In addition, these group IDs may be removed if your system does not need them:

    Group ID       Description
    uucp           Group to which the uucp and nuucp users belong.
    printq         Group to which the lpd user belongs.

    Note: You may get one or more errors stating the group or user does not exist. This is harmless and may be ignored.

Expected Results: The local administrator regularly reviews user accounts and the environment. Documentation of the review is created and maintained for at least one year.
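An added example, not from the benchmark or the blog post, giving portable versions of the Section 8.4, 8.5 and 8.6 checks that run over a constructed passwd-format file and constructed PATH strings rather than the live system (the benchmark uses lsuser on AIX; here the UID is field 3 of a passwd line). The sample accounts, directory names and function names are this example's own.

```shell
#!/bin/sh
# Added example: the account and $PATH audits of Sections 8.4-8.6 as functions
# with constructed inputs, so each finding type can be checked offline.

# Constructed passwd-format sample: a second UID 0 account and a legacy NIS
# '+' entry are included deliberately so the checks have something to find.
make_sample_passwd() {
    cat <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
toor:!:0:0:second uid 0 account:/:/usr/bin/ksh
alice:!:201:1::/home/alice:/usr/bin/ksh
+::::::
EOF
}

# 8.5: every account whose numeric UID is 0; anything besides root is a finding.
uid0_accounts() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 == 0 { print $1 }' "$1"
}

# 8.4: legacy '+' entries (NIS compatibility); the output should be empty.
legacy_plus_entries() {
    awk '/^\+:/ { print }' "$1"
}

# 8.6: true (exit 0) when a PATH string contains '.', an empty element or a
# trailing colon, all of which make the shell search the current directory.
path_has_dot() {
    printf '%s\n' "$1" | grep -Eq '(^|:)(\.|:|$)'
}

# 8.6: group- or world-writable directories named in a PATH string.
# -prune keeps find on the directory itself instead of descending into it.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r d; do
        [ -d "$d" ] || continue
        find "$d" -prune -type d \( -perm -002 -o -perm -020 \) -print
    done
}

# Constructed PATH fixture: one properly restricted and one group-writable directory.
make_path_fixture() {
    base=$(mktemp -d)
    mkdir "$base/safe" "$base/loose"
    chmod 755 "$base/safe"
    chmod 775 "$base/loose"
    echo "$base"
}

SAMPLE=$(mktemp)
make_sample_passwd > "$SAMPLE"
echo "8.5 UID 0 accounts:";      uid0_accounts "$SAMPLE"
echo "8.4 legacy '+' entries:";  legacy_plus_entries "$SAMPLE"
rm -f "$SAMPLE"

for p in "/usr/bin:/bin" "/usr/bin:.:/bin" "/usr/bin::/bin" "/usr/bin:/bin:"; do
    if path_has_dot "$p"; then echo "8.6 current directory reachable via PATH=$p"; fi
done
BASE=$(make_path_fixture)
echo "8.6 writable PATH directories:"; writable_path_dirs "$BASE/safe:$BASE/loose:/nonexistent"
rm -rf "$BASE"
```

On a real host, call uid0_accounts and legacy_plus_entries with /etc/passwd (and the latter with /etc/group as well) and writable_path_dirs with "$PATH"; each function prints only findings, so empty output is the expected clean result.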
AIX9
Control Activity: Warning banners prior to user logon.
Review Procedures (CIS Benchmark Ref. #’s):

9.1 Create warnings for network and physical access services
    Edit the banner currently in /etc/motd as required; the script below uses a template taken from the Bastille Linux project.
    Important: You need to change "The Company" in the text below to an appropriate value for your organization.

    cd /etc
    # Remember to enter name of your company here:
    COMPANYNAME="its owner"
    cat << EOM | sed -e "s/its owner/${COMPANYNAME}/g" > /etc/motd
    ********************************************************
    NOTICE TO USERS
    This computer system is the private property of its owner, whether
    individual, corporate or government. It is for authorized use only.
    Users (authorized or unauthorized) have no explicit or implicit
    expectation of privacy.
    Any or all uses of this system and all files on this system may be
    intercepted, monitored, recorded, copied, audited, inspected, and
    disclosed to your employer, to authorized site, government, and law
    enforcement personnel, as well as authorized officials of government
    agencies, both domestic and foreign.
    By using this system, the user consents to such interception,
    monitoring, recording, copying, auditing, inspection, and disclosure
    at the discretion of such personnel or officials. Unauthorized or
    improper use of this system may result in civil and criminal penalties
    and administrative or disciplinary action, as appropriate. By
    continuing to use this system you indicate your awareness of and
    consent to these terms and conditions of use. LOG OFF IMMEDIATELY if
    you do not agree to the conditions stated in this warning.
    ***********************************************************
    EOM
    chown bin:bin /etc/motd
    chmod 644 /etc/motd

9.2 Create warnings for GUI-based logins

    for file in /usr/dt/config/*/Xresources; do
        dir=`dirname $file | sed s/usr/etc/`
        mkdir -p $dir
        if [ ! -f $dir/Xresources ]; then
            cp $file $dir/Xresources
        fi
        WARN="Authorized uses only. All activity may be monitored and reported."
        echo "Dtlogin*greeting.labelString: $WARN" >> $dir/Xresources
        echo "Dtlogin*greeting.persLabelString: $WARN" >> $dir/Xresources
    done
    chown root:sys /etc/dt/config/*/Xresources
    chmod 644 /etc/dt/config/*/Xresources

9.3 Create warnings for the telnet daemon

    chsec -f /etc/security/login.cfg -s default -a herald="Authorized uses only. All activity may be monitored and reported\n\r\nlogin: "

9.4 Create warnings for the FTP daemon

    dspcat -g /usr/lib/nls/msg/en_US/ftpd.cat > /tmp/ftpd.tmp
    sed "s/\"\%s FTP server (\%s) ready.\"/\"\%s Authorized uses only. All activity may be monitored and reported\"/" \
        /tmp/ftpd.tmp > /tmp/ftpd.msg
    gencat ftpd.cat /tmp/ftpd.msg

    AIX 5.1 and later:

    echo "herald: /etc/ftpmotd" >> /etc/ftpaccess.ctl
    cat << EOF >> /etc/ftpmotd
    Authorized uses only. All activity may be monitored and reported
    EOF

Expected Results: Warning banners prior to user logon may assist the prosecution of trespassers on the computer system.
AIX10
Control Activity: Additional security notes to further harden the system configuration.
Review Procedures (CIS Benchmark Ref. #’s):

SN.1 Create symlinks for dangerous files

    for FILE in /.rhosts /.shosts /etc/hosts.equiv \
        /etc/shosts.equiv; do
        [ -e $FILE ] && rm -f $FILE
        ln -s /dev/null $FILE
    done

SN.2 Change default greeting string for sendmail

    cd /etc/mail
    awk '/O SmtpGreetingMessage=/ \
        { print "O SmtpGreetingMessage=mailer ready"; next } \
        { print }' sendmail.cf > sendmail.cf.new
    mv -f sendmail.cf.new sendmail.cf
    chown root:bin sendmail.cf
    chmod 444 sendmail.cf

SN.4 Limit number of failed login attempts

    chsec -f /etc/security/user -s default -a loginretries=3

Expected Results: The system is further protected from unauthorized or inappropriate access and/or activity.