Solved

AIX Tools

Posted on 2013-05-21
Last Modified: 2013-06-06
Has anyone had any experience in doing security audits of Servers running AIX 6.1 O/S?

If so can you recommend any free vulnerability scanners/best practice analyzers in the mould of Microsoft Baseline Security Analyzer for computers running Windows Server?
0
Question by:pma111
17 Comments
 
LVL 22

Accepted Solution

by:
rickhobbs earned 167 total points
ID: 39186336
Qualys has one you can use as long as you have some Internet Browser installed:

http://www.qualys.com/forms/freescan/?leadsource=360598&kw=vulnerability%20scanners

You could try a free eval of Beyond Security's AVDS PEN tester:

http://www.beyondsecurity.com/vulnerability-assessment.html?ad=sec004

Or the LazySystemAdmin free vulnerability scanner:

http://www.lazysystemadmin.com/2010/05/nessus-vulnerability-and-port-scanner.html
0
 
LVL 3

Author Comment

by:pma111
ID: 39186706
I didn't think Nessus was free in corporate environments, is this a limited version?
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 167 total points
ID: 39186923
As a first approach you could use the native AIX tool "aixpert".

It is basically a tool designed for hardening your system, but can also be used to generate a first report.
Run the below commands only if you don't use "aixpert" yet. We don't want to overwrite an existing file!

1. Create a set of rules according to the desired security level and write it to a file.
Example for high level security ("-l h"):

aixpert -l h -n -o /etc/security/aixpert/core/appliedaixpert.xml

2. Run the check

aixpert -c -p

3. Review the report /etc/security/aixpert/check_report.txt

4. Remove the ruleset file. It does not actually contain "applied" rules, and we don't want to confuse the aixpert.

rm /etc/security/aixpert/core/appliedaixpert.xml


As I wrote above, "aixpert" is in the first place a hardening tool.

Consult "man aixpert" and this article: http://www.ibm.com/developerworks/aix/library/au-aixsecurity/ if you want to use the tool for its original purpose.
0
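The four steps in the answer above, wrapped as one shell function; this is an added example, not part of the original post. `AIXPERT_BIN` and `AIXPERT_DIR` are hypothetical override variables whose defaults are the command and paths given in the answer.

```shell
#!/bin/sh
# Added example: report-only aixpert run, following the four steps in the answer.
# AIXPERT_BIN and AIXPERT_DIR are hypothetical overrides (useful for a dry run);
# their defaults are the command name and directory used in the answer.
AIXPERT_BIN="${AIXPERT_BIN:-aixpert}"
AIXPERT_DIR="${AIXPERT_DIR:-/etc/security/aixpert}"

aixpert_report_only() {
    rules="$AIXPERT_DIR/core/appliedaixpert.xml"
    report="$AIXPERT_DIR/check_report.txt"

    # Guard from the answer: if the file exists, aixpert is already in use
    # on this host and the file holds real applied rules. Do not touch it.
    if [ -e "$rules" ]; then
        echo "refusing to run: $rules already exists" >&2
        return 2
    fi

    # Step 1: write the high-level ("-l h") rule set to the file.
    if ! "$AIXPERT_BIN" -l h -n -o "$rules"; then
        rm -f "$rules"            # do not leave a partial file behind
        return 1
    fi

    # Step 2: run the check; remember its status instead of stopping here,
    # so that the cleanup in step 4 always happens.
    rc=0
    "$AIXPERT_BIN" -c -p || rc=$?

    # Step 4: the file never held applied rules, so remove it again.
    rm -f "$rules"

    # Step 3: tell the operator where the report is.
    if [ -f "$report" ]; then
        echo "review $report" >&2
    else
        echo "no report found at $report" >&2
        [ "$rc" -ne 0 ] || rc=3
    fi
    return "$rc"
}
```

Source the file and call `aixpert_report_only` as root; a return code of 2 means an existing `appliedaixpert.xml` was found and left untouched.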
 
LVL 3

Author Comment

by:pma111
ID: 39187017
Does AIX support Samba like other *nix distributions? I always wonder the overall risk if you misconfigure the Linux equivalent of a network "share", and whether there's opportunities for AD accounts to access an AIX share were its security lapse, like you could a share on a Windows server.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39187034
There is Samba (server) for AIX, and there is CIFS (client) for AIX.

Samba: http://pware.hvcc.edu/download/aix61/pware61.samba.3.5.8.0.bff.gz (3.5.8, installp)
and http://www.perzl.org/aix/index.php?n=Main.Samba (3.6.15, rpm)
CIFS: Base install DVD, bos.cifs_fs.rte, bos.cifs_fs.smit
0
 
LVL 3

Author Comment

by:pma111
ID: 39187042
So in theory it's possible for a naive admin to expose data on the servers (if Samba or CIFS enabled) to Windows (AD) users?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39187046
That's what Samba can do, yes.
0
 
LVL 3

Author Comment

by:pma111
ID: 39187061
So (totally new to AIX and Linux) does an out the box installation of Linux not "share" directories to external users, do you have to enable CIFS or Samba if required? Is it common for Linux servers to not have either CIFS or Samba enabled?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39187080
Neither Samba nor the cifs client come preinstalled with AIX.

Samba isn't even part of the AIX distribution.

Many Linux distributions contain Samba, but it's generally not installed/activated by default.
0
 
LVL 3

Author Comment

by:pma111
ID: 39187088
>>Many Linux distributions contain Samba, but it's generally not installed/activated by default.

Is that because due to the server role, there's nothing they need to share to users outside those with a local account to access the System?

Can you elaborate slightly on what CIFS is? What is the difference between CIFS and Samba, why would one enable CIFS and not Samba? Sorry for the basic questions just need a degree of knowledge in this area, not expert.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39187113
CIFS is just the name of the protocol (formerly: SMB), and under AIX the pure client fileset is called bos.cifs_fs.

Samba is the name of a free CIFS protocol implementation on Unix/Linux providing server and client functionality.

Under Unix/Linux Samba (CIFS) is just one way to share files (and not the one native to these OSes).

The common file sharing method is NFS (Network File System) which is part of each and every Linux/Unix distribution.

Because NFS is ubiquitous file sharing between Unix servers is mostly done using this protocol, and because Windows did not have NFS in the early years one had to port the native Windows file sharing protocol (SMB/CIFS) to Unix - that's Samba.
0
 
LVL 3

Author Comment

by:pma111
ID: 39187125
Ah.... so modern Windows OS ship with NFS "compatibility", do you know if client Windows OS do as well, or just Server grade windows OS?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39187146
NFS server comes with the Windows server versions.

NFS client comes with SFU. For Windows 7 and up only in Ultimate or Business.

There are free NFS ports for Windows. Search the web for "NFS Server Windows"
0
 
LVL 3

Author Comment

by:pma111
ID: 39187182
Ok thanks, but I am struggling to see how a Windows client essentially maps to a Linux share via NFS, do they have to supply a Linux username/password pair? I appreciate on a Linux Samba share you probably assign an ACL with domain groups, but on an NFS share, what aside from knowing the full path, does the Windows user need to supply before they can access the data on the NFS share (I assume it's a password and username of a local Linux account). Where on the NFS share do they (the admin) define which users can access these files remotely?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39187198
I think these new questions are far away from the original subject.

Try to get familiar with the concepts of NFS and CIFS by reading the appropriate literature or by asking new questions here at EE.

Thanks!
0
 
LVL 61

Assisted Solution

by:btan
btan earned 166 total points
ID: 39187457
AIX Security Toolkit @ http://ps-2.kev009.com/rootvg/downloadssec.html

Something which may be of interest -  It provides assistance in five areas: Basic security issues, Software patch (apar) and efix management, Enhanced user management and Security audit requirements.

The old forum may have something but not much http://archive.rootvg.net/aixsecurity/index.html

However, I do think NIST will have something as below (e.g. AIX 6.1 STIG) - XCCDF is supported by SCAP scanner tool and it helps for automated checks with OVAL code. Download the xsl, xml then double click the xml to see the list of rules in the form of a config checklist

http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=427

Another "long" list is from IBM Tivoli Endpoint Manager Security Configuration Management - sort of like "Windows" check

https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/SCM%20Checklists
0
 
LVL 22

Expert Comment

by:rickhobbs
ID: 39189671
BTW, from the original part of your question,
the LazySystemAdmin free vulnerability scanner at:

http://www.lazysystemadmin.com/2010/05/nessus-vulnerability-and-port-scanner.html
 
says nothing about not being free in any environment.
0
