Solved

sensitive files/folders on AIX IBM

Posted on 2014-02-12
2
596 Views
Last Modified: 2014-02-12
can anyone give any pointers on highly sensitive default files/folders on an AIX IBM folder that should be restricted from unauthorised access, for part of an audit review. Common areas on other OS or server apps include files thst hold password hashes etc. Be useful to get a similar list of those files for AIX IBM, and the content of those files/risk of unauthorised access.
0
Comment
Question by:pma111
2 Comments
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 39852908
The most "sensitive" folder in AIX is /etc/security.

It contains the password hashes, LDAP , AUDIT and IPSEC configuratons, the limits file, passwords history, the login configuration, user parameters (password policy per user) and much more.

Best walk through the files in that folder and you'll see.

By the way, the whole /etc tree is somewhat sensitive and should be protected.

While /etc/security contains configurations and actual data, /usr/lib/security contains security methods, e.g. the PAM, Kerberos, LDAP modules, ACL methods and the ciphers.

In a properly setup system there shouldn't be any other place to contain OS related security information, but of course you must always take good care to protect your binary repositories from unauthorized write access, namely /bin, /sbin, /usr/bin and /usr/sbin, as well as /usr/lib!

You can create an XML file by means of "aixpert" which contains (depending on the level chosen) all security hardening checks and measures which would be performed/taken by aixpert in a "real" run:

aixpert -l high -n -o /tmp/aixperthigh

It's hard to read (XML!) but rather informative nonetheless.
0
 
LVL 20

Expert Comment

by:tfewster
ID: 39852941
You can download the Center for Internet Security benchmarks for AIX from here:
https://benchmarks.cisecurity.org/downloads/multiform/index.cfm

For each potential issue, they describe the problem, how to check it and the resolution.  It's more than just files/folders permissions, but you can take out of it what you want.

To be fair, many of the defaults are secure already, so it's just a matter of checking they haven't been changed.

You can also use IBMs "aixpert" tool to audit and resolve many of the issues, though the CIS benchmark is more comprehensive.

More importantly though, check your systems are patched up to date and check the integrity of the installed software - if an attacker has replaced a valid suid program such as `passwd` with a bad one, they can bypass any restrictions.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's say you need to move the data of a file system from one partition to another. This generally involves dismounting the file system, backing it up to tapes, and restoring it to a new partition. You may also copy the file system from one place to…
A metadevice consists of one or more devices (slices). It can be expanded by adding slices. Then, it can be grown to fill a larger space while the file system is in use. However, not all UNIX file systems (UFS) can be expanded this way. The conca…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question