SECURING AIX AFTER IPL
Chuck Geigner "mongoose"
Unix Hobbyists' Administrators' & Coders' Club
(Presented, 13 April 2005)

IBM's AIX is a robust, stable System V Unix. But like every other server you will set up, you need to adjust and tweak it before putting it out in the wild. This primer is aimed at guiding the beginning admin to all the places he or she will need to look when securing an AIX _server_ that runs in text mode only (no CDE). One note on runlevels: AIX's normal multi-user runlevel is 2, not 3 as on most Linux systems. The init:2:initdefault: entry in the listing below is what sets it, and the CDE/X login is just another entry at that same level, one we will be turning off.

(NOTE: For this primer I will be focusing on AIX 4.3 - 5.3)

Partial listing of all services we might start or see running:
http://publib.boulder.ibm.com/infocenter/pseries/index.jsp?topic=/com.ibm.aix.doc/aixbman/security/common_aix_services.htm


/etc/inittab

Your inittab file is filled with directives for what your system will start at each given runlevel. The default version may come with some interesting stuff started, including a web server (httpdlite), the CDE login program (dtlogin), the server behind the "write" facility (writesrv), and many more things that you'll probably want to comment out. Be aware that the hash ("#") character WILL NOT comment out a line in inittab; put a colon (":") at the beginning of the line instead. Here's an idea:

    : you probably want to start TCPIP services...
    rctcpip:2:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
    : ...but not NFS, unless you are putting it on a private net.
    :rcnfs:2:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
    : No queue daemon, this isn't a print server
    :qdaemon:2:wait:/usr/bin/startsrc -sqdaemon

And here is a whole inittab annotated the same way (my comments are the colon lines; the entries I've disabled are the ones with a leading colon):

    init:2:initdefault:
    brc::sysinit:/sbin/rc.boot 3 >/dev/console 2>&1 # Phase 3 of system boot
    powerfail::powerfail:/etc/rc.powerfail 2>&1 | alog -tboot > /dev/console # Power Failure Detection
    mkatmpvc:2:once:/usr/sbin/mkatmpvc >/dev/console 2>&1
    atmsvcd:2:once:/usr/sbin/atmsvcd >/dev/console 2>&1
    load64bit:2:wait:/etc/methods/cfg64 >/dev/console 2>&1 # Enable 64-bit execs
    rc:2:wait:/etc/rc 2>&1 | alog -tboot > /dev/console # Multi-User checks
    fbcheck:2:wait:/usr/sbin/fbcheck 2>&1 | alog -tboot > /dev/console # run /etc/firstboot
    :We want SRC to run...
    srcmstr:2:respawn:/usr/sbin/srcmstr # System Resource Controller
    :No netware, thanks
    :rcnetw:2:wait:/etc/rc.netware #start Netware
    cnsview:2:wait:/usr/bin/cnsview -c "daemon start" >/dev/console 2>&1 # Start cnsview daemon
    rctcpip:2:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
    :NO NFS, we're in the DMZ...
    :rcnfs:2:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
    cron:2:respawn:/usr/sbin/cron
    : no print i/o backend
    :piobe:2:wait:/usr/lib/lpd/pio/etc/pioinit >/dev/null 2>&1 # pb cleanup
    qdaemon:2:wait:/usr/bin/startsrc -sqdaemon
    :no write...
    :writesrv:2:wait:/usr/bin/startsrc -swritesrv
    uprintfd:2:respawn:/usr/sbin/uprintfd
    logsymp:2:once:/usr/lib/ras/logsymptom # for system dumps
    :Ugh, we don't want to start this little http server...
    :httpdlite:2:once:/usr/IMNSearch/httpdlite/httpdlite -r /etc/IMNSearch/httpdlite/httpdlite.conf & >/dev/console 2>&1
    diagd:2:once:/usr/lpp/diagnostics/bin/diagd >/dev/console 2>&1
    :no
    :imnss:2:once:/usr/IMNSearch/bin/imnss -start imnhelp >/dev/console 2>&1
    :no
    :imqss:2:once:/usr/IMNSearch/bin/imq_start >/dev/console 2>&1
    pmd:2:wait:/usr/bin/pmd > /dev/console 2>&1 # Start PM daemon
    :THIS IS CDE (X windowing env) no way jose...
    :dt:2:wait:/etc/rc.dt
    cons:0123456789:respawn:/usr/sbin/getty /dev/console
    :The below entries were added by IBM to make AIX more palatable & familiar
    :to Linux folks - but since there is nothing in these dirs and
    :we are in hardcore AIX mode, we'll disable em.
    :l2:2:wait:/etc/rc.d/rc 2
    :l3:3:wait:/etc/rc.d/rc 3
    :l4:4:wait:/etc/rc.d/rc 4
    :l5:5:wait:/etc/rc.d/rc 5
    :l6:6:wait:/etc/rc.d/rc 6
    :l7:7:wait:/etc/rc.d/rc 7
    :l8:8:wait:/etc/rc.d/rc 8
    :l9:9:wait:/etc/rc.d/rc 9

You get the idea - turn off the crud you aren't using, especially NFS and httpdlite. Technically, changes or deletions should be made to inittab with the "chitab" and "rmitab" commands (and "lsitab -a" shows you what is there), but I've used vi too - it just depends on how comfy you are with that.

Now, remember - some entries in here are set to respawn automagically. If you just kill such a process, init will start it right back up. Comment the entry out (or rmitab it) first, then run "init q" so that AIX re-reads its inittab, and only then kill the running process; with no live entry left for it, it stays dead.

More AIX /etc/inittab hardening info may be gotten from:
http://ist.uwaterloo.ca/security/howto/2001-01-15/inittab.html
http://publib.boulder.ibm.com/infocenter/pseries/index.jsp?topic=/com.ibm.aix.doc/files/aixfiles/inittab.htm


SRC and /etc/rc.tcpip

AIX comes with a special superdaemon of its own called the System Resource Controller, or SRC. It shows up in the process list as "srcmstr". SRC is most commonly used to start daemons such as inetd, sendmail, gated, named, lpd, portmap, syslogd, and others; "lssrc -a" lists every subsystem it knows about and whether each is active or inoperative. (Other TCP services may also be retrofitted to run under SRC; see my example at http://www2.potsdam.edu/ezproxy/tips/aixsrc.html)

So anyway, our exercise will be to open /etc/rc.tcpip and scan its entries to determine which services we want and which we don't. A live entry will look something like this:

    #Start the print server, yo.
    start /usr/sbin/lpd "$src_running"

Start commenting out entries to disable their advertised services. Unlike inittab, rc.tcpip is an ordinary shell script, so here a leading "#" does the job.
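Before you stop anything, it helps to see what both files will actually start the next time the box IPLs. The script below is an added example for this handout, not something from the original or from IBM: it parses an inittab (honouring the colon-comment convention described above, and deliberately NOT treating "#" as a comment) and an rc.tcpip (where "#" is a comment), lists the live entries, and flags the ones this primer says a text-mode server does not need. The two sample files it reads are constructed inline, and the "unwanted" lists are my assumption based on the discussion above; point it at the real /etc/inittab and /etc/rc.tcpip to audit a host.

```shell
#!/bin/sh
# Audit /etc/inittab and /etc/rc.tcpip for entries that are still live.
# Added example for this handout; it changes nothing, it only parses and prints.

# Entries this handout says a text-mode AIX server usually does not need
# (constructed lists, adjust to your own requirements).
UNWANTED_INITTAB='rcnfs qdaemon piobe writesrv httpdlite imnss imqss dt rcnetw l2 l3 l4 l5 l6 l7 l8 l9'
UNWANTED_TCPIP='lpd sendmail portmap rwhod routed gated timed snmpd dpid2 hostmibd'

# Print live inittab entries as "id action command".
# AIX convention: a line whose FIRST character is ':' is commented out.
# '#' is not a comment marker in inittab, so it is left alone here.
live_inittab() {
    awk -F: '
        /^[ \t]*$/ { next }                 # blank line
        /^:/       { next }                 # colon-commented entry
        {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd ":" $i   # command text may itself contain ":"
            print $1, $3, cmd
        }' "$1"
}

# Print the daemons rc.tcpip still starts: lines like  start /usr/sbin/lpd "$src_running"
# rc.tcpip is a shell script, so '#' really is a comment there.
live_rctcpip() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*start[ \t]/ {
            n = split($2, p, "/")
            print p[n]                      # basename of the daemon path
        }' "$1"
}

# Read names on stdin (first field), print "DISABLE <name>" for each one in the unwanted list.
# For inittab input the second field is the action; respawn entries need "init q" before a kill.
flag_unwanted() {   # $1 = space-separated unwanted list
    awk -v bad="$1" '
        BEGIN { n = split(bad, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        ($1 in want) { print "DISABLE", $1, ($2 == "respawn" ? "(respawn entry: init q first, then kill it)" : "") }'
}

# --- constructed sample files, not copied from any real host ---
TMP=${TMPDIR:-/tmp}/inittab-audit.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/inittab" <<'EOF'
init:2:initdefault:
srcmstr:2:respawn:/usr/sbin/srcmstr # System Resource Controller
rctcpip:2:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
rcnfs:2:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
:writesrv:2:wait:/usr/bin/startsrc -swritesrv
httpdlite:2:once:/usr/IMNSearch/httpdlite/httpdlite -r /etc/IMNSearch/httpdlite/httpdlite.conf & >/dev/console 2>&1
dt:2:wait:/etc/rc.dt
cons:0123456789:respawn:/usr/sbin/getty /dev/console
EOF

cat > "$TMP/rc.tcpip" <<'EOF'
# Start up the daemons
start /usr/sbin/syslogd "$src_running"
start /usr/sbin/lpd "$src_running"
#start /usr/sbin/portmap "$src_running"
start /usr/lib/sendmail "$src_running" "-bd -q30m"
start /usr/sbin/inetd "$src_running"
EOF

audit() {
    echo "== live inittab entries =="
    live_inittab "$TMP/inittab"
    echo "== inittab entries to comment out with a leading ':' (then init q) =="
    live_inittab "$TMP/inittab" | flag_unwanted "$UNWANTED_INITTAB"
    echo "== daemons rc.tcpip still starts =="
    live_rctcpip "$TMP/rc.tcpip"
    echo "== rc.tcpip entries to comment out (then stopsrc -s <name>) =="
    live_rctcpip "$TMP/rc.tcpip" | flag_unwanted "$UNWANTED_TCPIP"
}
audit
```

On the constructed sample this reports rcnfs, httpdlite and dt from inittab and lpd and sendmail from rc.tcpip. Against a real box, swap the heredoc paths for /etc/inittab and /etc/rc.tcpip; the script is read-only, so it is safe to run on a production system.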
To stop the running services you just commented out you need to issue a stopsrc command:

    # stopsrc -s lpd

To start a service that you want to run, issue a startsrc command:

    # startsrc -s lpd

("lssrc -s lpd" afterwards confirms the subsystem is inoperative or active, as intended.)

NOTE: sendmail is usually started by default out of the SRC via /etc/rc.tcpip. If you need a sendmail SMTP daemon running, I highly recommend that you NOT use the one that IBM ships. Build your own. See the special section on sendmail below for details.


/etc/inetd.conf

Your inetd.conf file is more familiar territory than /etc/inittab and /etc/rc.tcpip (every Unix has one), but that doesn't make it any less important to edit. After all, if you don't take a look, you could end up launching some winners like rexecd or telnetd. Here's an excerpt of what you might see. The AIX fields are service, socket type, protocol, wait/nowait, user, server path, and server arguments; "SRC" in the wait field means the daemon is managed by the SRC, and the tcp6/udp6 entries listen over IPv6 as well as IPv4:

    ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
    telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
    shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
    kshell  stream  tcp     nowait  root    /usr/sbin/krshd     krshd
    login   stream  tcp6    nowait  root    /usr/sbin/rlogind   rlogind
    klogin  stream  tcp     nowait  root    /usr/sbin/krlogind  krlogind
    exec    stream  tcp6    nowait  root    /usr/sbin/rexecd    rexecd
    bootps  dgram   udp     wait    root    /usr/sbin/bootpd    bootpd /etc/bootptab
    tftp    dgram   udp6    SRC     nobody  /usr/sbin/tftpd     tftpd -n

And I guess the bottom line here is this: you should NOT start all these services. In fact, most of them provide crackers just what they like - a service running wide open, unconfigured, un-wrappered, unpatched, and unbeknownst to the box owner. Ugh! - don't do this. I usually delete all of the defaults and add entries back in from scratch. This way I, the admin, am acutely aware of what my server is doing.

I also install TCP wrappers for services running out of inetd.conf. TCP wrappers give us a means of weeding out connection attempts before they ever touch the running service (via an ACL pair, /etc/hosts.allow and /etc/hosts.deny), thereby protecting it better. Note that wrappers only help if /etc/hosts.deny ends in a default "ALL: ALL" rule and hosts.allow lists exactly the networks each daemon should hear from; with an empty hosts.deny, tcpd lets everything through.
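The "delete the defaults and add back from scratch" approach is easier to keep honest if you can audit the result mechanically. The script below is an added example for this handout (not from the original, not an IBM tool) that parses an AIX-format inetd.conf, reports each live service with its user, whether it is wrapped through tcpd, and whether it is one of the cleartext or unauthenticated services discussed above, and then checks that hosts.deny has a default "ALL: ALL" rule and that every wrapped daemon actually has a hosts.allow entry. The inetd.conf, hosts.allow and hosts.deny it reads are constructed samples; the tcpd and sshd paths and the 192.168.10.0 management network are assumptions.

```shell
#!/bin/sh
# Audit an AIX-format inetd.conf plus the TCP wrappers ACLs beside it.
# Added example for this handout; read-only, prints findings only.

# Print one line per live service:
#   service proto wait user wrapped|UNWRAPPED real-daemon flag
# AIX fields: service socket proto wait/nowait[/SRC] user server [args]
live_inetd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF >= 6 {
            if ($6 ~ /\/tcpd$/) { wrapped = "wrapped";   daemon = (NF >= 7) ? $7 : "?" }
            else                { wrapped = "UNWRAPPED"; daemon = $6 }
            # cleartext logins (ftp, telnet, r-services) or no authentication at all (tftp)
            flag = ($1 ~ /^(ftp|telnet|shell|login|exec|tftp)$/) ? "CLEARTEXT/NOAUTH" : "-"
            printf "%-8s %-5s %-7s %-7s %-9s %s %s\n", $1, $3, $4, $5, wrapped, daemon, flag
        }' "$1"
}

# Return 0 when hosts.deny carries a catch-all "ALL: ALL" rule (default deny).
wrappers_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

# Print wrapped daemons that have no rule of their own in hosts.allow.
# tcpd matches on the daemon's basename; this check is deliberately simple
# and does not understand comma-separated daemon lists or ALL rules.
wrapped_without_allow() {   # $1 = inetd.conf  $2 = hosts.allow
    live_inetd "$1" | awk '$5 == "wrapped" { print $6 }' | while read -r d; do
        name=${d##*/}
        grep -Eq "^[[:space:]]*$name[[:space:]]*:" "$2" || echo "$name"
    done
}

# --- constructed samples, not copied from any real host ---
TMP=${TMPDIR:-/tmp}/inetd-audit.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/inetd.conf" <<'EOF'
## constructed sample: AIX defaults with shell commented out, plus a wrapped sshd
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
#shell  stream  tcp6    nowait  root    /usr/sbin/rshd         rshd
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd       rexecd
tftp    dgram   udp6    SRC     nobody  /usr/sbin/tftpd        tftpd -n
ssh     stream  tcp     nowait  root    /usr/local/sbin/tcpd   /usr/local/sbin/sshd -i
EOF

cat > "$TMP/hosts.allow" <<'EOF'
# constructed: only the (assumed) management net may reach sshd
sshd: 192.168.10.0/255.255.255.0
EOF

cat > "$TMP/hosts.deny" <<'EOF'
# constructed: everything not explicitly allowed is refused
ALL: ALL
EOF

cat > "$TMP/hosts.deny.open" <<'EOF'
# constructed: a hosts.deny that denies nothing, the failure case
EOF

audit_inetd() {
    echo "== live inetd.conf services =="
    live_inetd "$TMP/inetd.conf"
    if wrappers_default_deny "$TMP/hosts.deny"; then
        echo "hosts.deny: default deny present"
    else
        echo "hosts.deny: NO 'ALL: ALL' rule, wrappers deny nothing by default"
    fi
    echo "== wrapped daemons with no hosts.allow rule (unreachable under default deny) =="
    wrapped_without_allow "$TMP/inetd.conf" "$TMP/hosts.allow"
    echo "after editing: refresh -s inetd"
}
audit_inetd
```

On the sample, ftp, telnet, exec and tftp come out UNWRAPPED and flagged, sshd comes out wrapped with an allow rule, and hosts.deny passes. Point the heredoc paths at /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny to run it for real.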
More on TCP wrappers: http://www.stanford.edu/group/itss-ccs/security/unix/tcpwrappers.html

I also discourage the use of plaintext services such as telnetd and ftpd: authentication credentials go over the wire in the clear, the daemons have a history of juicy buffer-overflow exploits, and there is a host of other problems. Instead, use sshd; sftp comes with it as an sshd subsystem (sftp-server), so there is no separate daemon to run. An example /etc/inetd.conf with sshd behind TCP wrappers would look like this (sshd needs -i when it is spawned by inetd rather than running as its own daemon):

    # One service only, all others shut off
    ssh stream tcp nowait root /usr/local/sbin/tcpd /usr/local/sbin/sshd -i

Bear in mind that inetd-spawned sshd starts a fresh sshd for every connection, which is slow. The more usual arrangement is to run sshd standalone (started from inittab or under the SRC) and build OpenSSH with libwrap support, so hosts.allow and hosts.deny still apply to it.

Restart inetd when done tweaking. inetd is an SRC subsystem on AIX, so "refresh -s inetd" is the clean way to make it re-read the file; a kill -HUP $INETD_PID does the same thing.


SENDMAIL - Turn Off or Rebuild!

I am a big sendmail fan, except when it comes to the version shipped with AIX. It includes a binary-only daemon and a prebuilt config that comes complete with FEATURE(promiscuous_relay) enabled. If you're not familiar with that feature, it's the one that allows anyone to relay mail through your SMTP server, including spammers, Nigerian 419 scam artists, the Russian mafia, etc etc. So we have 3 choices here:

1) Disable sendmail completely in /etc/rc.tcpip. Nothing listens on port 25; mail submitted locally (cron output and the like) is still handed off by the sendmail binary itself.
2) Download the sendmail source, recompile, and then build a proper sendmail.cf via the m4 macro preprocessor.
3) Disable sendmail in /etc/rc.tcpip and put "sendmail -q" in root's crontab to process the outgoing mail queue, since without the daemon's periodic queue runs anything that fails on its first delivery attempt would sit in the queue forever.

(NOTE: I know that IBM ships an m4 macro file to define and rebuild the sendmail config file anew. It is /usr/samples/tcpip/sendmail/cf/aix(433|50[123]).mc. But due to certain vulnerabilities, you should be running a more current sendmail anyway; that's my take.)


LOGGING - make sure you have some!

/etc/syslog.conf contains your logging entries. Out of the box, AIX ships this file with every entry commented out, so nothing is logged until you add some. Make sure that you are logging security and critical system events by checking what's being logged and at what level (debug through emerg).
Here's a sample:

    mail.debug      /var/adm/maillog
    auth.notice     /var/adm/authlog
    kern.debug      /var/adm/messages
    *.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info     /var/adm/messages

Remember that whatever files you have syslogd logging to must exist first; syslogd will not create them. So if you define a new file in the config, touch it (and give it sane permissions - authlog in particular will hold failed logins, complete with whatever was typed as a username) before activating or refreshing syslogd. syslogd is an SRC subsystem, so the refresh is "refresh -s syslogd".


CHECK, CHECK, 1, 2, CHECK.

Hey, even if we've gone and fixed all of our service-launching configs, we still need to check what we are running right now. We do so by running the following commands:

    lsof -i              (lsof is not in the base AIX install; get a build for your release)
    netstat -af inet     (every IP socket; "netstat -Aan" adds the PCB address that rmsock maps to a process)

OR portscan your box from another machine on the network with nmap (scan UDP as well as TCP, or you will miss things like tftp and syslog).

If you see something running that you don't intend, go and nuke it (use the methods above to determine where it started from: inittab, rc.tcpip/SRC, or inetd.conf).
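On AIX, the usual way to get from "something is listening on port X" back to "which process opened it" is "netstat -Aan", whose first column is the protocol control block address, followed by "rmsock <address> tcpcb" (or inpcb for UDP), which names the owning process. The script below is an added example for this handout, not from the original or from IBM: it parses netstat -Aan output, lists TCP listeners and bound UDP sockets, compares the ports against a list of what the box is supposed to offer, and prints the rmsock commands to run for each socket. The netstat output it reads is constructed (the PCB addresses and ports are made up), as is the "expected ports" list of 22 and 514.

```shell
#!/bin/sh
# Turn "netstat -Aan" output into a listening-port report and rmsock commands.
# Added example for this handout. Read-only: it never runs netstat or rmsock itself.
# netstat -Aan columns: PCB/ADDR Proto Recv-Q Send-Q Local-Address Foreign-Address (state)

# TCP sockets in LISTEN: prints "proto local-address pcb"
tcp_listeners() {
    awk '$2 ~ /^tcp/ && $NF == "LISTEN" { print $2, $5, $1 }' "$1"
}

# Bound UDP sockets (UDP lines have no state column): prints "proto local-address pcb"
udp_sockets() {
    awk '$2 ~ /^udp/ && NF >= 6 { print $2, $5, $1 }' "$1"
}

# Sockets whose port is not in the expected list ($2, space separated).
# The port is the text after the last '.' of the local address (AIX uses '.' not ':').
unexpected_listeners() {   # $1 = netstat output file, $2 = expected ports, e.g. "22 514"
    { tcp_listeners "$1"; udp_sockets "$1"; } | awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        { m = split($2, f, "."); port = f[m]; if (!(port in want)) print $1, $2 }'
}

# rmsock commands that name the owning process: tcpcb for TCP, inpcb for UDP.
rmsock_cmds() {
    tcp_listeners "$1" | awk '{ print "rmsock", $3, "tcpcb   #", $2 }'
    udp_sockets  "$1" | awk '{ print "rmsock", $3, "inpcb   #", $2 }'
}

# --- constructed netstat -Aan output; addresses and ports are invented ---
TMP=${TMPDIR:-/tmp}/netstat-audit.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
NETSTAT_OUT="$TMP/netstat.out"

cat > "$NETSTAT_OUT" <<'EOF'
Active Internet connections (including servers)
PCB/ADDR         Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
f1000e0000b7c3b8 tcp4       0      0  *.22               *.*                LISTEN
f1000e0000b7c7b8 tcp        0      0  *.25               *.*                LISTEN
f1000e0000b7cbb8 tcp6       0      0  *.23               *.*                LISTEN
f1000e0000b7cfb8 tcp4       0      0  10.0.0.5.22        10.0.0.9.51234     ESTABLISHED
f1000e0000c03008 udp4       0      0  *.514              *.*
f1000e0000c03408 udp4       0      0  *.69               *.*
EOF

report() {
    echo "== TCP listeners =="
    tcp_listeners "$NETSTAT_OUT"
    echo "== bound UDP sockets =="
    udp_sockets "$NETSTAT_OUT"
    echo "== not on the expected list (22 514) =="
    unexpected_listeners "$NETSTAT_OUT" "22 514"
    echo "== run these on the box to find the owning process =="
    rmsock_cmds "$NETSTAT_OUT"
}
report
```

On the sample, ports 25 (sendmail), 23 (telnet) and 69 (tftp) come out as unexpected, and the rmsock lines tell you which process to chase. For a real host, "netstat -Aan > /tmp/ns.out" and point NETSTAT_OUT at that; then cross-check from another machine with "nmap -sS -sU -p- <host>" so you see what the network sees rather than what the box admits to.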