AIX Hardening Example Script


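#!/usr/bin/ksh
# Purpose: AIX Hardening Script Reference.
#
# Usage:   run as root on the AIX host being hardened.  Every section
#          rewrites system configuration, so read it first and comment out
#          the parts that do not apply.  The script can be re-run: each step
#          checks whether its change is already in place.
# Env:     REPORT_DIR - root-owned directory for the setuid/setgid lists and
#          the scratch files (default /var/adm).
#
# Owner: Abstract Initiative, LLC. http://www.AbstractInitiative.com/

# LICENSE

# This script and its contents are the property of Abstract Initiative, LLC.
# License is granted to use, modify, enhance, and share to everyone.
# Selling or marketing this script or its contents without written and signed
# permission by an Abstract Initiative, LLC managing member is in violation of
# this license and the party or parties at fault agree to consideration payable
# to Abstract Initiative, LLC for the amount of twice the advertised or contracted
# sale price in addition to legal fees incurred by Abstract Initiative, LLC in
# pursuit of protecting its properties.
#
# Abstract Initiative, LLC can not and will not be held responsible for any
# damage, risk, or liability incurred as the result of using this script. By
# using, modifying, enhancing, or sharing this script, you assume this
# responsibility. Please test in a non impactful environment first.
#

set -u      # an unset variable is a bug here, not a default
umask 077   # every file this script creates (lists, scratch, backups) is root-only

# ---- helpers ---------------------------------------------------------------
log()  { printf '%s\n' "$*"; }
warn() { printf 'WARNING: %s\n' "$*" >&2; }
die()  { printf 'FATAL: %s\n' "$*" >&2; exit 1; }

# install_rewrite ORIG NEW: copy NEW over ORIG only when both have the same
# number of lines.  The rewrites below only prefix lines with '#', never drop
# any, so a differing count means the rewrite went wrong (the original
# version of this script produced an EMPTY rc.tcpip and copied it into /etc).
function install_rewrite {
  typeset orig=$1 new=$2
  typeset n_orig n_new
  n_orig=$(wc -l < "$orig"); n_orig=$((n_orig))
  n_new=$(wc -l < "$new");   n_new=$((n_new))
  if [ "$n_orig" -ne "$n_new" ]; then
    die "$new has $n_new lines, $orig has $n_orig; $orig left untouched"
  fi
  cp "$new" "$orig" || die "cannot install $orig"
}

[ "$(id -u)" = 0 ] || die "this script must run as root"

# Scratch and report files live in a root-owned directory instead of /tmp.
# The original wrote /tmp/rctcp, /tmp/inetd.conf.good and /tmp/setuid.list:
# predictable names in a world-writable directory that any local user could
# pre-create or symlink, so root would overwrite an attacker-chosen file or
# install attacker-chosen content into /etc.  mkdir (no -p) fails if the
# path already exists, so a pre-created entry aborts the run instead.
report_dir=${REPORT_DIR:-/var/adm}
work="$report_dir/harden.$$"
mkdir "$work" || die "cannot create scratch directory $work"
trap 'rm -rf "${work:?}"' EXIT

# ---- /var ------------------------------------------------------------------
log ".oO Increasing /var to 2GB"
# chfs -a size=2G sets the size to exactly 2G, so only grow a smaller /var.
# df -k prints the total in 1K blocks in column 2 of the data line
# (NOTE(review): confirm the column on the target AIX level).
var_kb=$(df -k /var | awk 'NR == 2 { print $2 }')
if [ -z "$var_kb" ]; then
  warn "could not determine the size of /var; chfs skipped"
elif [ "$var_kb" -lt 2097152 ]; then
  chfs -a size=2G /var || warn "chfs -a size=2G /var failed"
else
  log "    /var is already ${var_kb} KB; nothing to do"
fi

# ---- login.cfg -------------------------------------------------------------
log ".oO Setting login header"
chsec -f /etc/security/login.cfg -s default \
  -a herald="Unauthorized use of this system is strictly prohibited\n\n\rlogin:" \
  || warn "chsec herald failed"

log ".oO Setting /etc/security/login.cfg settings"
for attr in sak_enabled=false logindisable=3 logininterval=60 \
            loginreenable=30 logindelay=5; do
  chsec -f /etc/security/login.cfg -s default -a "$attr" \
    || warn "chsec login.cfg $attr failed"
done

# ---- shell idle timeout ----------------------------------------------------
log ".oO Setting shell idle timeout in /etc/security/.profile"
# The original appended 'export readonly TMOUT TIMEOUT', which exports a
# variable literally named "readonly" and never makes TMOUT read-only, so a
# user could simply reset the timeout.  Export first, then mark read-only.
# /etc/security/.profile is the template copied to newly created accounts;
# existing accounts are not covered unless /etc/profile gets the same line.
tmout_line='TMOUT=3600; TIMEOUT=3600; export TMOUT TIMEOUT; readonly TMOUT TIMEOUT'
if grep -Fxq "$tmout_line" /etc/security/.profile 2>/dev/null; then
  log "    timeout already present"
else
  printf '%s\n' "$tmout_line" >> /etc/security/.profile \
    || warn "could not update /etc/security/.profile"
fi

# ---- CDE -------------------------------------------------------------------
log ".oO Removing /etc/rc.dt"
[ -e /etc/rc.dt ] && rm -f /etc/rc.dt

# ---- X utilities -----------------------------------------------------------
log ".oO Restricting xwd, xwud, and xhost"
# One traversal of /usr instead of six; both changes are applied per match.
find /usr -type f \( -name xwd -o -name xwud -o -name xhost \) \
  -exec chown root {} \; -exec chmod go-rwx {} \;

# ---- /etc/security/user ----------------------------------------------------
log ".oO Restricting /etc/security/user defaults and restricting root remote login"
# Keep the first backup: re-running must not overwrite the pristine copy.
[ -e /etc/security/user_orig ] || cp -p /etc/security/user /etc/security/user_orig
for attr in admin=false auth1=SYSTEM auth2=none daemon=false login=true \
            rlogin=false su=true umask=027 loginretries=3 \
            dictionlist=/usr/share/dict/words histexpire=26 histsize=4 \
            maxage=13 maxexpired=2 maxrepeats=3 minage=0 minalpha=4 \
            mindiff=3 minlen=8 minother=2 pwdwarntime=14; do
  chsec -f /etc/security/user -s default -a "$attr" \
    || warn "chsec user default $attr failed"
done
chsec -f /etc/security/user -s root -a rlogin=false \
  || warn "chsec root rlogin=false failed"

# ---- accounts --------------------------------------------------------------
log ".oO Removing unnecessary users"
for u in uucp nuucp lpd lp imnadm guest; do
  if lsuser "$u" >/dev/null 2>&1; then
    rmuser -p "$u" || warn "rmuser $u failed"
  fi
done
log ".oO Removing unnecessary groups"
for g in uucp printq imnadm lp; do
  if lsgroup "$g" >/dev/null 2>&1; then
    rmgroup "$g" || warn "rmgroup $g failed"
  fi
done

# ---- credential files ------------------------------------------------------
log ".oO Removing .netrc files"
# This walks every mounted file system, NFS mounts included.
find / -type f -name .netrc -exec rm -f {} \;

# ---- privilege inventories -------------------------------------------------
# These lists are an inventory of privilege escalation candidates; umask 077
# above keeps them readable by root only.
log ".oO Creating a list of setuid files in $report_dir/setuid.list"
find / -perm -04000 > "$report_dir/setuid.list"
log ".oO Creating a list of setgid files in $report_dir/setgid.list"
find / -perm -02000 > "$report_dir/setgid.list"

# ---- inetd -----------------------------------------------------------------
log ".oO Commenting out /etc/inetd.conf"
[ -e /etc/inetd.conf.orig ] || cp -p /etc/inetd.conf /etc/inetd.conf.orig
# Only lines that are not already comments get a '#', so repeated runs
# produce the same file.
sed '/^#/!s/^/#/' /etc/inetd.conf > "$work/inetd.conf"
install_rewrite /etc/inetd.conf "$work/inetd.conf"
# Keeps the original mtime.  Be aware this also hides the edit from any
# mtime-based change detection; drop it if such monitoring is in place.
touch -r /etc/inetd.conf.orig /etc/inetd.conf

log ".oO Stopping the inetd SRC"
stopsrc -s inetd || warn "stopsrc -s inetd failed (already stopped?)"

# ---- trusted hosts ---------------------------------------------------------
log ".oO Removing /etc/hosts.equiv"
[ -e /etc/hosts.equiv ] && rm -f /etc/hosts.equiv

# ---- inittab ---------------------------------------------------------------
log ".oO Removing piobe, qdaemon, writesrv, and uprintfd from /etc/inittab"
for entry in piobe qdaemon writesrv uprintfd; do
  if lsitab "$entry" >/dev/null 2>&1; then
    rmitab "$entry" || warn "rmitab $entry failed"
  fi
done
log "***An SSH Server Should Be Installed If One Isn't Already"

# ---- network options -------------------------------------------------------
log ".oO Setting /usr/sbin/no options"
for opt in bcastping=0 clean_partial_conns=1 icmpaddressmask=0 \
           ip6srcrouteforward=0 ipforwarding=0 ipignoreredirects=1 \
           ipsendredirects=0 ipsrcrouteforward=0 ipsrcrouterecv=0 \
           nonlocsrcroute=0 tcp_pmtu_discover=0 udp_pmtu_discover=0; do
  /usr/sbin/no -p -o "$opt" || warn "no -o $opt failed"
done

# ---- NFS -------------------------------------------------------------------
log ".oO NFS Security (put in /etc/rc.local)"
nfso_line="/usr/sbin/nfso -o portcheck=1"
[ -e /etc/rc.local ] || printf '#!/usr/bin/ksh\n' > /etc/rc.local
# Append once; a second run must not add a duplicate line.
grep -Fxq "$nfso_line" /etc/rc.local \
  || printf '%s\n' "$nfso_line" >> /etc/rc.local
chown root /etc/rc.local
chmod 755 /etc/rc.local
lsitab rclocal >/dev/null 2>&1 || mkitab "rclocal:2:once:/etc/rc.local"

# ---- /etc/rc.tcpip ---------------------------------------------------------
log ".oO Cleaning up /etc/rc.tcpip. Original file is backed up at /etc/rc.tcpip.ORIG"
[ -e /etc/rc.tcpip.ORIG ] || cp -p /etc/rc.tcpip /etc/rc.tcpip.ORIG
# The original 19-stage sed pipeline ended in a dangling '|' right before the
# output redirection, so the sed output never reached the file and an empty
# file was copied over /etc/rc.tcpip.  One generated sed script replaces it.
# Only an uncommented 'start /usr/sbin/<daemon>' at the start of a line is
# touched, so re-running does not stack '#' characters.
rc_daemons="ndpd-host autoconf6 binld dhcpcd dhcprd dhcpsd dpid2 gated
            hostmibd inetd lpd mrouted named ndpd-router pxed routed rwhod
            snmpd timed"
: > "$work/rc.tcpip.sed"
for d in $rc_daemons; do
  printf 's|^[ \t]*start /usr/sbin/%s|#&|\n' "$d" >> "$work/rc.tcpip.sed"
done
sed -f "$work/rc.tcpip.sed" /etc/rc.tcpip > "$work/rc.tcpip"
install_rewrite /etc/rc.tcpip "$work/rc.tcpip"
touch -r /etc/rc.tcpip.ORIG /etc/rc.tcpip   # see the mtime note at inetd.conf

log ".oO Complete."

exit 0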
