Securing AIX 5L from Scratch
Many documents are written to describe how to
secure a UNIX-based server. Not very many are written to deal
with AIX, and the ones that are are somewhat vague and seem
to require a lot of knowledge of the OS. It has been my experience
that people with a lot of knowledge of the OS already know
how to secure the machine. Plus I like checklists for securing
things. :-)
This document assumes you know SOMETHING about
AIX & UNIX, and can handle installing the OS from scratch (real
tough -- boot from CD, watch status for a while, reboot).
I used AIX 5L 5.1 to build this. Just FYI. These
steps aren't necessarily in any sort of order, but if you get
to the end you'll be okay. You can do a lot of this through
SMIT, but I list the command line options here.
STEP 1
Once you're staring at the initial system
configuration menu, assign a decent root password.
Configure TCP/IP communications but then pull the machine off
the network, unless you are absolutely sure your network is
safe & sound (twelve year old haX0r free).
STEP 2
Change the filesystem sizes to something useful. The defaults
are small and that's fine, but they do not leave much room
to work. Obviously you can adjust these as you'd like.
/usr/sbin/chfs -a size='262144' /
/usr/sbin/chfs -a size='262144' /var
/usr/sbin/chfs -a size='524288' /tmp
/usr/sbin/chfs -a size='524288' /home
STEP 3
Alter /etc/security/login.cfg to change the console herald.
Add the following line in the "default" section:
herald = "\r\n** UNAUTHORIZED ACCESS PROHIBITED **\r\nlogin: "
STEP 4
Change the properties of sys0 so that it limits the number
of processes a user can have:
/usr/sbin/chdev -l sys0 -a maxuproc='4096'
If you're on a machine that supports CPU Guard, or dynamic
CPU deallocation, turn that on. It is not on by default. This
isn't really a security feature but you'll find out the hard
way if it's off:
/usr/sbin/chdev -l sys0 -a cpuguard='enable'
STEP 5
Shut NFS server services off:
/usr/sbin/rmnfs -B
STEP 6
Disable just about everything in /etc/inetd.conf.
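One way to carry out this step from the command line, as an added example that is not part of the original article: the function below writes a copy of an inetd.conf-format file with every active entry commented out except the services named on a keep-list (ftp here, since STEP 10 configures it). The function names harden_inetd, list_active and write_sample are made up for this example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example for STEP 6: produce a copy of an inetd.conf-format file with
# every active service commented out, except names given on a keep-list.

# harden_inetd SRC DST [service ...]   (service = first field of the entry)
harden_inetd() {
    src=$1; dst=$2; shift 2
    awk -v keep=" $* " '
        NF == 0 || $1 ~ /^#/        { print; next }   # blank or already a comment
        index(keep, " " $1 " ") > 0 { print; next }   # explicitly kept
                                    { print "#" $0 }  # everything else: disable
    ' "$src" > "$dst"
}

# list_active FILE: print service/protocol for each entry inetd would still start
list_active() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 "/" $3 }' "$1"
}

# Constructed sample in inetd.conf layout (not taken from a real system).
write_sample() {
    cat > "$1" <<'EOF'
## service  socket  proto  wait    user   server             args
ftp      stream  tcp6   nowait  root   /usr/sbin/ftpd     ftpd
telnet   stream  tcp6   nowait  root   /usr/sbin/telnetd  telnetd -a
shell    stream  tcp6   nowait  root   /usr/sbin/rshd     rshd
#finger  stream  tcp    nowait  nobody /usr/sbin/fingerd  fingerd
daytime  dgram   udp    wait    root   internal
EOF
}

# Demo on the constructed sample: keep only ftp, then show what is left.
work=${TMPDIR:-/tmp}/inetd-demo.$$
write_sample "$work.orig"
harden_inetd "$work.orig" "$work.new" ftp
echo "still active: $(list_active "$work.new" | tr '\n' ' ')"
rm -f "$work.orig" "$work.new"

# On the real host (run as root, after reviewing the result):
#   cp -p /etc/inetd.conf /etc/inetd.conf.orig
#   harden_inetd /etc/inetd.conf.orig /etc/inetd.conf ftp
#   refresh -s inetd        # AIX SRC: make inetd re-read its configuration
```

Running list_active against the live file afterwards gives a quick record of what inetd will still start; a service that has both tcp and udp entries is kept or disabled as a pair, because the keep-list matches on the service name only.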
STEP 7
Increase syslogging.
mail.debug /var/adm/maillog
mail.none /var/adm/maillog
auth.notice /var/adm/authlog
lpr.debug /var/adm/lpd-errs
kern.debug /var/adm/messages
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info /var/adm/messages
STEP 8
Disable services in /etc/rc.tcpip.
STEP 9
Set user password defaults.
STEP 10
Add an /etc/ftpusers file.
Change the FTP banner to not show the OS information.
STEP 11
Disable some network-based attacks.
STEP 12
Install SSH, sudo, TCP wrappers.
Original source:
http://bob.plankers.com/other/aix/securing.html
This article comes from a ChinaUnix blog; to view the original, click: http://blog.chinaunix.net/u/12/showart_8774.html