[Getting Started] Securing AIX 5L from Scratch (repost)

Posted 2004-12-27 13:03

I came across this online today. It is a little old, but it is still quite good and useful as a reference :)



Many documents are written to describe how to secure a UNIX-based server. Not very many are written to deal with AIX, and the ones that are are somewhat vague and seem to require a lot of knowledge of the OS. It has been my experience that people with a lot of knowledge of the OS already know how to secure the machine. Plus I like checklists for securing things.

This document assumes you know SOMETHING about AIX & UNIX, and can handle installing the OS from scratch (real tough -- boot from CD, watch status for a while, reboot).

I used AIX 5L 5.1 to build this. Just FYI. These steps aren't necessarily in any sort of order, but if you get to the end you'll be okay. You can do a lot of this through SMIT, but I list the command line options here.

STEP 1

Once you're staring at the initial system configuration menu, assign a decent root password. Configure TCP/IP communications but then pull the machine off the network, unless you are absolutely sure your network is safe & sound (twelve year old haX0r free).

STEP 2

Change the filesystem sizes to something useful. The defaults are small and that's fine, but they do not leave much room to work. Obviously you can adjust these as you'd like.

/usr/sbin/chfs -a size='262144' /
/usr/sbin/chfs -a size='262144' /var
/usr/sbin/chfs -a size='524288' /tmp
/usr/sbin/chfs -a size='524288' /home

STEP 3

Alter /etc/security/login.cfg to change the console herald. Add the following line in the "default" section:

herald = "\r\n** UNAUTHORIZED ACCESS PROHIBITED **\r\nlogin: "

STEP 4

Change the properties of sys0 so that it limits the number of processes a user can have:

/usr/sbin/chdev -l sys0 -a maxuproc='4096'

If you're on a machine that supports CPU Guard, or dynamic CPU deallocation, turn that on. It is not on by default. This isn't really a security feature but you'll find out the hard way if it's off:

/usr/sbin/chdev -l sys0 -a cpuguard='enable'

STEP 5

Shut NFS server services off:

/usr/sbin/rmnfs -B

STEP 6

Disable just about everything in /etc/inetd.conf.

STEP 7

Increase syslogging.

mail.debug /var/adm/maillog
mail.none /var/adm/maillog
auth.notice /var/adm/authlog
lpr.debug /var/adm/lpd-errs
kern.debug /var/adm/messages
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info /var/adm/messages

STEP 8

Disable services in /etc/rc.tcpip.

STEP 9

Set user password defaults.

STEP 10

Add an /etc/ftpusers file.

Change the FTP banner to not show the OS information.

STEP 11

Disable some network-based attacks.

STEP 12

Install SSH, sudo, TCP wrappers.

Original source:

http://bob.plankers.com/other/aix/securing.html
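
For Step 6, one way to disable everything in an inetd.conf-style file except an explicit keep list, with an audit of what stays enabled. This is an added example, not part of the original article or post; the function names, the keep list and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example for Step 6. Function names, keep list and sample are assumptions.

# harden_inetd FILE [KEEP...]
# Print FILE with every active entry commented out, unless its service
# name (field 1) appears in the keep list. Comments and blanks pass through.
harden_inetd() {
    file=$1; shift
    awk -v keep=" $* " '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        index(keep, " " $1 " ")  { print; next }
        { print "#" $0 }
    ' "$file"
}

# active_services FILE
# List service/protocol for entries that are still enabled (the audit step).
active_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 "/" $3 }' "$1"
}

# Constructed sample in inetd.conf layout:
# service  socket  protocol  wait  user  program  args
sample_inetd() {
    cat <<'EOF'
## constructed sample entries
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
#bootps dgram   udp     wait    root    /usr/sbin/bootpd    bootpd
echo    stream  tcp     nowait  root    internal
EOF
}

# Demo on a scratch copy. On a real host: keep a backup of /etc/inetd.conf,
# write the hardened output in its place, then run: refresh -s inetd
demo() {
    tmp=${TMPDIR:-/tmp}/inetd.sample.$$
    sample_inetd > "$tmp"
    echo "enabled before:"; active_services "$tmp"
    harden_inetd "$tmp" > "$tmp.new"      # empty keep list: everything off
    echo "enabled after: $(active_services "$tmp.new" | wc -l)"
    rm -f "$tmp" "$tmp.new"
}
demo
```

Running `active_services` against the live file after each change gives a quick record of what inetd will still start.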