Aix Hardening Example Script

  • Uploaded by: Abstract Initiative, LLC
  • June 2020
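#!/usr/bin/ksh
# Purpose: AIX Hardening Script Reference.
# Owner:   Abstract Initiative, LLC.
#          http://www.AbstractInitiative.com/
#
# LICENSE
#
# This script and its contents are the property of Abstract Initiative, LLC.
# License is granted to use, modify, enhance, and share to everyone.
# Selling or marketing this script or its contents without written and signed
# permission by an Abstract Initiative, LLC managing member is in violation of
# this license and the party or parties at fault agree to consideration payable
# to Abstract Initiative, LLC for the amount of twice the advertised or contracted
# sale price in addition to legal fees incurred by Abstract Initiative, LLC in
# pursuit of protecting its properties.
#
# Abstract Initiative, LLC can not and will not be held responsible for any
# damage, risk, or liability incurred as the result of using this script. By
# using, modifying, enhancing, or sharing this script, you assume this
# responsibility. Please test in a non impactful environment first.
#
# Every step below edits system configuration, so refuse to run unprivileged
# instead of failing half-way through with a partially hardened host.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root." >&2
  exit 1
fi
#
# NOTE(review): size=2G is an absolute size, not an increment. If /var is
# already larger than 2GB, confirm chfs will not attempt to shrink it.
echo ".oO Increasing /var to 2GB"
chfs -a size=2G /var
#
# Legal banner shown at the login prompt.
echo ".oO Setting login header"
chsec -f /etc/security/login.cfg -s default \
  -a herald="Unauthorized use of this system is strictly prohibited\n\n\rlogin:"
#
# Failed-login throttling for the default port stanza.
echo ".oO Setting /etc/security/login.cfg settings"
chsec -f /etc/security/login.cfg -s default -a sak_enabled=false
chsec -f /etc/security/login.cfg -s default -a logindisable=3
chsec -f /etc/security/login.cfg -s default -a logininterval=60
chsec -f /etc/security/login.cfg -s default -a loginreenable=30
chsec -f /etc/security/login.cfg -s default -a logindelay=5
#
# Idle-session timeout for shells that source this profile.
# The original appended "export readonly TMOUT TIMEOUT", which exports a
# variable literally named "readonly" and leaves TMOUT/TIMEOUT writable, so a
# user could simply unset the timeout. Mark them read-only, then export.
# The grep guard keeps reruns from appending the line again.
# NOTE(review): /etc/security/.profile is presumably the template copied to
# newly created accounts; existing users' profiles are not touched - confirm.
grep 'readonly TMOUT TIMEOUT; export' /etc/security/.profile >/dev/null 2>&1 ||
  echo "TMOUT=3600; TIMEOUT=3600; readonly TMOUT TIMEOUT; export TMOUT TIMEOUT" >> /etc/security/.profile
#
# -f: an already-absent file is the desired end state, not an error.
echo ".oO Removing /etc/rc.dt"
rm -f /etc/rc.dt
#
# Make the X11 screen-capture and access-control tools root-only.
# One traversal of /usr replaces the original six.
echo ".oO Restricting xwd, xwud, and xhost"
find /usr -type f \( -name xwd -o -name xwud -o -name xhost \) \
  -exec chown root {} \; -exec chmod go-rwx {} \;
#
echo ".oO Restricting /etc/security/user defaults and restricting root remote login"
# Back up only once: on a rerun the live file is already modified, and copying
# it again would overwrite the pristine backup.
[ -f /etc/security/user_orig ] || cp -p /etc/security/user /etc/security/user_orig
chsec -f /etc/security/user -s default -a admin=false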

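# Login and authentication defaults for the "default" stanza of
# /etc/security/user. Remote login is also disabled explicitly for root, so
# administrators must log in as themselves and su.
chsec -f /etc/security/user -s default -a auth1=SYSTEM
chsec -f /etc/security/user -s default -a auth2=none
chsec -f /etc/security/user -s default -a daemon=false
chsec -f /etc/security/user -s default -a login=true
chsec -f /etc/security/user -s default -a rlogin=false
chsec -f /etc/security/user -s root -a rlogin=false
chsec -f /etc/security/user -s default -a su=true
chsec -f /etc/security/user -s default -a umask=027
chsec -f /etc/security/user -s default -a loginretries=3
# Password quality and ageing policy.
# NOTE(review): confirm /usr/share/dict/words exists on the target host before
# relying on the dictionary check.
# NOTE(review): maxage, minage, maxexpired and histexpire are presumably
# counted in weeks and pwdwarntime in days - verify against the AIX
# documentation for /etc/security/user.
chsec -f /etc/security/user -s default -a dictionlist=/usr/share/dict/words
chsec -f /etc/security/user -s default -a histexpire=26
chsec -f /etc/security/user -s default -a histsize=4
chsec -f /etc/security/user -s default -a maxage=13
chsec -f /etc/security/user -s default -a maxexpired=2
chsec -f /etc/security/user -s default -a maxrepeats=3
chsec -f /etc/security/user -s default -a minage=0
chsec -f /etc/security/user -s default -a minalpha=4
chsec -f /etc/security/user -s default -a mindiff=3
chsec -f /etc/security/user -s default -a minlen=8
chsec -f /etc/security/user -s default -a minother=2
chsec -f /etc/security/user -s default -a pwdwarntime=14
#
# Best effort: rmuser/rmgroup simply report an error for accounts that are
# already gone, and the script carries on.
echo ".oO Removing unnecessary users"
for account in uucp nuucp lpd lp imnadm guest; do
  rmuser -p "$account"
done
echo ".oO Removing unnecessary groups"
for group in uucp printq imnadm lp; do
  rmgroup "$group"
done
#
# .netrc files hold clear-text remote credentials.
# NOTE(review): find / descends into every mounted filesystem, remote mounts
# included, and deletes without recording what was removed.
echo ".oO Removing .netrc files"
find / -type f -name ".netrc" -exec rm -f {} \;
#
# Inventory of setuid/setgid entries for later review.
# /tmp is world-writable and these names are predictable, so a local user could
# plant a file or link there before root writes to it. Remove any existing
# entry and refuse to overwrite (noclobber); umask 077 keeps the inventory
# readable by root only. The subshell confines both settings to this step.
# NOTE(review): a root-only directory would be a stronger choice than /tmp.
(
  umask 077
  rm -f /tmp/setuid.list /tmp/setgid.list
  set -o noclobber
  echo ".oO Creating a list of setuid files in /tmp/setuid.list"
  find / -perm -04000 > /tmp/setuid.list
  echo ".oO Creating a list of setgid files in /tmp/setgid.list"
  find / -perm -02000 > /tmp/setgid.list
)
#
# Disable every inetd service by commenting out each active line.
echo ".oO Commenting out /etc/inetd.conf"
# Back up only once so a rerun cannot replace the pristine copy with the
# already commented-out file.
[ -f /etc/inetd.conf.orig ] || cp -p /etc/inetd.conf /etc/inetd.conf.orig
# Stage the edit next to the target rather than under a predictable name in
# /tmp, and copy it into place only if sed succeeded, so a failed edit cannot
# truncate the live file. Lines that already start with '#' are left alone,
# which keeps reruns from stacking comment markers.
inetd_new=/etc/inetd.conf.new.$$
sed -e 's/^\([^#]\)/#\1/' /etc/inetd.conf > "$inetd_new" &&
  cp "$inetd_new" /etc/inetd.conf
rm -f "$inetd_new"
# Restores the original mtime on the edited file. Note that this hides the
# change from anything that detects modifications by timestamp.
touch -r /etc/inetd.conf.orig /etc/inetd.conf
#
echo ".oO Stopping the inetd SRC"
stopsrc -s inetd
#
# hosts.equiv grants password-less trust to the r-commands.
echo ".oO Removing /etc/hosts.equiv"
rm -f /etc/hosts.equiv
#
echo ".oO Removing piobe, qdaemon, writesrv, and uprintfd from /etc/inittab"
rmitab piobe
rmitab qdaemon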

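# Remaining /etc/inittab entries for the print and write services.
rmitab writesrv
rmitab uprintfd
echo "***An SSH Server Should Be Installed If One Isn't Already"
# no
# Network tunables, applied one at a time. The script passes -p on every call;
# NOTE(review): presumably that makes each value persist across reboots -
# confirm on the target AIX level.
echo ".oO Setting /usr/sbin/no options"
for tunable in \
  bcastping=0 \
  clean_partial_conns=1 \
  icmpaddressmask=0 \
  ip6srcrouteforward=0 \
  ipforwarding=0 \
  ipignoreredirects=1 \
  ipsendredirects=0 \
  ipsrcrouteforward=0 \
  ipsrcrouterecv=0 \
  nonlocsrcroute=0 \
  tcp_pmtu_discover=0 \
  udp_pmtu_discover=0
do
  /usr/sbin/no -p -o "$tunable"
done
# NFS
# The nfso setting is applied from /etc/rc.local, which is registered in
# /etc/inittab below. Both guards keep a rerun from appending the command or
# adding the inittab record a second time.
echo ".oO NFS Security (put in /etc/rc.local)"
grep '^/usr/sbin/nfso -o portcheck=1$' /etc/rc.local >/dev/null 2>&1 ||
  echo "/usr/sbin/nfso -o portcheck=1" >> /etc/rc.local
chown root /etc/rc.local
chmod 755 /etc/rc.local
lsitab rclocal >/dev/null 2>&1 || mkitab "rclocal:2:once:/etc/rc.local"
# /etc/rc.tcpip
# Comment out the "start" lines of network daemons that should not run.
echo ".oO Cleaning up /etc/rc.tcpip. Original file is backed up at /etc/rc.tcpip.ORIG"
# Back up only once so a rerun keeps the pristine copy.
[ -f /etc/rc.tcpip.ORIG ] || cp -p /etc/rc.tcpip /etc/rc.tcpip.ORIG
# The original chain of sed commands ended in "| > /tmp/rctcp": the last pipe
# fed a command-less redirection, so the staged file came out empty and was
# then copied over /etc/rc.tcpip. Use one sed that writes the staged file
# directly, stage it next to the target instead of under a predictable name in
# /tmp, and install it only if sed succeeded and produced output.
# "#&" prefixes the matched text with '#'.
rctcp_new=/etc/rc.tcpip.new.$$
if sed \
  -e 's|start /usr/sbin/ndpd-host|#&|g' \
  -e 's|start /usr/sbin/autoconf6|#&|g' \
  -e 's|start /usr/sbin/binld|#&|g' \
  -e 's|start /usr/sbin/dhcpcd|#&|g' \
  -e 's|start /usr/sbin/dhcprd|#&|g' \
  -e 's|start /usr/sbin/dhcpsd|#&|g' \
  -e 's|start /usr/sbin/dpid2|#&|g' \
  -e 's|start /usr/sbin/gated|#&|g' \
  -e 's|start /usr/sbin/hostmibd|#&|g' \
  -e 's|start /usr/sbin/inetd|#&|g' \
  -e 's|start /usr/sbin/lpd|#&|g' \
  -e 's|start /usr/sbin/mrouted|#&|g' \
  -e 's|start /usr/sbin/named|#&|g' \
  -e 's|start /usr/sbin/ndpd-router|#&|g' \
  -e 's|start /usr/sbin/pxed|#&|g' \
  -e 's|start /usr/sbin/routed|#&|g' \
  -e 's|start /usr/sbin/rwhod|#&|g' \
  -e 's|start /usr/sbin/snmpd|#&|g' \
  -e 's|start /usr/sbin/timed|#&|g' \
  /etc/rc.tcpip > "$rctcp_new" && [ -s "$rctcp_new" ]
then
  cp "$rctcp_new" /etc/rc.tcpip
else
  echo "***Could not rewrite /etc/rc.tcpip; the file was left unchanged" >&2
fi
rm -f "$rctcp_new"
# Restores the original mtime on the edited file. Note that this hides the
# change from anything that detects modifications by timestamp.
touch -r /etc/rc.tcpip.ORIG /etc/rc.tcpip
echo ".oO Complete."
exit 0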
