Secure by default
Secure By Default (SbD) is the concept of installing a minimal set of software in a secure configuration.
The AIX® Secure by Default (SbD) installation option installs a lighter version of the TCP client and server filesets that excludes vulnerable commands and files. The bos.net.tcp.client and bos.net.tcp.server filesets are part of the SbD installation and contain all commands and files except for applications that transmit passwords over the network in clear text, such as telnet and ftp. In addition, applications such as rsh, rcp, and sendmail are excluded from the SbD filesets.
The final automated step of the SbD install is to impose the AIX Security Expert high-level security configuration settings. This is done by running the aixpert command from the /etc/firstboot script:

/usr/sbin/aixpert -f /etc/security/aixpert/core/SbD.xml -p 2>/etc/security/aixpert/log/firstboot.log
It is possible to move the machine out of SbD mode by changing the ODM variable SbD_STATE to sbd_disable, installing the bos.net.tcp.client and bos.net.tcp.server filesets again, and using the AIX Security Expert to bring the system to its default security level.
It is possible to have a securely configured system without using the SbD install option. For example, the AIX Security Expert High, Medium, or Low level security options can be configured on a regular installation.
The difference between an SbD-installed system and a regular installation with an AIX Security Expert High Level Security configuration is best illustrated by examining the telnet command. In both cases, the telnet command is disabled. In an SbD installation, however, the telnet binary is never even installed on the system.
| Service | Program | Arguments |
|---|---|---|
bootps | /usr/sbin/bootpd | bootpd /etc/bootp |
comsat | /usr/sbin/comsat | comsat |
exec | /usr/sbin/rexecd | rexecd |
finger | /usr/sbin/fingerd | fingerd |
ftp | /usr/sbin/ftpd | ftpd |
instsrv | /u/netinst/bin/instsrv | instsrv -r /tmp/netinstalllog /u/netinst/scripts |
login | /usr/sbin/rlogind | rlogind |
netstat | /usr/bin/netstat | netstat -f inet |
ntalk | /usr/sbin/talkd | talkd |
pcnfsd | /usr/sbin/rpc.pcnfsd | pcnfsd |
rexd | /usr/sbin/rpc.rexd | rexd |
rquotad | /usr/sbin/rpc.rquotad | rquotad |
rstatd | /usr/sbin/rpc.rstatd | rstatd |
rusersd | /usr/lib/netsvc/rusers/rpc.rusersd | rusersd |
rwalld | /usr/lib/netsvc/rwall/rpc.rwalld | rwalld |
shell | /usr/sbin/rshd | rshd |
sprayd | /usr/lib/netsvc/spray/rpc.sprayd | sprayd |
systat | /usr/bin/ps | ps -ef |
talk | /usr/sbin/talkd | talkd |
telnet | /usr/sbin/telnetd | telnetd -a |
tftp | /usr/sbin/tftpd | tftpd -n |
uucp | /usr/sbin/uucpd | uucpd |
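Whether a system was installed with SbD or hardened afterwards with AIX Security Expert, the practical check is the same: none of the legacy services listed in the table above should have an active entry in inetd.conf. The following POSIX shell audit is an added example, not part of the AIX documentation; it assumes the standard inetd.conf layout (service name as the first field, lines beginning with `#` disabled) and runs against a constructed sample configuration so it can be tried offline. Pass a real inetd.conf path as the first argument to audit a live file instead.

```shell
#!/bin/sh
# Added example: report legacy inetd services that are still enabled.
# The service names come from the table above; the inetd.conf content
# below is a constructed sample, not taken from any real system.

SAMPLE_INETD_CONF='# constructed sample inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd          ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd          rshd
#login  stream  tcp6    nowait  root    /usr/sbin/rlogind       rlogind
ntalk   dgram   udp     wait    root    /usr/sbin/talkd         talkd
tftp    dgram   udp6    SRC     nobody  /usr/sbin/tftpd         tftpd -n
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd        rexecd
'

# Services from the table: excluded by SbD, disabled by High Level Security.
LEGACY_SERVICES="bootps comsat exec finger ftp instsrv login netstat ntalk \
pcnfsd rexd rquotad rstatd rusersd rwalld shell sprayd systat talk telnet \
tftp uucp"

# enabled_legacy_services: read inetd.conf text on stdin and print the name
# of every legacy service whose entry is active (not commented out).
enabled_legacy_services() {
    while read -r svc rest; do
        case "$svc" in
            ''|'#'*) continue ;;   # blank line or commented (disabled) entry
        esac
        for legacy in $LEGACY_SERVICES; do
            if [ "$svc" = "$legacy" ]; then
                printf '%s\n' "$svc"
                break
            fi
        done
    done
}

# count_enabled_legacy: number of active legacy entries in the given text.
count_enabled_legacy() {
    printf '%s' "$1" | enabled_legacy_services | wc -l | tr -d ' '
}

# Stand-alone use: audit the file named as the first argument, or the sample.
if [ -n "$1" ] && [ -r "$1" ]; then
    enabled_legacy_services < "$1"
else
    printf '%s' "$SAMPLE_INETD_CONF" | enabled_legacy_services
fi
```

On the constructed sample the audit lists ftp, shell, ntalk, tftp and exec as still active, while the commented-out telnet and login entries are correctly ignored. An empty result is the expected state on an SbD system or one at High Level Security; on an SbD install the corresponding binaries in the Program column are absent as well, which is the difference the telnet discussion above describes.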