I am getting asked more about security these days than in the previous decade - perhaps there is renewed focus on this area as we hear about hacker groups taking what they want from organisations and companies in the News every day.  Below is an answer I gave to a recent email question on what AIX offers on the security side, spotting vital files being changed and what parts of PowerSC to use for quick wins.

For AIX security the three big hitters for "out of the box" AIX hardening are:

1. Ditch telnet/ftp in the entire computer room
2. The aixpert command
3. RBACs.

1) Ban the use of telnet/ftp = this is fairly obvious as any computer room still using them has no security at all from network packet sniffers! I learnt this when 5 years ago I tried the Open Source Ethereal software and suddenly though "hang on you can see all the ftp and telnet password with no effort at all!"  Just ban them forever - secure ftp and ssh should be the default. ssh is installed with AIX as default in the past couple of years.

2) The aixpert command is a regular AIX tool that uses a policy file to automatically lock down AIX - it has various settings like low, medium, high and SOX/Corbit.  The policy has well over a hundred rules and tools that it runs in all the regular areas like: password aging and lockout on failed log-ins, SUID bit programs, disabling services, blocking port scanning, etc.. The high setting needs care or you might never get to log back in (set the root password just before trying it or it might age out).  It is best to try this on a test machine - then disable rules for thing you do need. For example, I had to enable DNS server and NFS for my webserver as it provides these functions too - you just need to comment out those rules.  This same command is use to get a report of violations to the policy. Once you have sane set of rules you can roll the policy out across many machines and run one command for a consistent hardening.  This is like getting the IBM AIX Security team with decades of experience working for you with regular rule improvements (with AIX upgrades) - this is the only way to cope with large teams of hackers.  See my video for get you started information at http://www.youtube.com/watch?v=L1MmuZOntxI

3) Roll based Access Control (RBAC) was built in to the first AIX 6 release and enhanced since.  This is then use to stop people logging in as root/super-user so you can hand off specific tasks on specific resources to lesser user accounts. This drastically limits the damage that mistakes when using root can cause. See my video for get you started information at http://www.youtube.com/watch?v=CvylFrQX93U  Note: this video does was made before specific resource control was added.

4) On the monitoring of vital file changes, the PowerSC Express Real-Time Compliance (RTC) Alerts extra package will email or SNMP trap when specific files are changed or their RWX permissions change and you can add your own vital files to the list like the famous init.ora file for Oracle settings as an example.  This is handled by direct kernel notifications so we are talking sub-second times to raise alerts not polling or daily cron scripts. This means you catch the mistake or even find out you are being hacked while it happens so you can react. See my video for get you started information at http://www.youtube.com/watch?v=5OFELpnzeFA

PowerSC quick wins - RTC is very quick to understand, implement and get the benefit - like 30 minutes at most. Then roll it out across machines quickly.

Other quick wins from PowerSC are:

• 5) PowerSC Trusted Firewall (short-cut) this is mostly a performance boost item on the virtual networks but can save money (lowers external Firewall devices bandwidth) and drastically reduce network latency. See my video for get you started information at http://www.youtube.com/watch?v=5PT2Ggwu0lg
• 6) PowerSC Trusted Logging - if you don't already remotely ship your AIX logs to a log archive then this feature will ship the logs to your Virtual I/O Servers which is a million times better than doing nothing about your logs. It is easy to setup as it uses your vSCSI VIOS client to VIOS conection over memory. You now have the information that allows you to postmortem analyse what just happened! See my video for get you started information at http://www.youtube.com/watch?v=fQ8hE1NH8CY
• 7) PowerSC Compliance Automation - this automates and adds extra aixpert style profiles to cover further industry standards. It allows Systems Director to roll out the policies and produce reports on many 100's of machines. See the PowerSC Redbook chapter 3 for more information http://www.redbooks.ibm.com/abstracts/sg248082.html

I hope this add a few extra tools for your war against hacking or spurs you into action to get started and to understand the basics are fairly quick to implement and help is at hand.