AIX Audit Program.docx
AIX Audit Program
AIX CHECKLIST
By:
Frank W. Lyons
President of Entellus Technology Group, Inc.
407-774-8397
EntellusFL@
I. Preliminary Steps
A. Obtain an organizational chart of the group responsible for the operating environment.
B. Obtain any existing security and control procedures.
C. Obtain a description of the network configuration.
D. Obtain a listing of the various systems (applications) supported by the operating system.
E. Obtain a job description of the System Administrator.
II. Installation Audit Steps
A. Review any design criteria for system security.
B. Determine whether user access is controlled through the operating system, the database management system, or the application front-end menu system.
C. Determine what documentation standards exist and whether they are being followed.
D. Determine who acts as the Security Administrator for the operating environment.
E. Determine the standards for password management and construction.
F. Review any existing security guidelines for users, groups, and functions.
III. Physical Security
A. Review the network configuration to ensure that all network components are physically secured.
These include File Servers, Bridges, Routers, Hubs/Concentrators, Gateways, Terminal Servers, and Modems.
B. Determine who is responsible and what documentation is required for configuration changes to the physical network.
Are these procedures effective?
Are the changes to the network documented?
Are users and other impacted parties properly notified?
C. Ensure that only the System Administrator or other authorized personnel have physical access to the file server console, as the system can be rebooted from the 'A' drive and a new root password can be supplied.
IV. System Administration
A. Identify all the System Administrators.
    $ grep :0: /etc/passwd
Review every entry whose user ID (the third field) is 0; note that this pattern also matches entries whose group ID is 0.
B. Determine that each administrator requires this level of authority.
C. Determine the change control procedures over changes to users, programs, menus, authorities, user scripts, hardware, and system software.
D. Determine that the proper person or group is responsible for monitoring the network that supports the file server.
E. Determine that the proper person or group is responsible for system shutdown and backups.
F. Determine if the System Administrator is supported by a backup or, at a minimum, their userid/password are kept in a secured location in case of an emergency.
G. Determine who is responsible for maintaining license agreements and if all agreements are being met.
V. System Security
The System Administrator's interface for the AIX system is the System Management Interface Tool (smit).
You can invoke smit by keying smit at the operating system prompt.
A. During the initial installation, did the System Administrator create audit checksum files? These files will allow the Security Administrator to verify that no changes have been made since the installation of the system.
The audit checksum files should contain a single-line entry for each file having the following information:
(See /etc/security/sysck.cfg)
field       comments
acl         Contains both base and extended access control list data for the file
class       A logical group to which this file belongs
pathname    Absolute pathname
owner       Either symbolic or numeric ID
group       Either symbolic or numeric ID
mode        Symbolic representation as displayed by the ls -l command
size        Size of the file in bytes. Major and minor numbers are listed for devices
links       Number of hard links to pathname
version     Numeric value, reported by what(1)
checksum    File contents computed by a checksum algorithm. This field reflects the slightest change to a file, even a single character.
symlinks    Indicates whether the file has symbolic or hard links
program     The associated checking program
source      The source file for this file
type        The type of file
Producing these files should be a simple task. The resulting files should reside in a secured directory.
Dynamic security routines should be run on a periodic basis to ensure that these critical files have not been modified without proper approval.
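As an added example, not part of this checklist and not IBM's tcbck, the periodic verification described above in Python: it parses stanzas in the layout of /etc/security/sysck.cfg and reports which recorded fields no longer match the file on disk. It checks only size and checksum (owner, group and mode are left out), and it assumes SHA-256 in place of whatever checksum program tcbck uses.

```python
import hashlib, os, tempfile

def parse_stanzas(text):
    """Parse an AIX stanza file (as in /etc/security/sysck.cfg): 'pathname:'
    then indented 'attr = value' lines; lines beginning with '*' are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and not raw[0].isspace():
            current = line[:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas

def file_checksum(path):
    # Assumption: SHA-256 stands in for whatever checksum program tcbck uses.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(stanzas):
    """Return {pathname: [recorded fields that differ from the file on disk]};
    a file that no longer exists is reported as ['missing']."""
    findings = {}
    for path, expected in stanzas.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        actual = {"size": str(os.path.getsize(path)), "checksum": file_checksum(path)}
        findings[path] = [k for k, v in expected.items() if k in actual and actual[k] != v]
    return findings

def demo():
    # Constructed scenario: baseline a fresh file, append one line, re-verify.
    target = os.path.join(tempfile.mkdtemp(), "inittab")
    with open(target, "w") as f:
        f.write("init:2:initdefault:\n")
    cfg = "* constructed audit checksum file\n%s:\n\tsize = %d\n\tchecksum = \"%s\"\n" % (
        target, os.path.getsize(target), file_checksum(target))
    before = verify(parse_stanzas(cfg))[target]
    with open(target, "a") as f:
        f.write("extra:2:once:/tmp/unapproved\n")
    return before, verify(parse_stanzas(cfg))[target]
```

Run against a checksum file produced at installation, any non-empty finding list is a change made since the baseline and should be matched to an approved change record.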
B. Determine if the system is running in a secured (trusted) mode.
    /etc/security/passwd    For the password file
A trusted environment moves the encrypted password from the primary password file /etc/passwd to the /etc/security/passwd file and replaces the password field in /etc/passwd with an '!'.
In addition, it forces all users to use passwords, creates an audit ID number for each user, sets the audit flag on for all existing users, and converts the at, batch, and crontab files to use the submitter's audit ID.
C. Determine if auditing has been enabled. Use the following file to look at defined audit events:
    /etc/security/audit/events
Determine if a minimal set of auditable events is being recorded.
Auditing is enabled by entering /etc/audit start
Files used by Audit
    /etc/security/audit/config    conf