UNIX/AIX GENERAL CONTROLS AUDIT PROGRAM
Purpose:
To help audit project teams evaluate the system of controls over UNIX/AIX operating system installations.
Background:
This work plan applies to audits involving this platform. AIX is the IBM version of UNIX. Many versions of UNIX exist, and there are areas using environments other than AIX on the RS/6000. However, much of this work program should still serve as a guide for audits performed on non-AIX environments.
Contents:
Section Topic
1 Access Security
1a identification/authentication
1b resource access control
1c accountability/auditability
1d security administration
2 System Initialization Security
3 Operations/Scheduling
4 Program Change Control
5 Backup and Recovery
6 Physical & Environmental Controls
Glossary UNIX commands
Key sources referenced:
Books:
  Introduction to UNIX -- Beginner's Guide to UNIX Basics
  Elements of AIX Security: R3.1 -- IBM technical support
Papers:
  AIX Security Checklist -- AIT Business Continuity
  UNIX Security Auditing -- AT&T Auditing -- audit considerations and recommendations
  UNIX Security Checklist -- Entellus Technology Group, Inc.
  RS6000 AIX Audit Program -- unknown source
  General UNIX Security Audit Program -- MIS Training Institute
Standards:
  Security and Business Standards documents
note: IAD should work with the system administrator to execute the sections of this work plan that require system access. Commands that require system administrator (root) authority are noted as such where they appear in this work program.
note: Prior to starting the evaluation, review the permanent audit file work papers covering prior UNIX/AIX general control reviews. Ascertain what exceptions were noted, what recommendations were made, and their status.
1. ACCESS SECURITY
Objective: Verify that controls exist which ensure that only authorized individuals can access the UNIX/AIX operating system, that resources can be restricted on a needs-to-have basis, and that critical operating system transactions can be traced.
1a. -- Identification/Authentication
Objective: Ensure that all users are uniquely identified to the system, and that each user's identity is validated prior to gaining access to system resources.
Evaluation Criteria: Verify that UNIX/AIX supports the following attributes.
Note: The following reports were not run on RSP1: file find, user account integrity, suspicious files, user startup files, user ownership/permission, password check.
Evaluation Criteria / AIX Control technique

Criterion: Each user has a unique ID.
Control technique: AIX requires a user ID for each user who logs on. The UID file ensures that the next available UID is assigned, and the administrator runs TCL, which ensures unique user names. Note that UNIX enforces permissions on the numeric UID, not the name: two names sharing one UID are one identity to the system, so the check must cover numeric IDs as well as names (lsuser -a id ALL lists them).
RAXCO test modules: system/file attribute, system/file find, user/account integrity.
RAXCO test: Verify the protection over the /etc/security/ids file. (Account integrity) Verify that IDs and groups are unique and up to date.

Criterion: User IDs can be disabled and reactivated, and the status of each user ID is available.
Control technique: Each user ID has attributes in /etc/security/user that reject all log-on attempts (login=false and rlogin=false; on AIX 4 and later also account_locked=true). Set them with SMIT (System Management Interface Tool) or the chuser command, for example chuser login=false rlogin=false <user>; lsuser -a login rlogin <user> shows the current status.

Criterion: User IDs shall be disabled if the ID has not been used for a set period of time (for example, 60 days).
Control technique: AIX does not disable an ID automatically for inactivity. The system administrator can script the check: /etc/security/lastlog records each user's time_last_login (epoch seconds), and IDs past the threshold can be disabled with chuser. A manual administration process is in place.
RAXCO test modules: user/account integrity.
RAXCO test: Identify users who have not logged on to the system for 60 days.
Criterion: User IDs shall be immediately disabled for terminated employees, or for non-Company employees whose assignments have been completed.
Control technique: An expiration date and time can be set on the account (the expires attribute in /etc/security/user, via SMIT or chuser expires=MMDDhhmmyy <user>). The security standard for terminated employees is defined in the Security Awareness COMTEC guide.
RAXCO test modules: user/account integrity.
RAXCO test: See the previous test.
Test: Validate that the utility IDs defined on the production machines are current. Have TAS run the support IDs against the HRMS file.

Criterion: User ID changes are restricted to a limited group of authorized administrators.
Control technique: Only a system administrator with administrative authority (root) can change ID privileges. On AIX the user-administration commands (mkuser, chuser, rmuser, pwdadm) are also usable by members of the security group, so that group's membership must be reviewed together with root access.
Test: Identify the people who have root access and who are members of the security group. Verify that this is limited to appropriate personnel. Follow up on the audit trail of root users.

Criterion: User IDs can be assigned to groups.
Control technique: Each user ID has a primary group and can be a member of multiple groups. All group members can be listed with SMIT or with the lsgroup ALL command (lsgroup -c ALL gives colon-separated output); lsuser -a pgrp groups ALL lists the same information from the user side.
Test: Ensure that users are grouped properly in Unidata. For example, business users should not be in groups that allow system prompt access, and support users should not be in business user groups.

Criterion: All users (including remote) must always identify themselves before gaining access to AIX.
Control technique: By default, AIX requires every user ID, including root, to supply a password at log-on time.
Test: Walk through the identified access paths (SNA, TCP/IP, dial-in) to ensure that an ID and password are required on each.

Criterion: User IDs must always be authenticated by at least one mechanism (password, smartcard) before performing any actions.
Control technique: A user ID is not logged on to AIX until the correct password has been entered. That authentication can be undermined by files that store credentials or grant trust: a .netrc file in a home directory holds clear-text ftp passwords for automatic login; /.rhosts, ~/.rhosts and /etc/hosts.equiv allow rlogin/rsh from the listed hosts with no password at all (a line consisting of "+" trusts every host); and start-up files (.profile) can carry embedded passwords or auto-login logic. Use of these should be discouraged.
RAXCO test modules: user/startup file.
Test: Verify through review of .profile (system and user) that no embedded credentials or auto-login logic are used, especially for system administrator IDs.
RAXCO test: Evaluate the use of .netrc files. Validate that /.rhosts and ~/.rhosts are not used and that /etc/hosts.equiv contains no "+" entry.
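The trust-file and start-up-file review above can be scripted. The following is an added example written for this work program; it is not IBM, RAXCO or COMTEC code. It takes a directory prefix so it can be run against a constructed tree (as here) or a restored backup; the sample tree it builds is constructed, and the live-system call is the same function with an empty prefix.

```shell
#!/bin/sh
# Finds files that let a session bypass or weaken password authentication:
# rhosts-style trust files, .netrc credential files, and login start-up
# files writable by group or others. Added example for this audit program,
# not IBM or RAXCO code. ROOT is a directory prefix; pass "" for the live
# system (run as root so every home directory is readable).

check_trust_files() {
    root=$1
    # /etc/hosts.equiv and ~/.rhosts grant password-less rlogin/rsh; a line
    # beginning with "+" trusts every host (or every user on a host).
    for f in "$root"/etc/hosts.equiv "$root"/.rhosts "$root"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        if grep -q '^+' "$f"; then
            echo "WILDCARD_TRUST ${f#"$root"}"
        else
            echo "TRUST_FILE ${f#"$root"}"
        fi
    done
    # ~/.netrc stores ftp user names and clear-text passwords for auto-login.
    for f in "$root"/.netrc "$root"/home/*/.netrc; do
        [ -f "$f" ] && echo "NETRC ${f#"$root"}"
    done
    # A start-up file writable by group or others lets anyone plant commands
    # that run under the victim's ID at the next log-on. ls -l is used for
    # the mode string because it is the same on AIX and Linux.
    for f in "$root"/etc/profile "$root"/etc/environment "$root"/.profile "$root"/home/*/.profile; do
        [ -f "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            ?????w*|????????w?) echo "WRITABLE $mode ${f#"$root"}" ;;
        esac
    done
    return 0
}

# Constructed sample tree: one wildcard trust, two host trusts, one .netrc
# and one world-writable .profile, with everything else set tight.
build_sample_tree() {
    mkdir -p "$1/etc" "$1/home/jdoe" "$1/home/ops"
    echo '+' > "$1/etc/hosts.equiv"
    echo 'backup01 root' > "$1/.rhosts"
    echo 'devbox jdoe' > "$1/home/jdoe/.rhosts"
    printf 'machine ftp01 login jdoe password Secret1\n' > "$1/home/jdoe/.netrc"
    echo 'PATH=/usr/bin:/etc' > "$1/etc/profile"
    echo 'TMOUT=900' > "$1/home/jdoe/.profile"
    echo 'umask 022' > "$1/home/ops/.profile"
    chmod 644 "$1/etc/profile" "$1/home/jdoe/.profile"
    chmod 600 "$1/etc/hosts.equiv" "$1/.rhosts" "$1/home/jdoe/.rhosts" "$1/home/jdoe/.netrc"
    chmod 666 "$1/home/ops/.profile"
}

sample=$(mktemp -d)
build_sample_tree "$sample"
check_trust_files "$sample"
rm -r "$sample"
```

Each finding is one line, so the output can be pasted straight into the work papers; a clean system produces no output. The WRITABLE check deliberately ignores ownership, because a file created by the audit ID for testing is never root-owned; on the live system add a second pass with ls -l to confirm that /etc/profile and /etc/environment belong to root.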
Criterion: Users must re-authenticate after a specific period of non-use.
Control technique: exception noted -- AIX has no system-wide idle time-out for logged-on sessions. Two mitigations are available: the Korn shell honours the TMOUT variable (seconds of idle time after which the shell exits), which can be set and made read-only in /etc/profile; and the xlock command should be used to freeze an X session when an individual leaves a workstation unattended, so that the user must re-authenticate to thaw it. An automatic time-out takes place after a period of no activity where applicable. Field office test.

Criterion: User IDs must be disconnected after a maximum number of log-on attempts, and the system administrator must be notified.
Control technique: By default, AIX re-initiates the log-on process (re-enter both user ID and password) after 3 unsuccessful password attempts; the user ID itself is not suspended. Two attributes change this on current AIX: loginretries in /etc/security/user (default stanza or per user) locks the account after that many consecutive failures (0 means never), and logindisable, logininterval and loginreenable in /etc/security/login.cfg disable a port after repeated failures on it. Every failed attempt is appended to /etc/security/failedlogin, which is in utmp format and is read with: who /etc/security/failedlogin. A locked account is released with chuser unsuccessful_login_count=0 <user>.
Test: Confirm that loginretries is set to 3 (not 0) in the default stanza of /etc/security/user (lssec -f /etc/security/user -s default -a loginretries) and review the port lockout attributes in /etc/security/login.cfg.
Procedural control: The system administrator should review /etc/security/failedlogin on a daily basis. Ref issue list.
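The daily review of /etc/security/failedlogin is easier if the output of who is summarised rather than read line by line. The script below is an added example written for this work program (not IBM or COMTEC code); it works on a saved copy of the who output, and the sample it writes is a constructed transcript in who layout (name, line, date, time and, for network log-ons, the source host in parentheses; AIX records attempts against non-existent names as UNKNOWN). The threshold of 3 follows the log-on attempt limit in the criterion above.

```shell
#!/bin/sh
# Summarises /etc/security/failedlogin, which AIX keeps in utmp format and
# which "who" can read:   who /etc/security/failedlogin > failed.txt
# Added example for this audit program, not IBM code. The sample file is
# constructed in "who" layout.

# Print "user source count" for each (user, source) pair with at least
# THRESHOLD failures, most failures first. Attempts without a host in
# parentheses came from a directly attached terminal and are shown as local.
failed_login_summary() {
    awk -v threshold="$2" '
        {
            src = ($NF ~ /^\(.*\)$/) ? substr($NF, 2, length($NF) - 2) : "local"
            n[$1 " " src]++
        }
        END { for (k in n) if (n[k] >= threshold) print k " " n[k] }
    ' "$1" | sort -k3,3nr -k1,1
}

# Number of attempts against names that do not exist (logged as UNKNOWN);
# a burst of these is someone probing for valid user IDs.
unknown_user_attempts() {
    awk '$1 == "UNKNOWN" { c++ } END { print c + 0 }' "$1"
}

write_sample() {
    cat > "$1" <<'EOF'
jdoe        pts/3        Mar 03 08:01   (10.20.30.40)
jdoe        pts/3        Mar 03 08:02   (10.20.30.40)
jdoe        pts/3        Mar 03 08:03   (10.20.30.40)
jdoe        pts/3        Mar 03 08:04   (10.20.30.40)
root        pts/5        Mar 03 23:10   (10.20.30.99)
root        pts/5        Mar 03 23:11   (10.20.30.99)
root        pts/5        Mar 03 23:12   (10.20.30.99)
msmith      pts/1        Mar 03 09:00   (10.20.30.41)
UNKNOWN     pts/2        Mar 03 10:00   (10.20.30.50)
UNKNOWN     pts/2        Mar 03 10:00   (10.20.30.50)
opsbat      tty0         Mar 03 12:00
EOF
}

f=$(mktemp)
write_sample "$f"
echo "pairs with 3 or more failures:"; failed_login_summary "$f" 3
echo "attempts against unknown names: $(unknown_user_attempts "$f")"
rm -f "$f"
```

Any root entry in the summary needs an explanation regardless of count: root should be reachable only through su from a personal ID, so a remote host guessing root's password directly is a finding in itself.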
Criterion: No default IDs exist that allow unauthenticated system access.
Control technique: By default, all user ID profiles require valid passwords. AIX generic IDs (bin, sys, adm, uucp, guest and so on) are disabled for log-on by setting password = * in /etc/security/passwd. An empty or missing password attribute in that file means the ID can log on with no password at all, which is what the test looks for.
RAXCO test modules: user/account integrity.
RAXCO test: RAXCO identifies accounts with no passwords.
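The no-password check just described and the 60-day inactivity check in the third criterion of this section read the same two stanza files, so one script covers both. It is an added example written for this work program, not IBM or RAXCO code. The files it writes are constructed miniatures of /etc/security/passwd and /etc/security/lastlog, and the "current time" is fixed so the result is reproducible; on a live system pass the real paths and $(date +%s).

```shell
#!/bin/sh
# Account-integrity checks over the AIX stanza files /etc/security/passwd
# and /etc/security/lastlog. Added example for this audit program, not IBM
# or RAXCO code; the sample files written below are constructed.
# Live use (as root or a member of group security):
#   no_password_accounts /etc/security/passwd
#   inactive_accounts /etc/security/passwd /etc/security/lastlog "$(date +%s)" 60

# Users whose "password" attribute is empty or absent: they can log on with
# no credential. A value of "*" is a deliberately disabled account.
no_password_accounts() {
    awk '
        function emit() { if (user != "" && pw == "") print user }
        /^[^[:space:]#].*:[[:space:]]*$/ { emit(); user = $1; sub(/:.*/, "", user); pw = ""; next }
        $1 == "password" && $2 == "=" { pw = $3 }
        END { emit() }
    ' "$1" | sort
}

# Users not disabled (password != "*") whose last log-on is older than DAYS
# days ("user days"), or who have no lastlog entry at all ("user never").
inactive_accounts() {
    awk -v now="$3" -v days="$4" '
        /^[^[:space:]#].*:[[:space:]]*$/ {
            user = $1; sub(/:.*/, "", user)
            if (FNR != NR) pw[user] = ""          # second file is passwd
            next
        }
        FNR == NR && $1 == "time_last_login" && $2 == "=" { last[user] = $3 }
        FNR != NR && $1 == "password" && $2 == "="        { pw[user] = $3 }
        END {
            cutoff = now - days * 86400
            for (u in pw) {
                if (pw[u] == "*") continue
                if (!(u in last)) print u " never"
                else if (last[u] + 0 < cutoff) print u " " int((now - last[u]) / 86400)
            }
        }
    ' "$2" "$1" | sort
}

# Emit (do not run) the chuser commands that would disable the stale IDs so
# the administrator can review them before applying.
lock_commands() {
    inactive_accounts "$@" | awk '{ print "chuser login=false rlogin=false " $1 }'
}

write_samples() {
    cat > "$1/passwd" <<'EOF'
root:
        password = 7h1sIsAHash.
jdoe:
        password = xY9kLmNoPqRst
        flags = ADMCHG
oldsvc:
        password = Ab3dEfGhIjKlm
guest:
        password = *
newhire:
        password = Qr5tUvWxYz012
        flags = ADMCHG
nopass:
        password =
batchacct:
        flags =
EOF
    cat > "$1/lastlog" <<'EOF'
root:
        time_last_login = 1699990000
        host_last_login = mgmt01
jdoe:
        time_last_login = 1699900000
oldsvc:
        time_last_login = 1690000000
guest:
        time_last_login = 1600000000
nopass:
        time_last_login = 1699950000
batchacct:
        time_last_login = 1699960000
EOF
}

SAMPLE_NOW=1700000000   # constructed "current time" (14 Nov 2023 UTC)
dir=$(mktemp -d)
write_samples "$dir"
echo "no password:"; no_password_accounts "$dir/passwd"
echo "inactive over 60 days (days since last log-on):"
inactive_accounts "$dir/passwd" "$dir/lastlog" "$SAMPLE_NOW" 60
echo "proposed actions:"; lock_commands "$dir/passwd" "$dir/lastlog" "$SAMPLE_NOW" 60
rm -r "$dir"
```

newhire appears as "never" because an account that has been created but never used is exactly the kind of ID that gets forgotten; treat it as a finding unless the request date is recent.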
Criterion: The password of every new user ID (set by the system administrator) expires upon initial log-on and is changed by the owner of the user ID.
Control technique: AIX can force a password change at the next log-on. When an administrator assigns a password with pwdadm, the ADMCHG flag is set on the user's stanza in /etc/security/passwd (it can also be set explicitly with pwdadm -f ADMCHG <user>), and the flag stays until the owner changes the password.
Test: Verify that the system administrator sets up all new IDs using this feature (the flags line of a new user's stanza in /etc/security/passwd shows ADMCHG until the first change).

Criterion: Passwords are encrypted and are not available to non-privileged users.
Control technique: Passwords are stored by default as one-way hashes in /etc/security/passwd, which is readable only by root and the security group; the password field of the world-readable /etc/passwd holds only a placeholder.

Criterion: Passwords are not displayed on the screen.
Control technique: The log-on process suppresses the display of characters while a password is being entered. Ref issues list.

Criterion: Passwords are not shared.
Control technique: AIX gives no indication that a password may be in use by another user ID. The COMTEC security awareness standard is not to share passwords.
Criterion: Passwords must have a minimum length of 6.
Control technique / Test: Ensure that the default stanza of /etc/security/user has minlen = 6 (minimum total length); minalpha and minother set the minimum number of alphabetic and non-alphabetic characters respectively. These attributes live in /etc/security/user, not in login.cfg.

Criterion: Customer-specific passwords must not be used.
Control technique: exception noted -- the release reviewed has no content ("string") checking for passwords. Later AIX releases add the dictionlist attribute (reject words found in the listed dictionary files) and pwdchecks (site-written checking routines), both in /etc/security/user.

Criterion: Passwords can be reset by the system administrator.
Control technique: A system administrator can reset a password from the command line (passwd <user> or pwdadm <user>) or from SMIT.

Criterion: Password changes are forced.
Control technique: Password expiration is forced with the maxage attribute, which is expressed in weeks, not days (maxage = 8 is 56 days; 0 means the password never expires).
Test: Verify that maxage is set to 8 weeks or less, and not 0, in the default stanza of /etc/security/user, so that the 60-day standard is met. Note: minage (also in weeks) prevents the user from changing the password again until that time has elapsed; it is not recommended.

Criterion: Passwords can be changed by the user.
Control technique: The AIX passwd command requires the user to re-authenticate with the old password before accepting a password change.

Criterion: Users are notified of pending password expiration.
Control technique: exception noted -- by default a user is prompted to change the password only when it has expired, with no message indicating the time left. The pwdwarntime attribute in /etc/security/user (days of advance warning, default 0) provides the notice where it is set.

Criterion: Passwords must be reasonably resistant to brute-force guessing (no repeating characters, no password re-use).
Control technique: exception noted -- only composition limits can be specified for passwords, and repeated guessing does not suspend user IDs unless loginretries is set. The following /etc/security/user attributes help: mindiff (minimum number of characters in the new password that are not in the old one), maxrepeats (maximum number of times one character may appear; the default of 8 means no limit), and histsize and histexpire (number of previous passwords, and number of weeks, before a password may be reused).
Test: Verify that mindiff and maxrepeats are set so that the expiring and new passwords cannot share the same characters, and that histsize is greater than 0.
RAXCO test modules: user/password strength.
RAXCO test: Checks password strength against an English dictionary.
Procedural control: Verify that the system administrator performs a daily review of /etc/security/failedlogin (ref issues lists).

Criterion: Generated passwords are easy to remember and random.
Control technique: exception noted -- AIX does not provide a facility to generate random passwords.
Additional Testing: None
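The password and lockout attributes tested across section 1a all sit in /etc/security/user, so they can be checked in one pass. The script below is an added example for this work program, not IBM or RAXCO code. The thresholds are this section's criteria translated into the AIX attribute semantics (maxage in weeks, loginretries 0 and histsize 0 meaning unlimited, maxrepeats 8 meaning no limit, umask 027 or 077 for the default-access criterion in 1b); the stanza file it writes is constructed. On the live system, run it as root against /etc/security/user itself; a failing default-stanza value is corrected with chsec -f /etc/security/user -s default -a attribute=value.

```shell
#!/bin/sh
# Checks /etc/security/user against the section 1a password criteria.
# Added example for this audit program, not IBM code. Thresholds are an
# assumption based on the criteria in the text; the sample file is constructed.

# Print "stanza attr=value reason" for each attribute that fails policy.
# The default stanza is checked for every policy attribute (an unset one is
# itself a finding); other stanzas are checked only for the attributes they
# override, since everything else is inherited from default.
user_policy_findings() {
    awk '
        function bad(a, v) {
            if (a == "minlen")       return (v < 6)          ? "shorter than 6 allowed"           : ""
            if (a == "maxage")       return (v < 1 || v > 8) ? "not 1..8 weeks (0 never expires)" : ""
            if (a == "minage")       return (v > 0)          ? "blocks user-initiated change"      : ""
            if (a == "loginretries") return (v < 1 || v > 3) ? "not 1..3 (0 = no lockout)"         : ""
            if (a == "histsize")     return (v < 1)          ? "password reuse allowed"            : ""
            if (a == "pwdwarntime")  return (v < 1)          ? "no expiry warning"                 : ""
            if (a == "maxrepeats")   return (v >= 8)         ? "8 = no repeat limit"               : ""
            if (a == "umask")        return (v != "027" && v != "077") ? "new files readable by group/other" : ""
            return ""
        }
        BEGIN { np = split("minlen maxage minage loginretries histsize pwdwarntime maxrepeats umask", policy, " ") }
        /^[^[:space:]#].*:[[:space:]]*$/ { st = $1; sub(/:.*/, "", st); order[++ns] = st; next }
        $2 == "=" && st != "" { val[st, $1] = $3; has[st, $1] = 1 }
        END {
            for (i = 1; i <= ns; i++) {
                s = order[i]
                for (j = 1; j <= np; j++) {
                    a = policy[j]
                    if (!((s, a) in has)) { if (s == "default") print s " " a " unset"; continue }
                    r = bad(a, val[s, a])
                    if (r != "") print s " " a "=" val[s, a] " " r
                }
            }
        }
    ' "$1"
}

# Constructed /etc/security/user: a default stanza with several weak values,
# a root override that is fine, and a service account whose password never
# expires.
write_sample() {
    cat > "$1" <<'EOF'
default:
        admin = false
        login = true
        minlen = 6
        minalpha = 4
        minother = 1
        mindiff = 3
        maxage = 8
        minage = 0
        loginretries = 0
        histsize = 0
        pwdwarntime = 0
        maxrepeats = 8
        umask = 022

root:
        admin = true
        loginretries = 3

jdoe:
        maxage = 4

svcacct:
        maxage = 0
        login = true
EOF
}

f=$(mktemp)
write_sample "$f"
user_policy_findings "$f"
rm -f "$f"
```

Per-user overrides matter as much as the default stanza: a single service account with maxage = 0 satisfies none of the expiry criteria however good the defaults are, which is why the script reports on every stanza rather than only default.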
1b. -- Resource Access Control
Objective: Ensure that controls restrict access to UNIX/AIX system resources on a needs-to-have basis.
Evaluation Criteria: Security standards (version 2.0) for access control facilities.
Evaluation Criteria / AIX Control technique

Criterion: All users and remote machines with access to the system can be listed.
Control technique: SMIT can show the status of any ID (active, inactive, revoked), and lsuser ALL lists every account with its attributes. Remote machines with password-less access are those named in /etc/hosts.equiv and in any .rhosts file.

Criterion: Access can be restricted by day, time, calendar date, method of entry, or location.
Control technique: exception noted -- the AIX release reviewed cannot do this natively; scripts can be added to users' .profile to provide the function. Later AIX releases provide the logintimes attribute (permitted days and times) and the ttys attribute (permitted termin...) in /etc/security/user.

Criterion: Minimum access rights can be assigned to critical resources.
Control technique: User accounts can be configured by resource using SMIT or the login.cfg file. Distribution of access rights needs to be enforced procedurally and given on a needs-to-have basis.

Criterion: Warning messages are displayed upon entry regarding unauthorized use and possible consequences.
Control technique: exception noted -- this does not occur by default. The herald attribute in /etc/security/login.cfg replaces the log-on prompt with site-defined text, and /etc/motd is displayed after a successful log-on.
Test: Evaluate the log-on message provided on COMTEC computers.

Criterion: Only system administrators can create, change or delete user security profiles.
Control technique: Only system administrators (root access, and members of the security group) can modify security profiles.
Test: Related test above, in evaluating who uses root.

Criterion: The time, date and location of the last successful log-on are displayed upon log-on.
Control technique: The /bin/login process displays the last successful and the last unsuccessful log-on attempt, taken from /etc/security/lastlog.
Test: Verify that this is in use.

Criterion: Access to resources is restricted to individuals or to groups with specific access rights.
Control technique: All access control is based on the user ID or group (the owner, group and other permission bits, plus ACLs where set).
RAXCO test modules: system/file attribute, system/file find, system/file access, user/startup, user/suspicious files.
RAXCO test: Evaluates access to user start-up files, system start-up files, system security files and user files. Identifies suspicious files (e.g. hidden directories).
Manual tests:
- Identify application-critical datasets. Identify access to those datasets through AIX security (owner, group, etc.).
- Evaluate access provided through Unidata access groups, including access to the UNIX prompt.
- Evaluate vendor access to the UNIX machine. Verify that modems are turned off.
- Verify that users cannot break out of Unidata to the UNIX command line.

Criterion: The system administrator can list which users are authorized to a resource by authority type (read/write/execute).
Control technique: ls -l shows the owner, group and permission bits of a file; aclget shows its ACL; tcbck reports the expected ownership and mode of the trusted-computing-base files registered in /etc/security/sysck.cfg.

Criterion: Authorization rules are verified prior to granting rights to a resource.
Control technique: All access and authorization is based on the user ID and its groups.

Criterion: By default, only the owner/creator has access to a resource when it is created.
Control technique: The creator becomes the owner of a new file, but the permission bits given to group and others depend on the umask. The AIX default umask of 022 leaves new files readable by everyone; a umask of 027 or 077 (the umask attribute in /etc/security/user, or a umask line in /etc/profile) is needed to meet this criterion.
Test: Check the umask attribute in the default stanza of /etc/security/user and the umask set in /etc/profile.

Criterion: User ID access rights take precedence over access rights specified by group membership.
Control technique: Permission checking uses the owner bits when the accessing ID owns the file, the group bits when it is a member of the file's group, and the other bits otherwise; only the first matching class is consulted.

Criterion: Access to security data is protected.
Control technique: The files under /etc/security are limited to root and the security group by default. Non-administrator owners can also be established; this should be discouraged.
RAXCO test modules: system/file attribute, system/file find.
RAXCO test: Evaluate the access protection over security files.

Criterion: All security parameters can be reviewed via status reports.
Control technique: acledit and tcbck can be used to identify security access parameters; lsuser, lsgroup and lssec report account and stanza-file settings.

Criterion: Separate privileges are required to perform security-relevant operations.
Control technique: Only system administrators (root access) can perform security operations.

Criterion: Privileges that permit users to override or bypass security shall be distinct and separate from all other privileges.
Control technique: AIX does not provide this by default: root authority bypasses all security. Best practice is a dedicated system administrator ID that performs only security functions, and a separate, unprivileged ID for each administrator's other work.
Test: Verify that this segregation occurs.

Additional testing:
- Evaluate who can update the .profile files. Obtain a listing of the system /etc/profile to evaluate the default log-on parameters.
RAXCO test modules: user/account integrity.
RAXCO test: Account integrity -- log-on restrictions on accounts, users with no shell, users with no home directory.
1c. -- Accountability/Auditability
Objective: Ensure that the ability exists to trace critical transactions/changes within the UNIX/AIX operating system to specific IDs.
Evaluation Criteria: Security standards (version 2.0) for accountability/auditability
include commands needed to check appropriate system settings (journalling . . .)
Evaluation Criteria / AIX Control technique

Criterion: The following should be recorded:
- valid and invalid user authentication attempts
- log-ons and log-offs
- activities of privileged users (root, system administrators)
- unsuccessful transactions
- successful access to system-critical resources
- changes to users' security profiles
- changes to access rights of resources
- changes to system security configuration
Control technique: The AIX audit subsystem records these as events (USER_Login, USER_Logout, USER_SU, PASSWORD_Change, USER_Change, USER_Create, FILE_Unlink and so on). /etc/security/audit/events lists the known events and their record formats; /etc/security/audit/config groups events into classes and, in its users stanza, assigns classes to user IDs; /etc/security/audit/objects names files whose reads and writes are to be audited. Records go to the bin files and trail named in config (bin mode) or to a command (stream mode). Nothing is recorded unless auditing has been started (audit start; audit query shows the current state).
Test: Evaluate which events are being audited and monitored by reviewing the classes and users stanzas of /etc/security/audit/config and the objects file, not only the events file.

Criterion: The ability should exist to record:
- creation and deletion of resources
- data access
- program execution
- on-line command execution
- customer-defined events
Control technique: These are covered by the kernel file and process events (for example FILE_Open, FILE_Unlink, PROC_Execute) and by object auditing defined in /etc/security/audit/objects. Application-defined events can be added to /etc/security/audit/events and written with the auditwrite subroutine.
Test: See the previous step.
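The test above, read against a real config file, comes down to three questions: is auditing switched on, which events does each privileged ID actually get, and which IDs are not audited at all. The script below answers them from /etc/security/audit/config. It is an added example for this work program, not IBM code; the required-event list is an assumption drawn from the criteria in this section, the user list is supplied by the caller (on a live system, from lsuser -a ALL), and the config file it writes is a constructed miniature of the real one.

```shell
#!/bin/sh
# Coverage check for /etc/security/audit/config: audit mode, and whether
# each named user's assigned classes include the events the criteria call
# for. Added example for this audit program, not IBM code. The required
# event list is an assumption based on the section 1c criteria; the sample
# config is constructed.

# audit_config_findings CONFIG "user1 user2 ..."
# Prints AUDIT_OFF if neither bin nor stream mode is on, then for each user
# either "user NOT_AUDITED" or "user MISSING ev ..." (nothing if covered).
audit_config_findings() {
    awk -v users="$2" -v required="USER_Login USER_SU PASSWORD_Change USER_Change" '
        /^[^[:space:]#].*:[[:space:]]*$/ { st = $1; sub(/:.*/, "", st); next }
        $2 == "=" {
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); gsub(/[[:space:]]/, "", val)
            if (st == "start")        mode[$1] = val
            else if (st == "classes") class[$1] = val
            else if (st == "users")   assigned[$1] = val
        }
        END {
            if (mode["binmode"] != "on" && mode["streammode"] != "on") print "AUDIT_OFF"
            nr = split(required, req, " ")
            nu = split(users, ul, " ")
            for (i = 1; i <= nu; i++) {
                u = ul[i]
                if (!(u in assigned)) { print u " NOT_AUDITED"; continue }
                split("", have)                      # clear per user (portable idiom)
                nc = split(assigned[u], cl, ",")
                for (j = 1; j <= nc; j++) {
                    ne = split(class[cl[j]], ev, ",")
                    for (k = 1; k <= ne; k++) have[ev[k]] = 1
                }
                miss = ""
                for (j = 1; j <= nr; j++) if (!(req[j] in have)) miss = miss " " req[j]
                if (miss != "") print u " MISSING" miss
            }
        }
    ' "$1"
}

# Constructed config: bin mode on, root gets general+login (no USER_Change),
# jdoe only object events, svcacct not listed at all.
write_sample() {
    cat > "$1" <<'EOF'
start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Rename
        login = USER_Login,USER_Logout,TERM_Logout
        objects = S_ENVIRON_WRITE,S_PASSWD_WRITE,S_USER_WRITE

users:
        root = general,login
        jdoe = objects
EOF
}

f=$(mktemp)
write_sample "$f"
audit_config_findings "$f" "root jdoe svcacct"
rm -f "$f"
```

A user absent from the users stanza generates no records at all, however complete the classes are, which is why the script takes the account list from outside the config file rather than from the file itself.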
Criterion: For each recorded event, the audit record shall identify the date/time of the event, the user identification and physical point of access, the type of event, the name of the resource accessed, and the success or failure of the transaction.
Control technique: Each audit record carries the event name, the login and real user IDs, the process ID, the time, the command, and the result (OK or FAIL); the event-specific tail carries the object name where one applies. auditpr -v prints all of these fields.
Test: Obtain a dump of the audit trail (auditpr -v < /audit/trail, or whichever trail file config names). Verify that the listed events are recorded in the audit trail log.

Criterion: Passwords are not recorded in audit trails.
Control technique: Passwords are not recorded; PASSWORD_Change records the user whose password changed, not the value.
Test: Review a sample of the log.

Criterion: Audit control data shall survive system restarts.
Control technique: Records already written to the bin files or trail are on disk and are unaffected by a system failure and restart. Auditing itself does not restart automatically: audit start must be issued after a reboot (or placed in the start-up files), and a bin being written at the moment of a crash may be incomplete.
Test: Verify that audit start is in the start-up procedure and that audit query reports auditing on after a reboot.

Criterion: The system administrator is notified if audit records cannot be recorded.
Control technique: Error messages are sent to the system console at the rate of one per minute when audit logging cannot write.
Test: Verify that the console is periodically monitored so that the messages are acted on.

Criterion: System administrator actions are recorded.
Control technique: Recorded when the administrator IDs (root and the members of the security group) are assigned, in the users stanza of /etc/security/audit/config, classes that include USER_SU, PASSWORD_Change, USER_Change and the file events.
Test: Review a sample of the audit log.

Criterion: Audit trails are protected from unauthorized access.
Control technique: By default only the system administrator ID (root) can delete or modify the audit trail records.
Test: ls -ld /audit and ls -l /audit should show root ownership with no access for others.
RAXCO test: Access to system resources.

Criterion: Audit tools are available which produce exception reports, summary reports and detailed reports that are periodically reviewed.
Control technique: auditpr formats the records; auditselect filters them by event, user, command, result or time (for example every FAIL result, or every USER_SU record), so exception reports can be produced by piping auditselect into auditpr. Xref issues list.

Criterion: The system administrator can independently and selectively review the actions of any user.
Control technique: auditselect -e "login == jdoe" piped into auditpr -v yields the records for a single user.

Criterion: The system shall be able to provide a report of all modifications to a named or user-accessible system resource.
Control technique: Name the file in /etc/security/audit/objects with a w (write) event, then report on that event with auditselect and auditpr.

Criterion: Audit trails are archived.
Control technique: Logs are procedurally controlled. The bincmds script (/etc/security/audit/bincmds) appends each full bin to the trail; the trail must then be backed up and pruned.
Test: Verify that the audit logs are backed up regularly and archived.

Criterion: The system can flag and report significant security events on-line.
Control technique: AIX has no alerting facility of its own. Audit stream mode (streammode = on in config, with the commands in /etc/security/audit/streamcmds) passes records to a command as they occur, so selected events can be written to the system console and reviewed procedurally by the system administrator. Ensure that a product such as NetView/6000 or Systems Monitor/6000 is used to monitor terminal activity. Ref issues list.
Additional testing: None
1d. -- Security Administration
Objective: Ensure that roles, responsibilities and procedures exist in order to maintain protection over UNIX/AIX operating system resources, and that security deviations are detected and corrected.
Evaluation Criteria: Security standards (version 2.0)
Evaluation Criteria / AIX Control technique

Criterion: Authentication and access security functions (add, change, delete user ID and access privileges) are clearly defined and documented.
Control technique: System administrator access is procedurally controlled and should be given only on a needs-to-have basis.
Test: Review the security awareness manual.

Criterion: Segregation of duties in granting, denying or changing access privileges.
Control technique: Procedurally controlled. A separate system administrator ID should exist and be used only for administrative purposes. Ref admin process flowchart. Possible issue.

Criterion: Formal documentation process to request access to system resources.
Control technique: Procedurally controlled. Ref admin process flowchart.
Test: Trace selected support users' access back to a user request.

Criterion: User requests are authorized by the business owner.
Control technique: Procedurally controlled.
Test: Review a selection of support user requests and validate that they are authorized by the appropriate person.

Criterion: User requests are retained for audit purposes.
Control technique: Procedurally controlled.
Test: Verified through the two previous tests.

Criterion: Access to the system is reviewed on a periodic basis.
Control technique: Procedurally controlled.
Test: See above (in authentication).

Criterion: The number of privileged-access users is controlled and monitored.
Control technique: Procedurally controlled.
Test: See access control and authentication.

Criterion: Documented process to monitor access security violations and event resolution.
Control technique: The system administrator must periodically review the audit trail (auditpr output for the classes configured in /etc/security/audit/config) together with /etc/security/failedlogin. Ref issues list.

Criterion: The system business manager reviews system administration modifications to the audit trail.
Control technique: The system administrator's periodic review of the audit trail, and any change to the audit configuration files (/etc/security/audit/config, events, objects) or to the trail itself, should be evidenced for the business manager's review. Ref issues list.
Additional testing: None
2. SYSTEM STARTUP PROCESSING
Objective: Ensure that the UNIX start-up process protects the integrity of the operating system, and that read and write access to start-up files and tables is restricted to root.
Evaluation Criteria
source -- IBM Elements of AIX Security, RS6000 AIX Audit program (final)
Evaluation Criteria / AIX Control technique

Criterion: Initialization files should be readable and writeable only by root.
Control technique: Verify that only root can write /etc/inittab and /etc/rc* (and /etc/environment and /etc/profile, which every log-on executes). On AIX these files are world-readable by default, so root ownership and the absence of group/other write bits are the control (ls -l /etc/inittab /etc/rc*). tcbck -n ALL compares the ownership and mode of every file registered in /etc/security/sysck.cfg with its expected values.
RAXCO test modules: system/file attribute, system/file find, system/startup files.
RAXCO test: Verify protection over system files.

Criterion: The operating system shall provide a utility for checking file system and disk integrity.
Control technique: fsck should be run during start-up to ensure that file system integrity is preserved when AIX starts. Procedurally controlled; verify that this is in their procedures.

Criterion: Anti-virus software is run to protect the operating system from corruption.
Control technique: VIRSCAN comes with AIX. Procedurally controlled, to be run periodically. Verify that they use virusscan.

Criterion: Workstations must be configured so that single-user mode (which bypasses access security controls) cannot be accessed without entering a password. The boot-up process (which defaults to single-user mode) must also be password protected.
Test: Verify that terminals directly connected to the AIX computer require a password for single-user (maintenance) mode. RAXCO.
Additional testing: none at this time
3. OPERATIONS & SCHEDULING
Objective: Ensure that UNIX operating systems are available to process both batch and on-line data as required by the business owner of the data.
Evaluation Criteria / AIX Control technique

Criterion: Workload scheduling must ensure that both batch and on-line processing can occur in a fashion which meets business requirements.
Control technique: Determine whether scheduling software is used (AIX itself provides cron and at). Identify the processes used to resolve abends in a timely way (e-fix process, call lists). Determine whether business requirements for data are being met.

Criterion: Procedures and responsibilities must be defined for starting and terminating production resources (whether an environment such as batch/on-line, or jobs in the environment).
Control technique: Procedurally controlled. Obtain documentation or other evidence that these procedures are documented and adhered to.

Criterion: Resource limits (CPU seconds and storage limits) can be set per user.
Control technique: Review /etc/security/limits for the constraints established for each user (the cpu, fsize, data, stack, core and rss attributes in the default and per-user stanzas). Not used.

Criterion: Determine whether the following are evaluated against defined benchmarks: CPU usage; I/O time; memory management; storage (DASD, tape) usage; completion of schedule.
Control technique: Ref performance/capacity work papers. We identified the process. Ref issues lists.

Criterion: Abnormally terminated sessions must not reassign the prior session's rights to the next user.
Control technique: Ensure that the /etc/getty program is being run on each port, as it removes all prior port session rights before allowing the next user to log in. Automatic.

Criterion: (During network processing) inbound and outbound file transfers can be controlled.
Control technique: The /etc/ftpusers file lists the user IDs that are denied ftp access (root and the system IDs belong in it); the network services themselves are enabled or disabled in /etc/inetd.conf.
RAXCO test modules: network/internet utilities.

Criterion: Data shall be sent across communications channels in an encrypted format.
Control technique: exception noted -- the standard AIX network services of this period (telnet, ftp, rlogin, rsh, NFS) send user IDs, passwords and data in clear text; the only encryption AIX applies is the one-way hashing of stored passwords. Evaluate the need for (and use of) add-on encryption software.

Criterion: Daily accounting and clean-up processing functions must be run to keep AIX operating efficiently.
Control technique: AIX runs its clean-up jobs (the skulker entry in root's crontab) at 3 am. If the system is powered down each night, these processes must be scheduled manually when the system is up.
Test: Verify that the clean-up jobs are being run (crontab -l as root).

Additional testing: Ref detail control flows for scheduling:
- Validate Top Secret access over the TSO Jobtic dataset.
- Review the list of Comtec system problems (Infoplex).
- Obtain a copy of the UNIX system log for one night of batch processing. Obtain a copy of the jobtic and exception processing forms for that same day. Compare the actual processing to the jobtic and exception processing forms. Validate that EOJ status and problems are recorded (e.g. jobtic, Infoplex).
Note: the third test cannot be performed because UNIX does not provide the necessary audit trail.
4. PROGRAM CHANGE CONTROL
Objective: Ensure that all changes to the UNIX/AIX operating system are authorized, accurate and complete, tested for negative impacts, traceable, and can be backed out.
Evaluation Criteria:
Evaluation Criteria / AIX Control technique

Criterion: Determine whether a formal program change control process is defined and adhered to.
Control technique: Procedurally controlled. Obtain/document and review the program change process.

Criterion: Verify that all operating system program changes are authorized by the business owner, tested for impacts, migrated by personnel other than the ones who coded and tested the change, and can be backed off in the event that testing reveals unsatisfactory results.
Control technique: Procedurally controlled. Ensure that all changes are authorized, complete and accurate (evidence that the testing strategy is thorough), that the process promotes segregation of duties, and that the prior version of the software is archived prior to migration in case the new changes need to be backed out. On AIX, installp's apply/commit/reject cycle keeps the previous version of a fileset until the update is committed, and a mksysb taken beforehand allows full recovery. Perform a walkthrough.

Criterion: Procedures shall exist which make it possible to verify that the currently installed software has remained consistent with the delivered/intended version.
Control technique: Run lppchk -v (fileset version consistency) and lppchk -c (checksums and sizes of installed files against the installation records) to validate the AIX system software. Identify and determine the reason for any exceptions.
Test: Verify that this output collates to change management records. ???
Additional testing: none
5. BACKUP & RECOVERY
Objective: Ensure that backup and recovery procedures exist so that recovery from UNIX/AIX operating system failures occurs within a time frame that is acceptable to the owners of the data being processed on the operating system.
Evaluation Criteria:
source -- Company Business Continuity standards for business requirements, backup
Evaluation Criteria / AIX Control technique

Criterion: Business processes and functions shall be identified and documented.
Control technique: Procedurally controlled.

Criterion: I/T hardware and software resources needed to support business processes shall be identified and documented.
Control technique: Procedurally controlled.

Criterion: Information about the staff/skill sets required to recover and sustain business functions shall be identified and documented.
Control technique: Procedurally controlled.

Criterion: Workplace requirements shall be documented.
Control technique: Procedurally controlled.

Criterion: Vendors, customers and other critical personnel information shall be identified and documented.
Control technique: Procedurally controlled.

Criterion: Files, documents, manuals and forms required to support business functions shall be identified and documented.
Control technique: Procedurally controlled.

Criterion: Backup procedures shall be identified and documented.
Control technique: Procedurally controlled. Ref: for procedures.

Criterion: Backup of critical data (business data and operating system) shall be conducted on an as-needed basis as determined by the business owner and/or resource manager.
Control technique: Procedurally controlled. AIX provides, via SMIT (the mksysb command), a system backup routine that creates a bootable image of the operating system resources; business data on other volume groups must be backed up separately.
Note: obtain evidence that backups of the operating system are taken prior to all operating system software changes.
Test: Verify that the retention criteria meet the business needs.

Criterion: Backup media shall be stored off-site or in a secure environment to ensure availability at the time of disruption.
Control technique: Procedurally controlled. Review the process/inventory to ensure that backup media exist and are safeguarded.
Test: Validate the existence of the backup tapes in the Windsor vault. Verify that the tapes are the right tapes.

Criterion: Recovery procedures shall be identified and documented.
Control technique: Procedurally controlled.
Test: Follow up on evidence that they have tested the recovery.
Additional testing steps: none
6. PHYSICAL & ENVIRONMENTAL CONTROLS
Objective: Ensure that UNIX/AIX hardware is safeguarded from unauthorized access, loss of power, and adverse temperature and humidity levels which would cause hardware to fail or process improperly.
Evaluation Criteria:
source -- Elements of AIX Security (IBM manual)
Evaluation Criteria / AIX Control technique

Criterion: The UNIX system, servers and workstations should be located in a physically secure environment.
Control technique: Procedurally controlled.

Criterion: Media are locked up when an operator is not present.
Control technique: Use of keyboard lock facilities; physical security.

Criterion: Processing devices should be backed up by a UPS (uninterruptible power supply).
Control technique: Procedurally controlled.

Criterion: Workstations must be configured so that single-user mode (which bypasses access security controls) cannot be accessed without entering a password. The boot-up process (which defaults to single-user mode) must also be password protected.
Test: Verify the existence of the password.

Criterion: The keyswitch should be set to Secure (and the key removed) if the RS/6000 is unattended or in a physically accessible environment.
Control technique: Procedurally controlled.
Test: Visually inspect the RS/6000 keyswitch.
Additional testing: none
GLOSSARY
The following UNIX/AIX commands may be of use while conducting the audit:
man       obtains help on a subject
pwd       displays the current working directory
cat       displays a file
cp        copies a file
cd        changes directory
cd $HOME  returns to the home directory
ls        lists files
ls -l     long listing (owner, group, permission bits); does not list files whose names begin with '.'
ls -la    long listing that includes the '.' files (start-up and trust files such as .profile, .rhosts and .netrc)
ls -ld    long listing of the directory itself, showing its own permissions
mkdir     makes a directory
grep      searches for a pattern
SMIT      System Management Interface Tool
TCB       Trusted Computing Base
Note: a "permission denied" (or similar) response after attempting to execute a command indicates that root privilege is needed to run it. Assistance from the system administrator will be needed to run such commands.