AIX Security Guide

AIX OS Hardening and Security

Learn how IBM AIX provides enterprise-grade security using Trusted Computing Base (TCB), Trusted Execution (TE), aixpert hardening, and vulnerability assessment tools.

Security hardening is one of the most critical responsibilities of an AIX administrator in enterprise environments.

IBM AIX provides multiple native security mechanisms that help protect systems against unauthorized access, malware, privilege misuse, insecure services, and configuration vulnerabilities.

Unlike many operating systems, AIX includes several enterprise-grade hardening and compliance tools directly within the OS.

Important:
  • By default, no antivirus is enabled in AIX.
  • Security hardening must be planned and implemented manually.
  • Production systems should always follow organization security policies.

1. Native Security Features in AIX

IBM AIX includes several built-in security technologies:

  • Trusted Computing Base (TCB)
  • Trusted Execution (TE)
  • aixpert Security Expert
  • Role Based Access Control (RBAC)
  • Vulnerability Assessment and Patch Validation

2. Trusted Computing Base (TCB)

Trusted Computing Base (TCB) is one of the core security frameworks available in AIX.

TCB focuses on protecting critical operating system components and controlling who can modify sensitive files, commands, configurations, and system resources.

It also introduces Role Based Access Control (RBAC) using predefined administrative roles.

Default TCB Roles:
  • isso – Information System Security Officer
  • sa – System Administrator
  • so – Security Officer

TCB Administrative Roles

Each TCB role has specific responsibilities.

  • isso: Handles password policies, audit setup, user clearance, and enterprise security configuration.
  • sa: Performs routine administration such as file system management, printer management, and standard user operations.
  • so: Responsible for reboot, shutdown, backup operations, workload management, and security-sensitive operations.

Working with TCB

Set passwords for TCB administrative users:

passwd isso
passwd sa
passwd so

Example of shutdown using the security officer role:

su - so
swrole so
shutdown -Fr

In TCB-enabled systems, direct root login is restricted.

Service not available from system accounts.

Disable and Re-enable TCB

Disable TCB:

odmget -q attribute=TCB_STATE PdAt | \
sed 's/tcb_enabled/tcb_disabled/' | \
odmchange -o PdAt -q attribute=TCB_STATE

Re-enable TCB:

odmget -q attribute=TCB_STATE PdAt | \
sed 's/tcb_disabled/tcb_enabled/' | \
odmchange -o PdAt -q attribute=TCB_STATE

Important: TCB can only be fully enabled during OS installation. Existing systems require a Preservation Installation to enable complete TCB support.

3. Trusted Execution (TE)

Trusted Execution acts as an integrity verification and anti-malware mechanism for AIX systems.

TE maintains a Trusted Signature Database (TSD) containing digitally signed binaries and trusted files.

Whenever binaries or scripts are executed, AIX verifies them against the trusted database.

Enable Trusted Execution

trustchk -p TE=ON

Enable verification of executable binaries:

trustchk -p CHKEXEC=ON

Enable verification of scripts:

trustchk -p CHKSCRIPT=ON

Block execution of untrusted binaries/scripts:

trustchk -p STOP_UNTRUSTD=ON

Trusted Execution is extremely useful in environments requiring strict compliance and malware protection.
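
To confirm that the four policies above are actually in force, the following added example (not part of the original article) parses a policy listing and reports any of them that is missing or not ON. It assumes the NAME=VALUE lines printed by trustchk -p with no arguments; the function name te_policy_gaps and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Trusted Execution policies against the four
# settings this page enables. Input is NAME=VALUE lines, the layout
# assumed here for the listing printed by "trustchk -p".

REQUIRED_TE_POLICIES="TE CHKEXEC CHKSCRIPT STOP_UNTRUSTD"

# te_policy_gaps: read a policy listing on stdin and print every required
# policy that is absent or not ON, one per line, as NAME=VALUE.
te_policy_gaps() {
    awk -F= -v req="$REQUIRED_TE_POLICIES" '
        BEGIN { n = split(req, want, " ") }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            name = $1; value = $2
            gsub(/[ \t\r]/, "", name); gsub(/[ \t\r]/, "", value)
            seen[name] = toupper(value)
        }
        END {
            for (i = 1; i <= n; i++) {
                p = want[i]
                if (!(p in seen))          print p "=MISSING"
                else if (seen[p] != "ON")  print p "=" seen[p]
            }
        }'
}

# Constructed sample listing (not captured from a real system): TE is on,
# but scripts are not verified and untrusted files are still allowed to run.
SAMPLE_POLICIES='TE=ON
CHKEXEC=ON
CHKSHLIB=OFF
CHKSCRIPT=OFF
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=OFF'

gaps=$(printf '%s\n' "$SAMPLE_POLICIES" | te_policy_gaps)
if [ -n "$gaps" ]; then
    echo "Trusted Execution policy gaps:"
    printf '%s\n' "$gaps" | sed 's/^/  /'
else
    echo "All required Trusted Execution policies are ON"
fi
```

On an AIX host the same function would be fed from the live listing: trustchk -p | te_policy_gaps.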

4. aixpert Security Expert

aixpert is the native AIX hardening framework used to apply predefined enterprise security profiles.

It automates security configurations based on different hardening levels.

Hardening Levels

  • Low: Basic password complexity and disabling unnecessary services.
  • Medium: Stronger password policies, restricted access to system configuration files, and IP forwarding disabled.
  • High: Legacy insecure services like Telnet, FTP, rlogin, and TFTP are disabled completely.

Apply aixpert Profiles

Apply low security profile:

aixpert -l low

Apply medium security profile:

aixpert -l medium

Apply high security profile:

aixpert -l high

Check currently applied profile:

aixpert -t

aixpert configurations are cumulative. Applying a new profile layers additional security settings instead of removing previous ones.
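
The High level's removal of Telnet, FTP, rlogin, and TFTP can be verified independently of aixpert. This added example (not part of the original article or of aixpert itself) lists those services when they are still uncommented in an inetd.conf-style file; the function name, the service list, and the sample file are constructed, and rlogin is matched under its inetd service name, login.

```shell
#!/bin/sh
# Added example: find legacy services that are still enabled in a file
# laid out like /etc/inetd.conf:
#   service  socket  protocol  wait|nowait|SRC  user  program  [args]

LEGACY_SERVICES="telnet ftp login tftp"   # "login" is the rlogin service

# legacy_inetd_services FILE: print "service program" for each entry that
# is not commented out and whose service name is in LEGACY_SERVICES.
legacy_inetd_services() {
    awk -v list="$LEGACY_SERVICES" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }     # disabled (commented) or malformed
        ($1 in bad) { print $1, $6 }
    ' "$1"
}

# Constructed sample file (not from a real host): ftp and rlogin are
# commented out, telnet and tftp are still active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## constructed inetd.conf sample
#ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet   stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
#login   stream  tcp6    nowait  root    /usr/sbin/rlogind   rlogind
tftp     dgram   udp6    SRC     nobody  /usr/sbin/tftpd     tftpd -n
daytime  stream  tcp     nowait  root    internal
EOF

found=$(legacy_inetd_services "$sample")
rm -f "$sample"

if [ -n "$found" ]; then
    echo "Legacy services still enabled:"
    printf '%s\n' "$found" | sed 's/^/  /'
else
    echo "No legacy services enabled"
fi
```

On an AIX host, point the function at the live file: legacy_inetd_services /etc/inetd.conf.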

5. Vulnerability Assessment and Penetration Testing (VAPT)

Vulnerability Assessment and Penetration Testing (VAPT) is used to identify weaknesses within AIX systems.

During VAPT:

  • Security vulnerabilities are identified.
  • Misconfigurations are detected.
  • Missing patches are reported.
  • Risk levels are evaluated.

Based on assessment results, organizations then apply hardening, patching, and remediation measures.

6. IBM FLRTVC Tool

IBM provides the FLRTVC (Fix Level Recommendation Tool Vulnerability Checker) script for AIX security analysis.

FLRTVC helps administrators identify:

  • Missing security fixes
  • HIPER fixes
  • Outdated filesets
  • End-of-support risks

The tool compares installed filesets against IBM security databases and generates detailed reports.

FLRTVC is widely used during enterprise patching, compliance audits, and vulnerability remediation activities.

7. Security Best Practices for AIX

  • Disable unused services and ports.
  • Use SSH instead of Telnet or rlogin.
  • Apply regular security patch updates.
  • Enable auditing and logging.
  • Implement least privilege access.
  • Use RBAC wherever possible.
  • Perform regular VAPT assessments.
  • Monitor integrity using Trusted Execution.

Conclusion

IBM AIX provides strong native security capabilities designed for enterprise and mission-critical environments.

Technologies such as TCB, Trusted Execution, aixpert, and FLRTVC help administrators build highly secure and compliant systems.

Proper hardening, patch management, and continuous monitoring are essential for maintaining a secure AIX infrastructure.
