
AIX OS: Security And Hardening

Learn enterprise AIX security, hardening, compliance, trusted execution and vulnerability protection.


What is AIX Security Hardening?

Security hardening is the process of securing an AIX operating system by reducing vulnerabilities, disabling unnecessary services, enforcing password policies and implementing compliance controls.

By default, AIX does not include antivirus software, so administrators must configure the native AIX security features instead.

Hardening improves confidentiality, integrity and availability of enterprise production systems.

Security Goals:

1. Protect System Files
2. Restrict Unauthorized Access
3. Prevent Malware Execution
4. Monitor User Activity
5. Apply Security Patches
6. Maintain Compliance

Trusted Computing Base (TCB)

TCB is a native AIX security architecture used to secure system administration. It provides Role Based Access Control (RBAC) and separates security duties.

In Trusted AIX, root direct login is disabled for improved accountability.

TCB Administrative Roles

isso = Information System Security Officer
sa   = System Administrator
so   = Security Officer

Each role has limited permissions to reduce misuse of privileged access.

isso Responsibilities:

- Password Policies
- Security Configuration
- Audit Configuration
- User Clearance

sa Responsibilities:

- User Creation
- Filesystem Management
- Printer Configuration
- Routine Administration

so Responsibilities:

- System Shutdown
- Backups
- Error Logging
- Workload Management

Switch Role to Security Officer

$ su - so
$ swrole so
$ shutdown -Fr

Disable TCB

odmget -q attribute=TCB_STATE PdAt | \
sed 's/tcb_enabled/tcb_disabled/' | \
odmchange -o PdAt -q attribute=TCB_STATE

Enable TCB

odmget -q attribute=TCB_STATE PdAt | \
sed 's/tcb_disabled/tcb_enabled/' | \
odmchange -o PdAt -q attribute=TCB_STATE

TCB can only be fully enabled during OS installation.

Trusted Execution (TE)

Trusted Execution protects AIX systems against malware and unauthorized file modifications.

It verifies binaries and scripts using the Trusted Signature Database (TSD).

TE validates whether files are trusted before execution.

Enable Trusted Execution

trustchk -p TE=ON

Enable Binary Verification

trustchk -p CHKEXEC=ON

Enable Script Verification

trustchk -p CHKSCRIPT=ON

Block Untrusted Execution

trustchk -p STOP_UNTRUSTD=ON

Important TE Components:

TSD = Trusted Signature Database
trustchk = Integrity Verification Tool
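To make the idea behind the TSD concrete, the following added example (not from the page, and not AIX's trustchk or TSD implementation) keeps a minimal baseline of SHA-256 digests and re-verifies files against it, reporting OK, MODIFIED or MISSING. It assumes sha256sum or openssl is on PATH; the files it hashes are constructed in a scratch directory. A real TSD entry also carries owner, mode and a certificate-backed signature, which this illustration omits.

```sh
#!/bin/sh
# Added example (not from the page, not AIX's TSD): a minimal integrity
# baseline in the spirit of Trusted Execution. build_baseline records one
# SHA-256 digest per file; verify_baseline re-hashes and reports drift.
# Assumption: sha256sum or openssl is available on PATH.
set -f

# Print the SHA-256 digest of one file with whichever tool is available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# build_baseline DB FILE... : write "digest path" lines for each file.
build_baseline() {
    db=$1; shift
    : > "$db"
    for path in "$@"; do
        printf '%s %s\n' "$(hash_file "$path")" "$path" >> "$db"
    done
}

# verify_baseline DB : report each entry; return the number of problems.
verify_baseline() {
    db=$1; problems=0
    while read -r expected path || [ -n "$path" ]; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; problems=$((problems + 1))
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "MODIFIED $path"; problems=$((problems + 1))
        else
            echo "OK       $path"
        fi
    done < "$db"
    return $problems
}

# Demonstration on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d)
    printf 'echo trusted\n' > "$d/script.sh"
    printf 'binary-ish content\n' > "$d/tool"
    build_baseline "$d/tsd.txt" "$d/script.sh" "$d/tool"
    verify_baseline "$d/tsd.txt"                # every entry matches
    printf 'echo tampered\n' > "$d/script.sh"   # simulate an unauthorized change
    verify_baseline "$d/tsd.txt" || echo "$? file(s) failed verification"
    rm -r "$d"
}
demo
```

The check is only as good as the baseline's protection: TE stores the TSD under /etc/security and gates writes to it through trustchk, whereas a plain text file like this one must itself be kept out of reach of the accounts it is meant to police.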

aixpert - AIX Security Expert

aixpert is an AIX hardening utility used to apply predefined enterprise security policies.

Hardening Levels

low    = Basic Security
medium = Moderate Security
high   = Maximum Security


Apply Security Profiles

aixpert -l low
aixpert -l medium
aixpert -l high

Check Current Security Level

aixpert -t

aixpert rules are cumulative, so a rule applied by an earlier profile may still be in force even after you manually re-enable a service.

Password Hardening

Password policies help prevent unauthorized access and brute-force attacks.

Important Password Controls:

minage
maxage
minlen
histsize
maxexpired
loginretries

View User Security Attributes

lsuser -a minage maxage minlen histsize root

Modify Password Policy

chuser minlen=12 histsize=5 maxage=8 root
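The following added example (not from the page) turns the two commands above into a compliance check: it reads lsuser-style output, compares each user's attributes with the policy thresholds, and prints the chuser command that would bring the user into line rather than running it. It assumes lines in the form "user attr=value attr=value ...", which is what lsuser -a prints; the sample users and the thresholds (taken from the chuser example above, with maxage in weeks) are constructed.

```sh
#!/bin/sh
# Added example (not from the page): check lsuser output against a password
# policy and print the chuser command that would fix each non-compliant user.
# Assumes "user attr=value ..." lines as printed by
# "lsuser -a minage maxage minlen histsize <user>". maxage is in weeks and
# 0 means the password never expires.
MIN_MINLEN=12      # minimum password length
MIN_HISTSIZE=5     # previous passwords that may not be reused
MAX_MAXAGE=8       # longest allowed password lifetime, in weeks

# attr_value "attr=v attr=v ..." NAME : print the value of NAME, or fail.
attr_value() {
    for pair in $1; do
        case "$pair" in "$2="*) printf '%s\n' "${pair#*=}"; return 0 ;; esac
    done
    return 1
}

# check_user_line LINE : print OK or FAIL (with a fix); return failure count.
check_user_line() {
    user=${1%% *}; attrs=${1#* }
    minlen=$(attr_value "$attrs" minlen)
    histsize=$(attr_value "$attrs" histsize)
    maxage=$(attr_value "$attrs" maxage)
    fails=0; fix=""
    if [ "${minlen:-0}" -lt "$MIN_MINLEN" ]; then
        fix="$fix minlen=$MIN_MINLEN"; fails=$((fails + 1))
    fi
    if [ "${histsize:-0}" -lt "$MIN_HISTSIZE" ]; then
        fix="$fix histsize=$MIN_HISTSIZE"; fails=$((fails + 1))
    fi
    # maxage=0 (never expires) is as bad as a lifetime past the limit
    if [ "${maxage:-0}" -eq 0 ] || [ "${maxage:-0}" -gt "$MAX_MAXAGE" ]; then
        fix="$fix maxage=$MAX_MAXAGE"; fails=$((fails + 1))
    fi
    if [ "$fails" -gt 0 ]; then
        echo "FAIL $user -> chuser$fix $user"
    else
        echo "OK   $user"
    fi
    return $fails
}

# check_password_policy : read lsuser-style lines on stdin; return the
# number of non-compliant users.
check_password_policy() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        check_user_line "$line" || bad=$((bad + 1))
    done
    return $bad
}

# Constructed sample standing in for:
#   for u in root dbadmin appuser; do lsuser -a minage maxage minlen histsize $u; done
SAMPLE='root minage=0 maxage=0 minlen=0 histsize=0
dbadmin minage=1 maxage=8 minlen=12 histsize=5
appuser minage=0 maxage=13 minlen=8 histsize=0'

printf '%s\n' "$SAMPLE" | check_password_policy || echo "$? user(s) out of policy"
```

On a real system the sample would be replaced by the output of lsuser over all accounts; printing the chuser command instead of executing it lets the change be reviewed before it touches root or service accounts.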

SSH Security Hardening

SSH should be used instead of insecure remote access services like Telnet.

Secure SSH Configuration:

PermitRootLogin no
Protocol 2
MaxAuthTries 3
AllowUsers admin

Restart SSH Service

stopsrc -s sshd
startsrc -s sshd

Always take a backup of sshd_config before making changes.
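The following added example (not from the page) audits an sshd_config against the four settings listed above and, where they are missing or wrong, backs the file up and rewrites it, which is the procedure the section describes. It assumes whitespace-separated "Directive value" lines, the usual sshd_config style, and ignores Match blocks, so the result should be reviewed before sshd is restarted; the sample config in demo() is constructed.

```sh
#!/bin/sh
# Added example (not from the page): audit an sshd_config against the four
# settings listed above and, if needed, back it up and rewrite it.
# Assumes whitespace-separated "Directive value" lines and ignores Match
# blocks. The config written by demo() is constructed.
set -f   # no glob expansion when splitting config lines into words

WANT_KEYS="PermitRootLogin Protocol MaxAuthTries AllowUsers"
want_value() {
    case "$1" in
        PermitRootLogin) echo "no" ;;
        Protocol)        echo "2" ;;
        MaxAuthTries)    echo "3" ;;
        AllowUsers)      echo "admin" ;;
    esac
}

# get_directive FILE KEY : print the effective value. sshd honours the first
# occurrence of a directive, so the first non-comment match wins.
get_directive() {
    file=$1; key=$2
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        [ $# -ge 2 ] || continue
        case "$1" in '#'*) continue ;; esac
        [ "$1" = "$key" ] && { printf '%s\n' "$2"; return 0; }
    done < "$file"
    return 1
}

# check_sshd_config FILE : print OK/FAIL per setting; return number of FAILs.
check_sshd_config() {
    bad=0
    for key in $WANT_KEYS; do
        have=$(get_directive "$1" "$key") || have=""
        if [ "$have" = "$(want_value "$key")" ]; then
            echo "OK   $key $have"
        else
            echo "FAIL $key is '${have:-unset}', want '$(want_value "$key")'"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# harden_sshd_config FILE : keep FILE.bak, then set each wanted directive
# (replacing existing uncommented lines, appending any that are absent).
harden_sshd_config() {
    file=$1; tmp="$file.tmp.$$"; seen=""
    [ -f "$file.bak" ] || cp "$file" "$file.bak"   # backup first, as advised above
    : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        out=$line
        set -- $line
        if [ $# -ge 2 ]; then
            case "$1" in
                '#'*) ;;
                *) for key in $WANT_KEYS; do
                       if [ "$1" = "$key" ]; then
                           out="$key $(want_value "$key")"; seen="$seen $key"
                       fi
                   done ;;
            esac
        fi
        printf '%s\n' "$out" >> "$tmp"
    done < "$file"
    for key in $WANT_KEYS; do
        case " $seen " in
            *" $key "*) ;;
            *) printf '%s %s\n' "$key" "$(want_value "$key")" >> "$tmp" ;;
        esac
    done
    mv "$tmp" "$file"
}

demo() {
    d=$(mktemp -d); cfg="$d/sshd_config"
    cat > "$cfg" <<'EOF'
# constructed sample, not a real server's file
Port 22
PermitRootLogin yes
MaxAuthTries 6
Subsystem sftp /usr/sbin/sftp-server
EOF
    check_sshd_config "$cfg" || echo "$? setting(s) need attention"
    harden_sshd_config "$cfg"
    check_sshd_config "$cfg" && echo "hardened; original kept at $cfg.bak"
    rm -r "$d"
}
demo
```

Run check_sshd_config on /etc/ssh/sshd_config first to see the drift, apply harden_sshd_config only on a copy you have read, and keep an existing session open while restarting sshd with stopsrc/startsrc so a mistake in AllowUsers does not lock you out.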

Audit Configuration

Auditing records system activities for security monitoring and compliance.

Audit Records Include:

- Login Attempts
- Failed Access
- File Modifications
- Administrative Actions

Audit Commands

audit start
audit shutdown
audit query

Vulnerability Assessment and Penetration Testing (VAPT)

VAPT is performed to identify vulnerabilities and security weaknesses in enterprise systems.

VAPT Process:

1. Vulnerability Scan
2. Risk Analysis
3. Penetration Testing
4. Remediation
5. Compliance Verification

VAPT reports help organizations strengthen security posture.

IBM FLRTVC

FLRTVC stands for Fix Level Recommendation Tool Vulnerability Checker.

It identifies missing security patches, unsupported filesets and HIPER vulnerabilities.

Common Checks:

- Missing Security Fixes
- End of Support Risks
- Vulnerable Filesets
- HIPER APARs

FLRTVC should be executed regularly in production environments.