Health Checking Commands
1. Userids that are defined as having Security & System Administrative Authority:
- Users with access to the 'root' user account
- Userids in the 'system' or 'security' groups
Is there a process in place to verify that these users have a valid business need?
grep -i system /etc/group
grep -i security /etc/group
grep -i root /etc/group
2. Do only approved users have root authority?
lsuser -a sugroups ALL | grep "sugroups=suroot" | pg
3. Do only approved users have access to the system group?
lsuser -a groups ALL | grep system | pg
4. Are only approved users members of the security group?
lsuser -a groups ALL | grep security | pg
5. If Anonymous write is allowed, the -u option on /etc/ftpd must be used.
Is this true?
NA - Anonymous not used.
6. Does only one uid of 0 exist?
lsuser -a id ALL | grep "id=0" | pg
7. To check whether NFS is running on the server:
ps -ef | grep nfsd
After this, review the exported file systems:
more /etc/exports
8. To check whether anonymous users are present in /etc/passwd:
grep -i anonymous /etc/passwd
9. To log in to the server with another id using ssh:
ssh -l id servername
10. POP daemons must be configured to require users to authenticate. Confirm POP daemons are not used.
grep pop /etc/inetd.conf
11. NNTP must be configured to require authentication and identification of all users if any of the newsgroups on the server are classified confidential. Confirm NNTP is not used.
grep nntp /etc/inetd.conf
12. Confirm TFTP is disabled.
grep tftp /etc/inetd.conf
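The grep commands in checks 10 to 12 also print entries that are commented out, so a hit does not by itself mean the service is enabled. The following added example (not part of the original post) reports only active entries; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: list inetd services that have an active (uncommented) entry.

# Constructed sample in inetd.conf layout (daemon paths are illustrative).
sample_inetd_conf() {
    cat <<'EOF'
ftp     stream  tcp6  nowait  root    /usr/sbin/ftpd    ftpd
#tftp   dgram   udp6  SRC     nobody  /usr/sbin/tftpd   tftpd -n
pop3    stream  tcp   nowait  root    /usr/sbin/pop3d   pop3d
# nntp  stream  tcp   nowait  news    /usr/sbin/nntpd   nntpd
EOF
}

# inetd_active FILE NAME...
# Prints each NAME for which FILE has an enabled entry whose service
# field starts with NAME (so "pop" also catches pop2 and pop3).
# Returns 0 when none of the names is enabled, 1 otherwise.
inetd_active() {
    conf=$1
    shift
    found=0
    for svc in "$@"; do
        if awk -v s="$svc" '
            /^[ \t]*#/ { next }                      # disabled entry
            index(tolower($1), s) == 1 { hit = 1 }   # field 1 = service name
            END { exit hit ? 0 : 1 }' "$conf"
        then
            echo "$svc"
            found=1
        fi
    done
    return $found
}

# Usage on a live system:
#   inetd_active /etc/inetd.conf pop nntp tftp || echo "review the services listed above"
```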
13. NIS maps must not be used to store confidential data, including user passwords or other authentication credentials in any form. Confirm NIS maps not used.
lssrc -g yp
lslpp -l | grep -i nis
14. The following file may be world-writeable: socket (s). Is this the case?
find / -type s | more
Then, for each file listed: ls -ld filename
15. The following file may be world-writeable: named pipe (p). Is this the case?
find / -type p | more
Then, for each file listed: ls -ld filename
16. The following file may be world-writeable: block special file (b). Is this the case?
find / -type b | more
Then, for each file listed: ls -ld filename
17. The following file may be world-writeable: character special file (c). Is this the case?
find / -type c | more
Then, for each file listed: ls -ld filename
18. The following file may be world-writeable: symbolic links (l). Is this the case?
find / -type l | more
Then, for each file listed: ls -ld filename
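Checks 14 to 17 can be done in one pass by letting find test the write bit for "other" itself, instead of running ls -ld on every file by hand. This is an added example, not part of the original post; the function names are made up here. Symbolic links are left out because their own mode bits are not used for access checks.

```shell
#!/bin/sh
# Added example: find world-writable sockets, named pipes and device files.

# ww_special_paths DIR
# Prints the path of every socket (s), named pipe (p), block special (b)
# and character special (c) file under DIR whose mode grants write
# permission to "other" (-perm -0002).
# -xdev keeps find on the file system that DIR lives on, so NFS mounts
# are not walked; run it once per local file system.
ww_special_paths() {
    find "$1" -xdev \
        \( -type s -o -type p -o -type b -o -type c \) \
        -perm -0002 -print
}

# ww_special_report DIR
# Same selection, shown as ls -ld lines so owner, group and mode can be
# compared with the approved list.
ww_special_report() {
    find "$1" -xdev \
        \( -type s -o -type p -o -type b -o -type c \) \
        -perm -0002 -exec ls -ld {} \;
}

# Usage on a live system (as root):
#   ww_special_report / 2>/dev/null | pg
```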
19. To find if any users have non-expiring passwords:
lsuser -a maxage ALL | grep "maxage=0$"
20. Confirm that the Business Use Notice is displayed to users during the identification and authentication process.
cat /etc/motd
21. The Common Desktop Environment must use the dthello program to display the Business Use Notice. Is this the case?
ls -ld /usr/dt/bin/dthello
22. To get a list of users with UMASK not equal to x77:
lsuser -a umask ALL | grep -v "=77"
23. For OSR File type *.o , the setting for other must be r-x or more stringent. Is this the case?
find / -name "*.a" -print
24. A password must be assigned to the 'root' userid. Is this the case?
grep root /etc/passwd
25. To check rlogin for root:
lsuser -a rlogin root
26. Does only one uid of 0 exist
lsuser -a id ALL | grep "id=0" | pg
27. Do only approved users have root authority
lsuser -a sugroups ALL | grep "sugroups=suroot" | pg
28. Do only approved users have access to the system group?
lsuser -a groups ALL | grep system | pg
29. Are only approved users members of the security group
lsuser -a groups ALL | grep security | pg
30. To check anonymous FTP:
ftp 0 21 (at the Name prompt, enter: anonymous)
(or)
grep anonymous /etc/passwd
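The /etc/passwd checks above (UID 0 in check 6, anonymous accounts in checks 8 and 30, and an assigned password in check 24) can be made field-exact instead of relying on substring greps. This is an added example, not part of the original post; the function names and sample entries are constructed. It also flags the ftp account, since ftpd accepts both "anonymous" and "ftp" as anonymous login names.

```shell
#!/bin/sh
# Added example: field-exact audit of a passwd-format file.

# Constructed sample entries (not from a real host).
sample_passwd() {
    cat <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
toor:!:0:0::/home/toor:/usr/bin/ksh
ftp:*:212:1::/home/ftp:/usr/bin/ksh
guest::100:100::/home/guest:
EOF
}

# passwd_audit FILE
# Prints one finding per line:
#   NOPASSWD name   second field empty, so no password is required
#   UID0 name       account has user id 0 (more than one is a finding)
#   ANONFTP name    account that enables anonymous FTP logins
passwd_audit() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                 # skip comments, blank lines
        $2 == ""       { print "NOPASSWD " $1 }
        $3 == 0        { print "UID0 " $1 }
        tolower($1) == "anonymous" || tolower($1) == "ftp" {
            print "ANONFTP " $1
        }
    ' "$1"
}

# uid0_count FILE: number of accounts with UID 0; the expected value is 1.
uid0_count() {
    passwd_audit "$1" | grep -c '^UID0 '
}

# Usage on a live system:
#   passwd_audit /etc/passwd
```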
31. For the user default home directory /$HOME the permission setting is not defined.
Is this the case?
The home directory permission for all IN and GB users should be 700. Apart from normal users, we should not change the directories of database users and application users; we need to confirm with them.
ls -ld /$HOME
32. .netrc files, file permissions must grant access only to the owner of the file.
Is this the case?
ls -lrt /.netrc
33. /.rhosts must have read and write access only by root. Is this the case?
ls -lrt /.rhosts
AIX is short for Advanced Interactive eXecutive. AIX is the UNIX operating system from IBM for RS/6000, pSeries and the latest p5 & p5+ systems. Currently, it is called "System P". In AIX 5L, the 5L stands for version 5 and Linux affinity. AIX and RS/6000 were released on the 14th of February, 1990 in London. Currently, the latest release of AIX is version 6. AIX 7 beta will be released in Aug 2010, along with the new POWER7 hardware range.
Tanti Technology
- sandeep tanti
- Bangalore, Karnataka, India
- Multi-platform UNIX systems consultant and administrator in mutualized and virtualized environments. I have 4.5+ years experience in AIX system Administration field. This site will be helpful for system administrator in their day to day activities. Your comments on posts are welcome. This blog is all about IBM AIX Unix flavour. This blog will be used by System admins who will be using AIX in their work life. It can also be used for those newbies who want to get certifications in AIX Administration. This blog will be updated frequently to help the system admins and other new learners. DISCLAIMER: Please note that blog owner takes no responsibility of any kind for any type of data loss or damage by trying any of the command/method mentioned in this blog. You may use the commands/method/scripts on your own responsibility. If you find something useful, a comment would be appreciated to let other viewers also know that the solution/method work(ed) for you.