
Document No.: MSB/IS/004
Issue No.: 01
Revision No.: 00
Minimum Security Baseline for AIX
Effective Date: December 15, 2017

1. Objective
The objective of this document is to provide a minimum security baseline for the AIX
operating system at Engro Foods Limited.

2. Minimum Security Baseline


2.1 Physical & Environmental Controls
All servers hosting AIX should be placed in a physically secure environment; access
should be restricted to authorized personnel only.
Adequate monitoring controls, such as surveillance cameras, security guards, etc., should
be in place as a compensatory control to detect any unusual activity which may threaten
the server's physical security.
The servers should have appropriate backup power support.

2.2 Unnecessary or default accounts


Disable unnecessary user accounts and system accounts, such as guest.
Deleting accounts is not recommended because it deletes account information, such as
user IDs and user names, which may still be associated with data on system backups.

2.3 Identification and Authentication


Named accounts should be created for users in AIX. Every active user account should
require a password. Passwords should be encrypted (!) and stored in the shadow file
(/etc/security/passwd).
Authentication parameters in the /etc/security/user file should be configured in
accordance with the corporate policy for named users, except for root/service accounts:

| Parameter | Description | Recommendation |
|---|---|---|
| MINLEN | Defines the minimum length of a password. | 8 |
| MINDIFF | Defines the minimum number of characters that are required in a new password which were not in the old password. | 1 |
| MINAGE | Defines the minimum number of weeks before a password can be changed. | 1 |
| MAXAGE | Defines the maximum number of weeks that a password is valid. | 8 |
| HISTEXPIRE | Defines the period of time in weeks that a user will not be able to reuse a password. | 60 |
| HISTSIZE | Defines the number of previous passwords that a user may not reuse. | 5 |
| LOGINRETRIES | Defines the number of attempts a user has to login to the system before their account is disabled. | 5 |
| MINALPHA | Defines the minimum number of alphabetic characters in a password. | 1 |
| MINOTHER | Defines the number of characters within a password which must be non-alphabetic. | 2 |
| PWDWARNTIME | Defines the number of days before the system issues a warning that a password change is required. | 5 |

Authentication parameters in /etc/security/user file should be configured for root:

| Parameter | Description | Recommendation |
|---|---|---|
| MINLEN | Defines the minimum length of a password. | 8 |
| MINALPHA | Defines the minimum number of alphabetic characters in a password. | 1 |
| MINOTHER | Defines the number of characters within a password which must be non-alphabetic. | 2 |
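
An added example, not part of the original baseline: a Python audit of a copy of /etc/security/user against the two tables above, resolving each stanza against the default stanza first. Reading the recommendations as floors (ceilings for MAXAGE and LOGINRETRIES), treating unset attributes as 0, and the `service_accounts` parameter are assumptions of this example; the sample file is constructed.

```python
import re

# Baseline from the two tables above: attribute -> (kind, recommended value).
# Reading "min" as a floor and "max" as a ceiling is this example's assumption.
NAMED = {"minlen": ("min", 8), "mindiff": ("min", 1), "minage": ("min", 1),
         "maxage": ("max", 8), "histexpire": ("min", 60), "histsize": ("min", 5),
         "loginretries": ("max", 5), "minalpha": ("min", 1),
         "minother": ("min", 2), "pwdwarntime": ("min", 5)}
ROOT = {k: NAMED[k] for k in ("minlen", "minalpha", "minother")}

def parse_stanzas(text):
    """Parse AIX stanza format: a 'name:' header, then 'attr = value' lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # '*' begins a comment line
            continue
        header = re.fullmatch(r"(\S+):", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return stanzas

def audit_user_file(text, service_accounts=()):
    """Return sorted (stanza, attr, effective value) tuples that miss the baseline."""
    stanzas = parse_stanzas(text)
    default = stanzas.get("default", {})
    findings = []
    for name, attrs in stanzas.items():
        if name in service_accounts:           # exempt per the baseline text
            continue
        effective = {**default, **attrs}       # user stanza overrides default
        for attr, (kind, want) in (ROOT if name == "root" else NAMED).items():
            raw = effective.get(attr, "0")     # unset is treated as 0 (assumption)
            have = int(raw) if raw.isdigit() else 0
            # For ceilings, 0 means "no limit" on AIX, so 0 fails as well.
            ok = have >= want if kind == "min" else 0 < have <= want
            if not ok:
                findings.append((name, attr, raw))
    return sorted(findings)

# Constructed sample in /etc/security/user layout (not from a real system).
SAMPLE = ("default:\n" + "".join(f"\t{k} = {v}\n" for k, (_, v) in NAMED.items())
          + "root:\n\tminother = 1\n"
          + "* alice overrides two defaults\nalice:\n\tmaxage = 0\n\tminlen = 6\n")

if __name__ == "__main__":
    print(audit_user_file(SAMPLE))
```

The default stanza is audited as well, because accounts without their own stanza inherit it.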

2.4 Privileged Account Security


All users should have a unique UID. In particular, the only user on the system to have a
UID of 0 should be the root user.
All access to the root account should be via su or sudo to provide an audit trail. All other
users must also have a unique UID to ensure that file and directory security is not
compromised.
sudo is the preferred method, as the user must be set up in the /etc/sudoers file and only
assumes the responsibilities of the account as explicitly defined in the /etc/sudoers file.
Set the rlogin option in the /etc/security/user file for root to false to ensure that the root
user cannot remotely log into the system. In case the best practice cannot be
implemented, and 'rlogin' is set to true, then such access should be restricted to limited
authorized terminals only.

The rexec, rlogin and rsh services are vulnerable services, as the usernames and
passwords are passed over the network in clear text. It is recommended to comment out
rexec, rlogin and rsh in the /etc/inetd.conf file and use Secure Shell (SSH) instead.

2.5 Unnecessary or vulnerable services


| Function | Service | Recommendation |
|---|---|---|
| Telnet | inetd/telnet | Supports remote login sessions, but the password and ID are passed unprotected. Insecure services/protocol should be disabled. Secure Shell should be used instead. |
| Finger | inetd/finger | Service runs as root user, gives out information about systems and users. Therefore it should be disabled. |
| Daytime | inetd/daytime | An obsolete service, runs as root, provides opportunity for Denial of Service PING attacks. It is recommended to disable it. |
| Discard | inetd/discard | Service is obsolete and used in Denial of Service attacks. It is recommended to disable it. |
| Chargen | inetd/chargen | Service is used for testing only and provides an opportunity for Denial of Service (DOS) attacks. It is recommended to disable it. |
| File transfer protocol | inetd/ftp | User id and password are transferred unprotected, thus allowing them to be snooped. Disable this service and use a public domain secure shell suite (where necessary). In case ftp is not disabled, then the exception should be approved by Head of IS and /etc/ftpusers file be maintained which at minimum includes the following accounts, to restrict them log into ftp service: root, nobody, bin, sys, ldap, nuucp, guest, lpd, sync, uucp, and any other account that should not be copying files across the network. |
| Echo | inetd/echo | Used to echo at someone else to get through a firewall or start a data storm and could be used in Denial of Service (DOS) or smurf attacks. It is recommended to disable it. |
| Time | inetd/time | Outdated service. Disable only after you have tested your systems (boot/reboot) with this service disabled and have observed no problems. |
| Talk | inetd/talk | Establish split screen between two users on the net. Disable unless you need multiple interactive chat sessions for UNIX user. |
| Ntalk | inetd/ntalk | Runs as root, allowing users to talk with each other. This is not required on production or back room servers. Disable unless absolutely needed. |
| rlogin service | inetd/login | Data including user IDs and passwords are passed unprotected and are susceptible to be sniffed. It is recommended to use secure shell instead of this service. |
| remote execution service | inetd/exec | Runs as root user. Requires that you enter a user ID and password, which are passed unprotected. This service is highly susceptible to being snooped therefore it should be disabled. |
| rsh service | inetd/shell | It is recommended to disable this service (if possible) and use Secure Shell instead. Where the use of this service is necessary, use the TCP Wrapper to stop spoofing and limit exposures. |
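
An added example, not part of the original baseline: a Python check of a copy of /etc/inetd.conf for services from the table above that are still enabled, plus the /etc/ftpusers minimum when ftp remains active. The `approved` parameter (for exceptions signed off under this policy) is hypothetical, and both sample files are constructed.

```python
# Services the table above says to disable, named as in field 1 of /etc/inetd.conf.
TO_DISABLE = {"telnet", "finger", "daytime", "discard", "chargen", "ftp", "echo",
              "time", "talk", "ntalk", "login", "exec", "shell"}
# Minimum /etc/ftpusers content required by the table when ftp stays enabled.
FTPUSERS_MINIMUM = {"root", "nobody", "bin", "sys", "ldap", "nuucp", "guest",
                    "lpd", "sync", "uucp"}

def enabled_services(inetd_conf):
    """Return sorted (service, protocol) pairs for uncommented inetd.conf entries."""
    found = set()
    for line in inetd_conf.splitlines():
        fields = line.split("#", 1)[0].split()    # drop comments, then tokenize
        # Layout: service, socket type, protocol, wait/nowait, user, program, args
        if len(fields) >= 6:
            found.add((fields[0], fields[2]))
    return sorted(found)

def audit_inetd(inetd_conf, ftpusers="", approved=()):
    """Report baseline services still enabled and accounts missing from ftpusers.

    approved: services with a signed-off exception (hypothetical parameter).
    """
    active = enabled_services(inetd_conf)
    enabled = [f"{svc}/{proto}" for svc, proto in active
               if svc in TO_DISABLE and svc not in approved]
    missing = []
    if any(svc == "ftp" for svc, _ in active):    # ftpusers only matters if ftp runs
        listed = {ln.strip() for ln in ftpusers.splitlines() if ln.strip()}
        missing = sorted(FTPUSERS_MINIMUM - listed)
    return {"enabled": enabled, "ftpusers_missing": missing}

# Constructed sample files (not from a real system).
SAMPLE_INETD = """\
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
daytime dgram   udp     wait    root    internal
"""
SAMPLE_FTPUSERS = "root\nguest\n"

if __name__ == "__main__":
    print(audit_inetd(SAMPLE_INETD, SAMPLE_FTPUSERS, approved=("ftp",)))
```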

2.6 Connection reset and data integrity attack prevention


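Set the tcp_tcpsecure parameter to 7. The value 7 is the sum of the three values
below (1 + 2 + 4), which enables protection against all three attacks:

| Parameter | Description | Recommendation |
|---|---|---|
| Fake SYN | Used to terminate an established connection using SYN packet. | 1 |
| Fake RST | Used to terminate an established connection using RST packet. | 2 |
| Fake data | A hacker may inject fake data into an established connection. | 4 |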

2.7 Permissions and ownership


Permissions on the following directories and files should be appropriately restricted to
root, or a specific application program:
- /
- /etc
- /etc/security
- /bin
- /usr
- /var
- /sbin
- /etc/group
- /etc/shadow
- Any other directories that contain financially significant programs or data
Permissions on each file in the /var/spool/cron/crontabs directory should be restricted to
root or the appropriate user.

2.8 Business Continuity & Disaster Recovery


A backup should be taken before any change is made and at least on a quarterly basis.

3. Classification & Distribution


This document is classified as an internal (private) document and has been issued solely
for the use of Engro Foods Limited. Its contents shall not be used for any other purposes
or disclosed to any employee or third party without the consent of the General Manager
Information Systems.

4. Change Log
| Revision | Date | Handled by | Comments |
|---|---|---|---|
| 0 | 5 Dec 2017 | Syeda Aeman Shujaat | Initial write up of baseline. |

Prepared by: Syeda Aeman Shujaat (Name & Signature), December 5, 2017 (Date)

Approved by: Muhammad Bilal Khan (Name & Signature), (Date)
