SECURITY CONFIGURATION  - Created Monday 20 October 2014

INFO

syscheck called by root

AIX Enhanced RBAC:

INFO

Enhanced RBAC is active

Active OS security methods:

Sequence: 1420  - Command: /usr/bin/lsauthent

Kerberos 5
Standard Aix
		
Kernel security configuration:

INFO

fullcore = true (below) means an abnormal termination writes the complete process image, including any passwords or keys the process held in memory; keep core files out of world-readable locations and review the core limit and core_compress settings in the user defaults further down.

Sequence: 421  - Command: lsattr -EHl sys0 -a chown_restrict

attribute  value  description  user_settable 
chown_restrict  true  Chown Restriction Mode  True 

Sequence: 421  - Command: lsattr -El sys0 -a autorestart

attribute  value  description  user_settable 
autorestart  true  Automatically REBOOT OS after a crash  True 

Sequence: 421  - Command: lsattr -EHl sys0 -a conslogin

attribute  value  description  user_settable 
conslogin  enable  System Console Login   False 

Sequence: 421  - Command: lsattr -El sys0 -a cpuguard

attribute  value  description  user_settable 
cpuguard  enable  CPU Guard  True 

Sequence: 421  - Command: lsattr -EHl sys0 -a fullcore

attribute  value  description  user_settable 
fullcore  true  Enable full CORE dump  True 

Sequence: 421  - Command: lsattr -EHl sys0 -a nfs4_acl_compat

attribute  value  description  user_settable 
nfs4_acl_compat  secure  NFS4 ACL Compatibility Mode  True 

Sequence: 421  - Command: lsattr -EHl sys0 -a maxuproc

attribute  value  description  user_settable 
maxuproc  4096  Maximum number of PROCESSES allowed per user  True 
System auditing status:

INFO

Auditing active - Note auditing can use a lot of system resources.

 

INFO

Auditing running in streams mode

List system audit records (Last 20 entries):

INFO

Use: lsaudrec to examine all the entries. Note that lsaudrec reads the RSCT audit log (the CLOG entries below come from the CSM/RSCT resource managers), not the AIX audit subsystem reported as active above; AIX audit records are formatted with auditpr.

Sequence: 423  - Command: lsaudrec

09/27/14 11:13:32      CLOG Info     [_HCD] 2655-049 The following error message was returned by function init
 
                                     .

09/29/14 08:53:07      CLOG Info     [_DMD] 2655-063 Could not obtain a license for CSM. The scaling limit is 
 
09/29/14 08:53:10      CLOG Info     [_DMD] 2655-075 Unable to list the nodes in the domain because the licens
 
09/29/14 08:53:10      CLOG Info     [_HCD] 2655-049 The following error message was returned by function init
 
                                     .

10/15/14 10:36:52      CLOG Info     [_DMD] 2655-063 Could not obtain a license for CSM. The scaling limit is 
 
10/15/14 10:36:54      CLOG Info     [_DMD] 2655-075 Unable to list the nodes in the domain because the licens
 
10/15/14 10:36:54      CLOG Info     [_HCD] 2655-049 The following error message was returned by function init
 
                                     .

		
Processor folding and SMT:

INFO

Processor folding is enabled. The AIX kernel dynamically folds (idles) virtual processors whose utilisation stays below the folding threshold (49% by default) and unfolds them as load rises, so that the hypervisor can dispatch the freed physical cores to other partitions.

 

INFO

SMT is currently enabled

System resource controller:

INFO

srcmstr is started in (default) protected mode (ignores remote requests)

 

INFO

srcmstr process is running

Syslog remote messages:

INFO

The syslog daemon is running with the "-r" option, and so is ignoring remote syslog messages.

Sequence: 1425  - Command: ps -ef | grep "[s]yslogd" | grep "\-r"

syslogd not secure

(This verdict contradicts the INFO line above and appears to be wrong for AIX: on AIX syslogd, -r suppresses logging of messages received from remote hosts, so the instance found by this check is the one that already rejects remote input. A syslogd started without -r accepts UDP 514 messages from any host and can be flooded or fed forged entries; compare the three daemons in the next section.)
Syslog daemon processes (and flags):

Sequence: 092  - Command: ps -elf | grep syslog

F       UID   PID      PPID     PRI  NI  ADDR       SZ   STIME   TIME  CMD
240001  root  3801206  3211426  60   20  828265400  772  Oct 15  0:09  /usr/sbin/syslogd -r
240001  root  6357180  -        60   20  860ccc400  680  Oct 15  0:00  /usr/sbin/syslogd -n -f /etc/chroot00.conf -p /var/chroot00/dev/log -d
40001   root  7471112  -        60   20  800ca0400  600  Oct 15  0:00  /usr/sbin/syslogd -f /etc/chroot00.conf -p /dev/log

(Columns as captured by the report: the first field is the ps flags column, and PPID was not captured for the two chroot instances.) Three daemons are running: the main one with -r, and two reading /etc/chroot00.conf for the chroot tree under /var/chroot00. The chroot instance runs with -d (debug output), and the third instance is bound to /dev/log, the socket the main daemon also uses by default; confirm which process actually owns /dev/log before assuming local messages reach the main configuration.

Syslog logging socket:

 

INFO

This socket is created when syslogd starts. You cannot create it yourself

Sequence: 092  - Command: ls -l /dev/log

Perms  Owner  Group  Month  Day  HH:MM  Filename
srw-rw-rw-  root  system  Oct  15  10:31  /dev/log
Syslog daemon config:

INFO

Use the "rotate" and "compress" options to manage your logfiles

Sequence: 093  - Command: cat /etc/syslog.conf

Selector  Destination  Options
*.alert  errlog             
*.warn  /var/adm/log/error.log  rotate  size  8m  compress  files 
auth,authpriv.info  /var/adm/log/auth.log  rotate  size  8m  compress  files 
lpr.info  /var/adm/log/lpr.log  rotate  size  8m  compress  files 
mail.info  /var/adm/log/mail.log  rotate  size  8m  compress  files 
news.info  /var/adm/log/news.log  rotate  size  8m  compress  files 
syslog.info  /var/adm/log/syslog.log  rotate  size  8m  compress  files 
uucp.info  /var/adm/log/uucp.log  rotate  size  8m  compress  files 
daemon.info  /var/adm/log/daemon.log  rotate  size  500k  files  compress 
local0.info  /var/adm/log/wrappers.log  rotate  size  8m  compress  files 
local1.*  /var/adm/log/kerberos.log  rotate  size  8m  compress  files 
local7.info  /var/adm/log/sftp-server.log  rotate  size  8m  compress  files 
mark.*  /var/adm/log/mark.log  rotate  size  8m  compress  files 
*.debug  /var/adm/log/messages.log  rotate  size  8m  compress  files 
aso.notice  /var/log/aso/aso.log  rotate  size  128k  time  7d   
aso.info  /var/log/aso/aso_process.log  rotate  size  1024k  files   
aso.debug  /var/log/aso/aso_debug.log  rotate  size  8m  compress  files 
mark.debug  /var/adm/log/mark.log  rotate  size  8m  compress  files 
Syslog daemon status:

Sequence: 094  - Command: lssrc -ls syslogd

Subsystem  Group  PID  Status         
syslogd  ras  3801206  active         
Syslogd  Config  *.alert  errlog         
Syslogd  Config  *.warn  /var/adm/log/error.log  rotate  size  8m  compress 
Syslogd  Config  auth,authpriv.info  /var/adm/log/auth.log  rotate  size  8m  compress 
Syslogd  Config  lpr.info  /var/adm/log/lpr.log  rotate  size  8m  compress 
Syslogd  Config  mail.info  /var/adm/log/mail.log  rotate  size  8m  compress 
Syslogd  Config  news.info  /var/adm/log/news.log  rotate  size  8m  compress 
Syslogd  Config  syslog.info  /var/adm/log/syslog.log  rotate  size  8m  compress 
Syslogd  Config  uucp.info  /var/adm/log/uucp.log  rotate  size  8m  compress 
Syslogd  Config  daemon.info  /var/adm/log/daemon.log  rotate  size  500k  files 
Syslogd  Config  local0.info  /var/adm/log/wrappers.log  rotate  size  8m  compress 
Syslogd  Config  local1.*  /var/adm/log/kerberos.log  rotate  size  8m  compress 
Syslogd  Config  local7.info  /var/adm/log/sftp-server.log  rotate  size  8m  compress 
Syslogd  Config  mark.*  /var/adm/log/mark.log  rotate  size  8m  compress 
Syslogd  Config  *.debug  /var/adm/log/messages.log  rotate  size  8m  compress 
Syslogd  Config  aso.notice  /var/log/aso/aso.log  rotate  size  128k  time 
Syslogd  Config  aso.info  /var/log/aso/aso_process.log  rotate  size  1024k  files 
Syslogd  Config  aso.debug  /var/log/aso/aso_debug.log  rotate  size  8m  compress 
Syslogd  Config  mark.debug  /var/adm/log/mark.log  rotate  size  8m  compress 
Syslog files check:

Sequence: 095  - Command: cat /etc/syslog.conf

Level  Filename  Status
*.alert errlog
*.warn /var/adm/log/error.log
auth,authpriv.info /var/adm/log/auth.log
lpr.info /var/adm/log/lpr.log
mail.info /var/adm/log/mail.log
news.info /var/adm/log/news.log
syslog.info /var/adm/log/syslog.log
uucp.info /var/adm/log/uucp.log
daemon.info /var/adm/log/daemon.log
local0.info /var/adm/log/wrappers.log
local1.* /var/adm/log/kerberos.log
local7.info /var/adm/log/sftp-server.log
mark.* /var/adm/log/mark.log
*.debug /var/adm/log/messages.log
aso.notice /var/log/aso/aso.log
aso.info /var/log/aso/aso_process.log
aso.debug /var/log/aso/aso_debug.log
mark.debug /var/adm/log/mark.log

Suppressed error messages:

Sequence: 089  - Command: errpt -t -F log=0

None
		
 

WARNING

There are 8 suppressed error report messages (the table below lists 7 entries)

Sequence: 1089  - Command: errpt -t -F report=0

Id  Label  Type  CL  Description  
184D77EF  FWADUMP_SUSPEND  INFO  Firmware-assisted system dump temporaril  
1850F542  MINIDUMP_INFO  INFO  NVRAM WAS RE-INITIALIZED  
33EED8E1  FWADUMP_RESTART  INFO  Firmware-assisted system dump restarted  
45E4E066  DUPCHECK_OFF  TEMP  Duplicate checking turned off  
86DC0701  DUPCHECK_ON  TEMP  Duplicate checking turned on  
B0787F02  NVRAM_ERRDATA  UNKN  CORRUPT DATA DETECTED  
DF9BDB86  FWADUMP_LOWMEM  PERM  Firmware-assisted system dump initializa  
Cron daemon configuration "/etc/cronlog.conf":

Sequence: 426  - Command: cat /etc/cronlog.conf

Parameter  Value 
logfile  /var/adm/cron.log 
size  100K 
rotate 
archive  /usr/home 
compress   
Potentially unsafe services in "/etc/inittab":

Sequence: 427  - Command: lsitab -a

None
		
Network time synchronisation (xntpd):

INFO

xntpd is running

 

INFO

Clock is insane, check your NTP config. xntpd reports itself unsynchronised: every configured server is at stratum 16 with a dispersion of 16000 ms, i.e. none has ever been reached. This matters here because the host authenticates users via LDAP (and Kerberos, per the authentication methods above) against win-jir4mbrd2a9, which is also one of the unreachable servers; Kerberos rejects tickets outside its clock-skew window, and unsynchronised time undermines correlation of the audit and syslog records above.

Sequence: 428  - Command: lssrc -s xntpd

(The "insane" verdict comes from the leap indicator that lssrc -ls xntpd reports; the peer table below is in ntpq -p layout, with the "when" and "reach" columns not captured.)

remote  refid  st  poll  delay  offset  disp
win-jir4mbrd2a9  0.0.0.0  16  64  0.00  0.000  16000.0
ntp.bbln.org  0.0.0.0  16  64  0.00  0.000  16000.0
ntp.luna.nl  0.0.0.0  16  64  0.00  0.000  16000.0
server01.coloce  0.0.0.0  16  64  0.00  0.000  16000.0
ntp4.bit.nl  0.0.0.0  16  64  0.00  0.000  16000.0
LDAP status:

INFO

LDAP is active on this system

 

WARNING

This LDAP client is configured for non-SSL binds (ldapport=389, see below), which means that LDAP traffic is transmitted in clear. Because authtype=UNIX_AUTH, secldapclntd retrieves each account's password hash from the directory and compares it locally, so those hashes also cross the network unprotected. Move the client to LDAP over SSL on port 636 (the useSSL, ldapsslkeyf and ldapsslkeypwd entries in /etc/security/ldap/ldap.cfg, or the -k and -w options of mksecldap -c) and restart secldapclntd.

Sequence: 429  - Command: /usr/sbin/ls-secldapclntd

ldapservers=win-jir4mbrd2a9.BlueFinch.local
current ldapserver=win-jir4mbrd2a9.BlueFinch.local
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=22
groupcachesize=100
groupcacheused=17
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=UNIX_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=SFUR2
userbasedn=OU=AIX,DC=BlueFinch,DC=local
groupbasedn=OU=AIX,DC=BlueFinch,DC=local
userobjectclass=user,person,organizationalperson
groupobjectclass=group
		
SNMP daemon encryption status:

WARNING

The SNMP daemon is running at version 3 (unencrypted). The encrypted version is available from the "Expansion Pack CD/DVD"

 

INFO

Log file: "/usr/tmp/snmpdv3.log" exists

 

WARNING

Using "public" as your SNMP community name is unsafe!

Sequence: 2432  - Command: ls -l /usr/sbin/snmpd

(The output below is the contents of the SNMPv3 agent configuration, /etc/snmpdv3.conf, not the file listing the command line suggests.) What it grants: community "public" is mapped to group1 (SNMPv1) and director_group (SNMPv2c); both groups get defaultView as read and notify view with no write view, so the community is read-only, but the COMMUNITY line accepts it from any source address (address 0.0.0.0, mask 0.0.0.0) and defaultView includes the whole internet subtree. The smux line also keeps the gated SMUX password in this file in clear.

VACM_GROUP group1 SNMPv1  public  -
VACM_VIEW defaultView        internet   		- included -
VACM_VIEW defaultView        1.3.6.1.4.1.2.2.1.1.1.0    - included -
VACM_VIEW defaultView        1.3.6.1.4.1.2.6.191.1.6    - included -
VACM_VIEW defaultView        snmpModules		- excluded -
VACM_VIEW defaultView        1.3.6.1.6.3.1.1.4          - included -   
VACM_VIEW defaultView        1.3.6.1.6.3.1.1.5          - included -  
VACM_VIEW defaultView        1.3.6.1.4.1.2.6.191	- excluded -
VACM_ACCESS  group1 - - noAuthNoPriv SNMPv1  defaultView - defaultView -
NOTIFY notify1 traptag trap -
TARGET_ADDRESS Target1 UDP 127.0.0.1       traptag trapparms1 - - -
TARGET_PARAMETERS trapparms1 SNMPv1  SNMPv1  public  noAuthNoPriv -
COMMUNITY public    public     noAuthNoPriv 0.0.0.0 	0.0.0.0 	-
DEFAULT_SECURITY no-access - -
logging         file=/usr/tmp/snmpdv3.log       enabled
logging         size=100000                     level=4
smux            1.3.6.1.4.1.2.3.1.2.1.2         gated_password  # gated
VACM_GROUP director_group SNMPv2c public -
VACM_ACCESS director_group - - noAuthNoPriv SNMPv2c defaultView - defaultView -
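Added example (not part of the report and not from the AIX tooling): a POSIX sh audit of an snmpdv3.conf in the layout shown above. The sample configuration is constructed from the lines above; 10.0.0.5 is an assumed management-station address used to show the tightened COMMUNITY line, and the awk field positions follow the COMMUNITY and VACM_ACCESS entry layouts.

```shell
#!/bin/sh
# Added example, not from the original report: audit an AIX
# /etc/snmpdv3.conf for community strings accepted from any address,
# well-known community names and access granted at noAuthNoPriv.
# SAMPLE_SNMPDV3_CONF is constructed from the configuration lines shown
# in the report; field positions follow the snmpdv3.conf entry layout.

SAMPLE_SNMPDV3_CONF='VACM_GROUP group1 SNMPv1 public -
VACM_VIEW defaultView internet - included -
VACM_ACCESS group1 - - noAuthNoPriv SNMPv1 defaultView - defaultView -
COMMUNITY public public noAuthNoPriv 0.0.0.0 0.0.0.0 -
DEFAULT_SECURITY no-access - -
VACM_GROUP director_group SNMPv2c public -
VACM_ACCESS director_group - - noAuthNoPriv SNMPv2c defaultView - defaultView -'

# Read a snmpdv3.conf on stdin and print one finding per line.
snmp_findings() {
    awk '
    # COMMUNITY communityName securityName securityLevel netAddr netMask storage
    $1 == "COMMUNITY" {
        if ($5 == "0.0.0.0" && $6 == "0.0.0.0")
            printf "community %s is accepted from any source address\n", $2
        if ($2 == "public" || $2 == "private")
            printf "community %s is a well-known default name\n", $2
    }
    # VACM_ACCESS group ctxPrefix ctxMatch secLevel secModel readView writeView notifyView storage
    $1 == "VACM_ACCESS" {
        if ($5 == "noAuthNoPriv")
            printf "group %s gets %s access without authentication\n", $2, $6
        if ($8 != "-")
            printf "group %s has write view %s\n", $2, $8
    }'
}

# Rewrite every COMMUNITY line so the community is only accepted from
# one management host (exact-match netmask). Input on stdin.
restrict_community_to_host() {
    awk -v host="$1" '$1 == "COMMUNITY" { $5 = host; $6 = "255.255.255.255" } { print }'
}

# Self-check helpers: number of findings in the sample before and after
# restricting the community to an assumed monitoring station
# (10.0.0.5 is a made-up address).
sample_findings() {
    printf '%s\n' "$SAMPLE_SNMPDV3_CONF" | snmp_findings | wc -l | tr -d ' '
}
sample_findings_restricted() {
    printf '%s\n' "$SAMPLE_SNMPDV3_CONF" | restrict_community_to_host 10.0.0.5 \
        | snmp_findings | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SNMPDV3_CONF" | snmp_findings
```

Restricting the source address and replacing the community name are the changes available on the non-encrypted agent shipped with the base OS; authenticated and encrypted access (USM_USER entries at authPriv) needs the encrypted snmpdv3 from the Expansion Pack, as the WARNING above says.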
 
		
IPSec security status:

Sequence: 431  - Command: ipsecstat -d

IPSec Devices:
   ipsec_v4 Available
   ipsec_v6 Available

		
IPSec tunnel status:

Sequence: 1431  - Command: lstun


Start list IBM tunnel for IPv4


No IBM tunnel found for IPv4

End of IBM tunnel for IPv4

Start list manual tunnel for IPv4


No manual tunnel found for IPv4

End of manual tunnel for IPv4

Start list manual tunnel for IPv6


No manual tunnel found for IPv6

End of manual tunnel for IPv6
		
EFS status:

INFO

EFS is installed and enabled (see the help file). The keystore algorithms and file ciphers listed below are what the system supports, not what is in use; the user defaults later in this report select RSA_1024 keystores and AES_128_CBC for files. RSA_1024 is below current key-length guidance, so prefer RSA_2048 or larger for new keystores, and do not select the ECB ciphers for files, because ECB reveals repeated plaintext blocks.

Sequence: 432  - Command: efsenable -q

List  of  supported  algorithms  for  keystores: 
RSA_1024         
RSA_2048         
RSA_4096         
           
List  of  supported  ciphers  for  files: 
AES_128_CBC         
AES_192_CBC         
AES_256_CBC         
AES_128_ECB         
AES_192_ECB         
AES_256_ECB         

Users and groups with a keystore:

Sequence: 432  - Command: find /var/efs \( -fstype jfs -o -fstype jfs2 \) -name keystore

Filename  Perms  Owner  Group 
/var/efs/efs_admin/keystore  -rw-------  root  system 
/var/efs/groups/dbsysadm/keystore  -rw-------  root  system 
/var/efs/groups/security/keystore  -rw-------  root  system 
/var/efs/users/aixguest/keystore  -rw-------  root  system 
/var/efs/users/co1217/keystore  -rw-------  root  system 
/var/efs/users/invscout/keystore  -rw-------  root  system 
/var/efs/users/ldapdb2/keystore  -rw-------  root  system 
/var/efs/users/pmpolicy/keystore  -rw-------  root  system 
/var/efs/users/postgres/keystore  -rw-------  root  system 
/var/efs/users/root/keystore  -rw-------  root  system 
/var/efs/users/test/keystore  -rw-------  root  system 
/var/efs/users/uptime/keystore  -rw-------  root  system 
/var/efs/users/was/keystore  -rw-------  root  system 

Files with ACLs or EFS attributes

Sequence: 432  - Command: find / -ea -exec ls -Ud {} \;

Perms  Owner  Group  Size  Month  Day  Year  Filename
-rw-------+  root  system  12  Jul  18  2013  /tmp/andrew 
drwx------+  root  system  256  Dec  02  2013  /tmp/test 
drwx------+  root  system  256  Dec  02  2013  /tmp/test/1 
drwx------+  root  system  256  Dec  02  2013  /tmp/test/1/2 
drwx------+  root  system  256  Dec  02  2013  /tmp/test/1/2/3 
DHCP status:

Sequence: 433  - Command: lssrc -a | egrep "dhcpcd6|dhcpsdv6"

Subsystem  Group  PID  Status 
dhcpcd6  tcpip  inoperative   
dhcpsdv6  tcpip  inoperative   
Print spooler status:

INFO

"/etc/qconfig" exists

 

WARNING

qdaemon is not running. Print jobs will be queued but not sent to the printer

Sequence: 2434  - Command: lssrc -a | grep qdaemon

Subsystem  Group  PID  Status 
qdaemon  spooler  inoperative   
Potentially risky inetd processes:

WARNING

There are 8 risky service(s) configured in "/etc/inetd.conf". Remove them and restart the inetd daemon asap! The status column of the table below was lost, so it does not show which 8 of the listed services are enabled; recover that from the uncommented lines of /etc/inetd.conf or from lssrc -ls inetd, which lists the active subservers. The cleartext remote-access services (telnet, ftp, login, shell, exec) and the information services (finger, rstatd, rusersd, systat, netstat) are the ones to remove first.

Sequence: 435  - Command: cat /etc/inetd.conf

Service  Status
bootps
chargen
cmsd
comsat
daytime
discard
dtspc
echo
exec
finger
ftp
login
netstat
ntalk
pcnfsd
rquotad
rstatd
rusersd
rwalld
shell
smtp
sprayd
spseccfg
systat
talk
telnet
tftmtp
tftp
time
ttdbserver
uucp
walld
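Added example (not from the report): a POSIX sh script that reads an inetd.conf in the layout AIX uses, reports the enabled entries that are on the risky list from the table above, and prints the chsubserver and refresh commands that would disable them. The sample inetd.conf is constructed; chsubserver is assumed to accept the protocol field exactly as written in inetd.conf (tcp6 here).

```shell
#!/bin/sh
# Added example, not from the original report: list the services that
# are actually enabled in an AIX /etc/inetd.conf and appear on the
# "risky" list, then print the AIX commands that would disable them.
# SAMPLE_INETD_CONF is constructed for this example; entries follow the
# inetd.conf layout (service socket protocol wait/nowait user server args).

RISKY_SERVICES='bootps chargen cmsd comsat daytime discard dtspc echo exec finger ftp login netstat ntalk pcnfsd rquotad rstatd rusersd rwalld shell smtp sprayd systat talk telnet tftp time ttdbserver uucp walld'

SAMPLE_INETD_CONF='## service  socket  protocol  wait/nowait  user  server  args
ftp      stream  tcp6  nowait  root    /usr/sbin/ftpd     ftpd
telnet   stream  tcp6  nowait  root    /usr/sbin/telnetd  telnetd -a
#shell   stream  tcp6  nowait  root    /usr/sbin/rshd     rshd
#login   stream  tcp6  nowait  root    /usr/sbin/rlogind  rlogind
ntalk    dgram   udp   wait    root    /usr/sbin/talkd    talkd
daytime  stream  tcp   nowait  root    internal
#tftp    dgram   udp6  SRC     nobody  /usr/sbin/tftpd    tftpd -n
xmquery  dgram   udp   wait    root    /usr/bin/xmtopas   xmtopas -p3'

# Read an inetd.conf on stdin; print "service protocol" for every
# uncommented entry whose service name is on the risky list.
risky_enabled_services() {
    awk -v list="$RISKY_SERVICES" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    /^[ \t]*#/ || NF < 6 { next }
    ($1 in risky) { print $1, $3 }'
}

# Read an inetd.conf on stdin and emit the commands an administrator
# would run as root to disable each finding and reload inetd. The
# commands are printed, not executed, so they can be reviewed first;
# chsubserver is assumed to take the protocol field as inetd.conf has it.
disable_commands() {
    risky_enabled_services | while read -r svc proto; do
        printf 'chsubserver -d -v %s -p %s\n' "$svc" "$proto"
    done
    printf 'refresh -s inetd\n'
}

# Self-check helpers on the constructed sample.
sample_risky_count() {
    printf '%s\n' "$SAMPLE_INETD_CONF" | risky_enabled_services | wc -l | tr -d ' '
}
sample_first_command() {
    printf '%s\n' "$SAMPLE_INETD_CONF" | disable_commands | head -n 1
}
sample_last_command() {
    printf '%s\n' "$SAMPLE_INETD_CONF" | disable_commands | tail -n 1
}

printf '%s\n' "$SAMPLE_INETD_CONF" | disable_commands
```

Commented-out entries (shell, login, tftp in the sample) are already disabled and are skipped, which is the distinction the report's table lost; on the real host, pipe /etc/inetd.conf into disable_commands and review the output before running it.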

Core compression status:

Sequence: 436  - Command: lscore -d

NOTE: Core compression is active
		
Modified restricted tunables:

WARNING

Restricted Tunables should not be changed unless you are sure you know what you are doing

Sequence: 437  - Command: grep "RESTRICTED not" /etc/tunables/lastboot

Parameter  Value 
kernel_psize   "4096" 
mbuf_heap_psize   "4096" 
relalias_nlocks   "32" 
vm_mmap_areload   "0" 
vmm_mpsize_support   "3" 
j2_nBufferPerPagerDevice   "1024" 
pv_min_pbuf   "1024" 
lockd_debug_level   "-1" 
statd_debug_level   "-1" 
statd_max_threads   "-1" 
Shutdown logfile check:

INFO

"/etc/shutdown.log" records many useful system messages generated during shutdown

 

INFO

"/etc/shutdown.log" exists. This is produced when the "-l" flag is added to the shutdown command and can contain important information

Console file check:

INFO

The device file "/dev/console" is vital for trapping some system messages

Sequence: 439  - Command: ls -l /dev/console

Perms  Owner  Group  Major,Minor  Month Day HH:MM  Filename
crw--w--w-  root  system  4,  Sep 26 20:31  /dev/console
 

INFO

Login is enabled at the system console

Default user limits:

INFO

These are the limits applied to a user account unless there is a specific setting to override it.

Sequence: 440  - Command: grep -p default: /etc/security/limits

default:
	fsize = 2097151
	core = 2097151
	cpu = -1
	data = 262144
	rss = 65536
	stack =	65536
	nofiles = 2000

		
Compare Default user settings against policy:

WARNING

There are 6 default parameter(s) configured in "/etc/security/user" that differ from the policy settings.

Sequence: 1440  - Command: diff /usr/local/bin/parameters/user_defs /etc/security/user

Parameter  Current Setting  Policy Setting
admin  true  false
admgroups  (blank)  mqm
registry  files  LDAP
SYSTEM  compat  "KRB5LDAP OR LDAP OR files"
loginretries  0  5
efs_allowksmodechangebyuser  true  yes

Note: the "Current Setting" column does not match the default stanza of /etc/security/user printed in the next section (admin = false, registry = LDAP, loginretries = 5, efs_allowksmodechangebyuser = yes), so the two columns appear to be reversed relative to their headings; confirm which file holds which value before changing anything. Whichever file carries them, admin = true as a default, loginretries = 0 (no lockout) and SYSTEM = compat (local files only) are not settings to apply to new accounts, and efs_allowksmodechangebyuser takes yes or no, not true.

Default user settings:

INFO

These are the settings applied to a user account unless there is a specific setting to override it.

Sequence: 441  - Command: grep -p default: /etc/security/user

default:
	admin = false
	login = true
	su = true
	daemon = true
	rlogin = true
	sugroups = ALL
	admgroups = 
	ttys = ALL
	auth1 = SYSTEM
	auth2 = NONE
	tpath = nosak
	umask = 77
	expires = 0
	registry = LDAP      
	SYSTEM = "KRB5LDAP OR LDAP OR files"     
	logintimes = 
	pwdwarntime = 5 
	account_locked = false
	loginretries = 5
	histexpire = 26
	histsize = 4 
	minage = 1
	maxage = 52
	maxexpired = 8
	minalpha = 2
	minother = 2
	minlen = 8
	mindiff = 4
	maxrepeats = 2
	dictionlist = /etc/security/aixpert/dictionary/English
	pwdchecks = 
	default_roles = 
	efs_keystore_access = file
	efs_adminks_access = file
	efs_initialks_mode = admin
	efs_allowksmodechangebyuser = yes
	efs_keystore_algo = RSA_1024
	efs_file_algo = AES_128_CBC
	core_compress = on

		
Users with a custom password dictionary:

INFO

A custom dictionary is used to prevent a user from choosing obvious words such as the company name. Two anomalies in the list below: an entry named "#This is a comment" is enumerated as a user, which means a line intended as a comment has become a real entry in the user database (AIX stanza files take "*" as the comment character, not "#"), and p520 and tester appear twice, consistent with their being defined in more than one registry (both carry registry = KRB5Afiles later in this report).

Sequence: 1441  - Command: lsuser -a dictionlist ALL

Username  Dictionary list 
p520  /etc/security/aixpert/dictionary/English 
tester  /etc/security/aixpert/dictionary/English 
root  /etc/security/aixpert/dictionary/English 
daemon  /etc/security/aixpert/dictionary/English 
bin  /etc/security/aixpert/dictionary/English 
sys  /etc/security/aixpert/dictionary/English 
adm  /etc/security/aixpert/dictionary/English 
#This is a comment  /etc/security/aixpert/dictionary/English 
invscout  /etc/security/aixpert/dictionary/English 
esaadmin  /etc/security/aixpert/dictionary/English 
lpd  /etc/security/aixpert/dictionary/English 
sshd  /etc/security/aixpert/dictionary/English 
lp  /etc/security/aixpert/dictionary/English 
co1217  /etc/security/aixpert/dictionary/English 
pconsole  /etc/security/aixpert/dictionary/English 
snapp  /etc/security/aixpert/dictionary/English 
ipsec  /etc/security/aixpert/dictionary/English 
keytest  /etc/security/aixpert/dictionary/English 
was  /etc/security/aixpert/dictionary/English 
ga0112  /etc/security/aixpert/dictionary/English 
andrew  /etc/security/aixpert/dictionary/English 
mqm  /etc/security/aixpert/dictionary/English 
andrew2  /etc/security/aixpert/dictionary/English 
radiusd  /etc/security/aixpert/dictionary/English 
idsldap  /etc/security/aixpert/dictionary/English 
www  /etc/security/aixpert/dictionary/English 
wwwadm  /etc/security/aixpert/dictionary/English 
ldapdb2  /etc/security/aixpert/dictionary/English 
sftp  /etc/security/aixpert/dictionary/English 
nobody  /etc/security/aixpert/dictionary/English 
nagios  /etc/security/aixpert/dictionary/English 
pmclient  /etc/security/aixpert/dictionary/English 
pmpolicy  /etc/security/aixpert/dictionary/English 
uptime  /etc/security/aixpert/dictionary/English 
lpar2rrd  /etc/security/aixpert/dictionary/English 
postgres  /etc/security/aixpert/dictionary/English 
user1  /etc/security/aixpert/dictionary/English 
dasusr1  /etc/security/aixpert/dictionary/English 
db2inst1  /etc/security/aixpert/dictionary/English 
db2fenc1  /etc/security/aixpert/dictionary/English 
idsinst  /etc/security/aixpert/dictionary/English 
mysql  /etc/security/aixpert/dictionary/English 
p520  /etc/security/aixpert/dictionary/English 
tester  /etc/security/aixpert/dictionary/English 
rrdcache  /etc/security/aixpert/dictionary/English 
cdat  /etc/security/aixpert/dictionary/English 
Available login shells:

INFO

These are the programs that can be specified when creating a new user

 

WARNING

"/usr/bin/false" should be added to shells= in "/etc/security/login.cfg" and should be the standard shell for users such as "bin".

Sequence: 442  - Command: cat /etc/shells

/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/psh
/usr/bin/tsh
/usr/bin/bsh
/opt/freeware/bin/bash
/opt/freeware/bin/bash_64

Sequence: 442  - Command: lssec -f /etc/security/login.cfg -s usw -a shells

usw shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/b
		
User creation defaults:

These are the default properties given to any new local users:

Sequence: 443  - Command: cat /usr/lib/security/mkuser.default

user:
	pgrp = staff
	groups = staff
	shell = /usr/bin/ksh
	home = /home/$USER	
	auditclasses = general               

admin:
	pgrp = system
	groups = system
	shell = /usr/bin/ksh
	home = /home/$USER	

		
Known user security methods:

These are the types of security that AIX can use to authenticate users.

Sequence: 444  - Command: cat /usr/lib/security/methods.cfg


LDAP:
	program = /usr/lib/security/LDAP
	program_64 =/usr/lib/security/LDAP64

NIS:
	program = /usr/lib/security/NIS
	program_64 = /usr/lib/security/NIS_64
	
DCE:
	program = /usr/lib/security/DCE

PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN

KRB5:
	program = /usr/lib/security/KRB5
	program_64 = /usr/lib/security/KRB5_64
	options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

KRB5LDAP:
	options = auth=KRB5,db=LDAP

KRB5A:
	program = /usr/lib/security/KRB5A
	program_64 = /usr/lib/security/KRB5A_64
	options = authonly,is_kadmind_compat=no,tgt_verify=no

KRB5Afiles:
	options = db=BUILTIN,auth=KRB5A
	program = /usr/lib/security/KRB5A
	program_64 = /usr/lib/security/KRB5A_64

		
Password algorithms:

INFO

"/etc/security/pwdalg.cfg" only lists the loadable password hash modules. The algorithm actually applied to new passwords is the pwd_algorithm attribute of the usw stanza in "/etc/security/login.cfg" (check it with lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm); when it is unset, AIX uses the traditional crypt() hash, which truncates passwords to 8 characters. Prefer ssha512 or sblowfish, and have users re-set their passwords afterwards, because existing hashes are not converted.

Sequence: 445  - Command: cat /etc/security/pwdalg.cfg

smd5:
	lpa_module = /usr/lib/security/smd5

ssha1:
	lpa_module = /usr/lib/security/ssha
	lpa_options = algorithm=sha1

ssha256:
	lpa_module = /usr/lib/security/ssha
	lpa_options = algorithm=sha256

ssha512:
	lpa_module = /usr/lib/security/ssha
	lpa_options = algorithm=sha512

sblowfish:
	lpa_module = /usr/lib/security/sblowfish
		
Auto create home directory:

WARNING

Home directories are not automatically created at first login

 

INFO

This function (mkhomeatlogin in the usw stanza of "/etc/security/login.cfg") only works for telnet logins, or for SSH when sshd is configured with UseLogin yes.

Echo username during login:

INFO

You can increase system security by obscuring the username as well as the password during login. The default behaviour is only to hide the password. Use: chsec -f /etc/security/login.cfg -s default -a usernameecho=false

 

INFO

Username is echoed during login

Members of the security group:

WARNING

Members of the "security" group can perform some privileged operations such as password resets, without switching to root

Sequence: 448  - Command: lsgroup -a users security

root groups=system,bin,sys,security,cron,audit,lp,dbsysadm,mqm,idsldap

(The line above is in lsuser -a groups format and shows only root's membership; lsgroup -a users security would print the group's full member list as users=... . Root is also in audit, cron and lp and in the application groups dbsysadm, mqm and idsldap, which is more than it needs.)
		
Duplicate User IDs in "/etc/passwd":

Sequence: 449  - Command: sort /etc/passwd

None

(Sorting the file by username only exposes duplicate names; duplicate numeric UIDs, which are what let two accounts share files and processes, require sorting on the third colon-separated field.)
		
Home directory check:

WARNING

23 home directory errors found

Sequence: 2452  - Command: cat /etc/passwd

Username  Home directory  Status
root  /home/root  Ownership correct
daemon  /etc  Checks skipped
bin  /bin  Checks skipped
sys  /usr/sys  Wrong owner: bin, perhaps it should belong to: sys. Wrong group: bin, perhaps it should belong to: sys.
    potentially unsafe access permissions: 775, ideally it should be 0750 or 0700
adm  /var/adm  Wrong owner: root, perhaps it should belong to: adm. Wrong group: system, perhaps it should belong to: adm.
    potentially unsafe access permissions: 775, ideally it should be 0750 or 0700
invscout  /var/adm/invscout  Wrong owner: root, perhaps it should belong to: invscout. Wrong group: system, perhaps it should belong to: invscout.
esaadmin  /var/esa  Ownership correct
lpd  /  "/" is a mountpoint
sshd  /home/sshd  Ownership correct
lp  /var/spool/lp  Home directory "/var/spool/lp" does not exist
co1217  /home/co1217  Ownership correct
pconsole  /var/adm/pconsole  Wrong group: pconsole, perhaps it should belong to: system
    potentially unsafe access permissions: 700, ideally it should be 0750 or 0700
snapp  /usr/sbin/snapp  Wrong owner: root, perhaps it should belong to: snapp. Wrong group: system, perhaps it should belong to: snapp.
ipsec  /etc/ipsec  Wrong group: ipsec, perhaps it should belong to: staff
keytest  /home/keytest  Ownership correct
was  /opt/WebSphere70  "/opt/WebSphere70" is a mountpoint
ga0112  /home/ga0112  Ownership correct
andrew  /home/andrew  Ownership correct
mqm  /var/mqm  Ownership correct
    potentially unsafe access permissions: 2775, ideally it should be 0750 or 0700
andrew2  /home/andrew2  Ownership correct
radiusd  /home/radiusd  Home directory "/home/radiusd" does not exist
idsldap  /home/idsldap  Ownership correct
www  /home/www  Ownership correct
wwwadm  /home/wwwadm  Ownership correct
ldapdb2  /home/ldapdb2  Ownership correct
    potentially unsafe access permissions: 775, ideally it should be 0750 or 0700
sftp  /var/chroot00/./home/sftp  Wrong owner: root, perhaps it should belong to: sftp. Wrong group: system, perhaps it should belong to: sftp.
nobody  /  "/" is a mountpoint
nagios  /home/nagios  Ownership correct
pmclient  /var/opt/quest/qpm4u/pmclient  Ownership correct
    potentially unsafe access permissions: 700, ideally it should be 0750 or 0700
pmpolicy  /var/opt/quest/qpm4u/pmpolicy  Ownership correct
    potentially unsafe access permissions: 700, ideally it should be 0750 or 0700
uptime  /home/uptime  Home directory "/home/uptime" does not exist
lpar2rrd  /home/lpar2rrd  Ownership correct
postgres  /home/postgres  Ownership correct
user1  /home/user1  Ownership correct
dasusr1  /home/dasusr1  Ownership correct
db2inst1  /home/db2inst1  Ownership correct
db2fenc1  /home/db2fenc1  Ownership correct
idsinst  /home/idsinst  Ownership correct
    potentially unsafe access permissions: 775, ideally it should be 0750 or 0700
mysql  /home/mysql  Ownership correct
p520  /home/p520  Ownership correct
tester  /home/tester  Ownership correct
rrdcache  /home/rrdcache  Ownership correct
cdat  /home/cdat  Ownership correct

(The 700 entries for pconsole, pmclient and pmpolicy already meet the stated target and are flagged by the tool in error. The sftp home sits inside the chroot tree /var/chroot00, and a chroot root directory normally has to be owned by root, so check the chroot design before changing that ownership. The missing home directories for lp, radiusd and uptime matter because a login would then land in "/".)
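Added example (not from the report) covering the two preceding checks, duplicate UIDs and home-directory ownership and permissions: a POSIX sh script that builds a constructed passwd file and directory tree in a temporary directory and audits them. The account names, the UIDs 60001 and 60002 and the directory layout are made up for the example; the three check functions take a passwd file path and can be pointed at /etc/passwd on a real host.

```shell
#!/bin/sh
# Added example, not from the original report: audit a passwd file for
# duplicate UIDs, extra UID-0 accounts and home-directory problems
# (missing directory, wrong owner, mode wider than 0750). It builds a
# constructed passwd file and directory tree under a temporary
# directory, so it never reads or changes the host's /etc/passwd.

# Build the sample environment; prints the path of the sample passwd file.
make_sample() {
    tmp=$(mktemp -d)
    mkdir "$tmp/me" "$tmp/alice" "$tmp/carol"
    chmod 700 "$tmp/me"
    chmod 775 "$tmp/alice"      # group-writable and world-accessible
    chmod 750 "$tmp/carol"
    # Constructed entries: alice and carol share a UID, bob's home is
    # missing, toor is a second UID-0 account. UIDs 60001/60002 are made up.
    cat > "$tmp/passwd" <<EOF
$(id -un):!:$(id -u):$(id -g):Current user:$tmp/me:/usr/bin/ksh
alice:!:60001:1:Alice:$tmp/alice:/usr/bin/ksh
carol:!:60001:1:Carol:$tmp/carol:/usr/bin/ksh
bob:!:60002:1:Bob:$tmp/missing:/usr/bin/ksh
toor:!:0:0:Second uid 0 account:$tmp/toor:/usr/bin/ksh
EOF
    printf '%s\n' "$tmp/passwd"
}

# UIDs used by more than one account: prints "uid name name...".
duplicate_uids() {
    awk -F: '$3 != "" { names[$3] = names[$3] " " $1; count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u names[u] }' "$1"
}

# Accounts other than root with UID 0.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# One line per home-directory problem. The mode test mirrors the report:
# 0700 and 0750 pass; group write or any "other" permission fails.
home_dir_findings() {
    pwfile=$1
    while IFS=: read -r user pw uid gid gecos home shell; do
        if [ ! -d "$home" ]; then
            printf '%s: home %s does not exist\n' "$user" "$home"
            continue
        fi
        set -- $(ls -ldn "$home")          # mode links owner-uid group-uid ...
        mode=$1 owner=$3
        [ "$owner" = "$uid" ] ||
            printf '%s: %s owned by uid %s, expected %s\n' "$user" "$home" "$owner" "$uid"
        case "$mode" in
            ?????w*|???????[!-]*|????????[!-]*|?????????[!-]*)
                printf '%s: %s mode %s is wider than 0750\n' "$user" "$home" "$mode" ;;
        esac
    done < "$pwfile"
}

PW=$(make_sample)
duplicate_uids "$PW"
extra_uid0_accounts "$PW"
home_dir_findings "$PW"
rm -rf "$(dirname "$PW")"
```

The owner comparison uses numeric UIDs (ls -ldn) rather than names, so an account whose name was reused with a different UID still shows up, and the mode test reads the permission string positionally, so an appended ACL marker does not break it.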

Desktop login profile check:

INFO

Uncomment "# DTSOURCEPROFILE=true" to execute the user's .profile when you open a shell window from the graphical desktop.
The default editor for the desktop is "dtpad", so add export EDITOR=/usr/bin/vi to "/home/root/.profile" to be able to use the shell's in-line history editing.
"/etc/dt/config/Xsession.d/motd" can be used to display a custom logo whenever a user logs in to CDE.

Sequence: 451  - Command: find / -type f \( -fstype jfs -o -fstype jfs2 \) -name '*.dtprofile'

Contents of desktop login profile: /home/root/.dtprofile:

 
Contents of desktop login profile: /usr/dt/config/sys.dtprofile:

 
		
User GECOS check:

INFO

All users should have some valid GECOS info, however you should never include things such as phone-numbers that could be used in a social engineering attack

 

WARNING

4 local users have no GECOS information:

Sequence: 452  - Command: lsuser -R files -a gecos ALL

adm
bin
daemon
sys
		
Users with admin privileges:

INFO

15 local users have the setting "admin=true" which means their passwords cannot be changed by members of the security group

Sequence: 453  - Command: lsuser -R files -a admin ALL

adm
bin
co1217
daemon
esaadmin
ga0112
invscout
lpd
nagios
nobody
pconsole
postgres
root
sshd
sys
		
System user login shells:

WARNING

There are 6 users that require their shells updating

Sequence: 454  - Command: lsuser -R files -a shell ALL

Username  Shell  Status
daemon  /usr/bin/ksh
bin  /usr/bin/ksh
sys  /usr/bin/ksh
adm  /usr/bin/ksh
invscout  /usr/bin/ksh
lpd  /usr/bin/ksh
lp  /bin/false

(The status column was not captured. The six accounts still on /usr/bin/ksh are system accounts that never need an interactive shell; /bin/false, as already set for lp, removes the shell even if the account is later unlocked.)

Local user non-default settings:

WARNING

There are 118 non-default user settings

Sequence: 455  - Command: lsuser -R files -a ALL

Username  Setting  Value  Default
root  admin  true  false
daemon  admin  true  false
bin  admin  true  false
sys  admin  true  false
adm  admin  true  false
invscout  admin  true  false
esaadmin  admin  true  false
lpd  admin  true  false
sshd  admin  true  false
co1217  admin  true  false
pconsole  admin  true  false
ga0112  admin  true  false
nobody  admin  true  false
nagios  admin  true  false
postgres  admin  true  false
esaadmin  login  false  true
pconsole  login  false  true
radiusd  login  false  true
sftp  login  false  true
mysql  login  false  true
rrdcache  login  false  true
pconsole  su  false  true
snapp  su  false  true
esaadmin  rlogin  false  true
snapp  rlogin  false  true
radiusd  rlogin  false  true
mysql  rlogin  false  true
rrdcache  rlogin  false  true
root  admgroups  wbpriv,mysql,mqm  (blank)
snapp  ttys  (blank in report)  ALL
esaadmin  umask  22  77
ldapdb2  umask  22  77
idsinst  umask  22  77
daemon  expires  0101000070  0
bin  expires  0101000070  0
sys  expires  0101000070  0
lpd  expires  0101000070  0
nobody  expires  0101000070  0
root  registry  files  LDAP
esaadmin  registry  files  LDAP
snapp  registry  files  LDAP
ga0112  registry  files  LDAP
andrew  registry  files  LDAP
andrew2  registry  KRB5files  LDAP
ldapdb2  registry  files  LDAP
p520  registry  KRB5Afiles  LDAP
tester  registry  KRB5Afiles  LDAP
root  SYSTEM  "compat"  "KRB5LDAP OR LDAP OR files"
snapp  SYSTEM  "NONE"  "KRB5LDAP OR LDAP OR files"
ga0112  SYSTEM  "compat"  "KRB5LDAP OR LDAP OR files"
andrew  SYSTEM  "compat"  "KRB5LDAP OR LDAP OR files"
andrew2  SYSTEM  "KRB5files"  "KRB5LDAP OR LDAP OR files"
ldapdb2  SYSTEM  "compat"  "KRB5LDAP OR LDAP OR files"
user1  SYSTEM  "LDAP"  "KRB5LDAP OR LDAP OR files"
p520  SYSTEM  "KRB5Afiles"  "KRB5LDAP OR LDAP OR files"
tester  SYSTEM  "KRB5Afiles"  "KRB5LDAP OR LDAP OR files"
daemon  account_locked  true  false
bin  account_locked  true  false
sys  account_locked  true  false
adm  account_locked  true  false
invscout  account_locked  true  false
esaadmin  account_locked  true  false
lpd  account_locked  true  false
sshd  account_locked  true  false
lp  account_locked  true  false
snapp  account_locked  true  false
ipsec  account_locked  true  false
keytest  account_locked  true  false
mqm  account_locked  true  false
radiusd  account_locked  true  false
sftp  account_locked  true  false
nobody  account_locked  true  false
root  loginretries  0  5
esaadmin  default_roles  SysConfig  (blank)
cdat  default_roles  CdatMaster  (blank)
root  efs_allowksmodechangebyuser  yes  (blank in report)
daemon  efs_allowksmodechangebyuser  yes  (blank in report)
bin  efs_allowksmodechangebyuser  yes  (blank in report)
sys  efs_allowksmodechangebyuser  yes  (blank in report)
adm  efs_allowksmodechangebyuser  yes  (blank in report)
invscout  efs_allowksmodechangebyuser  yes  (blank in report)
esaadmin  efs_allowksmodechangebyuser  yes  (blank in report)
lpd  efs_allowksmodechangebyuser  yes  (blank in report)
sshd  efs_allowksmodechangebyuser  yes  (blank in report)
lp  efs_allowksmodechangebyuser  yes  (blank in report)
co1217  efs_allowksmodechangebyuser  yes  (blank in report)
pconsole  efs_allowksmodechangebyuser  yes  (blank in report)
snapp  efs_allowksmodechangebyuser  yes  (blank in report)
ipsec  efs_allowksmodechangebyuser  yes  (blank in report)
keytest  efs_allowksmodechangebyuser  yes  (blank in report)
was  efs_allowksmodechangebyuser  yes  (blank in report)
ga0112  efs_allowksmodechangebyuser  yes  (blank in report)
andrew  efs_allowksmodechangebyuser  yes  (blank in report)
mqm  efs_allowksmodechangebyuser  yes  (blank in report)
andrew2  efs_allowksmodechangebyuser  yes  (blank in report)
radiusd  efs_allowksmodechangebyuser  yes  (blank in report)
idsldap  efs_allowksmodechangebyuser  yes  (blank in report)
www  efs_allowksmodechangebyuser  yes  (blank in report)
wwwadm  efs_allowksmodechangebyuser  yes  (blank in report)
ldapdb2  efs_allowksmodechangebyuser  yes  (blank in report)
sftp  efs_allowksmodechangebyuser  yes  (blank in report)
nobody  efs_allowksmodechangebyuser  yes  (blank in report)
nagios  efs_allowksmodechangebyuser  yes  (blank in report)
pmclient  efs_allowksmodechangebyuser  yes  (blank in report)
pmpolicy  efs_allowksmodechangebyuser  yes  (blank in report)
uptime  efs_allowksmodechangebyuser  yes  (blank in report)
lpar2rrd  efs_allowksmodechangebyuser  yes  (blank in report)
postgres  efs_allowksmodechangebyuser  yes  (blank in report)
user1  efs_allowksmodechangebyuser  yes  (blank in report)
dasusr1  efs_allowksmodechangebyuser  yes  (blank in report)
db2inst1  efs_allowksmodechangebyuser  yes  (blank in report)
db2fenc1  efs_allowksmodechangebyuser  yes  (blank in report)
idsinst  efs_allowksmodechangebyuser  yes  (blank in report)
mysql  efs_allowksmodechangebyuser  yes  (blank in report)
p520  efs_allowksmodechangebyuser  yes  (blank in report)
tester  efs_allowksmodechangebyuser  yes  (blank in report)
rrdcache  efs_allowksmodechangebyuser  yes  (blank in report)
cdat  efs_allowksmodechangebyuser  yes  (blank in report)

(Reading notes: the default stanza above already sets efs_allowksmodechangebyuser = yes, so the 43 rows for it most likely reflect the policy-file mismatch noted in the comparison section rather than per-user changes. expires = 0101000070 is MMDDhhmmyy, i.e. 1 January 1970, the usual way of expiring system accounts. root has loginretries = 0, so repeated failed root logins never lock the account. snapp has SYSTEM = "NONE", which means no authentication is required; it is mitigated only by account_locked = true, su = false and rlogin = false, so that lock must stay in place.)
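Added example (not from the report) for the admin, shell and non-default-setting reviews above: a POSIX sh script that reads the colon-separated output format of lsuser -c and flags unlocked accounts that are admin=true and interactive, that have loginretries=0, or whose SYSTEM attribute is compat or NONE. The sample data is constructed to resemble the tables above; it was not captured from the host.

```shell
#!/bin/sh
# Added example, not from the original report: review user attributes
# in the colon-separated form that "lsuser -c" produces and flag the
# combinations the report above warns about. SAMPLE_LSUSER is constructed
# (values modelled on the tables above, not captured from the host); on a
# real system feed the function the output of
#   lsuser -c -a admin login account_locked loginretries SYSTEM ALL

SAMPLE_LSUSER='#name:admin:login:account_locked:loginretries:SYSTEM
root:true:true:false:0:compat
daemon:true:true:true:5:KRB5LDAP OR LDAP OR files
co1217:true:true:false:5:KRB5LDAP OR LDAP OR files
snapp:false:true:true:5:NONE
ga0112:true:true:false:5:compat
user1:false:true:false:5:LDAP'

# Read lsuser -c data on stdin; print one finding per line. Column
# positions are taken from the "#name:..." header, so the attribute order
# given on the lsuser command line does not matter.
user_attr_findings() {
    awk -F: '
    /^#name:/ { for (i = 1; i <= NF; i++) col[$i] = i; next }
    /^#/ || NF < 2 { next }
    {
        name = $1
        admin = $(col["admin"]); login = $(col["login"])
        locked = $(col["account_locked"]); retries = $(col["loginretries"])
        sysattr = $(col["SYSTEM"])
        if (locked == "true") next          # a locked account cannot be used
        if (admin == "true" && login == "true")
            printf "%s: admin=true and can log in interactively\n", name
        if (retries == "0")
            printf "%s: loginretries=0, no lockout after failed logins\n", name
        if (sysattr == "compat")
            printf "%s: SYSTEM=compat, local files only (expected for root, review for others)\n", name
        if (sysattr == "NONE" && login == "true")
            printf "%s: SYSTEM=NONE, no authentication required\n", name
    }'
}

# Self-check helper: number of findings for the constructed sample.
sample_user_findings() {
    printf '%s\n' "$SAMPLE_LSUSER" | user_attr_findings | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LSUSER" | user_attr_findings
```

Locked accounts are skipped because, as the tables above show, most of the admin=true system accounts are also account_locked=true; the findings that remain are the ones a person can actually exercise.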

User non-default limits:

WARNING

There are 32 non-default user settings

Sequence: 456  - Command: lsuser -R files -a ALL

Username  Setting  Value  Default
root  fsize  -1  2097151
ldapdb2  fsize  -1  2097151
lpar2rrd  fsize  -1  2097151
postgres  fsize  -1  2097151
idsinst  fsize  -1  2097151
root  core  0  2097151
ldapdb2  core  -1  2097151
lpar2rrd  core  0  2097151
postgres  core  0  2097151
idsinst  core  -1  2097151
root  data  -1  262144
pconsole  data  1280000  262144
ldapdb2  data  491519  262144
nobody  data  524288  262144
lpar2rrd  data  1048576  262144
postgres  data  -1  262144
idsinst  data  491519  262144
root  rss  -1  65536
ldapdb2  rss  -1  65536
lpar2rrd  rss  -1  65536
postgres  rss  -1  65536
idsinst  rss  -1  65536
root  stack  -1  65536
esaadmin  stack  393216  65536
ldapdb2  stack  32767  65536
nobody  stack  262144  65536
lpar2rrd  stack  524288  65536
postgres  stack  -1  65536
idsinst  stack  32767  65536
root  nofiles  -1  2000
lpar2rrd  nofiles  -1  2000
postgres  nofiles  -1  2000

Users that are members of privileged local groups:

WARNING

4 local users are members of system groups. Some elevated permissions are controlled by group membership.

Sequence: 457  - Command: lsuser -R files -a admin ALL

esaadmin:
	groups=system,staff

ga0112:
	groups=staff,system

ldapdb2:
	groups=dbsysadm,staff,idsldap,dasadm1

root:
	groups=system,bin,sys,security,cron,audit,lp,dbsysadm,mqm,idsldap

		
Local users with non-standard user registry settings:

WARNING

There are 40 users with non-standard registry settings. (This can be due to implicit defaults rather than an explicit setting).

Sequence: 458  - Command: lsuser -R files -a registry SYSTEM ALL

Username  Registry  System 
adm  LDAP  KRB5LDAP OR LDAP OR files 
andrew2  KRB5files  KRB5files 
bin  LDAP  KRB5LDAP OR LDAP OR files 
cdat  LDAP  KRB5LDAP OR LDAP OR files 
co1217  LDAP  KRB5LDAP OR LDAP OR files 
daemon  LDAP  KRB5LDAP OR LDAP OR files 
dasusr1  LDAP  KRB5LDAP OR LDAP OR files 
db2fenc1  LDAP  KRB5LDAP OR LDAP OR files 
db2inst1  LDAP  KRB5LDAP OR LDAP OR files 
esaadmin  files  KRB5LDAP OR LDAP OR files 
idsinst  LDAP  KRB5LDAP OR LDAP OR files 
idsldap  LDAP  KRB5LDAP OR LDAP OR files 
invscout  LDAP  KRB5LDAP OR LDAP OR files 
ipsec  LDAP  KRB5LDAP OR LDAP OR files 
keytest  LDAP  KRB5LDAP OR LDAP OR files 
lp  LDAP  KRB5LDAP OR LDAP OR files 
lpar2rrd  LDAP  KRB5LDAP OR LDAP OR files 
lpd  LDAP  KRB5LDAP OR LDAP OR files 
mqm  LDAP  KRB5LDAP OR LDAP OR files 
mysql  LDAP  KRB5LDAP OR LDAP OR files 
nagios  LDAP  KRB5LDAP OR LDAP OR files 
nobody  LDAP  KRB5LDAP OR LDAP OR files 
p520  KRB5Afiles  KRB5Afiles 
pconsole  LDAP  KRB5LDAP OR LDAP OR files 
pmclient  LDAP  KRB5LDAP OR LDAP OR files 
pmpolicy  LDAP  KRB5LDAP OR LDAP OR files 
postgres  LDAP  KRB5LDAP OR LDAP OR files 
radiusd  LDAP  KRB5LDAP OR LDAP OR files 
rrdcache  LDAP  KRB5LDAP OR LDAP OR files 
sftp  LDAP  KRB5LDAP OR LDAP OR files 
snapp  files  NONE 
sshd  LDAP  KRB5LDAP OR LDAP OR files 
sys  LDAP  KRB5LDAP OR LDAP OR files 
tester  KRB5Afiles  KRB5Afiles 
uptime  LDAP  KRB5LDAP OR LDAP OR files 
user1  LDAP  LDAP 
was  LDAP  KRB5LDAP OR LDAP OR files 
www  LDAP  KRB5LDAP OR LDAP OR files 
wwwadm  LDAP  KRB5LDAP OR LDAP OR files 
Local users with remote-commands attribute set:

INFO

There are no users that allow remote commands.

Local users login time restrictions:

WARNING

There is 1 user with restricted login times

Sequence: 460  - Command: lsuser -R files -a logintimes ALL

#This restricted is a comment logintimes=
		
Default user session timeout:

INFO

Example: TMOUT=600 ; export TIMEOUT=600 ; export readonly TMOUT TIMEOUT

 

INFO

Timeout set as: # TMOUT=120

User last password change:

Sequence: 462  - Command: grep -p $U /etc/security/passwd

Username  Last password change 
root  Wed Dec 11 16:03:56 2013 
daemon  Never 
bin  Never 
sys  Never 
adm  Never 
#This is a comment  Never 
invscout  Tue Jan 24 08:57:08 2012 
esaadmin  Never 
lpd  Never 
sshd  Never 
lp  Never 
co1217  Fri Jun 13 15:44:26 2014 
pconsole  Never 
snapp  Never 
ipsec  Never 
keytest  Never 
was  Tue Jul 9 14:17:43 2013 
ga0112  Tue Nov 1 13:21:37 2011 
andrew  Wed Oct 1 07:59:47 2014 
mqm  Never 
andrew2  Thu Nov 17 09:11:36 2011 
radiusd  Never 
idsldap  Tue Dec 13 16:15:18 2011 
www  Never 
wwwadm  Never 
ldapdb2  Fri May 9 16:22:31 2014 
sftp  Never 
nobody  Never 
nagios  Never 
pmclient  Thu Dec 20 14:21:45 2012 
pmpolicy  Fri Jan 11 11:50:42 2013 
uptime  Tue Feb 19 13:15:55 2013 
lpar2rrd  Never 
postgres  Fri Jan 31 15:21:28 2014 
user1  Never 
dasusr1  Wed Apr 23 12:57:14 2014 
db2inst1  Wed Apr 23 12:57:26 2014 
db2fenc1  Wed Apr 23 12:57:29 2014 
idsinst  Fri May 9 08:24:53 2014 
mysql  Never 
p520  Never 
tester  Never 
rrdcache  Never 
cdat  Never 
User with password expiry:

Sequence: 463  - Command: lsuser -R files -a expires ALL

Username  Expires 
root 
adm 
invscout 
esaadmin 
sshd 
lp 
co1217 
pconsole 
snapp 
ipsec 
keytest 
was 
ga0112 
andrew 
mqm 
andrew2 
radiusd 
idsldap 
www 
wwwadm 
ldapdb2 
sftp 
nagios 
pmclient 
pmpolicy 
uptime 
lpar2rrd 
postgres 
user1 
dasusr1 
db2inst1 
db2fenc1 
idsinst 
mysql 
p520 
tester 
rrdcache 
cdat 
User remote login enabled:

WARNING

2 users have remote login enabled

Sequence: 464  - Command: lsuser -a login rlogin ALL

User  Login  Rlogin 
root  true  true 
Global search paths:

Sequence: 465  - Command: grep PATH /etc/environment

PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java6/jre/bin:/usr/java6/bin:/usr/local/bin:/usr
LOCPATH=/usr/lib/nls/loc
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat
MANPATH=${MANPATH}:/opt/ibm/director/man
		
Extended history/timestamp check:

Sequence: 1465  - Command: grep EXTENDED_HISTORY /etc/environment

EXTENDED_HISTORY=ON
		
Check non-system filesystem mount options:

Checking mount options for: "/cdrom"

 

INFO

filesystem mounted using NODEV option

 

INFO

filesystem mounted using NOSUID option


Checking mount options for: "/home"

 

WARNING

The "/home" filesystem should not normally be able to execute SETUID programs or contain device special files


Checking mount options for: "/tmp"

 

WARNING

The "/tmp" filesystem should not normally be able to execute SETUID programs or contain device special files


System login herald message:

INFO

This message appears BEFORE login and should contain a legal disclaimer and reveal as little as possible about the system's role and architecture

Sequence: 467  - Command: lssec -f /etc/security/login.cfg -s default -a herald

default herald="Unauthorized use of this system is prohibited.\n\rDon't mess with the Finch!!\n\rlogin: "
		
System message of the day:

INFO

This message appears AFTER login and should contain a legal disclaimer and reveal as little as possible about the system's role and architecture

Sequence: 468  - Command: cat /etc/motd

*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 6.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
* ATTENTION - THERE IS NOW A CRONJOB TO SHUTDOWN THIS SERVER AT 20:00 EVERY   *
* DAY. IF YOU NEED TO LEAVE SOMETHING RUNNING OVERNIGHT THEN PLEASE DISABLE IT*
*******************************************************************************
		
Default FTP banner:

WARNING

You should not be using ftp as it transfers data in unencrypted form. If you must use it, ensure you change the login banner. You should also append the "-l" option to ftpd in "/etc/inetd.conf" and append "daemon.info FileName" to "/etc/syslog.conf".

Sequence: 469  - Command: dspcat /usr/lib/nls/msg/EN_US/ftpd.cat 1 9

%s FTP server (%s) ready.
		
TFTP access control:

Sequence: 1469  - Command: cat /etc/tftpaccess.ctl

# @(#)05	1.2  src/tcpip/usr/samples/tcpip/tftpaccess.ctl, tcpip_samples, tcpip610 10/17/91 09:25:40
# IBM_PROLOG_BEGIN_TAG 
# This is an automatically generated prolog. 
#  
# tcpip610 src/tcpip/usr/samples/tcpip/tftpaccess.ctl 1.2 
#  
# Licensed Materials - Property of IBM 
#  
# COPYRIGHT International Business Machines Corp. 1985,1989 
# All Rights Reserved 
#  
# US Government Users Restricted Rights - Use, duplication or 
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 
#  
# IBM_PROLOG_END_TAG 
#
# COMPONENT_NAME: tcpip
#
# FUNCTIONS:
#
# ORIGINS: 27
#
# (C) COPYRIGHT International Business Machines Corp. 1985, 1989
# All Rights Reserved
# Licensed Materials - Property of IBM
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
####################################################################
#
#	These are examples on allowing/denying tftp to access 
#	specific directories.  If the /etc/tftpaccess.ctl file exists
#	with permissions -rw-r--r-- (or 644) and it does not contain
#	any uncommented allow lines, then tftp access is denied for
#	the entire system.
#
####################################################################
####################################################################
# 	The following example, when uncommented, only
#	allows access to the Xstations boot files.
####################################################################
#allow:/usr/lpp/x_st_mgr/bin/bootfile
#allow:/usr/lpp/x_st_mgr/bin/bootfile1
#allow:/usr/lpp/x_st_mgr/bin/bootfile2
#
####################################################################
# 	The following example, when uncommented, only
#	allows access to the Diskless Client boot files.
####################################################################
#allow:/tftpboot
#
####################################################################
# 	The following example, when uncommented, allows access to
#	the /tmp and /usr/tmp (which is actually /var/tmp)
#	directories only.
####################################################################
#allow:/tmp
#allow:/usr/tmp
#
####################################################################
# 	The following example, when uncommented, allows access to
#	the entire system with the exemption of the /dev,
#	/etc, /sbin, /usr/bin, /usr/lib, and /usr/sbin directories.
####################################################################
#allow:/
#deny:/dev
#deny:/etc
#deny:/sbin
#deny:/usr/bin
#deny:/usr/lib
#deny:/usr/sbin

allow:/tmp
allow:/tftpboot
		
Is /tftpboot a separate filesystem:

Sequence: 1470  - Command: df -g /tftpboot

Filesystem  GB_blocks  Free  %Used 
/dev/fslv15  0.25  0.25  1% 
Network security parameters:

WARNING

There are 1 potentially risky network setting(s)! Note: These could be appropriate for your system.

Sequence: 470  - Command: cat /usr/local/bin/parameters/network_params

Tunable  Setting  Default  Status
arpt_killc  20  20
bcastping  0  0
clean_partial_conns  1  1
directed_broadcast  0  0
icmpaddressmask  0  0
ipforwarding  0  0
ipignoreredirects  1  1
ipsendredirects  0  0
ip6srcrouteforward  0  0
ipsrcrouteforward  0  0
ipsrcrouterecv  0  0
ipsrcroutesend  0  0
nonlocsrcroute  0  0
tcp_icmpsecure  0  0
ip_nfrag  200  200
rfc1122addrchk  0  0
rfc1323  1  1
tcp_mssdflt  1448  1448
tcp_recvspace  262144  262144
sb_max  1310720  1048576
tcp_sendspace  262144  262144
tcp_tcpsecure  5  5
tcp_pmtu_discover  0  0
udp_pmtu_discover  0  0

Sensitive device parameters:

Sequence: 471  - Command: ls -l /dev/*mem /dev/zero /dev/null

Perms  Owner  Group  Major  Month  Day  Time  Filename 
cr--r-----  root  system  2,  Sep  26  20:31  /dev/kmem 
cr--r-----  root  system  2,  Sep  26  20:31  /dev/mem 
crw-rw-rw-  root  system  2,  Oct  20  12:37  /dev/null 
cr--r-----  root  system  2,  Sep  26  20:31  /dev/pmem 
crw-rw-rw-  root  system  2,  Sep  26  20:31  /dev/zero 
Kerberos configuration:

Sequence: 472  - Command: cat /etc/krb5/krb5.conf

[libdefaults]
        ticket_lifetime = 365d 0h 0m 0s
        default_realm = BLUEFINCH.LOCAL
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac

        allow_weak_crypto = true
        dns_lookup_kdc = true
        dns_lookup_realm = true

        forwardable=true
        renewable=true


[realms]
        BLUEFINCH.LOCAL = {
                kdc = win-jir4mbrd2a9.bluefinch.local:88
                admin_server = win-jir4mbrd2a9.bluefinch.local:749
                default_domain = bluefinch.local
        }

[domain_realm]
        .bluefinch.local = BLUEFINCH.LOCAL
        bluefinch.local = BLUEFINCH.LOCAL
        win-jir4mbrd2a9.bluefinch.local = BLUEFINCH.LOCAL

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log

[appdefaults]
        autologin=true
        forward=true
        forwardable=true
        renewable=true
        encrypt=true
		
Netgroups configuration:

Sequence: 1472  - Command: grep + $F

/etc/passwd:
/etc/group:
/etc/netgroup:
/.rhosts:
		
User non-standard umask check:

Sequence: 1473  - Command: grep umask /etc/profile

umask entries in "/etc/profile"
umask entries in "/home/*/.profile"
umask entries in "/home/*/.bash_profile"
umask entries in "/home/*/.cshrc"
umask entries in "/home/*/.login"
umask entries in "/home/*/.profile"
		
Show portlog statistics:

INFO

A rapid increase in "unsuccessful_login_times" can indicate an attack.

Sequence: 1474  - Command: cat /etc/security/portlog

*******************************************************************************
* valid port attributes for /etc/security/portlog:
*
* locktime			The time (in seconds since the Epoch) that
*				the given port was locked.  If this value is
*				0, then the port is not locked.
*
* unsuccessful_login_times	A comma separated list of times (in seconds
*				since the Epoch) that unsuccessful login
*				attempts occurred on this port.  This is used
*				in conjunction with logindisable and
*				logininterval in /etc/security/login.cfg to
*				determine when to lock a port.
*
*******************************************************************************

ssh:
	unsuccessful_login_times = 1412252747                                                                        
	locktime = 0         

/dev/lft0:
	unsuccessful_login_times = 1411989575           
		
Systems Director Console (remote access):

INFO

This service runs from "/etc/inittab" and should be disabled if not required by your administrators.

Sequence: 1475  - Command: lssrc -s pconsole

Subsystem  Group  PID  Status 
pconsole  pconsole  6881504  active 

Licenced to: BlueFinch BV - sales@bluefinch.nl
