RE: [FW1] Guide for Hardening AIX.
>As mentioned above, I need a guide for AIX in
>particular. Thanks.

Here are notes I've gathered from IBM's RedBooks. For the full document
see the referenced document.

-----------------------------------------------------------------------
NOTES for CP VPN-1/FW-1 ON IBM AIX platforms.
Notes compiled by: Amin Tora, ePlus Technology Inc. for Secure+ use.

(All notes referenced from: "Check Point VPN-1/FireWall-1 on AIX: A
Cookbook for Stand-Alone and High Availability Solutions" by Axel
Bucker, Rob Middleton, Rahul Patel, Anthony Michalakopoulos
RedBooks: http://www.ibm.com/redbooks )

------------<Begin AIX OS section>--------------------------

-AIX: Installation
  Base Install w/ Trusted Computing Base
  Add following:
    *bos.acct 4.3.3.0             {needed for vmstat, iostat, etc.}
    *bos.dosutil 4.3.3.0          {needed for dosread/doswrite of floppy disks}
    *bos.net.tcp.server 4.3.3.0   {needed for tcpdump and iptrace}
    *bos.sysmgmt.trace 4.3.3.0    {needed for trace command}
    *bos.adt.syscalls 4.3.3.0     {needed for CP VPN-1/FW-1}
  --<man pages: install if really necessary, not recommended>---
    *bos.data 4.3.3.0             {needed for man pages}
    *bos.txt.tfs 4.3.3.0          {txt formatting, needed for man pages}

-SMITTY
  smitty tcpip     {setting default gateway, routes, etc...}
  smitty inet      {configure network adapters}
  smitty crcdrfs   {mounting CD's}
  smitty crjfs     {mount FileSystems}
  smitty chgtok    {change token ring settings}

-Mounting cdrom fs
  #mkdir /cdrom
  #smitty crcdrfs
    F4 in smitty
    Select CD device
    Enter mount point
    Mount Auto on Restart? (y/n)
    F10 to exit
  #mount /cdrom   {to mount immediately...}

-Making /usr/local mount point
  #mkdir /usr/local
  #smitty crjfs
    Select Add a Standard Journaled File System
    Select rootvg for Volume Groups
    Enter SIZE for file system in 512byte blocks
      {1mb = 2,000 512byte blocks, 300mb = 600,000 blocks}
    Enter /usr/local for MOUNT POINT
    Mount Auto to Restart? (y/n)
    F10 to exit
  #mount /usr/local   {to mount immediately...}

-Download AIX Program Temporary Fixes (PTFs), patches
  Download from IBM:
    http://service.software.ibm.com/cgi-bin/support/rs6000.support/downloads
  *OR* use the FIXDIST utility (download from):
    ftp://service.software.ibm.com
  Copy PTFs to /usr/local/aixptfs

  PREVIEW install of PTFs:
  #smitty update_all
    Enter dir /usr/local/aixptfs in INPUT device
    To run PREVIEW (without install):
      set PREVIEW only to YES
      set COMMIT software updates to NO
      set VERIFY install and check file sizes to YES
      set DETAILED output to YES
    Press ENTER twice to PREVIEW
    When PREVIEW is complete, use the search key (/) to search for
    'fail' and 'failure'. Also, press the ESC key and then the > key
    to get to the end of the output. All patches should have passed
    verification.
    To INSTALL patches, press F3, then set PREVIEW only? to NO and
    press ENTER twice.

-Viewing which physical adapters map to symbolic adapter names
  #lsdev -Cc adapter   {look for slot numbers, etc...}

-Setting default gateway
  #smitty tcpip
    Choose Minimum Configuration & Startup
    Choose external network interface
    Move cursor to Default GATEWAY address and enter IP
    Change Start Now OPTION to YES (to enable now)

-Configure HOSTS file
  Make file /etc/hosts with a text editor OR use:
  #cat > /etc/hosts
  <enter text>
  CTRL-D
  #

-------------------<End AIX OS Section>---------------------------

-------------------<Begin VPN-1/FW-1 section>---------------------

-Copying CP files to /usr/local/fw1
  # cd /
  # mount /cdrom
  # mount /usr/local
  # mkdir /usr/local/fw1
  # cp -r /cdrom/aix /usr/local/fw1
  # umount /cdrom

-DNS: not recommended
  /etc/netsvc.conf should include the line "hosts=local"
  /etc/resolv.conf should not exist (rename to .old)

-Installing VPN-1/FW-1
  Make sure that the *bos.adt.syscalls 4.3.3.0 package is installed:
  Insert AIX cdrom
  #mount /cdrom
  #smitty install_all
    enter /cd0 in INPUT dev/dir
    press F4 for software
    press / and enter syscalls to find the bos.adt.syscalls package
    hit ENTER to install
  #smitty install_latest
    enter /usr/local/fw1/aix/CPfw1-41 in INPUT dev/dir
    press F4 to show available software
    arrow down to Check Point VPN-1/FireWall-1 for AIX and press F7
    press ENTER
    [to PREVIEW set PREVIEW to YES, else set it to NO and COMMIT to
     YES to install]

-Setting environment variables
  Set in the .profile file:
    FWDIR=/usr/lpp/CPfw1-41 ; export FWDIR
    PATH=$PATH:$FWDIR/bin:/usr/local/bin ; export PATH
    MANPATH=$MANPATH:$FWDIR/man ; export MANPATH

-Configuring Check Point
  run cpconfig

-Licensing alias trick
  You can alias an IP to the loopback interface (lo0):
    echo "/usr/sbin/ifconfig lo0 alias 10.1.1.1" >> /etc/rc.local
    chmod +x /etc/rc.local   {allow rc.local to be executed}
    /etc/rc.local            {run the script to apply what we entered above}
  Doing an "ifconfig -a" should now show the lo0 interface with the
  above IP. You can license the CP software to this address
  {makes it a bit more flexible if you change IPs, etc.}

-IP Forwarding
  check:  no -a | grep ipforwarding
  set:    no -o ipforwarding=x   {x: 0,1}
  Since VPN-1/FW-1 doesn't support IP forwarding control in its
  fwstart/fwstop scripts, need to make own scripts and disable the
  ones that come from CP:
  #cd /usr/lpp/CPfw1-41/bin
  #chmod -x fwstart fwstop
  #fwstart   {should result in ksh error: exec perm denied}
  #fwstop    {should result in ksh error: exec perm denied}
  #
  #cd /usr/local/bin
  #cat > stop-fw1   {make stop script}
  /usr/sbin/no -o ipforwarding=0
  /usr/sbin/no -a | grep ipforwarding
  csh -f /usr/lpp/CPfw1-41/bin/fwstop
  CTRL-D
  #cat > start-fw1   {make start script}
  csh -f /usr/lpp/CPfw1-41/bin/fwstart
  /usr/sbin/no -o ipforwarding=1
  /usr/sbin/no -a | grep ipforwarding
  CTRL-D
  #chmod 770 stop-fw1 start-fw1
  Also, need to put start-fw1 into the /etc/rc.local script so the fw
  starts on bootup:
  #echo "FWDIR=/usr/lpp/CPfw1-41; export FWDIR" >> /etc/rc.local
  #echo "/usr/local/bin/start-fw1" >> /etc/rc.local
  #start-fw1   {test start script}
  #stop-fw1    {test stop script}
  Make /etc/rc.local run during boot:
  #mkitab "rclocal:2:once:/etc/rc.local >/dev/console 2>&1"

-Backing up VPN-1/FW-1
  Insert tape into tape drive
  #smitty mksysb
    enter tape device {i.e. /dev/rmt0} and press ENTER

-Patching VPN-1/FW-1
  If you copied all contents from the CD to /usr/local/fw1, then the
  directory /usr/local/fw1/patches should contain the patches.
  Use smitty to install patches:
  #smitty install_latest
    enter /usr/local/fw1/patches/<patchdir> for INPUT
    Select patch to install

----------------<End VPN-1/FW-1 section>----------------------

----------------<Begin Hardening AIX OS section>--------------

-/etc/inittab
  Backup /etc/inittab:
  #cp /etc/inittab /etc/inittab.orig
  Remove unnecessary services:
  #for e in rcnfs piobe qdaemon writesrv uprintfd; do rmitab $e; done
  [also deleted/commented out:
    welcome:2:wait...
    httpdlite:2:once...
    imnss:2:once...
    imqss:2:once...
    dt:2:wait...
    pmd:2:wait... ]

-/etc/rc.tcpip
  Comment out everything in /etc/rc.tcpip, then add inetd and syslogd:
  #cd /etc
  #cp rc.tcpip rc.tcpip.orig
  #sed -e 's/^start /#start /' rc.tcpip.orig > rc.tcpip
  #cat >> rc.tcpip
  start /usr/sbin/syslogd "$src_running"
  start /usr/sbin/inetd "$src_running"
  CTRL-D
  #

-/etc/inetd.conf
  Remove all startup entries except for ftp and telnet:
  #cd /etc
  #cp inetd.conf inetd.conf.orig
  #egrep "/ftp|/telnet" inetd.conf.orig > inetd.conf
  #
  Manually disable ftp and telnet by commenting them out in inetd.conf.

-Removing unnecessary users and groups
  #for u in uucp guest lpd; do rmuser -p $u; done
  #for g in uucp printq; do rmgroup $g; done
  (see below also...)
  #usrck -y ALL   <will see some messages>
  #grpck -y ALL
  #pwdck -y ALL
  #
  [also had to do the following:
    rmuser -p nuucp
    rmgroup uucp
   also removed:
    rmuser -p nobody
    rmgroup nobody ]

-Making /etc/rc.local.net script to set TCP/IP settings on bootup
  #cat >> /etc/rc.local.net
  /usr/sbin/no -o clean_partial_conns=1    {??}
  /usr/sbin/no -o ipsendredirects=0        {disable ICMP redirects}
  /usr/sbin/no -o nonlocsrcroute=0         {disable local src routing}
  /usr/sbin/no -o bcastping=0              {disable broadcast pings}
  /usr/sbin/no -o tcp_mssdflt=1370         {set default TCP message size}
  /usr/sbin/no -o icmpaddressmask=0        {don't respond to mask requests}
  /usr/sbin/no -o udp_pmtu_discover=0      {??}
  /usr/sbin/no -o tcp_pmtu_discover=0      {??}
  /usr/sbin/no -o directed_broadcast=0     {don't respond to net directed bcasts}
  /usr/sbin/no -o ipignoreredirects=0      {something with redirects..??}
  /usr/sbin/no -o ipsrcroutesend=0         {don't send src route info}
  /usr/sbin/no -o ipsrcrouterecv=0         {don't accept src route info}
  /usr/sbin/no -o ipsrcrouteforward=0      {don't route src route info}
  /usr/sbin/no -o ip6srcrouteforward=0     {don't forward ipv6 src route info}
  CTRL-D
  #chmod +x /etc/rc.local.net
  #/etc/rc.local.net   {run script to set...}
  #mkitab "rclonet:2:once:/etc/rc.local.net > /dev/console 2>&1"
  #

-/etc/motd ; /etc/security/login.cfg ; /etc/security/user
  Edit these files and insert Warning Banners!!
  [For login banners, you need to edit the login.cfg file: in the
   ":default" section, make an entry for "herald" like so:
     herald = "login message..."
   The entire line needs to be ONE LONG STRING OF CHARACTERS. No line
   breaks. To feed line breaks use \r\n]
  {i.e.
  **WARNING**WARNING**WARNING**WARNING**WARNING**WARNING**WARNING**
  This system is for AUTHORIZED USE ONLY!
  All activity may be subject to monitoring!
  Any unauthorized attempts and access to this system are strictly
  prohibited. Any unauthorized use of this system is subject to
  prosecution under the fullest extent of the law!
  Proceed at your own risk!
  **WARNING**WARNING**WARNING**WARNING**WARNING**WARNING**WARNING**
  }

-Shutting down the system
  #shutdown -Fr

------------------------<End Hardening AIX OS Section>------------------
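The start-fw1/stop-fw1 wrappers in the IP Forwarding section above turn ipforwarding on immediately after fwstart, whether or not fwstart actually succeeded. Below is an added example, written for this page and not taken from the RedBook notes or from Check Point, of the same two wrappers done fail-safe: forwarding is enabled only when fwstart exits 0 and the new value is read back with `no -a`; on stop, forwarding is disabled before fwstop runs, so the host never forwards packets without the firewall loaded. The command paths, the variable names and the assumption that `no -a` prints a line of the form `ipforwarding = N` are this example's own.

```shell
#!/bin/sh
# Added example, not from the RedBook notes or from Check Point: fail-safe
# start-fw1/stop-fw1 wrappers. Forwarding is enabled only after fwstart
# has returned 0 and is verified via `no -a`; on stop it is disabled
# before fwstop runs, so the host never forwards packets without the
# firewall loaded.
# Assumptions of this example: the paths below, and that `no -a` prints
# a line of the form "ipforwarding = N". They are variables so a test
# can swap in stubs.

FWDIR=${FWDIR:-/usr/lpp/CPfw1-41}
NO=${NO:-/usr/sbin/no}
FWSTART=${FWSTART:-"csh -f $FWDIR/bin/fwstart"}
FWSTOP=${FWSTOP:-"csh -f $FWDIR/bin/fwstop"}

# Current ipforwarding value (0 or 1) as reported by `no -a`.
ip_forwarding() {
    "$NO" -a | sed -n 's/^[[:space:]]*ipforwarding[[:space:]]*=[[:space:]]*//p'
}

# Bring the firewall up; only then open the forwarding path.
start_fw1() {
    if ! $FWSTART; then
        echo "start-fw1: fwstart failed, ipforwarding left at $(ip_forwarding)" >&2
        return 1
    fi
    "$NO" -o ipforwarding=1 || return 1
    if [ "$(ip_forwarding)" != 1 ]; then
        echo "start-fw1: ipforwarding did not change to 1" >&2
        return 1
    fi
}

# Close the forwarding path first, then take the firewall down.
# Every step runs even if an earlier one failed; the exit status
# reports whether all of them succeeded.
stop_fw1() {
    rc=0
    "$NO" -o ipforwarding=0 || rc=1
    $FWSTOP || rc=1
    [ "$(ip_forwarding)" = 0 ] || rc=1
    return $rc
}

case "${1:-}" in
    start) start_fw1 ;;
    stop)  stop_fw1 ;;
esac
```

Installed as, say, /usr/local/bin/fw1ctl (a name chosen for this example), `fw1ctl start` can replace the start-fw1 line in /etc/rc.local; a non-zero exit there shows up on the console, which is the point: a failed fwstart at boot should leave the box not forwarding, not silently forwarding unfiltered.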
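The hardening section above sets kernel tunables from rc.local.net, trims inetd.conf to an allow list, and puts a one-line herald in login.cfg, but gives no way to confirm afterwards that the box actually ended up in that state. The following is an added example, written for this page and not part of the RedBook notes, that audits those three things from text input (the output of `no -a`, the contents of inetd.conf, the contents of login.cfg) and also builds the single-line herald value from a multi-line banner, since the \r\n rule is easy to get wrong by hand. The function names, the constructed sample inputs in the test, and the assumed formats (`no -a` prints one `name = value` per line; an inetd entry is enabled when its line is not commented out; login.cfg stanzas start at column 0 with indented attributes) are this example's, not the notes'.

```shell
#!/bin/sh
# Added example, not from the RedBook notes: audit a box against the
# hardening steps above. Each function takes the file/command text as an
# argument so it runs on a live system or on a saved copy.
# Assumptions of this example: `no -a` prints one "name = value" per line;
# an inetd.conf entry is enabled when the line does not start with '#';
# login.cfg stanzas start at column 0 ("default:") with indented attributes.

# Tunables and values taken from the rc.local.net script in the notes
# (as written there, including the ones the notes mark {??}).
EXPECTED_NO='clean_partial_conns=1
ipsendredirects=0
nonlocsrcroute=0
bcastping=0
tcp_mssdflt=1370
icmpaddressmask=0
udp_pmtu_discover=0
tcp_pmtu_discover=0
directed_broadcast=0
ipignoreredirects=0
ipsrcroutesend=0
ipsrcrouterecv=0
ipsrcrouteforward=0
ip6srcrouteforward=0'

# audit_no <text of `no -a`>: print "name expected=X actual=Y" for every
# tunable that deviates (actual=unset if missing); exit 1 if any did.
audit_no() {
    printf '%s\n' "$EXPECTED_NO" | while IFS='=' read -r name want; do
        have=$(printf '%s\n' "$1" |
            sed -n "s/^[[:space:]]*$name[[:space:]]*=[[:space:]]*//p")
        [ "$have" = "$want" ] ||
            printf '%s expected=%s actual=%s\n' "$name" "$want" "${have:-unset}"
    done | awk '{ print } END { if (NR > 0) exit 1 }'
}

# active_inetd_services <text of inetd.conf>: names of services still
# enabled (non-blank lines that are not commented out), one per line.
active_inetd_services() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF { print $1 }'
}

# audit_inetd <text of inetd.conf> [allowed service...]: print every
# enabled service not in the allow list; exit 1 if there were any.
audit_inetd() {
    conf=$1
    shift
    allowed=" $* "
    active_inetd_services "$conf" | while read -r svc; do
        case "$allowed" in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done | awk '{ print } END { if (NR > 0) exit 1 }'
}

# make_herald <multi-line banner>: the single-line herald value the notes
# call for, with each line break written as the two characters \r\n.
# The herald is printed in place of the default login prompt, so the
# banner passed in normally ends with "login: ".
make_herald() {
    printf '%s' "$1" | awk '
        BEGIN  { printf "herald = \"" }
        NR > 1 { printf "%s", "\\r\\n" }
               { printf "%s", $0 }
        END    { printf "\"\n" }'
}

# audit_herald <text of login.cfg>: exit 0 only if the default: stanza
# carries a herald attribute.
audit_herald() {
    printf '%s\n' "$1" | awk '
        /^default:/ { in_default = 1; next }
        /^[^[:space:]]/ { in_default = 0 }
        in_default && /^[[:space:]]*herald[[:space:]]*=/ { found = 1 }
        END { exit !found }'
}
```

On the firewall itself this is `audit_no "$(/usr/sbin/no -a)"`, `audit_inetd "$(cat /etc/inetd.conf)" ftp telnet` and `audit_herald "$(cat /etc/security/login.cfg)"`, run once after the reboot at the end of the procedure: rc.local.net is started from inittab, so a typo in one `no -o` line fails quietly and leaves that tunable at its default, and this is what catches it.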