Detections
Analytics

1.3.4.1 Ensure Secure by Default is selected during the installation

Information

Secure By Default (SbD) is the concept of installing a minimal set of software in a secure configuration.

The AIX Secure by Default (SbD) installation option installs a lighter version of the TCP client and server filesets, that excludes vulnerable commands and files. The bos.net.tcp.client and bos.net.tcp.server filesets are part of the SbD installation and contain all commands and files except for any applications that allow for the transmission of passwords over the network in clear text format such as telnet and ftp. In addition, applications that might be used, such as rsh, rcp, and sendmail, are excluded from the SbD filesets.

The final automated process of the SbD install is to impose the AIX Security Expert high-level security configuration settings. You can do this by running the aixpert command from /etc/firstboot script: /usr/sbin/aixpert -f /etc/security/aixpert/core/SbD.xml -p 2>/etc/security/aixpert/log/firstboot.log

The differences between an SbD-installed system and a regular installation with an AIX Security Expert High Level Security configuration is best illustrated by examining the telnet command. In both cases, the telnet command is disabled. In an SbD installation, the telnet binary or application is never even installed on the system.

Many legacy services send passwords over the network in clear text and as such their use id discouraged. Whilst many of these packages can be uninstalled later, it is preferable that they are not installed on the system in the first place in order to minimise the risk.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

The Secure by Default option can be found under option 3 of the Installation and Settings menu

Installation and Settings

Either type 0 and press Enter to install with current settings, or type the
number of the setting you want to change and press Enter.

 1 System Settings:
 Method of Installation.............New and Complete Overwrite
 Disk Where You Want to Install.....hdisk0

 2 Primary Language Environment Settings (AFTER Install):
 Cultural Convention................English (United States)
 Language ..........................English (United States)
 Keyboard ..........................English (United States)
 Keyboard Type......................Default
 3 Security Model.......................Default
 4 More Options (Software install options)
 5 Select Edition.......................standard
>>> 0 Install with the current settings listed above.

 +-----------------------------------------------------
 88 Help ? | WARNING: Base Operating System Installation will
 99 Previous Menu | destroy or impair recovery of ALL data on the
 | destination disk hdisk0.
>>> Choice [0]:

See Also

https://workbench.cisecurity.org/benchmarks/19066

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: a8bcb17dbb8b064f4547af14388418c2223e61e73ae0becafa7f6f34f9d8d345