Best Practice AIX Auditing
Tenable typically writes audit policies that can be submitted for certification by the Center for Internet Security. However, at this time CIS does not have a best practice benchmark for AIX 5.3, which is what many of Tenable's AIX customers are using. Since there were significant changes in AIX 5.3 from previous releases, Tenable has updated and applied the type of checks used in older CIS AIX benchmarks to AIX 5.3. The following types of configuration audits are performed:
- Patches and additional software
- Minimize inetd network services
- Minimize Daemon Services
- Kernel tuning
- File/directory permissions/access
- System access, authentication, and authorization
- User Accounts and environment
- Warning Banners
Below is an example screenshot generated by using this type of audit against an AIX 5.3 server:
AIX PCI Auditing
PCI configuration audits are much less comprehensive than a CIS or "best practices" configuration audit. PCI focuses on a few different parameters, such as password complexity, whereas standards like CIS look at several hundred different audit points. As with other operating systems, Tenable has produced an AIX PCI audit policy for AIX 5.3 systems.
The new AIX PCI audit policy takes its place next to the existing Solaris, Linux and Windows policies specifically designed for PCI configuration auditing.
Downloading and Using these Audit Policies
To obtain the new AIX 5.3 audit policies, log in to the Tenable Support Portal and click on 'Downloads' and then 'Download Configuration Audit Policies'. The best practices policy is named "Tenable AIX Best Practices" and the PCI audit policy is named "PCI AIX".
To use these with the Nessus scanner, you must be subscribed to the ProfessionalFeed (Direct Feed), have access to the Tenable Support Portal, and download one of these policies to your Nessus client. You must also have SSH access to the AIX server you wish to audit. The Nessus Client can be used to build a scan policy which includes an SSH username and password of the root AIX account, or a set of credentials which can take advantage of "su" or "sudo" functionality.
To use these with the Security Center, log in as a console administrator, upload your desired AIX audit policies and then create one or more vulnerability policies with the proper credentials for your AIX servers. Security Center 3.4.1 does not currently support Nessus "su" and "sudo" functionality, but this will be available in an upcoming release. Security Center users can also perform these audits with their Nessus scanners directly and manually upload them.
For More Information
Tenable has released a wide variety of audit policies for various operating systems and standards, and for searching for sensitive content. A list of recent releases is included below:
- Solaris 10 CIS Audit Policy Available
- Tenable Receives FDCC Certification
- "su" and "sudo" Support for Nessus UNIX Audits