AIX Operating System Installation and Configuration Standard
1) Password policy
- Requirement:
Lock the account after 10 invalid login attempts. This policy has no effect on the root user, so it is not applied to root.
- How to change:
chuser loginretries='10' {USERNAME}
- How to check:
lsuser {USERNAME}
- How to restore:
chuser loginretries='0' {USERNAME}
- How to unlock a single user (reset the failed-login counter recorded in /etc/security/lastlog):
chsec -f /etc/security/lastlog -s {USERNAME} -a unsuccessful_login_count=0
2) Lock default system accounts
- Requirement:
Lock the following default system accounts: daemon, bin, sys, adm, uucp, guest, nobody, lpd, lp, invscout, snapp, ipsec, nuucp
- How to change:
chuser account_locked=true daemon
chuser account_locked=true bin
chuser account_locked=true sys
chuser account_locked=true adm
chuser account_locked=true uucp
chuser account_locked=true guest
chuser account_locked=true nobody
chuser account_locked=true lpd
chuser account_locked=true lp
chuser account_locked=true invscout
chuser account_locked=true snapp
chuser account_locked=true ipsec
chuser account_locked=true nuucp
- How to check:
lsuser {USERNAME}
- How to restore:
chuser account_locked=false daemon
chuser account_locked=false bin
chuser account_locked=false sys
chuser account_locked=false adm
chuser account_locked=false uucp
chuser account_locked=false guest
chuser account_locked=false nobody
chuser account_locked=false lpd
chuser account_locked=false lp
chuser account_locked=false invscout
chuser account_locked=false snapp
chuser account_locked=false ipsec
chuser account_locked=false nuucp
3) Session timeout
- Requirement:
Log the session out automatically after 10 minutes without any activity.
- How to change:
Add the following line to /etc/profile:
export TMOUT=600
- How to check (from a newly started login session, since /etc/profile is only read when a login shell starts):
env | grep TMOUT
- How to restore:
Remove the following line from /etc/profile:
export TMOUT=600
4) Disable unnecessary service ports
- Requirement:
Disable the following services and their ports: finger, systat, netstat, tftp, talk, ntalk, daytime, time, kshell, klogin, echo, discard, chargen, imap2, pop3
- How to change:
Comment out the following entries in /etc/inetd.conf:
#kshell stream tcp nowait root /usr/sbin/krshd krshd
#klogin stream tcp nowait root /usr/sbin/krlogind krlogind
#finger stream tcp nowait nobody /usr/sbin/fingerd fingerd
#systat stream tcp nowait nobody /usr/bin/ps ps -ef
#netstat stream tcp nowait nobody /usr/bin/netstat netstat -f inet
#tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n
#talk dgram udp wait root /usr/sbin/talkd talkd
#ntalk dgram udp wait root /usr/sbin/talkd talkd
#echo stream tcp nowait root internal
#discard stream tcp nowait root internal
#chargen stream tcp nowait root internal
#daytime stream tcp nowait root internal
#time stream tcp nowait root internal
#echo dgram udp wait root internal
#discard dgram udp wait root internal
#chargen dgram udp wait root internal
#daytime dgram udp wait root internal
#time dgram udp wait root internal
#imap2 stream tcp nowait root /usr/sbin/imapd imapd
#pop3 stream tcp nowait root /usr/sbin/pop3d pop3d
Then run refresh -s inetd to reload the inetd service.
- How to check:
lssrc -s inetd
- How to restore:
Remove the comment marker from the following entries in /etc/inetd.conf:
#kshell stream tcp nowait root /usr/sbin/krshd krshd
#klogin stream tcp nowait root /usr/sbin/krlogind krlogind
#finger stream tcp nowait nobody /usr/sbin/fingerd fingerd
#systat stream tcp nowait nobody /usr/bin/ps ps -ef
#netstat stream tcp nowait nobody /usr/bin/netstat netstat -f inet
#tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n
#talk dgram udp wait root /usr/sbin/talkd talkd
#ntalk dgram udp wait root /usr/sbin/talkd talkd
Confirm that the inetd service is running normally.
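The four sections above each give a manual check (lsuser, env, lssrc) that has to be read by eye. The script below is an added compliance-audit example, not part of the original standard: it turns each requirement (login-retry limit, locked default accounts, TMOUT in /etc/profile, disabled inetd services) into a function that reads captured command output or a copied configuration file on stdin and prints one line per violation. The function names, the choice to read stdin, and the sample inputs are this example's own assumptions; the account list, service list, limit of 10 retries and TMOUT value of 600 are taken from the standard. On a live AIX host the inputs would be the outputs of lsuser -a loginretries ALL, lsuser -a account_locked ALL, and the files /etc/profile and /etc/inetd.conf, as shown in the usage comments.

```shell
#!/bin/sh
# Offline audit helpers for the AIX hardening standard above (constructed example, not from the original
# document). Each function reads text on stdin so it can be run against captured output or a copied file.
# Usage on a live AIX host (assumed invocation, run as root):
#   lsuser -a loginretries ALL   | check_loginretries
#   lsuser -a account_locked ALL | check_locked_accounts
#   check_tmout < /etc/profile   || echo "TMOUT=600 not exported in /etc/profile"
#   check_inetd  < /etc/inetd.conf
# check_loginretries, check_locked_accounts and check_inetd print one line per violation and print
# nothing when the host is compliant; check_tmout returns exit status 0 for compliant, 1 otherwise.

# Default accounts the standard requires to be locked (section 2)
SPEC_LOCKED_ACCOUNTS="daemon bin sys adm uucp guest nobody lpd lp invscout snapp ipsec nuucp"
# inetd services the standard requires to be commented out (section 4)
SPEC_DISABLED_SERVICES="finger systat netstat tftp talk ntalk daytime time kshell klogin echo discard chargen imap2 pop3"

# Section 1. Input lines look like "alice loginretries=10" (lsuser -a loginretries ALL).
# root is skipped because the policy does not apply to it. A missing value or 0 means "unlimited
# attempts", so those users are reported, as are users allowed more than 10 attempts.
check_loginretries() {
  awk '$1 == "root" { next }
       {
         n = 0
         for (i = 2; i <= NF; i++)
           if ($i ~ /^loginretries=/) { split($i, kv, "="); n = kv[2] + 0 }
         if (n == 0 || n > 10) print $1
       }'
}

# Section 2. Input lines look like "daemon account_locked=true" (lsuser -a account_locked ALL).
# Reports every required account that is either absent from the input or not locked, sorted by name.
check_locked_accounts() {
  awk -v want="$SPEC_LOCKED_ACCOUNTS" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
    ($1 in need) { for (i = 2; i <= NF; i++) if ($i == "account_locked=true") delete need[$1] }
    END { for (u in need) print u }' | sort
}

# Section 3. Reads /etc/profile. Succeeds only if an active (uncommented) "export TMOUT=600" line exists;
# a commented-out copy of the line does not count.
check_tmout() {
  grep -E -q '^[[:space:]]*export[[:space:]]+TMOUT=600[[:space:]]*$'
}

# Section 4. Reads /etc/inetd.conf. Comment lines and blank lines are ignored; any remaining entry whose
# service name is in SPEC_DISABLED_SERVICES is still active and is reported as "service type protocol".
check_inetd() {
  awk -v want="$SPEC_DISABLED_SERVICES" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    /^[[:space:]]*#/ || NF == 0 { next }
    ($1 in bad) { print $1, $2, $3 }'
}
```

The inetd check is deliberately stricter than lssrc -s inetd from section 4: lssrc only reports whether the inetd subsystem is running, while reading /etc/inetd.conf shows whether the individual services were actually commented out before the refresh.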