Originally posted by: shargus
We are planning a migration to AIX 6.1. I am looking to use aixpert to simplify and standardize the security hardening.
I have a prototyping system set up to test out settings. I have it loaded with AIX6.1 TL3 SP1. I am having a few issues and was wondering if I am doing something wrong:
1). After selecting aixpert -l h -p, I noticed /usr/sbin/tftpd is still enabled with 555 permissions. After much digging through aixpert's scripts, it looks like disrmtdmns is expecting tftpd, rshd, and rlogind to all be registered in TCB. rshd and rlogind are, but tftpd is not.
I figured out a workaround by doing:
tcbck -a /usr/sbin/tftpd
cktcb on /usr/sbin/tftpd
(i.e. manually putting tftpd into the TCB), then rerunning aixpert.
2). After doing the above workarounds, I run aixpert -c and it reports no failed rules:
-
aixpert -c
Processedrules=111 Passedrules=111 Failedrules=0 Level=AllRules
Input file=/etc/security/aixpert/core/appliedaixpert.xml
However, the check_report.txt shows this:
comntrows.sh: Daemon/Script/String:lpd: should have status disabled, however its entry is not found in file /etc/inittab
rctcpip.sh: Daemon dipid2's status should be "cominetdconf.sh: Service dtspc should have status d, however its entry is missing from /etc/inetd.conf
cominetdconf.sh: Service ttdbserver should have status d, however its entry is missing from /etc/inetd.conf
cominetdconf.sh: Service cmsd should have status d, however its entry is missing from /etc/inetd.conf
I want to be able to run aixpert -c on a regular basis and notify when there is a problem.
a) Is it possible that if an entry is not found, it is the same as "disabled", so it doesn't generate a log entry?
b) The log entry from rctcpip.sh is incomplete, and is merged with the log entry from cominetdconf.sh.
c) Is there an easier way to tell if aixpert -c finds an error? The return code is 0 in either case. It looks like I need to take the output of aixpert, look for "FailedRules" and notify if it does not equal 0...
#AIX-Forum
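One way to do what question (c) asks for, added here as an example and not code from the original post or from IBM: a POSIX shell wrapper that reads the summary line printed by `aixpert -c`, extracts the `Failedrules=` count, and converts it into an exit status that cron or a monitoring agent can alert on. A missing or unrecognisable summary line is treated as its own failure status rather than as a pass. The sample outputs are constructed from the line quoted in the post, the `/usr/sbin/aixpert` path is taken from the post, and where the notification is sent (here: stderr) is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post or from IBM): turn the
# "Failedrules=N" summary that `aixpert -c` prints into an exit status that a
# cron job or monitoring agent can act on. The sample outputs below are
# constructed from the summary line quoted in the post.

# Read aixpert -c output on stdin and print the Failedrules count.
# Prints "unknown" when no summary line is present, so a changed output
# format is reported rather than silently treated as a pass.
aixpert_failed_count() {
    awk '
        /Processedrules=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^Failedrules=/) {
                    sub(/^Failedrules=/, "", $i)
                    print $i
                    found = 1
                }
        }
        END { if (!found) print "unknown" }
    '
}

# Exit status: 0 = all rules passed, 1 = at least one rule failed,
# 2 = summary line missing or unparsable (also worth an alert).
aixpert_status() {
    count=$(aixpert_failed_count)
    case "$count" in
        0) return 0 ;;
        unknown) return 2 ;;
        *) return 1 ;;
    esac
}

# Cron wrapper: run the checker given as arguments (default: the real
# /usr/sbin/aixpert -c), keep its full output, and print a notification only
# when something is wrong. Where to send it (mail, syslog, a monitoring hook)
# is assumed; here it goes to stderr.
check_and_notify() {
    [ $# -gt 0 ] || set -- /usr/sbin/aixpert -c
    out=$("$@" 2>&1)
    printf '%s\n' "$out" | aixpert_status
    rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'aixpert check needs attention (status %s):\n%s\n' "$rc" "$out" >&2
    fi
    return "$rc"
}

# Constructed sample outputs modelled on the line quoted in the post.
SAMPLE_CLEAN='Processedrules=111 Passedrules=111 Failedrules=0 Level=AllRules
Input file=/etc/security/aixpert/core/appliedaixpert.xml'
SAMPLE_FAILED='Processedrules=111 Passedrules=109 Failedrules=2 Level=AllRules
Input file=/etc/security/aixpert/core/appliedaixpert.xml'

# Stand-alone demonstration against the constructed samples: printf stands in
# for the aixpert command so this runs on a machine without aixpert.
check_and_notify printf '%s\n' "$SAMPLE_CLEAN" && echo "clean sample: OK"
check_and_notify printf '%s\n' "$SAMPLE_FAILED" || echo "failed sample: exit $?"
```

In a crontab entry you would call `check_and_notify` with no arguments so it runs the real `aixpert -c`; the non-zero exit status is what cron or the scheduler sees, and the stderr block can be piped to `mail` or a syslog tool of your choice. The "unknown" branch is deliberate: if a future TL changes the summary wording, you want a loud failure rather than a silent pass.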