Edit: Still worth considering.
Originally posted January 27, 2015 on AIXchange
Although many of us like to assert that AIX running on Power hardware is a secure operating system, we must be aware of methods that might be used to try to compromise the systems we maintain. Just because the AIX user base is smaller than their Windows or Linux counterparts, we shouldn’t assume that AIX systems cannot be breached and aren’t being targeted. These systems typically run software for hospitals, banks, manufacturers, etc., industries where uptime and performance are critical and data privacy is essential.
With that in mind, this recently released document, entitled AIX for Penetration Testers, examines the delicate balance between providing user access and maintaining system security:
“AIX is a widely used operating system by banks, insurance companies, power stations and universities. The operating system handles various sensitive or critical information for these services. There is limited public information for penetration testers about AIX hacking, compared the other common operating systems like Windows or Linux. When testers get user level access in the system the privilege escalation is difficult if the administrators properly installed the security patches. Simple, detailed and effective steps of penetration testing will be presented by analyzing the latest fully patched AIX system. Only shell scripts and the default installed tools are necessary to perform this assessment. The paper proposes some basic methods to do comprehensive local security checks and how to exploit the vulnerabilities.
“The reconnaissance process is the most important task. If an auditor has enough information about the target system, applications and the administrator, it can lead to privilege escalation. After getting user level access on an AIX system, start by finding and exploiting operation issues caused by the administrator.”
Based on information in the document, here are some basic security questions to ask and answer:
* sudo: it is properly configured?
* umask settings: have they been changed from defaults?
* exploitable SUID/SGID binaries: do they exist on the system?
* the PATH: has it been set up properly?
“This methodology defines key local vulnerable points of AIX system. Auditors can make their own vulnerability detection scripts to decrease the time of the investigation based on this methodology. The suggested test steps are information gathering, exploit operation bugs, checking 3rd party software and finally the core system. Valuable information and great ideas are hidden in system guides, developer documentation and man pages. This methodology only describes quick and useable techniques. There are many other vulnerability assessment concepts worth the research, including syscall, signal or file format fuzzing.
“System administrators and auditors can apply useful hardening solutions from the vendor [IBM]. There is a secure implementation of the AIX system called Trusted AIX (IBM, 2014). The mentioned hardening features and guides can increase the local security level of the operating system. Hardening supplemented by professional penetration testing is the proper way to do security.”
Although many organizations like to think that being behind a firewall makes them secure, they forget that trusted users are behind many successful attacks.
What are you doing to protect your systems from unauthorized access and privilege escalation?