
CIS Benchmark AIX Compliance Check

Ensuring your IBM AIX servers meet CIS (Center for Internet Security) benchmarks can be challenging. There are many settings to verify, including services, file permissions, logging, auditing, and user accounts. Doing this manually takes time and is prone to mistakes.

To simplify this, you can use a Bash script that automates most of the checks while clearly marking items that need manual review. This post explains how the script works, how to run it, and what results to expect.

Why Use a Script for CIS Compliance?
AIX servers have critical security settings that must be checked regularly:
  • Services that should be disabled
  • Permissions on important system files
  • Logging and auditing configurations
  • User account and home directory verification
Manually checking all of these can take hours. A script can:
  • Automate routine CIS benchmark checks
  • Highlight items requiring manual review
  • Produce a color-coded report showing Pass, Fail, and Manual checks
How the Script Works
The script is organized into seven sections, covering key CIS areas:
  • Initial Setup – Record the OS level, service pack and interim fix status (manual review: oslevel -s, instfix, emgr).
  • Services – Verify that SRC subsystems such as sendmail and inetd, and inetd subservers such as telnet, ftp, rsh and rlogin, are disabled.
  • Network – Review unused interfaces, IPv6 configuration, and the kernel network tunables managed by the no command.
  • Host-Based Firewall – Check that AIX IP Security filtering is available and review its filter rules.
  • Access Control – Validate SSH root login, sudo installation, password policies, and empty passwords.
  • Logging and Auditing – Ensure the AIX audit subsystem and syslogd are running.
  • System Maintenance – Verify file permissions, check for world-writable files/directories, and confirm home directories exist.
Each check is reported as:
[PASS] – Compliant with CIS benchmark
[FAIL] – Not compliant
[MANUAL] – Requires human review

How to Use the Script
Save the script as cis_aix_check.sh on your AIX server. It is a bash script (the AIX default shell is ksh) and uses bash 4 features such as associative arrays, so bash from the AIX Toolbox for Linux Applications must be installed first; /bin is a link to /usr/bin on AIX, so the #!/bin/bash line resolves once the Toolbox bash package is in place.
===========================================================================================================
#!/bin/bash
# CIS IBM AIX Compliance Script (Sections 1–7)
# Requires bash 4 or later (AIX Toolbox package) and must be run as root:
# /etc/security/passwd and /etc/inetd.conf are not world-readable.
# -------------------------------
# Colors
# -------------------------------
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# -------------------------------
# Logging & Counters
# -------------------------------
REPORT="/var/log/cis_aix_report.log"
: > "$REPORT"

PASS=0
FAIL=0
MANUAL=0

# Colored line on the terminal, plain line (no escape codes) in the report file
log_pass()   { echo -e "${GREEN}[PASS]${NC} $1";    echo "[PASS] $1"   >> "$REPORT"; PASS=$((PASS+1)); }
log_fail()   { echo -e "${RED}[FAIL]${NC} $1";      echo "[FAIL] $1"   >> "$REPORT"; FAIL=$((FAIL+1)); }
log_manual() { echo -e "${YELLOW}[MANUAL]${NC} $1"; echo "[MANUAL] $1" >> "$REPORT"; MANUAL=$((MANUAL+1)); }

# -------------------------------
# Helper Functions
# -------------------------------
check_file_perm() {
    local file=$1
    local perm=$2
    if [ ! -e "$file" ]; then
        log_fail "$file does not exist"
        return
    fi
    # Derive the octal mode from the nine rwx characters of ls -ld (-d so a
    # directory is not expanded). Each character is one bit, most significant
    # first; 's' and 't' mean the x bit is set, 'S' and 'T' mean it is not.
    actual_perm=$(ls -ld "$file" | awk '{
        p = substr($1, 2, 9); m = 0
        for (i = 1; i <= 9; i++) m = m * 2 + (substr(p, i, 1) ~ /[rwxst]/ ? 1 : 0)
        printf "%o\n", m }')
    if [ "$actual_perm" = "$perm" ]; then
        log_pass "$file permissions ($perm) correct"
    else
        log_fail "$file permissions ($actual_perm) incorrect, should be $perm"
    fi
}

check_service_disabled() {
    local svc=$1
    local status
    # lssrc -s prints a header line, then "Subsystem Group PID Status"; the status
    # word is active or inoperative. No output at all means the name is not an
    # SRC subsystem on this host, which must not be reported as "disabled".
    status=$(lssrc -s "$svc" 2>/dev/null | awk 'NR == 2 {print $NF}')
    case "$status" in
        active)      log_fail "$svc is active" ;;
        inoperative) log_pass "$svc disabled" ;;
        "")          log_manual "$svc is not defined as an SRC subsystem here (check lssrc -a and /etc/inetd.conf)" ;;
        *)           log_manual "$svc status is '$status'" ;;
    esac
}

check_inetd_disabled() {
    local svc=$1
    # telnet, ftp, rsh and similar are inetd subservers: enabled by an uncommented
    # line in /etc/inetd.conf, disabled by commenting it out (then refresh -s inetd)
    if grep -Eq "^[[:space:]]*$svc[[:space:]]" /etc/inetd.conf 2>/dev/null; then
        log_fail "$svc is enabled in /etc/inetd.conf"
    else
        log_pass "$svc disabled in /etc/inetd.conf"
    fi
}

check_package_installed() {
    local pkg=$1
    # lslpp -L <name> exits non-zero when the fileset is not installed; Toolbox
    # packages such as sudo are RPMs, so also try rpm -q
    if lslpp -L "$pkg" >/dev/null 2>&1 || rpm -q "$pkg" >/dev/null 2>&1; then
        log_pass "$pkg installed"
    else
        log_fail "$pkg not installed"
    fi
}

# -------------------------------
# SECTION 1 – Initial Setup
# -------------------------------
echo -e "${YELLOW}==== SECTION 1 – Initial Setup ====${NC}" | tee -a "$REPORT"
log_manual "Check AIX OS level, service pack and interim fixes (oslevel -s, instfix -i | grep ML, emgr -l)"

# -------------------------------
# SECTION 2 – Services
# -------------------------------
echo -e "${YELLOW}==== SECTION 2 – Services ====${NC}" | tee -a "$REPORT"
# SRC subsystems: automountd is the AIX autofs daemon, portmap the RPC portmapper
for svc in automountd sendmail inetd portmap; do
    check_service_disabled "$svc"
done
# inetd subservers (rlogin is the "login" service, rsh is "shell")
for svc in ftp telnet tftp login shell exec; do
    check_inetd_disabled "$svc"
done
# cron is started from /etc/inittab, not the SRC, and CIS restricts who may use
# it rather than requiring it to be disabled
log_manual "Restrict cron/at to authorized users: review /var/adm/cron/cron.allow and /var/adm/cron/at.allow"

# -------------------------------
# SECTION 3 – Network
# -------------------------------
echo -e "${YELLOW}==== SECTION 3 – Network ====${NC}" | tee -a $REPORT
# There is no bluetooth subsystem on AIX; review the configured interfaces instead
log_manual "Verify that only required network interfaces are configured (lsdev -Cc adapter, ifconfig -a)"
log_manual "Check IPv6: autoconf6/ndpd-host entries in /etc/rc.tcpip and inet6 addresses in ifconfig -a"
log_manual "Compare network tunables with the benchmark (no -o ipforwarding, ipsendredirects, ipignoreredirects, directed_broadcast, ipsrcrouteforward, bcastping, icmpaddressmask); make changes persistent with no -p"

# -------------------------------
# SECTION 4 – Host-Based Firewall
# -------------------------------
echo -e "${YELLOW}==== SECTION 4 – Host-Based Firewall ====${NC}" | tee -a $REPORT
# AIX has no iptables or ipfilter; host filtering is IP Security (bos.net.ipsec),
# which appears as the ipsec_v4/ipsec_v6 devices once started
if lsdev -l ipsec_v4 2>/dev/null | grep -q Available; then
    log_pass "IPsec v4 filtering device available"
else
    log_fail "IPsec v4 filtering device not available (bos.net.ipsec not installed or IPsec not started)"
fi
log_manual "Review filter rules with lsfilt -v4 (and lsfilt -v6 if IPv6 is enabled)"

# -------------------------------
# SECTION 5 – Access Control
# -------------------------------
echo -e "${YELLOW}==== SECTION 5 – Access Control ====${NC}" | tee -a $REPORT
ssh_config="/etc/ssh/sshd_config"
if [ -f "$ssh_config" ]; then
    # Tolerate leading whitespace and tabs; a commented-out line must not match
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$ssh_config"; then
        log_pass "SSH root login disabled"
    else
        log_fail "SSH root login not disabled (PermitRootLogin no is missing, commented out, or set to another value)"
    fi
    check_file_perm "$ssh_config" "600"
else
    log_fail "$ssh_config does not exist"
fi

check_package_installed "sudo"
log_manual "Check password policy and lockout in /etc/security/user (lssec -f /etc/security/user -s default -a minlen -a maxage -a histsize -a loginretries)"

# On AIX the password field in /etc/passwd is normally "!" and the hashes live in
# /etc/security/passwd; an empty "password =" there means no password is required
if awk -F: '$2 == "" {found = 1} END {exit found}' /etc/passwd &&
   awk -F= '$1 ~ /^[[:space:]]*password[[:space:]]*$/ && $2 ~ /^[[:space:]]*$/ {found = 1} END {exit found}' /etc/security/passwd; then
    log_pass "No empty passwords"
else
    log_fail "Some accounts have empty passwords"
fi

# -------------------------------
# SECTION 6 – Logging and Auditing
# -------------------------------
echo -e "${YELLOW}==== SECTION 6 – Logging and Auditing ====${NC}" | tee -a $REPORT
# Auditing is part of the AIX base OS: there is no "audit" fileset and no auditd
# SRC subsystem; "audit query" reports whether the subsystem is running
if audit query 2>/dev/null | grep -q "auditing on"; then
    log_pass "AIX audit subsystem running"
else
    log_fail "AIX audit subsystem not running (audit start; configuration in /etc/security/audit/config)"
fi
log_manual "Review audited classes and bin/stream mode in /etc/security/audit/config"
log_manual "Verify AIDE or Tripwire installation and integrity checks"

if lssrc -s syslogd 2>/dev/null | grep -q "active"; then
    log_pass "syslogd enabled"
else
    log_fail "syslogd disabled"
fi

# -------------------------------
# SECTION 7 – System Maintenance
# -------------------------------
echo -e "${YELLOW}==== SECTION 7 – System Maintenance ====${NC}" | tee -a $REPORT
# Expected modes. AIX keeps its shadow data under /etc/security; there are no
# passwd.adj/group.adj files on AIX
declare -A files=(
    ["/etc/passwd"]="644"
    ["/etc/group"]="644"
    ["/etc/security/passwd"]="600"
    ["/etc/security/user"]="640"
    ["/etc/security/group"]="640"
)
for file in "${!files[@]}"; do
    check_file_perm "$file" "${files[$file]}"
done

# World-writable files and directories. Filter on the printed path, and skip
# sticky directories such as /tmp, which are world-writable by design. NFS
# mounts are searched as well, which can be slow.
ww_files=$(find / -type f -perm -0002 -print 2>/dev/null | grep -vE '^/(proc|dev)/')
ww_dirs=$(find / -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | grep -vE '^/(proc|dev)/')
if [ -z "$ww_files" ]; then log_pass "No world-writable files"; else echo "$ww_files" | tee -a "$REPORT"; log_fail "World-writable files found"; fi
if [ -z "$ww_dirs" ]; then log_pass "No world-writable directories"; else echo "$ww_dirs" | tee -a "$REPORT"; log_fail "World-writable (non-sticky) directories found"; fi

log_manual "Review SUID/SGID files: find / -type f \\( -perm -4000 -o -perm -2000 \\) -exec ls -l {} \\;"

# Home directories of accounts with a login shell (AIX system accounts have an
# empty shell or /bin/false). The loop is fed by process substitution, not a
# pipe: a piped while loop runs in a subshell and the PASS/FAIL counters
# incremented inside it would be lost.
while IFS=: read -r user dir; do
    [ -d "$dir" ] && log_pass "Home directory exists for $user" || log_fail "Home directory missing for $user"
done < <(awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ {print $1 ":" $6}' /etc/passwd)

echo -e "${YELLOW}==== CIS IBM AIX Compliance Check Complete ====${NC}" | tee -a $REPORT
echo -e "${GREEN}PASS: $PASS${NC} | ${RED}FAIL: $FAIL${NC} | ${YELLOW}MANUAL: $MANUAL${NC}" | tee -a $REPORT

===========================================================================================================
Make it executable:
$ chmod +x cis_aix_check.sh
Run it as root:
$ sudo ./cis_aix_check.sh
Review the results:

Terminal output: Shows color-coded PASS, FAIL, and MANUAL messages
Log file: /var/log/cis_aix_report.log contains the complete report

Example Output
After running the script, you might see:
[PASS] sendmail disabled
[FAIL] telnet is enabled in /etc/inetd.conf
[MANUAL] Restrict cron/at to authorized users: review /var/adm/cron/cron.allow and /var/adm/cron/at.allow
==== SECTION 5 – Access Control ====
[PASS] SSH root login disabled
[FAIL] Some accounts have empty passwords
[MANUAL] Check password policy and lockout in /etc/security/user (lssec -f /etc/security/user -s default -a minlen -a maxage -a histsize -a loginretries)
==== CIS IBM AIX Compliance Check Complete ====
PASS: 10 | FAIL: 2 | MANUAL: 5

This gives a clear overview of which areas are compliant and which need attention.
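Two of the items the script reports as [MANUAL], the network tunables in Section 3 and the password policy in Section 5, can be automated: no -a prints "name = value" lines, and /etc/security/user is a stanza file ("default:" followed by indented "attr = value" lines, with per-user stanzas inheriting from default). The block below is an added example and is not part of the original post's script. Its functions read from files so it can run here against constructed sample data (marked as such in the code); the required values in NO_EXPECTED and PW_EXPECTED are assumptions drawn from common CIS AIX recommendations and must be confirmed against the benchmark version you are assessing.

```shell
#!/bin/bash
# Added example, not part of the original post's script: automates two checks the
# script leaves as MANUAL, reading from files so it runs here against the
# constructed samples below (live host: "no -a > /tmp/no.out" and /etc/security/user).
# Required values are assumptions drawn from common CIS AIX recommendations;
# confirm them against the benchmark version you are assessing.
# Section 3: network tunables, one "name value" pair per line.
NO_EXPECTED="ipforwarding 0
ipsendredirects 0
ipignoreredirects 1
directed_broadcast 0
ipsrcrouteforward 0
bcastping 0
icmpaddressmask 0
clean_partial_conns 1"
# Section 5: /etc/security/user attributes as "attr op value", op being a test(1)
# integer operator. loginretries = 0 means unlimited, hence the lower bound.
PW_EXPECTED="minlen ge 8
maxage le 13
histsize ge 10
loginretries ge 1
loginretries le 5
mindiff ge 3"

# Compare captured 'no -a' output ("name = value" lines) with NO_EXPECTED.
# One result line per tunable: PASS|FAIL|MISSING name actual expected
check_no_tunables() {
    local no_out=$1 name want actual
    echo "$NO_EXPECTED" | while read -r name want; do
        actual=$(awk -v n="$name" '$1 == n && $2 == "=" {print $3; exit}' "$no_out")
        if [ -z "$actual" ]; then echo "MISSING $name - $want"
        elif [ "$actual" = "$want" ]; then echo "PASS $name $actual $want"
        else echo "FAIL $name $actual $want"
        fi
    done
}

# Look up one attribute in an AIX stanza file ("stanza:" at column 0, indented
# "attr = value" lines below it). Prints nothing when the attribute is absent.
stanza_attr() {
    awk -v s="$2" -v a="$3" '
        /^[^[:space:]#].*:[[:space:]]*$/ { cur = $0; sub(/:[[:space:]]*$/, "", cur); next }
        cur == s && $1 == a && $2 == "=" { print $3; exit }
    ' "$1"
}

# Evaluate PW_EXPECTED for one user. Attributes missing from the user's own
# stanza are inherited from "default", which is how AIX resolves them.
check_password_policy() {
    local file=$1 user=${2:-default} attr op want actual
    echo "$PW_EXPECTED" | while read -r attr op want; do
        actual=$(stanza_attr "$file" "$user" "$attr")
        [ -z "$actual" ] && [ "$user" != default ] && actual=$(stanza_attr "$file" default "$attr")
        if [ -z "$actual" ]; then echo "MISSING $attr - $op $want"
        elif [ "$actual" -"$op" "$want" ] 2>/dev/null; then echo "PASS $attr $actual $op $want"
        else echo "FAIL $attr $actual $op $want"
        fi
    done
}

# Reduce result lines to a one-line tally.
summarize() {
    awk '{c[$1]++} END {printf "PASS=%d FAIL=%d MISSING=%d\n", c["PASS"], c["FAIL"], c["MISSING"]}'
}

# --- constructed sample inputs (not captured from a real system) ---
SAMPLE_NO=$(mktemp); SAMPLE_USER=$(mktemp)
trap 'rm -f "$SAMPLE_NO" "$SAMPLE_USER"' EXIT
cat > "$SAMPLE_NO" <<'EOF'
              bcastping = 0
    clean_partial_conns = 0
     directed_broadcast = 0
           ipforwarding = 1
      ipignoreredirects = 1
        ipsendredirects = 1
      ipsrcrouteforward = 0
EOF
cat > "$SAMPLE_USER" <<'EOF'
default:
        minlen = 8
        maxage = 13
        histsize = 4
        loginretries = 0
        mindiff = 3

root:
        loginretries = 3
        histsize = 20

appsvc:
        minlen = 6
EOF

echo "== Section 3: network tunables (no -a) =="
check_no_tunables "$SAMPLE_NO"; check_no_tunables "$SAMPLE_NO" | summarize
for u in default root appsvc; do
    echo "== Section 5: password policy, stanza $u =="
    check_password_policy "$SAMPLE_USER" "$u"; check_password_policy "$SAMPLE_USER" "$u" | summarize
done
```

On a live host, capture `no -a` to a file and pass it to check_no_tunables, and call check_password_policy against /etc/security/user once for default and once per account from `lsuser -a id ALL`; the appsvc stanza in the sample shows why per-user checks matter, since a weaker minlen in a user stanza overrides the default. Each PASS/FAIL/MISSING line can be routed to the script's log_pass, log_fail and log_manual helpers.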

Benefits of This Script
  • Saves time – Automates many routine CIS checks
  • Reduces errors – Consistent reporting with clear Pass/Fail results
  • Easy to understand – Color-coded output and a log file
  • Focus on critical areas – Highlights items requiring manual review
Final Thoughts
Performing a CIS benchmark compliance check on AIX doesn’t have to be complicated. Using a structured approach with this script allows you to:
  • Quickly check the subset of benchmark items the script automates
  • Minimize human errors
  • Focus attention on items that truly need manual review
The script is a triage aid, not a replacement for the full benchmark: CIS recommendations change between benchmark versions, so confirm the expected values in the script against the version you are assessing, and read a [PASS] as "this check passed", not as proof that the whole control is met. Running the script regularly and comparing successive reports helps you spot configuration drift on your AIX servers.
