Front cover - IBM Redbooks

Tightening system default login parameters
The etc/security/login.cfg file should be edited to set up base defaults for many
login parameters, such as those that might be set up for a new user (for example,
number of login retries, login re-enable, and login internal).
Removing unnecessary default user accounts
During installation of the AIX operating system, a number of default user and
group IDs are created. Depending on the applications that are running on the AIX
server and where the AIX server is located in the network, some of these user
and group IDs can become security weaknesses, vulnerable to exploitation. If
these users and group IDs are not needed, they can be removed to minimize the
security risks associated with them.
Table 9-3 lists the most common default user IDs that you might want to remove.
Table 9-3 Potentially removable default user IDs
User ID Description
uucp, nuucp Owner of hidden files used by uucp protocol
lpd Owner of files used by printing subsystem
imnadm IMN search engine (used by Documentation Library Search)
guest Allows access to users who do not have access to accounts
Similarly, Table 9-4 lists common group IDs that might not be needed.
Table 9-4 Potentially removable common group IDs
Group ID Description
uucp Group to which uucp and nuucp users belong
printq Group to which lpd user belongs
imnadm Group to which imnadm user belongs
There might be additional user and group IDs that are not be needed; analyze
the system to identify other IDs that can be removed. Before the system goes
into production, perform a thorough evaluation of available IDs.
9.5.3 Defining access to the trusted communication path
The Trusted Computing Base (TCB) is the part of the system that is responsible
for enforcing system-wide information security policies. By installing and using
Chapter 9. Server hardening 405