Assess AIX Security with cnspec
Rely on cnspec to ensure your AIX systems follow security best practices, such as securing SSH configuration, enforcing file system permissions, managing user accounts and groups, auditing installed packages, and verifying that unnecessary services are disabled.
Before you begin
- cnspec installed on your workstation
- SSH access to the target AIX system
Scan an AIX asset
cnspec connects to AIX systems remotely over SSH.
Scan a remote machine over SSH
To scan a remote AIX machine using SSH with password authentication:
cnspec scan ssh user@HOST
To use an SSH key for authentication:
cnspec scan ssh user@HOST -i /path/to/identity_key
To scan using a specific port:
cnspec scan ssh user@HOST -p 2222
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:
✓ Pass: Ensure SSH root login is disabled
✕ Fail: Ensure password authentication is disabled for SSH
✓ Pass: Ensure no user has an empty password
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
cnspec automatically detects the platform and applies the appropriate security policy. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
Example checks
Run cnspec shell ssh user@HOST to open the cnspec interactive shell connected to a remote AIX system. From there you can make checks like the examples below.
Ensure SSH root login is disabled
cnspec> sshd.config.params["PermitRootLogin"] == "no"
[ok] value: "no"
Ensure SSH password authentication is disabled
cnspec> sshd.config.params["PasswordAuthentication"] == "no"
[ok] value: "no"
Ensure no user has an empty password
cnspec> users.where( name != "nobody" ).all( password.empty == false )
[ok] value: true
Ensure the SSH service is running
cnspec> service("sshd").running
[ok] value: true
List all listening ports and their processes
cnspec> ports.listening { port protocol address process.executable }
Ensure strong SSH ciphers are configured
cnspec> sshd.config.ciphers.none( _ == "arcfour" || _ == "arcfour128" || _ == "arcfour256" )
[ok] value: true
These are just a few examples. You can create your own policies to define the checks that matter most for your AIX environment.
Learn more
- To learn how to run ad hoc checks interactively, read Create Checks in cnspec Shell.
- For a list of all the OS resources and fields you can query, read the Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.
- To learn more about how MQL works, read Write Effective MQL.