By default AIX uses NTPv3. This probably works fine for an internal-only situation (I hope), but for a server that also talks with the "outside," I recall that NTP shows up fairly frequently in CVE messages.
Posted: February 16, 2017
As I mentioned in a tweet, ZLIB (aka libz) has been updated recently. I expect these sudden updates from version 1.2.8 to 1.2.10 were inspired by an audit performed at the request of MOSS/Secure Open Source.
Posted: January 26, 2017
Internet Key Exchange (IKE) has gone through a lot of changes in the last 20 years. The last major change was the introduction of IKEv2 and communication via port 8500 rather than ports 500 and/or 4500 for setting up what is known as Phase 1 Tunnels.
Posted: December 14, 2016
There is a good chance you are not using sendmail at all (on AIX) to receive mail. However, if you are, you should be using sendmail plus SSL. If you are using sendmail and SSL, you have probably applied the fix supplied last August (First Issued: Fri Aug 7 15:15:59 CDT 2015 | Updated: Tue Aug 18 09:19:51 CDT 2015).
Posted: May 12, 2016
AIXPERT is an easy-to-use interface for both hardening a system and verifying its compliance with one or more standards. A standard can be one published by a third party (e.g., CIS), one from core AIX, one from PowerSC, or one of these copied and customised for your situation. The format is XML.
Posted: April 12, 2016
A comment from a reader (thanks again) reminded me about the compile/build option of building without OpenSSL or LibreSSL. And as he comments, this does simplify the maintenance of OpenSSH - one less library to support.
Posted: September 28, 2015
In my last blog, I wrote about keeping OpenSSL current via the webpacks. In part, that's because OpenSSL is something to blog about. Please note that there are really important CVEs to be patched - but if you look at the recent Java patches, you will see that patches are also needed to fix the following OpenSSL-related CVEs:
Posted: August 12, 2015
Keeping OpenSSL up-to-date is becoming a chore. And waiting for an update in a service pack may not be the best way to do this - for many reasons.
Posted: August 03, 2015
OpenSSH with LibreSSL is now available. I have tested LibreSSH on AIX 5.3 TL7, AIX 6.1 TL7 and AIX 7.1 TL3 and it works on all of them. The starting point in each case is that openssl.base and openssh.base were also installed. The special behavior is that aixtools.libressl.openssh copies the config files and keys from /etc/ssh to /var/openssh/etc and "downgrades" the ciphers and Key Exchange Algorithms (KexAlgorithms) so that they are equivalent (more on that later). This is to be sure you have connectivity with your current clients after installation. Note: the SRC subsystem for sshd is also modified to start "LibreSSH".
Posted: July 06, 2015
How about an update on the latest Technology Level on AIX? Why bother updating to the latest TL? Well, hopefully you’re already using aixpert for your basic hardening. If you’re not, I recommend using -- as a starting point -- the CIS benchmark for AIX 6.1 or 7.1.
Posted: June 24, 2015