AIX (Advanced Interactive eXecutive) is a Unix-based operating system developed by IBM. It is designed to run on IBM’s hardware platforms such as IBM Power Systems. AIX is built on the UNIX System V architecture, with enhancements and features developed by IBM over time.
In this article, we’re going to be looking at setting up AIX in a virtual environment for testing, and reviewing some of its unique security features.
Installing AIX
We will install AIX 7.2 in a virtual environment. To start, install the PowerPC version of QEMU.
sudo apt install qemu-system-ppc
Create a virtual disk using the qemu-img command.
qemu-img create -f qcow2 hdisk0.qcow2 20G
We will configure bridge networking to allow the AIX system to communicate with the rest of the network. Create a bridge interface linked to your actual network interface (in this case enp37s0).
sudo ip link add name br0 type bridge
sudo ip link set br0 up
sudo ip link set enp37s0 master br0
Next, create a tap interface that links to the bridge.
sudo ip tuntap add dev tap0 mode tap user $(whoami)
sudo ip link set tap0 up
sudo ip link set tap0 master br0
The bridge interface should receive an IP address.
ip addr show dev br0
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 1e:e6:a8:79:f1:d2 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.83/24 brd 172.16.1.255 scope global dynamic noprefixroute br0
valid_lft 85527sec preferred_lft 85527sec
inet6 fe80::bcec:9c38:29dd:64d7/64 scope link noprefixroute
valid_lft forever preferred_lft forever
If it does, remove the IP address and the old default route from the physical interface.
sudo ip route del default via 172.16.1.1 dev enp37s0
sudo ip addr del 172.16.1.82 dev enp37s0
Start the operating system install with the following command.
qemu-system-ppc64 \
-cpu POWER8 \
-machine pseries \
-m 4096 \
-serial stdio \
-drive file=hdisk0.qcow2,if=none,id=drive-virtio-disk0 \
-device virtio-scsi-pci,id=scsi \
-device scsi-hd,drive=drive-virtio-disk0 \
-cdrom aix_7200-04-02-2027_1of2_072020.iso \
-prom-env "boot-command=boot cdrom:" \
-prom-env "input-device=/vdevice/vty@71000000" \
-prom-env "output-device=/vdevice/vty@71000000"
During setup, you may want to select the option to install an SSH client and daemon.
Installation and Settings
Either type 0 and press Enter to install with current settings, or type the
number of the setting you want to change and press Enter.
1 System Settings:
Method of Installation.............New and Complete Overwrite
Disk Where You Want to Install.....hdisk0
2 Primary Language Environment Settings (AFTER Install):
Cultural Convention................English (United States)
Language ..........................English (United States)
Keyboard ..........................English (United States)
Keyboard Type......................Default
3 Security Model.......................Default
4 More Options (Software install options)
5 Select Edition.......................standard
>>> 0 Install with the current settings listed above.
+-----------------------------------------------------
88 Help ? | WARNING: Base Operating System Installation will
99 Previous Menu | destroy or impair recovery of ALL data on the
| destination disk hdisk0.
>>> Choice [0]: 4
Install Options
11. Graphics Software................................................ Yes
12. System Management Client Software................................ Yes
13. OpenSSH Client Software.......................................... Yes
14. OpenSSH Server Software.......................................... Yes
15. Enable System Backups to install any system...................... Yes
(Installs all devices)
>>> 6. Install More Software
0 Install with the current settings listed above.
88 Help ?
99 Previous Menu
>>> Choice [6]:
The install process typically takes around 45 minutes.
Once the install is completed, it will likely go into a boot loop, where the following banner is repeated.
-------------------------------------------------------------------------------
Welcome to AIX.
boot image timestamp: 16:47:29 06/08/2020
processor count: 1; memory size: 4096MB; kernel size: 45422126
boot device: /vdevice/v-scsi@71000003/disk@8200000000000000:\ppc\chrp\bootfile.exe
AIX vm,uuid property contains invalid data
processing splpar characteristic: MaxEntCap
processing splpar characteristic: DesMem
processing splpar characteristic: DesProcs
processing splpar characteristic: MaxPlatProcs
processing splpar characteristic: HostThrs
AKVM: hcall-multi-tce detected but overridden, allow with "multce" boot argument
-------------------------------------------------------------------------------
Terminate execution using Ctrl+C, and boot using the following command.
sudo qemu-system-ppc64 \
-cpu POWER8 \
-machine pseries \
-m 4096 \
-serial mon:stdio \
-drive file=hdisk0.qcow2,if=none,id=drive-virtio-disk0 \
-device virtio-scsi-pci,id=scsi \
-device scsi-hd,drive=drive-virtio-disk0 \
-cdrom aix_7200-04-02-2027_1of2_072020.iso \
-prom-env "boot-command=boot disk:" \
-net nic,macaddr=56:44:45:30:31:31 \
-net tap,script=no,ifname=tap0 \
-nographic
After booting, you will be asked to select a terminal type. Select vt100.
Set Terminal Type
The terminal is not properly initialized. Please enter a terminal type
and press Enter. Some terminal types are not supported in
non-English languages.
ibm3101 tvi912 vt330 aixterm
ibm3151 tvi920 vt340 dtterm
ibm3161 tvi925 wyse30 xterm
ibm3162 tvi950 wyse50 lft
ibm3163 vs100 wyse60 sun
ibm3164 vt100 wyse100
ibmpc vt320 wyse350
+-----------------------Messages-----------------------
| ERROR: Undefined terminal type. Please try again.
88 Help ? |
| If the next screen is unreadable, press Break (Ctrl-c)
| to return to this screen.
>>> Choice []: vt100
After accepting licenses, you may arrive at the following screen.
COMMAND STATUS
Command: OK stdout: no stderr: no
Before command completion, additional instructions may appear below.
F1=Help F2=Refresh F3=Cancel Esc+6=Command
Esc+8=Image Esc+9=Shell Esc+0=Exit /=Find
n=Find Next
Hold the escape key and press the zero key until you return to the main install assistant.
Installation Assistant
Move cursor to desired item and press Enter.
Set Date and Time
Set root Password
Configure Network Communications
Install Software Applications
System Workload Partition Software Maintenance
Using SMIT (information only)
Tasks Completed - Exit to Login
F1=Help F2=Refresh F3=Cancel Esc+8=Image
Esc+9=Shell Esc+0=Exit Enter=Do
Set a root password, then log in.
AIX Version 7
Copyright IBM Corporation, 1982, 2020.
Console login: root
root's Password:
*******************************************************************************
* *
* *
* Welcome to AIX Version 7.2! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
# uname
AIX
# uname -a
AIX localhost 2 7 000000000000
Checking Patch Levels
The oslevel command can be used to check the version of AIX installed.
oslevel -s
7200-04-02-2027
The above output translates to AIX 7.2, Technology Level 4, Service Pack 2.
The lslpp command can be used to enumerate installed filesets.
# lslpp -L
Fileset Level State Type Description (Uninstaller)
----------------------------------------------------------------------------
ICU4C.rte 7.2.4.0 C F International Components for
Unicode
Java8_64.jre 8.0.0.605 C F Java SDK 64-bit Java Runtime
Environment
Java8_64.sdk 8.0.0.605 C F Java SDK 64-bit Development
Kit
X11.adt.bitmaps 7.2.0.0 C F AIXwindows Application
Development Toolkit Bitmap
Files
X11.adt.imake 7.2.0.0 C F AIXwindows Application
Development Toolkit imake
X11.adt.include 7.2.3.0 C F AIXwindows Application
Development Toolkit Include
Files
X11.adt.lib 7.2.1.0 C F AIXwindows Application
Development Toolkit Libraries
X11.apps.aixterm 7.2.3.15 C F AIXwindows aixterm Application
X11.apps.clients 7.2.4.0 C F AIXwindows Client Applications
X11.apps.config 7.2.3.15 C F AIXwindows Configuration
Applications
X11.apps.custom 7.2.0.0 C F AIXwindows Customizing Tool
X11.apps.msmit 7.2.0.0 C F AIXwindows msmit Application
X11.apps.rte 7.2.1.0 C F AIXwindows Runtime
Configuration Applications
X11.apps.util 7.2.0.0 C F AIXwindows Utility
Applications
X11.apps.xdm 7.2.3.15 C F AIXwindows xdm Application
X11.apps.xterm 7.2.3.15 C F AIXwindows xterm Application
X11.base.common 7.2.0.0 C F AIXwindows Runtime Common
Directories
X11.base.lib 7.2.4.1 C F AIXwindows Runtime Libraries
X11.base.rte 7.2.4.1 C F AIXwindows Runtime Environment
X11.base.smt 7.2.3.15 C F AIXwindows Runtime Shared
...
System Administration
The smitty command is used for systems administration tasks, and provides a simple menu-driven interface.
System Management
Move cursor to desired item and press Enter.
[TOP]
Software Installation and Maintenance
Software License Management
Manage Editions
Devices
System Storage Management (Physical & Logical Storage)
Security & Users
Communications Applications and Services
Workload Partition Administration
Print Spooling
Advanced Accounting
Problem Determination
Manage the AIX Cryptographic Framework
Performance & Resource Scheduling
System Environments
Processes & Subsystems
[MORE...4]
F1=Help F2=Refresh F3=Cancel F8=Image
F9=Shell F10=Exit Enter=Do
AIXPert
The aixpert utility can be used to configure security baselines on the system. By default, AIX runs a number of unencrypted services, such as telnet.
# netstat -an | grep LISTEN
tcp4 0 0 *.13 *.* LISTEN
tcp 0 0 *.21 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp 0 0 *.23 *.* LISTEN
tcp4 0 0 *.25 *.* LISTEN
tcp4 0 0 *.37 *.* LISTEN
tcp 0 0 *.111 *.* LISTEN
tcp 0 0 *.199 *.* LISTEN
tcp 0 0 *.513 *.* LISTEN
tcp 0 0 *.543 *.* LISTEN
tcp4 0 0 *.544 *.* LISTEN
tcp 0 0 *.657 *.* LISTEN
tcp4 0 0 *.1334 *.* LISTEN
tcp 0 0 *.6181 *.* LISTEN
tcp 0 0 *.32768 *.* LISTEN
tcp 0 0 *.32769 *.* LISTEN
tcp 0 0 *.16191 *.* LISTEN
To check the current security level, run the following command.
# aixpert -t
Applied Profiles:MLS
The table below shows the profiles that can be configured.
| Profile | Meaning |
|---|---|
| LLS | Low Level Security |
| MLS | Medium Level Security |
| HLS | High Level Security |
| DLS | Default AIX Security |
| SCBPS | SOX-COBIT Best Practices Security |
| Custom | User-defined aixpert profile |
Whilst we have ascertained that the medium security level should have been applied, manual modifications to the system could have led to configuration drift. You can use the following command to check policy compliance.
# aixpert -c -p
Processing mls_minage_006E6947 :done.
Processing mls_maxage_006E6947 :done.
Processing mls_maxexpired_006E6947 :done.
Processing mls_minlen_006E6947 :done.
Processing mls_minalpha_006E6947 :done.
Processing mls_minother_006E6947 :done.
Processing mls_mindiff_006E6947 :done.
Processing mls_histexpire_006E6947 :done.
Processing mls_histsize_006E6947 :done.
Processing mls_pwdwarntime_006E6947 :done.
Processing mls_usrck_006E6947 :done.
Processing mls_pwdck_006E6947 :done.
Processing mls_grpck_006E6947 :done.
Processing mls_loginretries_006E6947 :done.
Processing mls_logindelay_006E6947 :done.
Processing mls_logindisable_006E6947 :done.
Processing mls_logininterval_006E6947 :done.
Processing mls_loginreenable_006E6947 :done.
Processing mls_logintimeout_006E6947 :done.
...
Processing mls_rootpwdintchk_006E6947 :done.
Processing mls_ipsecpermit_006E6947 :done.
Processedrules=78 Passedrules=78 Failedrules=0 Level=MLS
Input file=/etc/security/aixpert/core/appliedaixpert.xml
The following command can be used to create a medium security configuration file.
# aixpert -l medium -n -o /tmp/medium_security.xml
Reviewing the contents of the file, we can see the types of rules being configured.
head /tmp/medium_security.xml
<?xml version="1.0" encoding="UTF-8"?>
<AIXPertSecurityHardening>
<AIXPertEntry name="prereqbinaudit" function="prereqbinaudit">
<AIXPertRuleType type="Prereq"/>
<AIXPertDescription catalog="aixpert.cat" setNum="101" msgNum="1">Prereq rule for binaudit: Checks whether auditing is running or not.</AIXPertDescription>
<AIXPertPrereqList></AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/prereqbinaudit</AIXPertCommand>
<AIXPertArgs></AIXPertArgs>
<AIXPertGroup></AIXPertGroup>
</AIXPertEntry>
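An added example (not code from the page or from IBM's aixpert) for reviewing drift between two aixpert profiles, such as the file generated above and the applied profile that aixpert -c -p reads from /etc/security/aixpert/core/appliedaixpert.xml: it parses the AIXPertEntry elements and reports rules that are missing, extra or changed. The sample profiles are constructed; only the prereqbinaudit entry comes from the page, and the other rule names, commands and arguments are invented.

```python
import xml.etree.ElementTree as ET

def load_rules(xml_text):
    # Map each AIXPertEntry name to (command, args): together they define what
    # applying the rule does, so a change in either is a change to the rule.
    rules = {}
    for entry in ET.fromstring(xml_text).iter("AIXPertEntry"):
        command = (entry.findtext("AIXPertCommand") or "").strip()
        args = (entry.findtext("AIXPertArgs") or "").strip()
        rules[entry.get("name")] = (command, args)
    return rules

def compare_profiles(applied_xml, desired_xml):
    # missing: in the desired profile but not applied yet.
    # extra:   applied but absent from the desired profile (local additions).
    # changed: same rule name, different command or arguments.
    applied, desired = load_rules(applied_xml), load_rules(desired_xml)
    shared = set(applied) & set(desired)
    return {
        "missing": sorted(set(desired) - set(applied)),
        "extra": sorted(set(applied) - set(desired)),
        "changed": sorted(n for n in shared if applied[n] != desired[n]),
    }

def _entry(name, command, args=""):
    # Minimal AIXPertEntry in the page's layout; the description and rule-type
    # elements are left out because the comparison does not read them.
    return ('<AIXPertEntry name="{n}" function="{n}"><AIXPertCommand>{c}'
            '</AIXPertCommand><AIXPertArgs>{a}</AIXPertArgs></AIXPertEntry>'
            ).format(n=name, c=command, a=args)

# Constructed profiles. prereqbinaudit is the entry shown on the page; the
# other rule names, commands and arguments are invented for illustration.
PREREQ = _entry("prereqbinaudit", "/etc/security/aixpert/bin/prereqbinaudit")
APPLIED_XML = ("<AIXPertSecurityHardening>" + PREREQ
               + _entry("mls_minlen", "/etc/security/aixpert/bin/example_minlen", "minlen=6")
               + _entry("custom_sitebanner", "/usr/local/bin/example_banner")
               + "</AIXPertSecurityHardening>")
DESIRED_XML = ("<AIXPertSecurityHardening>" + PREREQ
               + _entry("mls_minlen", "/etc/security/aixpert/bin/example_minlen", "minlen=8")
               + _entry("mls_loginretries", "/etc/security/aixpert/bin/example_retries", "loginretries=5")
               + "</AIXPertSecurityHardening>")

if __name__ == "__main__":
    for kind, names in compare_profiles(APPLIED_XML, DESIRED_XML).items():
        print(kind, names)
```

Pointing load_rules at the two real files gives a rule-level diff to review before running aixpert -f, rather than discovering the differences from the PrereqFailed and Failed counters afterwards.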
The following command will apply the configuration changes.
# aixpert -f /tmp/medium_security.xml
do_action(): rule(mls_tcbupdate): warning.
do_action(): Warning: Prereq failed for prereqtcb
do_action(): rule(mls_rootrlogin): warning.
do_action(): Warning: Prereq failed for prereqrrl
do_action(): rule(mls_loginherald): warning.
do_action(): Warning: Prereq failed for prereqlh
do_action(): rule(mls_xhost): warning.
do_action(): Warning: Prereq failed for X11.Dt.ToolTalk
do_action(): rule(mls_ISSServerSensorFull): warning.
do_action(): Warning: Prereq failed for prereqRSSSFull
do_action(): rule(mls_ISSServerSensorLite): warning.
do_action(): Warning: Prereq failed for prereqRSSSLite
Processedrules=84 Passedrules=78 PrereqFailedrules=6 Failedrules=0 Level=MLS
Input file=/tmp/medium_security.xml
After running this, you should see that a number of insecure services have been disabled.
netstat -an | grep LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp 0 0 *.111 *.* LISTEN
tcp 0 0 *.657 *.* LISTEN
tcp 0 0 *.1058 *.* LISTEN
tcp 0 0 *.1059 *.* LISTEN
tcp4 0 0 *.1334 *.* LISTEN
tcp 0 0 *.6181 *.* LISTEN
tcp 0 0 *.32769 *.* LISTEN
tcp 0 0 *.16191 *.* LISTEN
Putting the system in “high” security mode will require a lot of regression testing. When I’ve attempted it, the system’s IP configuration was removed 🙁
Trusted Execution
Trusted Execution (TE) is an AIX security feature that helps detect unauthorised changes to files by maintaining a database of trusted file attributes and verifying them before execution. We can determine if it’s enabled using the trustchk command.
trustchk -p
TE=OFF
CHKEXEC=OFF
CHKSHLIB=OFF
CHKSCRIPT=OFF
CHKKERNEXT=OFF
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=OFF
LOCK_KERN_POLICIES=OFF
TSD_FILES_LOCK=OFF
TSD_LOCK=OFF
TEP=OFF
TLP=OFF
Enable Trusted Execution monitoring with the following command.
trustchk -p TE=ON CHKEXEC=ON CHKSHLIB=ON CHKSCRIPT=ON CHKKERNEXT=ON
The integrity of files can then be checked by the trustchk command.
# trustchk -q /usr/bin/passwd
/usr/bin/passwd:
owner = root
group = security
mode = TCB,SUID,555
type = FILE
hardlinks =
symlinks =
size = 44799
cert_tag = 49424d4149583a31324331342d33314332303a324b3a41
signature = [long hex value omitted]
hash_value = 389b21b98186042c34595cb35be9b5b7a4832a1f140fb718eb9bb41dcb531f78
minslabel =
maxslabel =
intlabel =
accessauths = ALLOW_ALL
innateprivs = PV_AU_ADD,PV_AU_ADMIN,PV_AU_PROC,PV_DAC_R,PV_DAC_W,PV_DAC_X,PV_DEV_CONFIG,PV_DEV_QUERY,PV_TCB,PV_NET_PORT,PV_NET_CNTL
authprivs = aix.security.passwd=PV_DAC_O+PV_DEV_QUERY+PV_FS_CHOWN+PV_FS_CNTL+PV_FS_MKNOD+PV_FS_MOUNT+PV_FS_RESIZE+PV_PROC_CRED+PV_PROC_ENV+PV_PROC_PRIO+PV_PROC_RAC+PV_PROC_RSET+PV_PROC_RTCLK+PV_PROC_SIG+PV_PROC_VARS
inheritprivs =
secflags = FSF_EPS
t_innateprivs = PV_MAC_R,PV_MAC_W,PV_MIC
egid = 0
To ensure enforcement, set the STOP_UNTRUSTD and STOP_ON_CHKFAIL flags to ON.
trustchk -p TE=ON CHKEXEC=ON CHKSHLIB=ON CHKSCRIPT=ON CHKKERNEXT=ON STOP_UNTRUSTD=ON STOP_ON_CHKFAIL=ON
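Added here as an example of cross-checking a TE record independently of trustchk (not code from the page or from IBM): given the text of a trustchk -q record and the bytes of the file it describes, the script parses the stanza, recomputes the digest and compares it with hash_value, and splits the mode attribute into its flags. It assumes hash_value is a SHA-256 digest, consistent with the 64 hex characters shown above; the file content, path and record are constructed.

```python
import hashlib
import re

def parse_trustchk_record(text):
    # One 'trustchk -q <path>' record: the path followed by a colon, then
    # 'name = value' lines (value may be empty, e.g. 'hardlinks =').
    lines = [ln for ln in text.splitlines() if ln.strip()]
    path = lines[0].strip().rstrip(":")
    attrs = {}
    for ln in lines[1:]:
        name, _, value = ln.partition("=")   # split on the first '=' only:
        attrs[name.strip()] = value.strip()  # authprivs values contain '='
    return path, attrs

def verify_tsd_hash(attrs, file_bytes):
    # Recompute the file digest and compare with the recorded hash_value.
    # Assumption: hash_value is SHA-256, consistent with its 64 hex digits.
    recorded = attrs.get("hash_value", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", recorded):
        raise ValueError("hash_value is not a 64-hex SHA-256 digest")
    return hashlib.sha256(file_bytes).hexdigest() == recorded

def check_mode_flags(attrs):
    # Split 'mode = TCB,SUID,555' into the flag set and the octal permission.
    parts = [p for p in attrs.get("mode", "").split(",") if p]
    perm = parts[-1] if parts and parts[-1].isdigit() else ""
    flags = set(parts[:-1]) if perm else set(parts)
    return flags, perm

# Constructed stand-in for a TSD-tracked file (not the real /usr/bin/passwd),
# plus a tampered copy that must fail verification.
SAMPLE_FILE = b"#!/usr/bin/ksh\necho constructed stand-in for a TSD-tracked file\n"
TAMPERED_FILE = SAMPLE_FILE + b"echo one extra line\n"

# Constructed record in the layout of the page's trustchk -q output; its
# hash_value is filled in from SAMPLE_FILE so that the clean copy verifies.
SAMPLE_RECORD = """/usr/local/bin/example:
        owner = root
        group = security
        mode = TCB,SUID,555
        type = FILE
        hardlinks =
        hash_value = {}
        secflags = FSF_EPS
""".format(hashlib.sha256(SAMPLE_FILE).hexdigest())

if __name__ == "__main__":
    path, attrs = parse_trustchk_record(SAMPLE_RECORD)
    print(path, "flags:", sorted(check_mode_flags(attrs)[0]))
    print("clean copy verifies:", verify_tsd_hash(attrs, SAMPLE_FILE))
    print("tampered copy verifies:", verify_tsd_hash(attrs, TAMPERED_FILE))
```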
Trusted Computing Base
TCB is the older, classic AIX security model. Enabling this feature requires activating it on install. You can check if it’s enabled using the tcbck command.
# tcbck -y ALL
3001-101 The Trusted Computing Base is not enabled on this machine.
To enable the Trusted Computing Base, you must reinstall and
set the 'Install Trusted Computing Base' option to YES.
No checking is being performed.
TCB performs checksum verification of system files (although it does not use digital signatures). However, unlike TE, it cannot prevent execution of suspected compromised binaries.
In general, it’s recommended to use the newer Trusted Execution features.
Role Based Access Control
Role-Based Access Control (RBAC) is a security framework that lets administrators assign permissions to roles instead of granting privileges directly to users. It provides more granular control than traditional UNIX permissions and reduces the need to give users full root access.
There are three main components to a role:
Authorisations: An authorisation is permission to perform a specific administrative action.
Privileges: Privileges are kernel-level capabilities that allow processes to perform actions normally restricted to root, such as binding to privileged ports.
Commands: General operating system commands.
Roles can be listed with the lsrole command.
# lsrole -f ALL
AccountAdmin:
authorizations=aix.security.group,aix.security.user
rolelist=
groups=
visibility=1
screens=*
dfltmsg=User and Group Account Administration
msgcat=role_desc.cat
msgnum=4
msgset=1
auth_mode=INVOKER
id=4
BackupRestore:
authorizations=aix.fs.manage.backup,aix.fs.manage.restore
rolelist=
groups=
visibility=1
screens=*
dfltmsg=Backup and Restore Administration
msgcat=role_desc.cat
msgnum=5
msgset=1
auth_mode=INVOKER
id=5
CacheAdm:
authorizations=cache.device.config,cache.device.manage
rolelist=
groups=
visibility=1
screens=*
dfltmsg=SSD Cache Device Administrator
msgcat=cache_ssd.cat
msgnum=5
msgset=3
auth_mode=INVOKER
id=11
DomainAdmin:
authorizations=aix.security.kerberos,aix.security.ldap,aix.security.nis,aix.security.pki
rolelist=
groups=
visibility=1
screens=*
dfltmsg=Remote Domain Administration
msgcat=role_desc.cat
msgnum=6
msgset=1
auth_mode=INVOKER
id=6
FSAdmin:
authorizations=aix.fs.manage.change,aix.fs.manage.create,aix.fs.manage.debug,aix.fs.manage.defrag,aix.fs.manage.dump,aix.fs.manage.list,aix.fs.manage.mount,aix.fs.manage.quota,aix.fs.manage.recover,aix.fs.manage.remove,aix.fs.manage.snapshot,aix.fs.manage.unmount,aix.fs.object,aix.lvm
rolelist=
groups=
visibility=1
screens=*
dfltmsg=File System Administration
msgcat=role_desc.cat
msgnum=7
msgset=1
auth_mode=INVOKER
id=7
We can create a new user account, and assign them the BackupRestore role using the following:
# mkuser home=/home/alice shell=/usr/bin/ksh alice
# passwd alice
Changing password for "alice"
alice's New password:
Enter the new password again:
# chuser roles=BackupRestore alice
# lsuser -a roles alice
alice roles=BackupRestore
You can view all roles assigned to users with the following.
lsuser -a roles ALL
root roles=
daemon roles=
bin roles=
sys roles=
adm roles=
uucp roles=
nobody roles=
lpd roles=
lp roles=
sshd roles=
invscout roles=
smmsp roles=
snapp roles=
ipsec roles=
nuucp roles=
srvproxy roles=
esaadmin roles=SysConfig
alice roles=BackupRestore
bob roles=
Password Cracking
AIX passwords are stored in the /etc/security/passwd file, which is a little different from other UNIX systems.
# cat /etc/security/passwd
root:
password = h0Ge3AMTj1dpw
lastupdate = 1777034168
daemon:
password = *
bin:
password = *
sys:
password = *
adm:
password = *
uucp:
password = *
guest:
password = *
nobody:
password = *
lpd:
password = *
John the Ripper does support AIX password formats.
john --list=formats | grep -i aix-
416 formats (149 dynamic formats shown as just "dynamic_n" here)
tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256,
aix-ssha512, andOTP, ansible, argon2, as400-des, as400-ssha1, asa-md5,
However, you will first need to use AWK to convert the password file to a format it can understand.
awk '/^[^[:space:]]+:/ { user = substr($0, 1, index($0, ":") - 1) }   # stanza header: "user:"
/^[[:space:]]*password[[:space:]]*=/ { split($0, elements, /[[:space:]]*=[[:space:]]*/); print user ":" elements[2] }' \
/etc/security/passwd > aix_hashes.txt
With the hashes in the correct format, you should be able to crack them using John.
┌──(kali㉿kali)-[~]
└─$ cat aix_hashes.txt
root:h0Ge3AMTj1dpw
daemon:*
bin:*
sys:*
adm:*
uucp:*
guest:*
nobody:*
lpd:*
┌──(kali㉿kali)-[~]
└─$ john aix_hashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 256/256 AVX2])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Password (root)
1g 0:00:00:00 DONE 2/3 (2026-05-11 16:28) 25.00g/s 333900p/s 333900c/s 333900C/s 123456..Herman1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
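As an added example covering both the Role Based Access Control section and the /etc/security/passwd layout above (not code from the page or from IBM), the script below parses the AIX stanza format shared by lsrole -f output and /etc/security/passwd, resolves each user's roles (including roles nested through rolelist) to their effective authorizations, flags the aix.security.* ones, and reports which hash algorithm protects each account so that legacy DES-crypt entries stand out. The SiteOps role, user carol and the {ssha256} value are constructed; root's hash is the one shown on the page.

```python
import re

def parse_stanzas(text):
    # AIX stanza layout shared by lsrole -f output and /etc/security/passwd:
    # a 'name:' header, then 'attr = value' lines; '*' in column 1 is a comment.
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("*"):
            continue
        if "=" not in line and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            stanzas[current] = {}
        elif current is not None:
            attr, _, value = line.partition("=")
            stanzas[current][attr.strip()] = value.strip()
    return stanzas

def effective_authorizations(roles, role_names, seen=None):
    # rolelist= lets a role include other roles, so resolve recursively;
    # 'seen' keeps a cycle in the role graph from recursing forever.
    seen, auths = (set() if seen is None else seen), set()
    for name in (n for n in role_names if n in roles and n not in seen):
        seen.add(name)
        auths.update(a for a in roles[name].get("authorizations", "").split(",") if a)
        auths |= effective_authorizations(roles, roles[name].get("rolelist", "").split(","), seen)
    return auths

def classify_password(value):
    # Classify an /etc/security/passwd 'password =' value by hash algorithm.
    if value in ("", "*"):
        return "no usable password"
    if m := re.match(r"^\{(\w+)\}", value):  # LPA prefix such as {ssha256}
        return "LPA " + m.group(1)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "legacy crypt (DES, 8-character limit)"
    return "unrecognised"

def audit(lsrole_out, lsuser_out, passwd_text, sensitive_prefix="aix.security."):
    # Per user: effective authorizations, the sensitive subset, password algorithm.
    roles, passwd = parse_stanzas(lsrole_out), parse_stanzas(passwd_text)
    report = {}
    for user, role_csv in re.findall(r"^(\S+)\s+roles=(.*)$", lsuser_out, re.M):
        auths = effective_authorizations(roles, role_csv.split(","))
        report[user] = {
            "authorizations": sorted(auths),
            "sensitive": sorted(a for a in auths if a.startswith(sensitive_prefix)),
            "password": classify_password(passwd.get(user, {}).get("password", "")),
        }
    return report

# Constructed samples in the layout of the page's lsrole -f, lsuser -a roles and
# /etc/security/passwd output; SiteOps, carol and the {ssha256} value are invented.
LSROLE_OUT = """AccountAdmin:
    authorizations=aix.security.group,aix.security.user
BackupRestore:
    authorizations=aix.fs.manage.backup,aix.fs.manage.restore
SiteOps:
    authorizations=aix.fs.manage.list
    rolelist=BackupRestore,AccountAdmin
"""
LSUSER_OUT = "root roles=\nalice roles=BackupRestore\ncarol roles=SiteOps\n"
PASSWD_FILE = """root:
    password = h0Ge3AMTj1dpw
alice:
    password = {ssha256}06$constructedSalt$constructedHashNotARealDigest
"""
```

A user with no stanza in /etc/security/passwd, like carol here, is reported as having no usable password; on a real system the three inputs come from lsrole -f ALL, lsuser -a roles ALL and the password file itself.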
In Conclusion
AIX is a relatively niche operating system, primarily because it only runs on very expensive IBM Power hardware. I’ve just tried to cover features unique to the operating system here, although applying general Linux/UNIX testing methodologies should work with it.