fpm Command

Purpose

Manages the permissions on commands and daemons owned by privileged users with setuid or setgid permissions.

Syntax

fpm [ -l level [ -f file ] [ [ -c ] [ -p ] ] [ -v ] ] | [ -s ] | [ -q ] | [ -? ]

Description

The fpm command allows administrators to harden their system by disabling the setuid and setgid bits on many commands in the operating system. This command is intended to remove the setuid permissions from commands and daemons owned by privileged users, but you can also customize it to address the specific needs of unique computer environments.

The setuid programs on the base AIX® operating system have been grouped to allow for levels of hardening. This grouping allows administrators to choose the level of hardening according to their system environment. Additionally, you can use the fpm command to customize the list of programs that need to be disabled in your environment. You must review the levels of disablement and choose the right level for your environment.

Changing execution permissions of commands and daemons with the fpm command affects non-privileged users, denying their access to these commands and daemons or functions of the commands and daemons. Additionally, other commands that call or depend on these commands and daemons can be affected. Any user-created scripts that depend on commands and daemons with permissions that were altered by the fpm command cannot operate as expected when run by non-privileged users. Give full consideration to the effect and potential impact of modifying default permissions of commands and daemons.

You must perform appropriate testing before using this command to change the execution permissions of commands and daemons in any critical computer environment. If you encounter problems in an environment where execution permissions have been modified, restore the default permissions and recreate the problem in this default environment to ensure the issue is not due to lack of appropriate execution permissions.

The fpm command provides the capability to restore the original AIX installation default permissions using the -l default flag.

Additionally, the fpm command logs the permission state of the files prior to changing them. The fpm log files are created in the /var/security/fpm/log/date_time file. If necessary, you can use these log files to restore the system's file permissions recorded in a previously saved log file.

When the fpm command is used on files that have extended permissions, it disables the extended permissions, though any extended permission data that existed prior to the fpm invocation is retained in the extended ACL.

Customized configuration files can be created and enacted as part of the high, medium, low, and default settings. File lists can be specified in the /usr/lib/security/fpm/custom/high/* directory, the /usr/lib/security/fpm/custom/medium/* directory, and the /usr/lib/security/fpm/custom/default/* directory. To take advantage of this feature, create a file containing a list of files that you want to be automatically processed in addition to the fpm commands internal list. When the fpm command is run, it also processes the lists in the corresponding customized directories. To see an example of the format for a customized file, view the /usr/lib/security/fpm/data/high_fpm_list file. The default format can be viewed in the /usr/lib/security/fpm/data/default_fpm_list.example file. For the customization of the -l low flag, the fpm command reads the same files in the /usr/lib/security/fpm/custom/medium directory, but only removes the setgid permissions, whereas the -l medium flag removes both the setuid and setgid permissions.

The fpm command cannot run on TCB-enabled hosts.

Flags

Item Description
-l level Specifies that the file permissions are changed according to the level specified.
-l high
High-level security. This flag removes the setuid and setgid permissions for computer systems that fall into the category of high-level security. This flag uses the list of files in the /usr/lib/security/fpm/data/high_fpm_list file and the /usr/lib/security/fpm/custom/high/*.* file as input by default, but an alternate input file can be selected with the -f flag.
-l medium
Medium-level security. This flag removes the setuid and setgid permissions for computer systems that fall into the category of medium-level security. This flag uses the list of files in the /usr/lib/security/fpm/data/med_fpm_list file and the /usr/lib/security/fpm/custom/med/*.* file as input by default. An alternate input file can be selected with the -f flag.
-l low
Low-level security. This flag removes only the setuid permission for computer systems that fall into the category of low-level security. This flag uses the list of files in the /usr/lib/security/fpm/data/med_fpm_list file and the /usr/lib/security/fpm/custom/med/*.* file as input by default. An alternate input file can be selected with the -f flag.
-l default
Returns the system commands previously modified by the fpm command to their default out-of-the-box permissions, if the commands were previously altered using the level of high, medium or low. This option reads the /usr/lib/security/fpm/custom/default/*.* file and sets the permissions defined in the file.
-s Displays the status of the changes last made by the fpm command. The status is written in the /usr/lib/security/fpm/data/status_fpm file. The security level is represented as a whole integer from 1-5 (inclusive).
-f file Allows the specification of a file list to override the default input file, where the file parameter is a file name containing the list of files to be used as input. This flag must be used along with the -l high|medium|low|default or the -c flag. When using a level of high, medium or low, the input file format is as follows:

full_path/filename

For example, /usr/sbin/foo.

When used with the -l default flag, the input file format is as follows:

octet_permissions full_path/filename

There must be a space between the octet_permissions variable and the full_path variable. For example, 0750 /usr/sbin/foo.

The -f format allows for the specific control of the list of files being affected.

-c Checks the files permissions, but takes no action. The fpm command returns 0 if no files were found out of compliance. If one or more files contain non-compliant permissions, this option lists the non-compliant file(s) and returns 1. This flag must be used with the -l level option. For example, if the -c and the -l high flags are used together, the fpm command checks the files listed in the /usr/lib/security/fpm/data/high_fpm_list file and removes their setuid and setgid permissions. The -f file flag can also be used with the -c option.
-v Verbose output.
-p Previews the changes the fpm command is to make, but takes no action. This flag must be used in conjunction with the -l level flag.
-q Quit mode, which minimizes output and suppresses warnings.
-? Prints the usage statement.

Exit Status

Item Description
0 Success.
Non-zero Failure or partial failure. Use the -v flag for more details.

Security

The fpm command reduces the number of commands with setuid and setgid permissions.

Examples

  1. To apply the fpm command's low level security settings, enter: 
    fpm –l low
    This command also processes any file list in the /usr/lib/security/fpm/custom/med/ directory.
  2. To check if the system commands are presently set to fpm low-level permissions, enter: 
    fpm –c –l low
    This command reports any file with permissions out of conformance.
  3. To restore the traditional out-of-the-box default permissions, enter: 
    fpm –l default
    This command also processes any file list in the /usr/lib/security/fpm/custom/default/ directory.
  4. To list, or give a preview of what permission changes are to be done to make the system compliant with the fpm command's high-level security without changing any file permissions, enter: 
    fpm -l high –p
    This command also previews any file list in the /usr/lib/security/fpm/custom/high/ directory.
  5. To apply the fpm command's high level security settings, enter: 
    fpm –l high
    This command also processes any file list in the /usr/lib/security/fpm/custom/high/ directory.
  6. To list the current status of the system as changed through the fpm command, enter: 
    fpm –s
  7. If the fpm -l level command was run on 7 January 2007 at 8:00 a.m., then the permission state of the affected files was captured by the fpm command before it made any changes. To restore the file permissions to their state of 7 January 2007 at 8:00 a.m., enter: 
    fpm –l default –f /var/security/fpm/log/01072007_08:00:00

Files

Item Description
/usr/lib/security/fpm/data/default_list_example Contains the default out-of-the-box permissions and files.
/usr/lib/security/fpm/data/high_fpm_list Contains the list of files whose permissions can be changed with the -l high flag.
/usr/lib/security/fpm/data/med_fpm_list Contains the list of files whose permissions can be changed with the -l medium or -l low flag.
/usr/lib/security/fpm/custom/high/* Files in this directory can be used as user-configured input when the -l high level is selected. These files must contain a list of files, from which the fpm command removes setuid and setgid permissions.
/usr/lib/security/fpm/custom/medium/* Files in this directory serve the same function as the high-level directory, but are used with the -l medium flag and the -l low flag.
/usr/lib/security/fpm/custom/default/* Files in this directory serve the same function as the high-level directory, but are used with the -l default flag.
Note: These files must be in the same format as the /usr/lib/security/fpm/data/default_list_example file.
/usr/lib/security/fpm/data/status_fpm Contains the status of the file permissions changed from the last run of the fpm command.
/var/security/fpm/log/date_time Contains the list of files changed by the fpm command corresponding to the data and the time at which the command was run. This file can be used as the input file of the -f flag to restore permissions to this instance.