Aix 6 Security June 19
-
Upload
methukupally -
Category
Documents
-
view
174 -
download
8
Transcript of Aix 6 Security June 19
AIX Security Tools AIX Security Tools
AIX Users’ Group – Thurs. June, 19 2008AIX Users’ Group – Thurs. June, 19 2008
Marija MijalkovicPower Systems Technical SalesIBM [email protected]
2
Agenda
Introduction
AIX Security Expert (aixpert)
Secure by Default (SbD)
File Permission Manater (fpm)
Trusted Execution (TE)
Role Based Access Control (RBAC)
Encrypted Filesystems (EFS)
Trusted AIX (MLS)
Other new features
3
Introduction ...Introduction ...
Computer security ... Dynamic and changing world
Enterprises must be diligent to integrate many mechanisms to address threats.
Have to understand strengths and weaknesses, value of assests and source of threats.
OS is the foundation upon which the rest of the software stack builds its security
Historically AIX has provided solid security; new features only build on that.
A complete security model is a combination of technologies, business A complete security model is a combination of technologies, business practices and social engineering!practices and social engineering!
5 © 2008 IBM Corporation
AIX Security Features – What Do I really need?AIX Security Features – What Do I really need?
Feature Who Should Use itAIX Security Expert EVERYONE!!! Hardening scripts can be added as additional rules
and invoked by AIX SE.
Secure By Defualt Users who want minimal filesets installed and want strict control on what is added to the os. Network connectivity is disabled.
File Permission Mgr If you want to minimize programs with setuid bits on.
Role Bases Access Control
Organizations with many admins who don’t want to give them all root access and abilities.
Encrypted Filesystem Customers who want extra protection by encrypting files. Organizations required by legislation to encrypt sensitive data.
Trusted Execution Customers who want integrity checking on AIX os files and other customer specific files.
Workload Partitions Those who want added system isolation for applications/ environments; prevent them from interfering with one another
Trusted AIX Customers whose data has different security classification levels and want to remove the concept of an all powerful root id.
Long Passphrase Support Organizations that want to use longer passwords.
6 © 2008 IBM Corporation
AIX V6.1 Security Expert
Go Green & Save
Allows for new ways to efficiently manage security across multiple AIX systems
Realize Innovation
Can reduce the cost and complexity of security administration by allowing federated management of security profiles across multiple servers
Enables a more secure IT infrastructure by reducing the effort of maintaining system security
“Check” functionality can provide additional security by validating that the security profile for each system matches the actual security settings
Manage Growth, Complexity & Risk
A centralized security management tool that can control over 300 security settings from a single console
Administrators can start from a “Low”, “Medium”, “High” or “Sarbanes-Oxley” security template and customize settings to met business requirements
Security settings can be exported and imported as a security profile to multiple systems
On AIX V6.1, security profiles can be stored in an LDAP directory for ease of distribution
AIX Security Expert was first included in AIX V5.3 TL5
How it can help? What is it?
7
AIX Security Expert (aixpert) Introduced in AIX 5.3TL05 (53H)
Standardized Security Hardening Tool for AIX
Before settings via commands and SMIT panels
► Admins hardened systems with home grown scripts
Provides consistent view of a system's security configuration
► TCP/IP
► IPSec
► Auditing
► Logging
► Weak Password Checking (root only)
► File Permission Manager (s-bits)
Security Rules defined in XML via GUI
► check box style settings
► can be stored centralized in LDAP repository
► one template can be deployed on many machines
8
Standardized security settings invoked early in boot, before network vulnerability
undo option (reset, recursive)
Consistency checking – aixpert command builds file that can be used to check system settings at a later time
Stringent checks of weak root passwords
► dictionary checks (US English is provided, others can be created)
► Popular feature: default password rules based on industry best practicesbest practices
Previewing and audit logging now supported
► writing rules and policy to a file first, without altering the system
► any change made is logged to the audit subsystem, when enabled
Be careful when applying security level "high"
► telnetd and all r-cmds get disabled
► direct root login gets disabled (local and remote), enforcing 'su'
► strong password rules disable current root pw if it's too old
=> don't lock root out by accident!
AIX Security Expert (aixpert)
9 © 2008 IBM Corporation
AIX Security Expert Hardening GroupingsAIX Security Expert Hardening Groupings
Policy Grouping
Description
Password Aging, lengh, reset, expiration and valid characters
/etc/inetd.conf Disables programs such as tftp, telnet, UCP echo, rshd, and rexd
/etc/tcpip settings Disables many TCP apps in high security
Setuid Policy Removes setuid bits with fpm
/etc/inittab Disables programs like qdaemon, lpd, and piobe
Audit Policy Enables audit if not running
usr/group passwd def Passwords must be set and inobvious
Network Security Port scan detection and installs ipsec
SOX-COBIT config assist Sets policy to improve record keeping for audits
Password Checking Stringent dictionary checks for eliminating weak passwords
Check settings at a later time
Verify that the initial settings are still valid
10
Secure by Default (SbD)
Installation option
SbD is new default security option
► Installs a minimal set of software
► Does not allow network programs to be active before os is hardened
► Deletes components that use weak authorization (bos.net.tcp.client/server) and runs AIX Security Expert to apply hardening for level "high"
► Admin has to go back and install software on as-needed basis
"Bottom Up" Approach
► Reverses traditional "Top Down" approach of full install followed by hardening
Thorough planning strongly suggested
► Can all applications' requisites be fulfilled by this install template?
11
Secure by Default (SbD)
SbD Approach
Minimal AIX InstallEnhanced AIX
Capabilites
Full AIX InstallReduced AIX Capabilites
Hardening Process
Explicitly install and enable whats
needed
Traditional Approach
12
File Permission Manager (fpm)
New command fpm to reduce setuid and setgid binaries on AIX
► Best Practice for reducing trojan horses
► AIX has been around for a long time – setuid bits on many system programs has not been modified; tool replaces the need for customers to write their own scripts to reduce setuid and setguid programs
Stand-alone tool, backported to recent AIX 5.3 and 5.2 TLs
Using the tool
► Removes setuid and/or setgid bits on programs owned by privileged users
► Creates logfile of prior permissions for selective and recursive rollback / undo or default/factory settings
► fpm –l low/med/high for desired environment
► fpm –l default to restore default settings
► List of bits removed is stored in /usr/lib/security/fpm/data/xxx_fpm_data
► To create custom list of files modify /usr/lib/security/fpm/custom/xxx_fpm_data
13
Trusted Execution (TE) Signature Based Operating System Integrity Verification (SHA-256)
► create signature database at install time – Trusted Signature Database TSD
► verify system state by comparing important file attributes with TSD
► Uses secure hash algorithm with 256 bit key SHA-256 to calculate signature
► offline, e.g. check everyday through a cron job (much like 'tcbck')
► Run time, i.e. integrity checking at program execution
► system and customer specified files
► Replaces Trusted Computing Base (TCB)
Policy-driven► Monitor all executions and loadings of files listed in signature database
► Lock the signature database so even root cannot write to database
► Lock all "trusted files" to prevent alteration
Single command: 'trustchk'
14
Trusted Execution (TE) TSD is a stanza file; Add entries to it with trustchk –a
► After all changes are made, put TSD in lockdown mode; to get out of it reboot is necessary
Types of Files to keep in TSD
► Kernel and kernel extensions
► All setuid root programs
► Any program run only by root
► Important config files
► Any program that may alter system config files
All system files of this type are put in TSD by default; customer created files of above type should be added
Will block attemps to execute malicious code and important system file tampering (trojan horses)
15
Executable/
Module
Memory
Run Time Integrity Check
Hash/
Signature
Database
Calculate
Hash
Policy EngineEg: Disallow loads on non-match
System Integrity Check
Certificates
Database
Integrity Checker
Tool
System Integrity Status
Trojan Horse Detection
Signature
Database
**Install Time population**
vs.
Trusted Execution (TE)
16
AIX V6.1 Role Based Access Control (RBAC)
Go Green & Save
Allows for new ways to delegate administration duties between system administrators and non-administrative users
Realize Innovation
Can reduce the cost and complexity of security administration by allowing secure delegation of administrative tasks to non-privileged users
Enables a more secure IT infrastructure by reducing the need for so many privileged administrators
Assigning roles to programs can reduce the need for security exposures such as the use of setuid for programs
Manage Growth, Complexity & Risk
A new capability of AIX V6.1 that allows privileged administration tasks to be delegated to non-privileged users
Access to system resources are associated with roles that are assigned to non-privileged users
Many roles are predefined which can reduce the effort of implementing RBAC
Roles can also be associated with programs
How it can help? What is it?
UsersUsers Roles
DBA
BACKUP
AIX Resources
AIX Resources
17
Role Based Access Control (RBAC)
The ancient problem: Unix and the root user
► Unique user in the operating system with all privileges
► System administration tasks
● Install, backup/restore, user management, etc.
► Root necessary, but security concerns
● e.g. hijacking of process owned by root
► Reliance on a single trusted admin
● Otherwise passwords need to be shared => security issue
Before
► DAC – discretionary access rwx
RBAC requires planning but is a lower risk strategy!
18
Role Based Access Control (RBAC)
Starting with AIX 4.2 rudimental (legacy) RBAC controls were implemented using "authorizations" (s-bits) and role verification to de-escalate root's singular power
► new roles could be created but not new authorizations
AIX 6 introduces Enhanced RBAC with fully customizable authorizations maintained in separate (ASCII) files
► all files reside in /etc/security
► accessed directly by commands, SMIT
Mode selectable through system configuration, reboot required
► chdev -l sys0 -a enhanced_RBAC=true (default)
► enhanced_RBAC system environment variable
LDAP and WPARs supported
The end of 'sudo' ?
19
Role Based Access Control (RBAC)
Authorizations► Mechanism to grant access to commands or certain functionality.
► System defined or user defined
Roles► A group of authorizations that can be assigned to a user.
► Users switch into and out of roles to perform
perform priviledged operations
Privileges► Process attribute that allows process to bypass a security restriction.
Authorizations vs. Privileges► Auths exist only outside of kernel, Privs only inside
► Auths enable access to commands, Privs enable execution of single functions
► Authorizations are the keys that give access to priviledged commands
20
21
RBAC Infrastructure
Infrastructure to create and track authorization, roles and priviledges are stored in separate databases
► Authentication DB
► Role DB
► Priviledged command DB
► Privileged device DB
► Privledged File DB
22
Role Based Access Control (RBAC)
Authorizations are defined locally in /etc/security/authorizations
Authorization name may be up to 63 printable characters
Hierarchical naming support
► Dotted notation denotes hierarchy
● aix.system.boot.info► 9 levels of hierarchy allowed
► Parent authorization is superset of children
Authorization management commands:
► mkauth – Create authorizations
► chauth – Modify authorizations
► lsauth – List authorizations
► rmauth – Remove authorizations
Use 'tracepriv' on unknown commands to get a list of their requirements on privileges
23
No
Yes
Yes
No Does ProcessHave File SystemAccess Rights?
Execution Allowed
Is Commandin the
Database?
Is userAuthorized?
No
Raise Privilege to Bypass Access Rights Checks
Yes
Start
Execution Fails
Color Key
Historic Behavior
New Decisions
Role Based Access Control (RBAC)Privileged command execution decisions:
24
Main pre-defined AIX Roles:
ISSO Information Systems Security Officer► Establishes and maintains security policy
SA System Administrator► Creates user accounts, groups, etc.► Installs software packages
SO System Operator► Archives file system► Manages line printer► Shuts down system
Additional pre-defined AIX Roles:
AccountAdmin, BackupRestore, DomainAdmin, FSAdmin, SecPolicy, SysBoot, SysConfig.
Separation of duties through roles:
Role Based Access Control (RBAC)
25
Each invocation of swrole creates a new role session
► Roles not inherited from previous session
User may exit role session to return to previous role session
Role Based Access Control (RBAC)Role session transition:
26
$ rolelist -erolelist: 1420-062 There is no active role set.$ bootinfo -rksh: bootinfo: 0403-006 Execute permission denied.$ swrole SysBootfoo's Password: $ rolelist -eSysBoot System Boot Administration$ bootinfo -r524288$ ^D$ rolelist -erolelist: 1420-062 There is no active role set.
RBAC example of some regular user:
# lsuser -f foofoo: id=203 pgrp=staff groups=staff home=/home/foo shell=/usr/bin/ksh login=true su=true rlogin=true[...] roles=SysBoot
27
AIX V6.1 Encrypting Filesystem
Go Green & Save
Provides the capability for additional security for applications that may have security design exposures
Realize Innovation
Enables improved security by reducing unauthorized access to data, even by privileged users
Secure backups reduces the exposure of data compromised when backup media is taken outside of secure facilities
Automatic management of protection keys can reduce the administrative effort of using encrypted data
Manage Growth, Complexity & Risk
The capability to automatically encrypt data in a JFS2 filesystem
Data can be protected from access by privileged users
Backup in encrypted or clear formats
Automated key management - key store open on login, integrated into AIX security authentication
Each file encrypted with a unique key
No keys stored in clear in kernel memory
A variety of AES, and RSA cryptography keys supported
How it can help? What is it?
Always encrypted on disk
Data in clear in memory.
VMM
J2
Filesystem
CLiC
Crypto Lib
User and Group Key Stores
Crypto Kernext
Kernel ucred open key store
Login Authentication Module
Key Store
Mgt Cmds
BOS Cmds
Backup/Restore
Cp, mv, crfs, etc
28
Encrypted File System (EFS) Embedded in JFS2, not stacked, for performance and reliability
► all JFS2 operations can be performed with an EFS
● mounting and unmounting, increasing and decreasing size, defragmenting, removing, ...
● No NFS or GPFS support► Transparent to users and sysadmins
Each file is encrypted with a separate key (stored in its meta data)
Encryption/Decryption happens in memory, not on storage
User keystore gets opened and loaded by login password or separate pw
► login pw is distinct from keystore pw
► Keystore holds user's private and public key (asymmetric encryption, RSA)
► Access to data via symmetric encryption (AES)
► Access to keys for symmetric encryption via asymmetric (RSA) encryption
► RSA wraps the symmetric key used for encrypting files
29
Encrypted File System (EFS) Prereqs
► CryptoLite in C (CLiC) library and kernel extension must be installed and loaded
► Enhanced RBAC must be enabled (default in AIX6)
► EFS must be explicity enabled (can be done at any time using 'efsenable')
► ‚‘efsenable‘ creates the EFS keystore
New and existing FSs can be encrypted
► smitty crfs -> "Enable EFS? [yes]"
► 'crfs' or 'chfs' along with "-a efs=yes"
► not to be applied on "/", /usr, /var and /opt since keystore can't be opened during boot
● but that's OK, since EFS' main focus is on protecting user/application data
► encrypted files can be identified by 'ls -U'
● # ls -U file*-rw-r--r--- 1 root system 0 May 14 13:22 file1-rw-r--r--e 1 root system 0 May 14 13:22 file2
User key management is provided with 'efskeymgr' command
Performance penalty is said to be low
► best practice: use it selectively where needed, not everywheree.g. on sensitive filesystems only, selected DB columns, etc.
30
Encrypted File System (EFS)Encrypted File System (EFS)
Key Cache
Encrypted
File
File System Layer
Clear File accessEdit abcLogs in
KeystoreMemory
password generates access key,
access key opens keystore
keystore contains user's private and public key (RSA 1, 2, 4K)
(current and old ones)
each file's datablocks are encrypted symmetrically using individual keys, stored in their EAs, AES (128, 192, 256 CBC+ECB)
those symm. keys are "enveloped" with authorized users' public keys
PKCS#12
31
Encrypted File System (EFS)Encrypted File System (EFS)
Two keystore protection modes
► Root Admin Mode
● Pro: Root can reset user and group key store access passwords● Con: Root might be able to gain access to a user’s key store and
encrypted files► Root Guard Mode
● Pro: Root cannot reset user and group key store access passwords
● Con: Root cannot gain access to a user’s key store and encrypted files, even when neccessary!
EFS backup Best Practices
► Backup raw encrypted form
► Backup the file owner’s keystore
► The file owner’s keystore password must also be "saved" or files must be reencrypted in a timely manner when keystore pw changes
32
Trusted AIX (MLS)
Integrated Multi Level Security Model
► DAC - traditional Discretionary Access Control (user defined)
► MAC - Bell-LaPadula's Mandatory Access Control (system defined)
► MIC - Biba's Mandatory Integrity Control (system defined)
► Role definition and separation of duty
● e.g. user creation by security officer: SO and User login enablement by Information System Security Officer: ISSO
► Labels on objects, subjects, labeled printing, labeled networking
► Trusted operating system: integrity checker, trusted path
=> a system's policy defines and enforces rights and permissions, not some user (at their discretion)
Installtime-only option
Meet or exceed government standards for maximum security
33
MAC and MIC are additionallayers to DAC
All checks have to bepassed to get access
Default settingsprovide theusual "look and feel"
DAC
MAC
MIC Object
Subject
DAC
MAC
MIC
Trusted AIX (MLS)
34
Long Password / Passphrase Support Support for > 8 character user passwords
Loadable Password Algorithms (LPAs) introduced 5.3 and 5.2
No additional filesets needed
Default is still 'crypt'
Configured in /etc/security/login.cfg and /etc/security/pwdalg.cfg
► can be activated and deactivated (fallback to crypt) any time
► replaces passwords once they're set or changed
► existing passwords remain unchanged
► Store passwords with algorithms MD5, SHA{1,256,512} and blowfish
► Up to 255 characters
► Passphrase support <<My vacation to Hawaii‚>>
usw: shells = /bin/sh,/bin/bsh,[...] maxlogins = 32767 logintimeout = 60 maxroles = 8 auth_type = STD_AUTH pwd_algorithm = ssha512
Example
35
Miscellaneous new features (many already available in 53...)
LDAP Enhancements
► e.g. 'lsldap' and Microsoft Active Directory support for AIX clients
IPSec enhanced w/ AES
Secure ftp
TCP Wrappers
► open source programs that allow access control on TCP connections
ipfilter
► Open Source IP filter tool and NAT (network address translation)
► multi-platform; one set of rule for heterogeneous environment
SED - Stack Execution Disable
► general buffer overflow exploit prevention
► Buffer overflows still most common security exploits
Cryptographic Accelerator PCI-X adapter with support for CCA and PKCS#11
36
ResourcesResources
Redbook SG24-7430 "AIX 6 Advanced Security Features: Introduction and Configuration"► http://www.redbooks.ibm.com/abstracts/sg247430.html?Open
● Excellent reference, good overview and intros to various topics, e.g. cryptography, I/T security in general, etc.
● May not be 100% technically accrate due to late changes in beta code
The AIX 6.1 Security Guide► http://publib.boulder.ibm.com/infocenter/pseries/v6r1/topic/
com.ibm.aix.security/doc/security/security.pdf● Deep dive reference as part of the system documentation in InfoCenter
37
Role Based Access Control (RBAC)
aix
device
fs
network
proc
ras
security
system
wpar
boot
config
install
stat
create "Create Boot Image"
halt "Halt the System"
info "Display Boot Information"
reboot "Reboot the System"
shutdown "Shutdown the System"
aix.system.boot.info
Naming convention for authorizations: hierarchical
/usr/sbin/bootinfo: accessauths = aix.system.boot.info innateprivs = PV_DAC_R,PV_DAC_W,PV_DEV_CONFIG,PV_KER_RAS
Example
38
MAC: Bell-LaPadula Confidentiality Model► Access control security attributes:
● Hierarchical security levels● Non Hierarchical categories
► Emphasis on leakage of information and the access control► Focus on data
write same
read sameobject(HIGH SL)
subject(HIGH SL)
read same
write same
subject(LOW SL)
object(LOW SL)
writedown
readdown
readup
writeup
Trusted AIX (MLS)
39
write same
read sameobject(HIGH IL)
subject(HIGH IL)
read same
write same
subject(LOW IL)
object(LOW IL)
writedown
readdown
writeup
readup
MIC: Biba Integrity Model
► Access control security attributes:
● Hierarchical integrity levels
● Non hierarchical integrity categories
► Emphasis on modification of information and thus ensuing integrity issues
► Focus on execution
Trusted AIX (MLS)