AIXpert - AIX Security Expert
AIX 6.1 Security Expert, May 2011
Uploaded by dlfrench, posted 28-Nov-2014

Page 1: AIX 6.1 Security Expert

AIX 6.1 Security Expert
May 2011
AIXpert

Page 2: AIX V6.1 Security Expert

© Copyright 2010 by Mt Xia Inc, All rights reserved.

A new capability of AIX V6.1 that allows privileged administration tasks to be delegated to non-privileged users
Access to system resources is associated with roles that are assigned to non-privileged users
Many roles are predefined, which can reduce the effort of implementing RBAC
Roles can also be associated with programs

Page 3: Role Based Access Control (RBAC)

Authorizations
– Mechanism to grant access to commands or certain functionality
– Context aware

Roles
– A container for authorizations that can be assigned to a user

Privileges
– Process attribute that allows a process to bypass a security restriction
– Not context aware

Authorizations vs. Privileges
– Auths exist only outside of the kernel, Privs only inside
– Auths enable access to commands, Privs enable execution of single functions
– e.g. "run mkuser" vs. "PV_DAC_W"

Page 4: Role Based Access Control (RBAC)

Separation of duties through roles:

Main pre-defined AIX Roles:
– ISSO Information Systems Security Officer
  • Establishes and maintains security policy
– SA System Administrator
  • Creates user accounts, groups, etc.
  • Installs software packages
– SO System Operator
  • Archives file system
  • Manages line printer
  • Shuts down system
– Additional pre-defined AIX Roles:
  • AccountAdmin, BackupRestore, DomainAdmin, FSAdmin, SecPolicy, SysBoot, SysConfig

Page 5: AIX V6.1 Security Expert: How it can help?

A centralized security management tool that can control over 300 security settings from a single console.
Administrators can start from a "Low", "Medium", "High" or "Sarbanes-Oxley" security template and customize settings to meet business requirements.
Security settings can be exported and imported as a security profile to multiple systems.
On AIX V6.1, security profiles can be stored in an LDAP directory for ease of distribution.
AIX Security Expert was first included in AIX V5.3 TL5.

Page 6: Secure by Default (SbD)

AIX 6 introduces three new security installation options
– Trusted AIX (MLS) – Multi-Level Security
– LSPP/EAL4+ – Labeled Security Protection Profile and Evaluation Assurance Level 4+
– SbD – Secure by Default

SbD is the new default security option
– Installs a minimal set of software
– Deletes components that use weak authorization (bos.net.tcp.client|server) and runs AIX Security Expert to apply hardening for level "high"
– Additional software installed on an as-needed basis

Page 7: Secure by Default (SbD) (Continued)

"Bottom Up" Approach
– Reverses the traditional "Top Down" approach of a full install followed by hardening

Thorough planning strongly suggested
– Can all applications' requisites be fulfilled by this install template?

Page 8: Secure FTP

Based on OpenSSL
– needed to set up and handle keys and certificates

ftp and ftpd are secured using the TLS protocol
– Command channel and data channel are encrypted

Nice add-on to OpenSSH's 'scp' and 'sftp'
– e.g. data exchange with legacy systems not offering SSH

Client usage is 'ftp -s …'
– TLS settings are configured in the user's ~/.ftpcnt file

Server usage is implicit
– TLS settings are configured in /etc/ftpd.cnf

Page 9: AIX V6.1 Encrypting Filesystem

Automatically encrypt data in a JFS2 filesystem
Data can be protected from access by privileged users
Backup in encrypted or clear formats
Automated key management
– key store opened on login, integrated into AIX security authentication
Each file encrypted with a unique key
No keys stored in clear in kernel memory
A variety of AES and RSA cryptography keys supported

Page 10: AIX V6.1 Encrypting Filesystem

Embedded in JFS2, not stacked, for performance and reliability
– all JFS2 operations can be performed with an EFS
  • mounting and unmounting, increasing and decreasing size, defragmenting, removing, …
  • but no NFS or GPFS support
– In stacked FSs, data may be lost through strong encryption when the crypto metadata write and the data write are out of sync
Each file is encrypted with a separate key (stored in its EAs)

Page 11: AIX V6.1 Encrypting Filesystem (Continued)

Encryption/Decryption happens in memory, not on storage
– hence no DIO/CIO
User keystore gets opened by the login password or a separate password
– login password is distinct from the keystore password
– holds the user's private and public key (asymmetric encryption, RSA)
– public key is used to access the shared secret for file en/decryption (symmetric encryption, AES)
– hybrid approach for the sake of performance (e.g. like TLS)

Page 12: Encrypted File System (EFS)

Prereqs
– CryptoLite in C (CLiC) library and kernel extension must be installed and loaded
– Enhanced RBAC must be enabled (default in AIX 6)
– EFS must be explicitly enabled (can be done at any time using 'efsenable')

New and existing FSs can be encrypted
– smitty crfs -> "Enable EFS? [yes]"
– 'crfs' or 'chfs' along with "-a efs=yes"
– not to be applied on "/", /usr, /var and /opt since the keystore can't be opened during boot
– but that's OK, since EFS' main focus is on protecting user/application data
– encrypted files can be identified by 'ls -U'

Page 13: Encrypted File System (EFS)

# ls -U file*
-rw-r--r--- 1 root system 0 May 14 13:22 file1
-rw-r--r--e 1 root system 0 May 14 13:22 file2

User key management is provided with the 'efskeymgr' command

Performance penalty is said to be low*
– best practice: use it selectively where needed, not everywhere, e.g. on sensitive filesystems only, selected DB columns, etc.
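The listing above is the only visible sign of whether a file is encrypted: `ls -U` appends an eleventh character to the mode field, 'e' for an EFS file and '-' otherwise. The following is an added example, not code from the slides, that parses such a listing and reports which regular files in a directory that is supposed to hold sensitive data are still in clear. The sample listing is constructed; the column layout is taken from the two lines on the slide.

```python
"""Added example (not from the slide deck): find unencrypted files in an
`ls -U` listing. AIX `ls -U` appends an 11th character to the mode field:
'e' for an EFS-encrypted file, '-' otherwise (the slide shows both cases).
The sample listing below is constructed, not captured from a system."""
import re

# Constructed sample in the layout shown on the slide.
SAMPLE_LS_U = """\
-rw-r--r--- 1 root system 0 May 14 13:22 file1
-rw-r--r--e 1 root system 0 May 14 13:22 file2
-rw-------e 1 appuser dba 4096 May 14 13:25 salaries.db
drwxr-xr-x- 2 root system 256 May 14 13:20 subdir
"""

# mode (10 chars) + EFS flag (1 char), link count, owner, group, size,
# three date tokens, then the name (which may itself contain spaces).
LINE_RE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxstST]{9})(?P<efs>[-e])\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

def parse_ls_u(text):
    """Return a list of (name, is_dir, is_encrypted, owner) for each entry."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip 'total N' headers and anything unparsable
        entries.append((m["name"], m["mode"][0] == "d", m["efs"] == "e", m["owner"]))
    return entries

def unencrypted_files(text):
    """Regular files whose EFS flag is '-' (directories carry no file key)."""
    return [name for name, is_dir, enc, _ in parse_ls_u(text) if not is_dir and not enc]

if __name__ == "__main__":
    for name in unencrypted_files(SAMPLE_LS_U):
        print("not encrypted:", name)
```

Feeding it the real output of `ls -lU` on an EFS-enabled filesystem turns the slide's best-practice advice (encrypt selectively, but encrypt what matters) into a check that can run from cron.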

Page 14: Encrypted File System (EFS)

Two keystore protection modes
– Root Admin Mode
  • Pro: Root can reset user and group key store access passwords
  • Con: Root might be able to gain access to a user's key store and encrypted files
– Root Guard Mode
  • Pro: Root cannot reset user and group key store access passwords
  • Con: Root cannot gain access to a user's key store and encrypted files, even when necessary!

EFS backup Best Practices
– Backup the raw encrypted form
– Backup the file owner's keystore
– The file owner's keystore password must also be "saved", or files must be re-encrypted in a timely manner when the keystore password changes

Page 15: AIX V6.1 Systems Director Console for AIX

A new web based management tool that provides easy access to common system administration tasks
Administrators can access Systems Management Interface Tool (SMIT) menus from a browser
Graphical user interface is fast and consistent with the IBM Systems Director look and feel
All necessary components for the Console are included in AIX
The Distributed Command Execution Manager (DCEM) feature of the Console allows an administrative task to run on multiple systems at once

Page 16: IBM Systems Director Console

Remote AIX management from a web browser
– Verify fileset installation
# lslpp -h sysmgt.pconsole.rte

Use SRC to control the director console
# lssrc -s pconsole
Subsystem         Group            PID          Status
 pconsole         pconsole         319644       active

Stop and start with startsrc and stopsrc

Access from your browser
– http://HostName:5335/ibm/console

View and save commands like smit

Config file
– /pconsole/lwi/conf/overrides/config.properties

Page 17: WPAR command support

From the global LPAR use the -@ flag to designate the WPAR

# ps -ef -@ ec08
 WPAR  UID    PID   PPID C    STIME TTY  TIME CMD
 ec08 root 217128 389182 0 15:00:58   - 0:00 /usr/sbin/rsct/b
 ec08 root 266398 389182 0 15:00:21   - 0:00 /usr/sbin/rsct/b
 ec08 root 278634 389182 0 15:00:20   - 0:00 /usr/sbin/rpc.lo
 ec08 root 290942 389182 0 15:00:18   - 0:00 /usr/sbin/biod 6

Page 18: WPAR command support

From the WPAR use normal commands

# ps -ef
 UID    PID   PPID C    STIME TTY  TIME CMD
 root 217128 389182 0 15:00:58   - 0:00 /usr/sbin/rsct/bin/IBM.Sensor
 root 266398 389182 0 15:00:21   - 0:00 /usr/sbin/rsct/bin/rmcd -a IB
 root 278634 389182 0 15:00:20   - 0:00 /usr/sbin/rpc.lockd -d 0
 root 290942 389182 0 15:00:18   - 0:00 /usr/sbin/biod 6
 root      1      0 0 15:00:04   - 0:00 /etc/init

Page 19: WPAR command support

Some commands are not supported from the WPAR

# netstat -rn
Routing tables
Destination Gateway Flags Refs Use If Exp Groups
netstat : Permission error, unable to continue.

Page 20: WPAR command support

Network adapters are aliases on the global partition

# ifconfig en0
en0: flags=1e080863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,...
        inet 9.19.51.153 netmask 0xffffff00 broadcast 9.19.51.255
        inet 9.19.51.154 netmask 0xffffff00 broadcast 9.19.51.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1

Page 21: AIX Security Feature Release Schedule

Feature                              Release
AIX Security Expert                  AIX 5.3 TL5
Secure By Default                    AIX 6.1
File Permission Manager              AIX 5.2, 5.3, 6.1
Role-based Access Control            AIX 6.1
Encrypted File System                AIX 6.1
Trusted Execution                    AIX 6.1
Trusted AIX                          AIX 6.1

Page 22: AIX Security Feature Release Schedule

Feature                              Release
Long Passphrase                      AIX 5.2, 5.3, 6.1
Configurable Password Algorithms     AIX 5.3, 6.1
Enhancements for LDAP R2 Support     AIX 5.3 TL6

Page 23: LDAP

Support for extended base DN format
Support for multiple base DN definitions
AIX LDAP Client support against Microsoft Active Directory

Page 24: AIX LDAP Client support against Microsoft Active Directory

Enable the AIX client to use Active Directory (AD) LDAP
– Support AD similar to any RFC 2307 compliant LDAP server
AD users must be UNIX enabled
AD must have UNIX schema support installed
Users can be managed from the AIX LDAP client, but the system administrator should create users in AD.
Transparent to administrators and users
– Hide all implementation details
– Use 'mksecldap' to configure the AIX client to operate with AD

Page 25: IPSEC Suite

Fileset: bos.net.ipsec

Firewall
– Packet filtering
– Stateful inspection filtering
NAT Support
Virtual Private Network
– FTP
– IKE/ISAKMP
Port Scan Protection
– SSH
Pattern Matching
– Supports ClamAV virus DB*
AIX is IPv6 Certified
AES support

Page 26: IP Filter

IP Filter is also known as IPF.
Open source internet protocol filtering tool
Acts as a firewall
Allows for consistent firewall rule tables in a heterogeneous environment (AIX, HP, Solaris, Linux)
Provides NAT support

Page 27: OpenSSH & TCP Wrapper

OpenSSH
– http://sourceforge.net/projects/openssh-aix
– Client and server connectivity encryption tool
– Supports Triple DES & Blowfish encryption protocols
– Eliminates clear text passwords and traffic over the network
– NLS Enablement
– Kerberos v5 as an optional authentication method
– New version to ship in November, SSH 4.6

TCP Wrapper
– Open source tool that protects access to network services such as telnet, ftp, r-commands, etc.
– It can be configured to explicitly deny or permit remote hosts attempting to access these services
– Monitors access to services and reports via a log file and/or can be integrated into the AIX audit utility

Page 28: PCI-X Cryptographic Coprocessor (4764)

FIPS 140-2 Level 4 certified
Common Cryptographic Architecture (CCA) and PKCS11 APIs

Page 29: 4764 CCA API Functionality

On board API functionality:
– DES and 3DES encryption and message authentication
– RSA digital signatures (up to 2048 bits)
– DES, 3DES and RSA key management
Secure Electronic Transaction (electronic commerce functions)
ATM and POS PIN processing
Key diversification for smart card applications

Page 30: CCA Applications

Banking and finance
Electronic commerce
Certificate Authorities
General purpose encryption services
Custom applications
– Limited basis under custom contracts

Page 31: Stack Execution Disable (SED)

SED protects against the most common and most exploited vulnerability:
A stack buffer overflow usually causes application and/or operating system termination. More sophisticated attackers will use it to escalate their privileges in order to gain control of the system.

Page 32: Stack Execution Disable: Administration

Stops buffer overflow based vulnerabilities
– Disables execution on the stack and heap
  • Uses process page level protection
  • Processor interrupts the OS on exceptions
Control granularity
– Off/On (all)
– Select
– setuid and setgid files
Two modes of operation
– Monitor & Operational
Logging
– Logged events are sent to the AIX error log

Page 33: Stack Execution Disable: Administration cont.

Offers system-wide protection of all files when ON
– Drawback is Java and GCC, which may legitimately execute on the stack
Select file protections
– Network services
– Mission critical applications and services
setuid/setgid permission
– Protection against escalation of privileges

Page 34: Other System p AIX Offerings

Virtual IO Server v1.3 Security Enhanced
– Common Criteria certified EAL4+ under CAPP & LSPP
– Implements AIX Security Expert
– Fully customizable set of security policies
– Built in firewall
– 'viosecure' command enables and alters the state of the firewall
  • Default rule is deny
  • Limited set of network services permitted

Page 35: AIX Security Expert: Overview

Network and OS hardening tool
Result of hardening and security research
Brings 300+ security settings to a central point of control
Simplifies complex security configuration
Extensible to enterprise specific settings and software
Single system configuration applied to the whole enterprise

Page 36: AIX Security Expert: Bringing the Security Pieces Together

Network and OS Security Hardening Tool
Knowledge of a multitude of Unix hardening papers
Brings 300+ Security Settings to Central Control
Simplifies Complex Security configuration
Extensible to Enterprise specific settings and software
Configure one system, and apply the template throughout the enterprise.

Page 37: AIX Security Expert

Security Expertise in the Tool
Simple Configuration Settings
– High, Medium, Low
Advanced settings
Each setting offers system admin selectable detail of settings.
Undo option
– Recursive undo of settings
Consistent Security Option for Enterprise

Page 38: AIX Security Expert

AIX Security Hardening Groupings
– Password Administration
– Login Policy
– Audit
– /etc/inittab
– /etc/rc.tcpip
– /etc/inetd.conf
– remove SUID (remove bit from r-cmds)
– Network Tuning ('no' security options)
– IP Security (firewall) port scans
– Misc

Page 39: AIX Security Expert

Simple Solid Design
Core engine never changes
Engine has no knowledge of High, Med, Low, Advanced, Undo
All security settings described in XML rules
Undo XML built dynamically

Page 40: AIX Security Expert

XML format /etc/security/aixpert/core/aixpertall.xml

<AIXPertEntry name="minagehls">
  <AIXPertRuleType> 1 </AIXPertRuleType>
  <AIXPertRuleState>Desired</AIXPertRuleState>
  <AIXPertDescription> Specifies the minimum number of weeks to 1 week, before a password can be changed </AIXPertDescription>
  <AIXPertPrereqList> bos.rte.date, bos.rte.commands, bos.rte.security, bos.rte.shell, bos.rte.ILS </AIXPertPrereqList>
  <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
  <AIXPertArgs>minage= 1 ALL minagehls</AIXPertArgs>
</AIXPertEntry>

Page 41: AIX Security Expert

Security Configuration Saved in
– /etc/security/aixpert/core/appliedaixpert.xml
Configure one system, stamp appliedaixpert.xml on the rest of the enterprise, for uniform security settings
– After configuring one system, the settings implemented on that system are saved in the appliedaixpert.xml file
– Via a secure out of band method, copy this file to other systems
– Run a single command to implement these exact settings on other systems
– /usr/sbin/aixpert -f appliedaixpert.xml

Page 42: AIX Security Expert

Check Security; has anything changed?
Check Security compares the current system configuration with
– /etc/security/aixpert/core/appliedaixpert.xml
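Pages 40 to 42 describe the rule format, the saved profile and the "Check Security" comparison without showing what a comparison actually does with an entry. The block below is an added example, not IBM's aixpert code and not from the deck: it parses AIXPertEntry elements in the page-40 layout, turns chusrattr rules into desired user attributes, and reports drift against a constructed snapshot of current attributes (the kind of data `lsuser` would return). The second rule, the snapshot, and the reading of AIXPertArgs as "attr= value USER rulename" for every chusrattr rule are this example's assumptions, generalised from the single entry on the slide.

```python
"""Added example (not code from the deck or from IBM's aixpert): parse
AIXPertEntry rules in the aixpertall.xml layout of page 40 and run a drift
check of the kind 'Check Security' performs, against a constructed snapshot
of current user attributes. Assumption: every chusrattr rule's AIXPertArgs
reads 'attr= value USER rulename', generalised from the slide's example."""
import xml.etree.ElementTree as ET

# Constructed: the page-40 entry plus one made-up rule, wrapped in a root element.
SAMPLE_RULES = """<AIXPert>
<AIXPertEntry name="minagehls">
 <AIXPertRuleType> 1 </AIXPertRuleType>
 <AIXPertRuleState>Desired</AIXPertRuleState>
 <AIXPertDescription> Specifies the minimum number of weeks to 1 week, before a password can be changed </AIXPertDescription>
 <AIXPertPrereqList> bos.rte.date, bos.rte.commands, bos.rte.security, bos.rte.shell, bos.rte.ILS </AIXPertPrereqList>
 <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
 <AIXPertArgs>minage= 1 ALL minagehls</AIXPertArgs>
</AIXPertEntry>
<AIXPertEntry name="maxagehls">
 <AIXPertRuleType> 1 </AIXPertRuleType>
 <AIXPertRuleState>Desired</AIXPertRuleState>
 <AIXPertDescription> constructed rule: maximum password age of 13 weeks </AIXPertDescription>
 <AIXPertPrereqList> bos.rte.security </AIXPertPrereqList>
 <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
 <AIXPertArgs>maxage= 13 ALL maxagehls</AIXPertArgs>
</AIXPertEntry>
</AIXPert>"""

def parse_rules(xml_text):
    """Return {rule name: {'command', 'args', 'state', 'prereqs'}} for each entry."""
    rules = {}
    for e in ET.fromstring(xml_text).iter("AIXPertEntry"):
        def text(tag, e=e):
            return (e.findtext(tag) or "").strip()
        rules[e.get("name")] = {
            "command": text("AIXPertCommand"),
            "args": text("AIXPertArgs"),
            "state": text("AIXPertRuleState"),
            "prereqs": [p.strip() for p in text("AIXPertPrereqList").split(",") if p.strip()],
        }
    return rules

def desired_user_attrs(rules):
    """From chusrattr rules, derive {scope: {attr: value}}; scope is 'ALL' or a login."""
    desired = {}
    for r in rules.values():
        if not r["command"].endswith("/chusrattr"):
            continue
        tokens = r["args"].split()
        if tokens[0].endswith("="):              # 'minage= 1 ALL rule' (slide layout)
            attr, value, scope = tokens[0][:-1], tokens[1], tokens[2]
        else:                                    # tolerate 'minage=1 ALL rule'
            attr, value = tokens[0].split("=", 1)
            scope = tokens[1]
        desired.setdefault(scope, {})[attr] = value
    return desired

def check_security(rules, current_users):
    """Return [(user, attr, desired, actual)] for every attribute that drifted."""
    desired = desired_user_attrs(rules)
    drift = []
    for user, attrs in current_users.items():
        wanted = dict(desired.get("ALL", {}))
        wanted.update(desired.get(user, {}))     # per-user rules override ALL
        for attr, value in sorted(wanted.items()):
            actual = attrs.get(attr)
            if actual != value:
                drift.append((user, attr, value, actual))
    return drift

# Constructed snapshot of lsuser-style attributes: the template was applied,
# then one account was hand-edited and one was created without the defaults.
CURRENT_USERS = {
    "root":    {"minage": "1", "maxage": "13"},
    "cingram": {"minage": "0", "maxage": "13"},  # drift: minage reset to 0
    "dbadmin": {"minage": "1"},                  # drift: maxage never set
}

if __name__ == "__main__":
    for finding in check_security(parse_rules(SAMPLE_RULES), CURRENT_USERS):
        print("drift: user=%s attr=%s desired=%s actual=%s" % finding)
```

Run against a real appliedaixpert.xml the parser half works as is; the snapshot half would be replaced by output of `lsuser -a minage maxage ALL`, which is what makes the page-42 question "has anything changed?" answerable per account rather than per rule.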

Page 43: AIX Security Expert

Security Hardening at install time with Config Assist
AIX Security Expert can be accessed at install time via Config Assist
AIX security settings are unchanged unless the user selects Configure Security from the Config Assist menu
– Default Config Assist Security Level is Low Level Security
NIM Post Install script to automatically configure Security
– /etc/security/aixpert/core/appliedaixpert.xml

Page 44: AIX Security Expert

More on High, Medium, and Low Level Security
High
– Security is paramount
– On an unsafe network
Medium
– Safe network
– Clear text passwords over the network are OK
Low
– Common non-disruptive security settings
Standard AIX

Page 45: AIX 5L 6.1 Security Features

Enhanced AIX Security Expert
Multilevel Security (MLS)
Role-based Access Control
Trusted Execution
Encrypted File System

Page 46: Enhanced AIX Security Expert

appliedaixpert.xml distributed through LDAP
– No need for sneaker-net or secure copy
Performance boost
– XML parsing via C library routines
"Secure by Default"
– Initial installation is a minimal install
– High security level is applied during install
File Permission Manager
SOX/Cobit Compliance Assistant
– Wizard for setting up the system to comply with SOX requirements

Page 47: Secure by Default

#name     program                                  arguments
ftp       /usr/sbin/ftpd                           ftpd
telnet    /usr/sbin/telnetd                        telnetd -a
shell     /usr/sbin/rshd                           rshd
login     /usr/sbin/rlogind                        rlogind
exec      /usr/sbin/rexecd                         rexecd
comsat    /usr/sbin/comsat                         comsat
uucp      /usr/sbin/uucpd                          uucpd
bootps    /usr/sbin/bootpd                         bootpd /etc/bootp
finger    /usr/sbin/fingerd                        fingerd
systat    /usr/bin/ps                              ps -ef
netstat   /usr/bin/netstat                         netstat -f inet
tftp      /usr/sbin/tftpd                          tftpd -n

Page 48: Secure by Default (Continued)

#name     program                                  arguments
talk      /usr/sbin/talkd                          talkd
ntalk     /usr/sbin/talkd                          talkd
rquotad   /usr/sbin/rpc.rquotad                    rquotad 100011 1
rexd      /usr/sbin/rpc.rexd                       rexd 100017 1
rstatd    /usr/sbin/rpc.rstatd                     rstatd 100001 1-3
rusersd   /usr/lib/netsvc/rusers/rpc.rusersd       rusersd 100002 1-2
rwalld    /usr/lib/netsvc/rwall/rpc.rwalld         rwalld 100008 1
sprayd    /usr/lib/netsvc/spray/rpc.sprayd         sprayd 100012 1
pcnfsd    /usr/sbin/rpc.pcnfsd                     pcnfsd 150001 1-2
instsrv   /u/netinst/bin/instsrv                   instsrv -r /tmp/netinstalllog /u/netinst/scripts
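The two tables above list services in the "name, program, arguments" shape of inetd entries but do not say how Secure by Default treats them. The following is an added example, not from the deck or from IBM, that reads rows in that three-column layout (taken here to be /etc/inetd.conf entries, which the slides imply but do not state), flags the services whose exposure the deck itself criticises elsewhere (clear-text passwords, r-commands, information disclosure), and writes out the file with those entries commented. The input rows are constructed from the tables; the reasons in FLAGGED are this example's annotations.

```python
"""Added example (not from the deck): flag inetd services that a
Secure-by-Default style hardening would leave disabled, and emit the file
with those entries commented out. The sample is constructed in the
three-column 'name program arguments' layout of pages 47-48; treating the
rows as /etc/inetd.conf entries is this example's assumption."""

# Constructed from the rows on pages 47-48 (a subset), plus the comment line.
SAMPLE_INETD = """\
#name program arguments
ftp /usr/sbin/ftpd ftpd
telnet /usr/sbin/telnetd telnetd -a
shell /usr/sbin/rshd rshd
login /usr/sbin/rlogind rlogind
exec /usr/sbin/rexecd rexecd
finger /usr/sbin/fingerd fingerd
tftp /usr/sbin/tftpd tftpd -n
rstatd /usr/sbin/rpc.rstatd rstatd 100001 1-3
bootps /usr/sbin/bootpd bootpd /etc/bootp
"""

# Services to disable and why; bootps is deliberately left to the
# administrator's judgement, so it stays active in the hardened output.
FLAGGED = {
    "ftp":     "clear-text credentials; deck recommends TLS ftp or sftp/scp",
    "telnet":  "clear-text credentials",
    "shell":   "r-command, host-based trust",
    "login":   "r-command, host-based trust",
    "exec":    "r-command, clear-text credentials",
    "finger":  "discloses account information",
    "tftp":    "unauthenticated file transfer",
    "rstatd":  "discloses host statistics",
    "rusersd": "discloses logged-in users",
    "systat":  "discloses process list",
    "netstat": "discloses network state",
}

def parse_inetd(text):
    """Return [(name, program, args)] for active entries; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        name, program = parts[0], parts[1]
        args = parts[2] if len(parts) > 2 else ""
        entries.append((name, program, args))
    return entries

def audit_inetd(text):
    """Return {service: reason} for every active entry the policy would disable."""
    return {name: FLAGGED[name] for name, _, _ in parse_inetd(text) if name in FLAGGED}

def harden_inetd(text):
    """Return the file with flagged entries commented out and the reason recorded."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        name = stripped.split(None, 1)[0] if stripped and not stripped.startswith("#") else None
        if name in FLAGGED:
            out.append("#" + line + "   # disabled by hardening: " + FLAGGED[name])
        else:
            out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for svc, why in audit_inetd(SAMPLE_INETD).items():
        print("disable %-8s %s" % (svc, why))
    print(harden_inetd(SAMPLE_INETD))
```

On a real system the same audit is what "Check Security" would flag under the /etc/inetd.conf grouping of page 38 if someone re-enabled telnet after the template was applied; the commented copy is a review artefact, and inetd is told about the change with `refresh -s inetd`.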

Page 49: Role-Based Access Control

STOP giving out the root user's password
Distribute administration of the system to disparate and unconnected users.
– i.e. Human resources creates the user, finance changes the user's salary, operations defines authorizations and management creates roles
The goal of RBAC is to reduce or eliminate the use of "root"
RBAC is installed and active by default
– Integrated into the kernel and installed commands

Page 50: Role-Based Access Control: Background v5.3

RBAC was previously provided by PitBull (AIX v5.3)
Limited set of roles
Authorizations are hard-coded into the command code
User "root" cannot be completely removed
Third party applications are required to code authorizations into their commands

Page 51: Role-based Access Control

Distribution of root roles to system users
– Gives user "cingram" the authority to create users, but does not give them access to set passwords
More levels of granularity than previously offered
– Users can assume a very specific role
– System-defined roles and user-defined roles
Integration into LDAP
– Authorization tables do not have to be stored locally
Option to eliminate the root user
– Removes the "golden egg" from the system
Reduces collaborative attacks from insiders
– Least privilege security model reduces exposure and increases effort
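Pages 3, 4 and 51 describe authorizations, roles as containers of authorizations, and the "cingram can create users but not set passwords" split, but never show how an authorization check resolves. The block below is an added example, not the deck's or AIX's own code: a small model of that structure in which authorizations are hierarchical dotted names (a role holding aix.security.user also covers aix.security.user.create), roles may include other roles, and users are assigned roles. The role and user tables are constructed and the authorization names are modelled on AIX's aix.security.* namespace rather than copied from a system.

```python
"""Added example, not code from the deck or from AIX: a model of the
authorization / role / user structure of pages 3-4 and 51, answering
'may this user perform this privileged operation?'. Authorizations are
hierarchical dotted names; roles can include other roles. All tables are
constructed; names follow the aix.security.* naming style."""

# Constructed role table: role -> (authorizations held, roles included)
ROLES = {
    "UserCreator":   ({"aix.security.user.create", "aix.security.user.list"}, set()),
    "PasswdAdmin":   ({"aix.security.passwd"}, set()),
    "AccountAdmin":  (set(), {"UserCreator", "PasswdAdmin"}),  # composed of sub-roles
    "BackupRestore": ({"aix.fs.manage.backup", "aix.fs.manage.restore"}, set()),
}

# Constructed user -> roles assignment (page 51's 'cingram' example).
USERS = {
    "cingram": {"UserCreator"},
    "hradmin": {"AccountAdmin"},
    "opsuser": {"BackupRestore"},
}

def effective_auths(role, roles=ROLES, _seen=None):
    """All authorizations a role grants, following included roles (cycle-safe)."""
    _seen = set() if _seen is None else _seen
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    auths, included = roles[role]
    result = set(auths)
    for sub in included:
        result |= effective_auths(sub, roles, _seen)
    return result

def auth_covers(held, wanted):
    """A held authorization covers an exact match or any descendant (dotted prefix)."""
    return wanted == held or wanted.startswith(held + ".")

def user_auths(user, users=USERS, roles=ROLES):
    """Union of the authorizations of every role assigned to the user."""
    result = set()
    for role in users.get(user, ()):
        result |= effective_auths(role, roles)
    return result

def is_authorized(user, wanted, users=USERS, roles=ROLES):
    """True if any authorization the user's roles grant covers the requested one."""
    return any(auth_covers(h, wanted) for h in user_auths(user, users, roles))

def least_privilege_report(users=USERS, roles=ROLES):
    """Per user, which of these sensitive operations they can perform."""
    ops = ["aix.security.user.create", "aix.security.passwd.normal", "aix.fs.manage.restore"]
    return {u: [op for op in ops if is_authorized(u, op, users, roles)] for u in users}

if __name__ == "__main__":
    for user, allowed in least_privilege_report().items():
        print(user, "->", allowed or "nothing sensitive")
```

The report is the review a security officer wants before handing out a role: it shows directly that cingram ends up with user creation but not password changes, while the composed AccountAdmin role gets both, which is the separation of duties the ISSO/SA/SO split on page 4 is about.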

Page 52: RBAC Environments

Suited to roles where there are many users managing a single system
Government organizations
Datacenter operations
Database management

Page 53: Multi-Level Security (MLS)

What is it?
– Security through classifications and labels (EAL4+ Labeled Security Protection Profile)
– Separate product and will NOT be included with the base distribution
MLS via PitBull in AIX v5.3
MLS via AIX in v6.1
Expands on the RBAC infrastructure

Page 54: Multilevel Security (MLS)

MLS details
– Add-on security enhancement for AIX based on the Trusted OS model
– Protects servers from internal and external attackers
– Compartmentalizes and secures applications
– Prevents malicious code from damaging systems
– Removes administrative (superuser/root) privileges
– Meets and exceeds government standards for maximum security

Page 55: MLS Environments

Federal government networks and databases (datacenters)
Banks and financial institutions
Healthcare (HIPAA requirements)
Public utilities
Service providers (application, eCommerce)
Large corporate datacenters
Any environment containing sensitive information
Value proposition:
– Provides maximum security for an organization's assets
– Provides lower overall costs for IT
– Permits a simpler security architecture
– Maintains 100% compatibility with AIX applications

Page 56: Trusted Execution

Extension of the current Trusted Computing Base
Provides both install time and run time integrity checks
Loader verifies the signature on files before they are executed

Page 57: The Need for Trusted Execution

Scenario: Hacker replaces the existing /usr/bin/ls with his own:
– How do you scan the system to detect this change?
– How do you stop execution of the invalid executable?
– How do you prevent future modification of trusted applications?
Scenario: Hacker places a trojan horse "ls" command on the system.
– How do you enforce where executables / libraries come from?

Page 58: Trusted Execution

Provides Signature Based System Verification
– Two modes of integrity checking:
  • System: Comparison of the current system with the stored database.
  • Run-time: Validation of the binary at execution time.
Cryptographic Hash Mechanism
– Supports SHA-1, SHA-256 and SHA-512
– Allows for signed hash signatures.
Configurable Policies
– Monitor all executions and loads of files in the signature database.
– Monitor only loads of kernel extensions.
– Monitor only loads of shared libraries.
– Lock the signature database. Even root cannot write to the database.
– Disable trusted file opens for write.

Page 59: Trusted Execution (TE) Comparison to TCB

Integrity Checking
– TE - System and Run-time checking.
– TCB - System checking only.
System Enablement
– TE - Enabled at any time.
– TCB - Install time option.
Security Database
– TE - /etc/security/tsd/tsd.dat
– TCB - /etc/security/sysck.cfg
Management Commands
– TE - trustchk
– TCB - tcbck
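Pages 57 to 59 pose the replaced-/usr/bin/ls scenario and name the two checking modes, the hash algorithms and the tsd.dat database, but do not show the mechanics. The block below is an added example, not the deck's or trustchk's code: a signature database reduced to its hash component, built over a throw-away directory tree, with system_check() playing the "compare the system with the stored database" mode and runtime_check() the "validate the binary at execution time" mode. SHA-256 is one of the three algorithms page 58 lists; the signed-hash layer TE adds on top, and the kernel-loader hook, are outside what this example reproduces. The file tree and its contents are constructed.

```python
"""Added example (not the deck's or AIX trustchk's code): a tsd.dat-style
integrity database reduced to hashes plus mode and owner, with the two
checking modes of page 58. SHA-256 is one of the algorithms the slide
lists; the signed-hash layer and loader enforcement are not modelled.
The file tree is created under a temporary directory, so it runs anywhere."""
import hashlib, os, stat, tempfile

HASH = "sha256"

def file_record(path):
    """Hash the file contents and pin the metadata an integrity DB should cover."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"hash": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}

def build_db(paths):
    """Return {path: record} for the trusted files (the tsd.dat analogue)."""
    return {p: file_record(p) for p in paths}

def system_check(db):
    """System mode: report every trusted file that is missing or has changed."""
    findings = {}
    for path, expected in db.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        actual = file_record(path)
        changed = [k for k in expected if expected[k] != actual[k]]
        if changed:
            findings[path] = "changed: " + ",".join(changed)
    return findings

def runtime_check(db, path):
    """Run-time mode: allow execution only if the file is in the DB and matches.
    A file absent from the database is refused as well, which is what stops
    a dropped-in trojan 'ls' (page 57) that was never 'modified'."""
    expected = db.get(path)
    return expected is not None and os.path.exists(path) and file_record(path) == expected

def demo():
    """Build a DB over a constructed tree, then replay the page-57 scenario."""
    root = tempfile.mkdtemp(prefix="te-demo-")
    bin_dir = os.path.join(root, "usr", "bin")
    os.makedirs(bin_dir)
    ls, cat = os.path.join(bin_dir, "ls"), os.path.join(bin_dir, "cat")
    for p, body in ((ls, b"#!/bin/sh\necho original ls\n"), (cat, b"#!/bin/sh\ncat \"$@\"\n")):
        with open(p, "wb") as f:
            f.write(body)
        os.chmod(p, 0o755)
    db = build_db([ls, cat])
    clean = system_check(db)                    # nothing has changed yet
    with open(ls, "wb") as f:                   # scenario 1: trusted ls replaced
        f.write(b"#!/bin/sh\necho replaced ls\n")
    trojan = os.path.join(bin_dir, "ls.new")    # scenario 2: unknown binary dropped in
    with open(trojan, "wb") as f:
        f.write(b"#!/bin/sh\necho trojan\n")
    return {
        "clean": clean,
        "after": system_check(db),
        "run_cat": runtime_check(db, cat),
        "run_ls": runtime_check(db, ls),
        "run_trojan": runtime_check(db, trojan),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The two results answer page 57's questions in order: the system check finds the altered file by hash, and the run-time check refuses both the altered file and the unlisted one; the third question, preventing future modification, is the "lock the signature database" policy of page 58, which this user-space model cannot enforce.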

Page 60: Encrypted File System

Transparent to users and system administrators
File level encryption granularity
Centralization of the key-store
– User key store allocated after successful login
Employs the AES symmetric encryption algorithm
Integrated into the user administration
– Automatic generation of key-stores for every user
– Wraps the user's private key-store with the user's password

Page 61: Competitive Analysis: AIX EFS vs. HP EVFS

AIX EFS offers file level encryption
– HP EVFS only offers logical volume level encryption
AIX EFS offers unique keying and crypto metadata per file
– HP EVFS only offers one key and crypto metadata per logical volume
AIX EFS has the key-store connected to the user's login
– HP EVFS requires a separate command

Page 62: Competitive Analysis cont.

AIX EFS is integrated into FS commands (i.e. chmod)
– HP EVFS has a separate 'evfs' command and then it only operates on the logical volume
AIX EFS backups are encrypted by default
– HP EVFS backups must be re-encrypted
AIX EFS volume groups can be resized as it is done today
– HP EVFS volume groups cannot be resized (the -F (force) option results in corrupted data)