STG Technical Conferences

AIX 6.1 Security Enhancements Overview

Ravi Shankar
AIX Security Architect

© 2007 IBM Corporation


Agenda

 AIX 6.1 Security Enhancements Overview
 Details of Select Features
– Trusted Execution
– Long Password Support
– Trusted AIX (Multi Level Security)
– LDAP Policy Enhancements


AIX Security Roadmap

Business value
 Help customers secure their business environments through better security features
 Simplify security administration
 Assure security through certifications
 Enable compliance capabilities to address customer pain points
 Position Series P for the Federal market

Roadmap timeline (as laid out on the slide: 2005, 2006, 2007, 2008/Future)

AIX 5.3 (2005–2006)
 AIX Security Expert
 Stack Execution Disable
 Active Directory Client Support
 IPSec: AES Support
 TCP Wrappers
 CAPP, LSPP EAL4+ Certification (AIX 5.2/5.3)

AIX 6.1 (2007)
 Role Based Access Control
 Encrypted File System
 Secure/Trusted Execution
 Trusted AIX (MLS)
 Long Pass Phrases

AIX 6.1 and beyond (2008/Future)
 Secure by Default
 CAPP, LSPP, RBPP EAL4+ Certification (AIX, WPAR, VIOS)


Trusted Execution: Integrity & Execution Monitor
Trusted Execution provides customers with tools to protect and monitor system integrity.

 Need: attacks on the rise
– Financial motive
– CERT statistics and FBI surveys
  (Chart: vulnerabilities reported per year, y-axis 0 to 9000, years 1995 to 2007. Source: http://www.cert.org/stats/vulnerability_remediation.html)
– Customer issue last year
– System integrity critical
• Baseline system status and compare
• Stop malicious executions/kernel extension loads

 Signature based integrity verification
 Ability to stop execution of malicious code
– First OS to implement execution checks

 Protect against system modification
– Supports policies to lock down the system

 Extensible to all software on the system

(Diagram: an attacker attempting to execute malicious code, insert Trojans and modify system state, checked against the baseline.)


Encrypted File System: Data Protection
Encrypting File System provides a transparent method for encrypting information on disk.

(Diagram: files holding credit card numbers, Social Security numbers and similar data, encrypted at file, directory and file system level; accessible to the user and group, blocked for the intruder.)

 Need: protect critical data access
– Encrypt and protect against intruders
– Key compliance requirement
• PCI: Visa and MasterCard insist that credit card numbers be encrypted

Loss of data leads to multiple issues

What’s at risk?
– Disclosure of sensitive data
– Service interruption
– Corruption of operational data
– Fraud and ID theft
– Theft of services
– Customer trust
– Reputation and brand
– Privacy
– Integrity of information
– Legal and regulatory action
– Competitive advantage

 Granular support for encryption
– Encryption at file, directory and file system level

 First Unix OS to enable EFS
– HP supports encrypted volumes
– HP EVFS comparison in the backup

 Backup in encrypted form
 Tivoli Storage Manager being enabled for EFS support
 DB2 enablement being planned

Role Based Access Control (RBAC): Simplified Administration
Role Based Access Control enables customers to simplify system administration by defining roles based on job responsibilities and qualification.

(Diagram: hospital roles Doctor, Nurse, Billing Clerk and Admit Clerk alongside IT roles DB2 admins, Printer admin and Network admin, with role definitions held centrally in LDAP.)

 Need: easing enterprise administration complexity
– Most IT infrastructure management is difficult

 Flexible infrastructure for role management
– Create, delete, reassign roles
– Employee shifts, responsibility changes, organizational changes etc. managed with ease

 AIX OS enabled for RBAC
– 700+ commands can be managed in RBAC
– 150+ fine-grained controls

 Open framework for all software to be managed
 Centralized policy administration for AIX systems

Multi Level Security (MLS): Label based security
AIX 6.1 supports the MLS form of security as an install time option.

 Provides for label based resource control, printing, networking.
– Access control based on labels
– Policies are institution based
• Army and Navy might have different policies
• US-NATO interaction policy might be different

Mandatory Access Control

 Label security is important for Defense & IA
– Label aspects expected to become important to the commercial sector


Role Based Access Control - Demo
1. User bob is a normal user.
2. He will not be able to create a file system:
   crfs -v jfs2 -g rootvg -m /usr/new -a size=16M
   ksh: crfs: 0403-006 Execute permission denied.
3. The system administrator creates a role for file system administration called fs_manager and assigns it to bob (can be done through the GUI; download to kernel).
4. Now bob assumes the role fs_manager using swrole and invokes crfs. He is able to create the file system successfully.

(Diagram: bob and the System admin/Policy manager. "Create file system /usr/new" fails (X); after "Assign fs_manager role" and "Assume role fs_manager" the creation succeeds (√).)


Encrypted File System - Demo
1. User bob has a file in his home directory called personal. This file has all of bob’s secret information such as passwords, credit card numbers etc.
2. Root can access this information, overriding any OS restrictions around the access controls. Log in as root and cat the file.
3. Now bob creates a directory called secret in his home directory.
4. Then sets up that directory to be encrypted: "efsmgr -E efs_test"
5. Move the file personal to the secret directory.
6. Now go to the secret directory and show that the file personal is encrypted: "ls -U personal"
7. Now go to the other window and cat personal as root. It will indicate that the file cannot be opened.

(Diagram: bob's file personal (Password …, Credit Card Number) is readable by the System admin/Intruder (√) before, and unreadable (X) once it is inside secret (encrypted).)


Trusted Execution

(Diagram: Application 1, Kernel ext 1 and Kernel ext 2 loading through the Operating System with Trusted Execution.)

System Integrity : Trusted Execution (AIX 6.1)
– Without system integrity
• difficult to detect if an exploit has occurred
• next to impossible to perform comprehensive cleanup (short of complete OS and application reinstall)

– Baseline
• File attributes: crypto hashes, signatures, ownership, privileges and other attributes.

(Diagram: the Baseline (good state) and the Current System State are compared to produce reports.)


System Integrity : Trusted Execution (AIX 6.1) …
– Trusted Execution
• Signature based integrity verification
– SHA256 hashes signed with the IBM AIX private key

• Execution time integrity
– Load only if hash matches
– Lock the database
– Lock all the files in the database

(Diagram: the attacker's Execute, Trojans and Modify attempts checked against the Baseline.)


Trusted Execution
 Signature based system verification
– System integrity verification
• System Integrity Checker: e.g. run once a day through cron
• Execution time integrity checking

 Configurable policies
– Monitor all executions (& libraries) and loads of files in the signature database
– Monitor only loads of kernel extensions
– Lock the signature database. Even root cannot write to the database
– Disable trusted file opens for write


Trusted Execution
System Integrity Check

(Diagram: the Signature Database is populated at install time (entries can be added later). Run time integrity check: for each Executable/Module the hash is calculated and compared against the Hash/Signature Database and the Certificates Database; the Policy Engine decides, e.g. disallow loads on non-match, before the module reaches memory. The Integrity Checker Tool hashes files against the same database to report System Integrity Status / Trojan Horse Detection.)

Signature database can be customized
– Add entries for custom software
– Customer’s private key/certificate pair used


Trusted Execution: Signature Creation & Deployment

(Diagram: during the build, buildsecattr generates Fileset.sec.S, which goes through the packaging process into the Fileset.sec package; at install time instsecattr populates the Hash/Signature Database alongside the RBAC databases and the other security databases.)

Entry for /usr/bin/chuser:
    owner = root
    …..
    size =
    cert_tag =
    signature =
    hash_value =
    ….

Trusted Execution: trustchk Command
 Trusted Execution (TE) is managed by the trustchk command
– Setting up TE policies
– Verifying integrity
– Updating the signature database

 Add/delete entries to the trusted signature database
– -a and -d options; entries captured in a text file can be added using the -a -f option
– trustchk -p will show the current policies
– trustchk -p policy can be used to set up policies.
• trustchk -p CHKKERNEXT=ON will set up verification of kernel extensions

 To check the integrity of the system: trustchk -n ALL

Comparison of tcbck and trustchk

Feature                          tcbck                              trustchk
Policies                         Mainly integrity measurement       Additional policies such as execution time controls and lockdown concepts
Integrity hash measurement       Based on checksum only             Based on signatures
Feature availability             Needed a separate install option   Already installed and ready to use as part of the regular AIX install
ISV support to ship signatures   No                                 Yes
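The slides on system integrity (baseline and compare), execution time integrity (load only if the hash matches, lock the database) and the trustchk policies describe one flow. The following is an added example, not IBM code and not how trustchk is implemented: it models a hash/signature database populated from a baseline, a run time check that recomputes the SHA-256 hash before a file is "loaded", and a policy engine that applies CHKKERNEXT (named on the slide) together with STOP_ON_CHKFAIL and STOP_UNTRUSTD (trustchk policy names, but their exact semantics here are simplified). The signature is an HMAC over the hash with a constructed key standing in for the vendor's private key; the database lock is modelled as a flag. The sample files are created in a temporary directory.

```python
"""Added example (not IBM's code): a toy model of the Trusted Execution flow.
Assumptions: HMAC-SHA256 with a constructed key stands in for the signature
made with the vendor's private key; policy semantics are simplified."""
import hashlib
import hmac
import os
import tempfile

# Constructed signing key: stands in for the "IBM AIX private key" on the slides.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"


def file_hash(path):
    """SHA-256 of a file's contents, as the slides specify."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign(hash_value):
    """Stand-in signature over the hash (real TE signs with a private key)."""
    return hmac.new(SIGNING_KEY, hash_value.encode(), hashlib.sha256).hexdigest()


class SignatureDatabase:
    """Hash/signature database; once locked, no entries can be added."""

    def __init__(self):
        self.entries = {}   # path -> {"hash_value", "signature", "type"}
        self.locked = False

    def add(self, path, kind="file"):
        if self.locked:
            raise PermissionError("signature database is locked")
        hv = file_hash(path)
        self.entries[path] = {"hash_value": hv, "signature": sign(hv), "type": kind}

    def lock(self):
        self.locked = True


class PolicyEngine:
    """Execution time integrity check driven by trustchk-style policies."""

    def __init__(self, db, policies):
        self.db = db
        self.policies = policies

    def may_load(self, path, kind="file"):
        """Return (allowed, reason) for loading an executable or kernel extension."""
        entry = self.db.entries.get(path)
        if entry is None:
            # Not in the database: allowed unless untrusted files are stopped.
            return (not self.policies.get("STOP_UNTRUSTD", False)), "not in signature database"
        if kind == "kext" and not self.policies.get("CHKKERNEXT", False):
            return True, "kernel extension checks disabled"
        # Verify the stored signature first so a tampered database entry is caught.
        if not hmac.compare_digest(sign(entry["hash_value"]), entry["signature"]):
            return False, "database entry signature invalid"
        if file_hash(path) != entry["hash_value"]:
            return (not self.policies.get("STOP_ON_CHKFAIL", True)), "hash mismatch"
        return True, "hash matches"


def integrity_report(db):
    """System Integrity Checker: compare current state with the baseline."""
    return {p: file_hash(p) == e["hash_value"] for p, e in db.entries.items()}


def demo():
    """Baseline two constructed files, tamper with one, run both checks."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "chuser")
    kext = os.path.join(d, "kext1")
    for p in (good, kext):
        with open(p, "wb") as f:
            f.write(b"original contents of " + os.path.basename(p).encode())
    db = SignatureDatabase()
    db.add(good)
    db.add(kext, "kext")
    db.lock()
    with open(kext, "ab") as f:           # tamper: the "Trojan" modification
        f.write(b"\x90\x90")
    engine = PolicyEngine(db, {"CHKKERNEXT": True, "STOP_ON_CHKFAIL": True})
    report = integrity_report(db)
    result = {
        "good_load": engine.may_load(good)[0],
        "kext_load": engine.may_load(kext, "kext")[0],
        "good_ok": report[good],
        "kext_ok": report[kext],
        "locked": db.locked,
    }
    # Someone edits the database entry directly: the entry signature no longer matches.
    forged = dict(db.entries[good])
    forged["hash_value"] = "0" * 64
    db.entries[good] = forged
    result["forged_entry_load"] = engine.may_load(good)[0]
    return result


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one on slide 12: checking the hash alone is not enough, because whoever can rewrite a file can usually rewrite a plain hash list, so the database entries themselves are signed and the database is locked.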


Long Password (Pass phrase) Support


Longer Password Support & non-Crypt Hash support
 Support for greater than 8 character passwords
 Support for storing passwords using non-crypt hash mechanisms
– Traditional Unix crypt algorithm has an 8 character limit
– Framework to support new hashing algorithms


User Management: Support for Long Pass phrases
 Pre AIX 6.1 password store support
– Up to 8 character passwords, crypt only

 AIX 6.1, AIX 5.3 TL07
– Supports up to 255 character pass phrases
• “My favorite vacation place is ….”
– Stored form: {hash_algorithm}_passwordInfo
– Support for MD5, Blowfish, SHA1/256/512
– Support for 5.3 as well as 6.1
– Easy hash algorithm switch
• Old passwords still supported

(Diagram: LIBS/LIBC calling either crypt or a Loadable Password Algorithm (LPA) such as MD5, SHA1, …)


User Management: Support for Pass phrases (Contd..)
 System wide controls
– Hashing algorithm (default is crypt)
• List the value: lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm
• Set the value to ssha256: chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha256

/etc/security/login.cfg
usw:
        ………
        ………
        pwd_algorithm=ssha256

– Maximum password size: algorithm specific; traditional minlen and similar controls can be used.
– LPA: Loadable Password Algorithms (defined in /etc/security/pwdalg.cfg)

 Guidelines for deployment
– Customers need to carefully design per their environment
• No mismatch of AIX release systems
• Will be enabled for local files (compat) and LDAP
• No NIS support

 Password transition supported in lazy mode
– Until the password is changed, it will be in the old form
– Admin can mandate that users change the password during next login
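To make the {hash_algorithm} tagging and the lazy transition concrete, here is an added example that is not AIX code and does not reproduce the actual loadable password algorithm encodings. It assumes a tagged stored form "{algorithm}salt$digest" with salted SHA-2/MD5 digests constructed for this example, and an untagged legacy form that, like classic crypt, only looks at the first 8 characters (the legacy digest itself is a constructed stand-in). login() verifies against whatever form is stored and re-hashes with the system-wide pwd_algorithm only after a successful login, which is the lazy mode the slide describes.

```python
"""Added example (not AIX code): tagged password storage and lazy transition.
Assumptions: stored formats, the legacy stand-in digest and the algorithm
table are constructed for this example."""
import hashlib
import hmac
import os

# Stand-in digest functions keyed by the names used with pwd_algorithm.
ALGORITHMS = {
    "smd5": hashlib.md5,
    "ssha1": hashlib.sha1,
    "ssha256": hashlib.sha256,
    "ssha512": hashlib.sha512,
}
# Classic crypt(3) only uses the first 8 characters: the limit slide 18 mentions.
LEGACY_SIGNIFICANT_CHARS = 8


def hash_password(password, algorithm, salt=None):
    """Return '{algorithm}salt$digest', the tagged form shown on slide 19."""
    if salt is None:
        salt = os.urandom(8).hex()
    digest = ALGORITHMS[algorithm](salt.encode() + password.encode()).hexdigest()
    return "{%s}%s$%s" % (algorithm, salt, digest)


def legacy_hash(password, salt="ab"):
    """Constructed stand-in for the old crypt entry: untagged, 13 characters,
    and only the first 8 characters of the password matter."""
    truncated = password[:LEGACY_SIGNIFICANT_CHARS]
    return salt + hashlib.sha256((salt + truncated).encode()).hexdigest()[:11]


def parse_tag(stored):
    """Return the algorithm tag, or None for an untagged legacy entry."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")]
    return None


def verify(password, stored):
    """Check a password against either stored form."""
    tag = parse_tag(stored)
    if tag is None:
        return hmac.compare_digest(legacy_hash(password, stored[:2]), stored)
    salt = stored[len(tag) + 2:].split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, tag, salt), stored)


def login(password, stored, pwd_algorithm):
    """Lazy mode: on success, re-hash only if the stored form is not the
    configured algorithm. Returns (ok, new_stored)."""
    if not verify(password, stored):
        return False, stored
    if parse_tag(stored) != pwd_algorithm:
        return True, hash_password(password, pwd_algorithm)
    return True, stored


if __name__ == "__main__":
    old = legacy_hash("Secret12")
    print("legacy accepts extra chars:", verify("Secret12XYZ", old))
    ok, new = login("Secret12", old, "ssha256")
    print(ok, new)
```

Two things worth noticing when running it: the legacy entry accepts "Secret12XYZ" for a password set as "Secret12" because everything past 8 characters is ignored, and the migrated entry no longer does; and until a user actually logs in, the entry stays in its old form, which is why the slide says an admin may need to force a password change at next login.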


Trusted AIX: Multi Level Security (MLS)


Government security requirements (Defense)
 Control of confidentiality is paramount in government/military
 Security policies should be institution wide
– Mandatory access control

 Requirements for role separation for privileged operations
 Rest of the commercial space security requirements
– I&A, Audit, etc


Multi Level Security: Supreme Security

Trusted Network
 In-system as well as external labeling
 Flexible infrastructure for rule definition
 CIPSO and RIPSO support

Label Based Access Controls
 Labels for subjects and resources
 Mandatory Access Control (MAC)
 System wide policy based access control
 Separation of duties through roles

File System Security
 Multi level directory
 Partition directory

Traditional Security
 Audit and monitor
 Strong authentication and identification

Assurance
 Labeled Security Protection Profile EAL 4+

Labeled Printing
 Printing with labels
 Headers, footers per MLS specs
 Label based printer controls


Access Control: Discretionary Access Control (DAC)
 Discretionary Access Control
– Traditional UNIX permission bits (r/w/x)
– Controls read, write, execute access
– Allows the owner of an object to give access to other users on the system.
– Based on process user ID and group(s)
• Special attribute programs to access restricted files (setuid/setgid programs)
• Root/superuser has access to all data.

(Diagram: control by the user. Subject (process) → DAC → Access → Object.)

Such an access control is not sufficient for organizations which deal with sensitive data.


Mandatory Access Control (MAC)
 Mandatory Access Control
– Access controls based on a sitewide/institution wide policy
– Based on level of security, represented by a Sensitivity Label (SL)
– Each subject and object is labeled.
– Labels cannot be modified by the owner of the file. Only authorized users are allowed to modify labels

(Diagram: control by the system. Subject (process) → MAC → DAC → Access → Object.)

Mandatory Access Control (MAC)
 System enforces access
 Based on level of security, represented by a Sensitivity Label (SL)
– Every subject has an SL
– Every object has an SL
– SLs indicate level of security
 System compares subject SL with object SL to determine access
– Higher-level SLs dominate lower-level SLs


Sensitivity Labels Structure
 Security level: classification
– e.g., SECRET, PUBLIC
 Zero or more compartments
– e.g., admin, technical, management

(Diagram: a label with classification Secret and compartments admin, tech, mgt.)


Dominance
 SL1 dominates SL2 if
1. SL1 class >= SL2 class, and
2. SL1 compartments include all SL2 compartments

Example: SL1 = Secret {A, B}, SL2 = Public {B}; SL1 dominates SL2.


Equality
 Equality is a special case of dominance
 Classifications equal and compartments equal
 Equal SLs dominate each other

Example: SL1 = Secret {A, B}, SL2 = Secret {A, B}; the labels are equal.


Disjoint

If there is no dominance, SLs are disjoint or not comparable

Example: SL1 = Public {A, C}, SL2 = Public {B}; neither dominates the other.


MAC Enforcement Rules
 To read, process SL must dominate file SL
 To write, process SL must equal file SL
 To execute, process SL must dominate file SL (same as for read access)
 If SLs are disjoint, no access is allowed
 Remember: DAC access is also required


MAC: Types of Mandatory Access Control
 Bell-LaPadula Policy (multilevel security)
– Access control security attributes:
– Hierarchical security levels
– Non-hierarchical categories
– Emphasis on leakage of information and the access control

(Diagram: a subject at HIGH SL and a subject at LOW SL against an object at HIGH SL and an object at LOW SL, with the arrows read same / write same between equal levels, read down and write down from HIGH to LOW, and read up and write up from LOW to HIGH.)


File System Security
 Each object on the file system is labeled
 Directories/Devices
– Range of SLs: maximum and minimum
• Max SL should dominate Min SL
– One TL
 Regular file
– One SL (max SL = min SL)
– One TL

Dir Min SL <= File SL <= Dir Max SL

Partitioned Directories
 Called pdir
 Redirects users to subdirectories
 Subdirectories at different ESLs
 Process accesses only the subdirectory with the same SL as the process
 Therefore, all data in a pdir subdirectory is at the same level
– Downgrade path avoided
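The label rules on slides 27 to 34 (label structure, dominance, equality, disjointness, the read/write/execute enforcement rules, the directory SL range and partitioned directory redirection) fit in a few functions. The following is an added example, not Trusted AIX code: it does not read a LabelEncodings file, and the classification order, compartment names and hidden subdirectory names are constructed for the example. DAC is deliberately left out, since the slide notes that it is checked separately.

```python
"""Added example (not Trusted AIX code): sensitivity labels and MAC rules.
Assumptions: the classification ordering and all names are constructed."""
from dataclasses import dataclass, field

# Constructed ordering: a higher number is a higher classification.
CLASSIFICATIONS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class SL:
    """Sensitivity Label: one classification plus zero or more compartments."""
    classification: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """SL1 dominates SL2 if class1 >= class2 and compartments1 contain compartments2."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.compartments >= other.compartments)

    def equals(self, other):
        """Equality is mutual dominance."""
        return self.dominates(other) and other.dominates(self)

    def disjoint(self, other):
        """No dominance in either direction: not comparable."""
        return not self.dominates(other) and not other.dominates(self)


def sl(text):
    """Parse 'SECRET A B' into an SL (constructed notation)."""
    parts = text.split()
    return SL(parts[0].upper(), frozenset(parts[1:]))


def mac_allows(process_sl, file_sl, op):
    """MAC enforcement rules from slide 31; DAC must still be checked separately."""
    if process_sl.disjoint(file_sl):
        return False
    if op in ("read", "execute"):
        return process_sl.dominates(file_sl)
    if op == "write":
        return process_sl.equals(file_sl)
    raise ValueError("unknown operation: %s" % op)


def file_fits_directory(file_sl, dir_min, dir_max):
    """Dir Min SL <= File SL <= Dir Max SL, where the max must dominate the min."""
    if not dir_max.dominates(dir_min):
        raise ValueError("directory max SL must dominate min SL")
    return file_sl.dominates(dir_min) and dir_max.dominates(file_sl)


def pdir_resolve(pdir, process_sl):
    """Partitioned directory: redirect the process to the hidden subdirectory
    whose SL equals the process SL, or None if there is none.
    pdir maps hidden subdirectory names to their SLs."""
    for name, sub_sl in pdir.items():
        if sub_sl.equals(process_sl):
            return name
    return None


if __name__ == "__main__":
    p = sl("SECRET A")
    for f in ("PUBLIC", "SECRET A", "SECRET B"):
        print(f, [mac_allows(p, sl(f), op) for op in ("read", "write", "execute")])
```

Because write requires equality rather than dominance, a SECRET process cannot write into a PUBLIC file (no downgrade), and a PUBLIC process cannot write into a SECRET file either; the partitioned directory gives each level its own subdirectory so that a program writing to a shared path name like /tmp never crosses levels.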


Partitioned Directories …

(Diagram: a partitioned directory with Min SL: U and Max SL: SEC containing two hidden psdirs: one at SL: U holding FileA and FileB at SL: U, and one at SL: SEC holding FileA and FileB at SL: SEC.)

Trusted Networking : Labeled Networking
 Label based controls
– Within OS
– External communication

 Assigns label to traffic
– Incoming: assigns label if not in packet
– Outgoing: inserts label into packet if specified to do so

 Filters traffic
– Determine what is allowed in and out


Trusted Network Supported Label Protocols
 RIPSO – Revised IP Security Options
– RFC 1038, 1988
– RFC 1108, 1991 (RIPSO-2)
 CIPSO – Commercial IP Security Option
– Also called CSL, Common Security Label

Label placed in the IP header

(Diagram: packet layout: IP Header (carries the label option), TCP Header or UDP Header, User Data (optional).)

Labeled Printing
 Mandatory headers, footers per MLS specs
 Label based printer controls

Trusted AIX 6.1:
 Provided as an install time option
– Option available for both new and migration installation
 Migration is one way: uninstall of MLS not supported
 Certain APIs and commands would be different in AIX as compared to Pitbull
 MLS support is based on a conditional runtime check as compared to a compile time option


New Commands
labck        Verifies a LabelEncodings file
getsecconf   Displays the kernel security flags
setsecconf   Changes the Trusted AIX kernel security flags
getsyslab    Shows the kernel maximum and minimum labels
setsyslab    Sets the kernel maximum and minimum labels
getrunmode   Displays the current running mode of the system
setrunmode   Switches the running mode of the system
pdlink       Links files across partitioned subdirectories
pdmkdir      Creates partitioned directories and subdirectories
pdmode       Returns the current partitioned directory access mode or runs a command with the specified partitioned directory access mode
pdrmdir      Removes partitioned directories


New Commands….
pdset        Converts a regular directory to a partitioned directory and associated partitioned subdirectories
bootauth     Verifies that an authorized user is booting the system
chuser       Changes the user’s clearance attributes
lsuser       Displays the user’s clearance attributes
chsec        Changes the user’s clearance attributes and port labels
lssec        Displays the user’s clearance attributes and port labels
trustchk     Checks the attributes of files
lstxattr     Displays the label and security flag attributes of files, processes, and IPC objects
settxattr    Changes the label and security flag attributes of files, processes, and IPC objects
tninit       Initializes the Trusted Network
netrule      Manages Trusted Network rules

Miscellaneous
 Archival commands (backup and restore) will store and restore labels by default.
– New options provided to ignore labels by authorized users

 Commands like find, cron modified to support labels.
 /etc/inittab has the following new entries for MLS
– rc.mls.boot
– rc.mls
– rc.mls.net
– bootauth (in case boot authentication is enabled)

 Libraries used by Trusted AIX commands
– /usr/ccs/lib/libmlsenc.a
– /usr/ccs/lib/libmls.a
– /usr/lib/libtn.a


SMIT interfaces


Centralized Policy Administration: LDAP


Policy Management
 Provide simplified and centralized policy management
– Ease customer pain points in regard to managing heterogeneous operating environments
– Support open standards where available

 Consistent tools for uniform policy & user management
– Tools work across databases on local disk, LDAP, Kerberos, Microsoft Active Directory etc

 LDAP based policy management
– Fault tolerant, RFC 2307


LDAP Policy Management: AIX 6.1 Enhancements
 Role Based Access Control policies
– Deploy roles for users consistently across the enterprise

 Multi Level Security
– Manage user clearances and other MLS information

 Pass phrase support
– Pass phrases and related policies can be stored in LDAP

 AIX Security Expert policies
– Define different policies for different sets of systems

 Pre AIX 6.1 policies support
– User, group policies
– Network policies: hosts, services
– Auto mount policies
– Advanced Accounting policies


Resources
 AIX 6.1 links
– Open Beta: https://www14.software.ibm.com/iwm/web/cc/earlyprograms/ibm/aix6beta
– Docs: http://publib.boulder.ibm.com/infocenter/pseries/v6r1/index.jsp
– Security guide: http://publib.boulder.ibm.com/infocenter/pseries/v6r1/topic/com.ibm.aix.security/doc/security/security.pdf
– WPAR: http://publib.boulder.ibm.com/infocenter/pseries/v6r1/topic/com.ibm.aix.wpar/wpar-kickoff.htm
– Security Redbook: http://www.redbooks.ibm.com/redpieces/abstracts/sg247430.html?Open
 pSeries Security
– http://www.ibm.com/eserver/pseries/security
 AIX online publications
– http://www.ibm.com/servers/aix
– Technical ‘Redbooks’ PDF/HTML available at http://www.redbooks.ibm.com
• SG24-5962-00 AIX 4.3 Elements of Security
• SG24-5971-00 Additional AIX Security Tools
• SG24-7463-00 AIX 5L Differences Guide Version 5.3 Edition
 HMC Security:
– http://www.ibm.com/servers/eserver/pseries/hardware/whitepapers/hmc_security.pdf
 IBM Security
– http://www.ibm.com/security
 Security information by email
– https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
 IBM Security Response Alerts
– security-alert@austin.ibm.com


Resources
 AIX LDAP integration: redbook
– http://www.redbooks.ibm.com/redpieces/pdfs/sg247165.pdf

 AIX LDAP configuration
– Server
• http://www-1.ibm.com/servers/aix/whitepapers/ldap_server.html
– Client
• http://www-1.ibm.com/servers/aix/whitepapers/ldap_client.pdf

 AIX virus scan software
– http://www-1.ibm.com/servers/eserver/pseries/security/feature/antivirus.html

 SSH developerWorks articles
– http://www-106.ibm.com/developerworks/eserver/articles/openssh_aix.html
– http://www-106.ibm.com/developerworks/eserver/articles/openssh_updated.html

 Service Update Management Assistant (SUMA): tool to monitor for security PTFs
– http://www03.ibm.com/servers/aix/whitepapers/suma.pdf

 AIX user management using Kerberos server
– http://www-03.ibm.com/systems/p/library/wp_aix_lit.html
– http://www.ibm.com/servers/aix/whitepapers/aix_kerberos.pdf
– http://www.ibm.com/servers/aix/whitepapers/aix_kerberos2.pdf

 NFS4 ACL: http://www.redbooks.ibm.com/redbooks/pdfs/sg246657.pdf


Questions ?
