STG Technical Conferences

AIX 6.1 Security Enhancements Overview

Ravi Shankar

AIX Security Architect

© 2007 IBM Corporation


Agenda

 AIX 6.1 Security Enhancements Overview
 Details of Select Features
– Trusted Execution
– Long Password Support
– Trusted AIX (Multi Level Security)
– LDAP Policy Enhancements

AIX Security Roadmap


Business value
 Help customers secure their business environments through better security features
 Simplify security administration
 Assure security through certifications
 Enable compliance capabilities to address customer pain points
 Position pSeries for the federal market

Timeline (2005 to 2008)
 AIX 5.2/5.3: CAPP, LSPP EAL4+ certification
 AIX 5.3 (2005 to 2006): IPSec AES support, TCP Wrappers, AIX Security Expert, Secure by Default, Stack Execution Disable, Active Directory client support
 AIX 6.1 (2007): Role Based Access Control, Encrypted File System, Secure/Trusted Execution, Trusted AIX (MLS), Long Pass Phrases
 Future (2008): CAPP, LSPP, RBPP EAL4+ certification (AIX, WPAR, VIOS)

Trusted Execution: Integrity & Execution Monitor


Trusted Execution provides customers with tools to protect and monitor system integrity.

(Chart: CERT vulnerability counts per year, 1995 to 2007, rising from near zero toward 8000 to 9000; source: http://www.cert.org/stats/vulnerability_remediation.html)

 Need: attacks on the rise
– Financial motive
– CERT statistics and FBI surveys
– Customer issue last year
– System integrity critical
• Baseline system status and compare
• Stop malicious executions/kernel extension loads

 Signature based integrity verification
 Ability to stop execution of malicious code
– First OS to implement execution checks
 Protect against system modification
– Supports policies to lock down the system
 Extensible to all software on the system

(Diagram: an attacker tries to execute malicious code, insert Trojans or modify system state; the system is compared against its baseline to detect the change)

Encrypted File System: Data Protection


Encrypting File System provides a transparent method for encrypting information on disk.

(Diagram: files, directories and file systems holding credit card numbers, Social Security numbers and similar data, with an intruder kept out)

 Need: protect critical data access
– Encrypt and protect against intruders
– Key compliance requirement
• PCI: Visa and MasterCard insist that credit card numbers be encrypted
– Loss of data leads to multiple issues
 Granular support for encryption
– Encryption at file, directory and file system level
– User, group
 First Unix OS to enable EFS
 Competitive advantage
– HP supports encrypted volumes
– HP EVFS comparison in the backup
 Backup in encrypted form
 Tivoli Storage Manager being enabled for EFS support
– DB2 enablement being planned

What's at risk?
– Customer trust
– Disclosure of sensitive data
– Service interruption
– Reputation and brand
– Privacy
– Corruption of operational data
– Integrity of information
– Fraud and ID theft
– Theft of services
– Legal and regulatory action

Role Based Access Control (RBAC): Simplified Administration


Role Based Access Control enables customers to simplify system administration by defining roles based on job responsibilities and qualification.

(Diagram: a hospital with Doctor, Nurse, Billing Clerk and Admit Clerk roles; an IT shop with DB2 admin, LDAP, printer admin and network admin roles)

 Need: easing enterprise administration complexity
– Most IT infrastructure management is difficult
 Flexible infrastructure for role management
– Create, delete, reassign roles
– Employee shifts, responsibility changes, organizational changes etc. managed with ease
 AIX OS enabled for RBAC
– 700+ commands could be managed in RBAC
– 150+ fine granular controls
 Open framework for all software to be managed
 Centralized policy administration for AIX systems

Multi Level Security (MLS): Label based security


AIX 6.1 supports the MLS form of security as an install time option.

 Provides for label based resource control, printing and networking
– Access control based on labels
– Policies are institution based
• Army and Navy might have different policies
• US-NATO interaction policy might be different
– Mandatory Access Control
 Label security is important for Defense & IA
– Label aspects expected to be important to the commercial sector

Role Based Access Control - Demo

1. User bob is a normal user.
2. He will not be able to create a file system:
– crfs -v jfs2 -g rootvg -m /usr/new -a size=16M
– ksh: crfs: 0403-006 Execute permission denied.
3. The system administrator creates a role for file system administration called fs_manager and assigns it to bob (can be done through the GUI; the policy is then downloaded to the kernel).
4. Now bob assumes the role fs_manager using swrole and invokes crfs. He is able to create the file system successfully.

(Diagram: the system admin/policy manager assigns the fs_manager role to bob; bob assumes the role and creates the file system /usr/new, which was refused before)

Encrypted File System - Demo

1. User bob has a file in his home directory called personal. This file has all of bob's secret information such as passwords, credit card numbers etc.
2. Root can access this information, overriding any OS restrictions around the access controls. Log in as root and cat the file.
3. Now bob creates a directory called secret in his home directory.
4. Then sets up that directory to be encrypted: "efsmgr -E efs_test"
5. Move the file personal to the secret directory.
6. Now go to the secret directory and show that the file personal is encrypted: "ls -U personal"
7. Now go to the other window and cat personal as root. It will indicate that the file cannot be opened.

(Diagram: bob's file personal, holding a password and a credit card number, is readable by root in plain form; once moved into the encrypted directory secret, root's read attempt fails)

Trusted Execution

(Diagram: Application 1, Kernel ext 1 and Kernel ext 2 are loaded through the operating system, where Trusted Execution checks them)

System Integrity : Trusted Execution (AIX 6.1)


– Without system integrity
• difficult to detect if an exploit has occurred
• next to impossible to perform comprehensive cleanup (short of complete OS and application reinstall)
– Baseline compare
• File attributes: crypto hashes, signatures, ownership, privileges and other attributes

(Diagram: the baseline system state (good state) is compared with the current state using crypto hashes and signatures, and reports are produced)

System Integrity : Trusted Execution (AIX 6.1) …


– Trusted Execution
• Signature based integrity verification
– SHA256 hashes signed with the IBM AIX private key
• Execution time integrity
– Load only if hash matches
– Lock the database
– Lock all the files in the database

(Diagram: an attacker attempts to execute Trojans or modify files; each execution is checked against the baseline)

Trusted Execution

 Signature based system verification
– System integrity verification
• System integrity checker, e.g. run once a day through cron
• Execution time integrity checking
 Configurable policies
– Monitor all executions (& libraries) and loads of files in the signature database
– Monitor only loads of kernel extensions
– Lock the signature database; even root cannot write to the database
– Disable trusted file opens for write

Trusted Execution
(Diagram: at install time the signature database and the certificate database are populated; entries can be added later. System integrity check: the integrity checker tool calculates the hash of each executable/module, verifies its signature against the databases and reports system integrity status and Trojan horse detection. Run time integrity check: as a file is loaded from disk into memory its hash is calculated and the policy engine applies the configured policy, e.g. disallow loads on non-match)

 Signature database can be customized
– Add entries for custom software
– Customer's private key/certificate pair used
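The baseline-and-compare checker and the run-time policy engine of slides 11 to 14, as an added illustration that is not AIX code: the signature database is an in-memory dict, the "signature" over the SHA-256 hash is an HMAC with a constructed key standing in for the IBM private-key signature, and the file contents and paths are constructed. CHKKERNEXT is the policy named on the slides; CHKEXEC and STOP_ON_CHKFAIL are further trustchk policy names assumed here.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor signing key. Real Trusted Execution
# signs the SHA-256 hash with the IBM AIX private key and checks it against
# a certificate database; an HMAC is used here only so the block runs with
# the standard library.
SIGNING_KEY = b"constructed-demo-signing-key"


def sha256_hex(content):
    return hashlib.sha256(content).hexdigest()


def sign(hash_hex):
    return hmac.new(SIGNING_KEY, hash_hex.encode(), "sha256").hexdigest()


class SignatureDatabase:
    """Trusted signature database: hash, signature and attributes per file."""

    def __init__(self):
        self.entries = {}
        self.locked = False      # once locked, nobody (root included) adds entries

    def lock(self):
        self.locked = True

    def add(self, path, content, owner, mode, kind):
        """Install-time population (or a later customer addition)."""
        if self.locked:
            raise PermissionError("signature database is locked")
        h = sha256_hex(content)
        self.entries[path] = {"hash": h, "signature": sign(h), "owner": owner,
                              "mode": mode, "type": kind}

    def check(self, path, content, owner, mode):
        """System integrity check: list every attribute that drifted from baseline."""
        e = self.entries[path]
        problems = []
        if not hmac.compare_digest(sign(e["hash"]), e["signature"]):
            problems.append("signature invalid")   # the record itself was altered
        if sha256_hex(content) != e["hash"]:
            problems.append("hash mismatch")
        if owner != e["owner"]:
            problems.append("owner changed")
        if mode != e["mode"]:
            problems.append("mode changed")
        return problems

    def allow_load(self, path, content, owner, mode, policy):
        """Run-time policy engine: may this executable or kernel extension load?"""
        e = self.entries.get(path)
        if e is None:
            return True              # not in the database: not monitored
        monitored = ((policy.get("CHKKERNEXT") and e["type"] == "kernext")
                     or (policy.get("CHKEXEC") and e["type"] == "exec"))
        if not monitored:
            return True
        clean = not self.check(path, content, owner, mode)
        # STOP_ON_CHKFAIL blocks the load; otherwise a failure is only reported
        return clean or not policy.get("STOP_ON_CHKFAIL")
```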

Trusted Execution: Signature Creation & Deployment

(Diagram: the build process runs buildsecattr to generate Fileset.sec, which records for each file, e.g. /usr/bin/chuser, the owner, size, cert_tag, signature and hash_value; the packaging process ships Fileset.sec inside the package; at install time instsecattr loads the entries into the hash/signature database, the RBAC databases and the other security databases)

Fileset.sec entry shown on the slide:
/usr/bin/chuser:
owner = root
size =
cert_tag =
signature =
hash_value =
…..

Trusted Execution: trustchk Command


 Trusted Execution (TE) is managed by the trustchk command
– Setting up TE policies
– Verifying system integrity
– Updating the signature database
 Add/delete entries in the trusted signature database
– -a and -d options; entries captured in a text file can be added with -a -f
– trustchk -p shows the current policies
– trustchk -p policy sets up policies
• trustchk -p CHKKERNEXT=ON sets up verification of kernel extensions
– To check the integrity of the system: trustchk -n ALL
 Comparison of tcbck and trustchk

Feature | tcbck | trustchk
Policies | Mainly integrity measurement | Additional policies such as execution time controls and lockdown concepts
Integrity hash measurement | Based on checksum only | Based on signatures
Feature availability | Needed a separate install option | Already installed and ready to use as part of the regular AIX install
ISV support to ship signatures | No | Yes

Long Password (Pass phrase) Support

Longer Password Support & non-Crypt Hash support

 Support for passwords longer than 8 characters
 Support for storing passwords using non-crypt hash mechanisms
– Traditional Unix crypt algorithm has an 8 character limit
– Framework to support new hashing algorithms

User Management: Support for Long Pass phrases

 Pre AIX 6.1 password store support
– Up to 8 character passwords, crypt only
 AIX 6.1, AIX 5.3 TL07
– Supports up to 255 character pass phrases
• "My favorite vacation place is …."
– Support for MD5, Blowfish, SHA1/256/512
– Support for 5.3 as well as 6.1
– Easy hash algorithm switch
• Old passwords still supported

(Diagram: libs/libc call into the Loadable Password Algorithm (LPA) framework, which dispatches to crypt, MD5, SHA1, …; a stored password takes the form {hash_algorithm}_passwordInfo)

User Management: Support for Pass phrases (Contd..)


 System wide controls
– Hashing algorithm (default is crypt)
• List the value: lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm
• Set the value to ssha256: chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha256
 Maximum password size
– Algorithm specific; traditional minlen and similar controls can be used
 LPA: Loadable Password Algorithms
– Algorithms are defined in /etc/security/pwdalg.cfg
 Guidelines for deployment
– Customers need to carefully design per their environment
• No mismatch of AIX release systems
• Will be enabled for local files (compat) and LDAP
• No NIS support
 Password transition supported in lazy mode
– Until the password is changed, it will be in the old form
– Admin can mandate that users change the password during next login

Resulting stanza in /etc/security/login.cfg:
usw:
        ………
        pwd_algorithm=ssha256
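Added illustration (not AIX code) of why the 8-character crypt limit matters and how the lazy transition to a new pwd_algorithm works: records carry an {algorithm} prefix so old and new hashes verify side by side, and a successful login re-hashes under the system-wide algorithm. The record layout, the crypt stand-in (a truncating SHA-1 instead of DES) and the PBKDF2 stretching for ssha256 are assumptions of this example, not AIX's on-disk format.

```python
import hashlib
import hmac
import os

CRYPT_LIMIT = 8       # traditional crypt only ever sees the first 8 characters


def _digest(alg, salt, passphrase):
    """Illustrative per-algorithm digest; not AIX's own hash construction."""
    if alg == "crypt":
        # Stand-in for DES crypt: keeps its defining weakness, the
        # 8-character truncation, without implementing DES itself.
        return hashlib.sha1(salt + passphrase[:CRYPT_LIMIT].encode()).hexdigest()
    if alg == "ssha256":
        # Salted SHA-256 over the whole pass phrase, stretched with PBKDF2.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000).hex()
    raise ValueError("unknown pwd_algorithm %r" % alg)


def hash_passphrase(passphrase, alg, salt=None):
    """Produce a {algorithm}salt$digest record (layout is illustrative only)."""
    salt = os.urandom(8) if salt is None else salt
    return "{%s}%s$%s" % (alg, salt.hex(), _digest(alg, salt, passphrase))


def algorithm_of(record):
    return record[1:record.index("}")]


def verify(record, passphrase):
    """Old and new records verify alike: the prefix selects the algorithm."""
    alg = algorithm_of(record)
    salt_hex, digest = record[len(alg) + 2:].split("$", 1)
    candidate = _digest(alg, bytes.fromhex(salt_hex), passphrase)
    return hmac.compare_digest(candidate, digest)


def login(store, user, passphrase, pwd_algorithm):
    """Lazy transition: after a successful login the pass phrase is re-hashed
    under the system-wide pwd_algorithm if the stored record used another one."""
    record = store.get(user)
    if record is None or not verify(record, passphrase):
        return False
    if algorithm_of(record) != pwd_algorithm:
        store[user] = hash_passphrase(passphrase, pwd_algorithm)
    return True
```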

Trusted AIX: Multi Level Security (MLS)

Government security requirements (Defense)

 Control of confidentiality is paramount in government/military
 Security policies should be institution wide
– Mandatory access control
 Requirements for role separation for privileged operations
 Rest of commercial space security requirements
– I&A, audit, etc.

Multi Level Security: Supreme Security


Trusted Network
 In-system as well as external labeling
 Flexible infrastructure for rule definition
 CIPSO and RIPSO support

Label Based Access Controls
 Labels for subjects and resources
 Mandatory Access Control (MAC)
 System wide policy based access control
 Separation of duties through roles

File System Security
 Multi level directory
 Partitioned directory

Traditional Security
 Audit and monitor
 Strong authentication and identification

Assurance
 Labeled Security Protection Profile, EAL 4+

Labeled Printing
 Printing with labels
 Headers, footers per MLS specs
 Label based printer controls

Access Control: Discretionary Access Control (DAC)

 Discretionary Access Control
– Traditional UNIX permission bits (r/w/x)
– Controls read, write, execute access
– Allows the owner of an object to give access to other users on the system
– Based on process user ID and group(s)
• Special attribute programs to access restricted files (setuid/setgid programs)
• Root/superuser has access to all data

Control by the user

(Diagram: Subject (process) → DAC check → Access → Object)

Such an access control is not sufficient for organizations which deal with sensitive data.

Mandatory Access Control (MAC)

 Mandatory Access Control
– Access controls based on a sitewide/institution wide policy
– Based on level of security, represented by a Sensitivity Label (SL)
– Each subject and object is labeled
– Labels cannot be modified by the owner of the file; only authorized users are allowed to modify labels

Control by the system

(Diagram: Subject (process) → MAC check → DAC check → Access → Object)

Mandatory Access Control (MAC)


 System enforces access
 Based on level of security, represented by a Sensitivity Label (SL)
– Every subject has an SL
– Every object has an SL
– SLs indicate level of security
 System compares subject SL with object SL to determine access
– Higher-level SLs dominate lower-level SLs

Sensitivity Labels Structure


 Security level: classification
– e.g., SECRET, PUBLIC
 Zero or more compartments
– e.g., admin, technical, management

(Diagram: an SL with classification Secret and compartments admin, tech, mgt)

Dominance

 SL1 dominates SL2 if
1. SL1 class >= SL2 class
—and—
2. SL1 compartments include all SL2 compartments

Example: SL1 = Secret {A, B} dominates SL2 = Public {B}

Equality

 Equality is a special case of dominance
 Classifications equal and compartments equal
 Equal SLs dominate each other

Example: SL1 = Secret {A, B} and SL2 = Secret {A, B} are equal

Disjoint

 If there is no dominance either way, the SLs are disjoint (not comparable)

Example: SL1 = Public {A, C} and SL2 = Public {B} are disjoint

MAC Enforcement Rules

 To read, process SL must dominate file SL
 To write, process SL must equal file SL
 To execute, process SL must dominate file SL (same as for read access)
 If SLs are disjoint, no access is allowed
 Remember: DAC access is also required

MAC: Types of Mandatory Access Control

 Bell-LaPadula Policy (multilevel security)
– Access control security attributes:
– Hierarchical security levels
– Non-hierarchical categories
– Emphasis on leakage of information and the access control

(Diagram: subjects and objects at HIGH SL and LOW SL; each subject may read same and write same at its own level; the diagonal arrows show the cross-level operations read up, write up, read down and write down, of which Bell-LaPadula permits only read down and write up)

File System Security


 Each object on the file system is labeled
 Directories/devices
– Range of SLs: maximum and minimum
• Max SL should dominate min SL
– One TL
 Regular file
– One SL (max SL = min SL)
– One TL

Dir Min SL <= File SL <= Dir Max SL
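The dominance, equality and disjointness tests of slides 28 to 30, the MAC enforcement rules of slide 31 (with the DAC check that is also required, and that root cannot use to bypass MAC) and the directory range rule of slide 33, as one added example that is not Trusted AIX code. Classification values, compartment names and the uid/gid/mode values are constructed.

```python
from dataclasses import dataclass

PUBLIC, CONFIDENTIAL, SECRET = 0, 1, 2      # ordered classifications (constructed)


@dataclass(frozen=True)
class SL:
    """Sensitivity label: one classification plus zero or more compartments."""
    classification: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # class >= other class AND compartments are a superset of other's
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)

    def equals(self, other):
        # equal labels dominate each other
        return self.dominates(other) and other.dominates(self)

    def disjoint(self, other):
        # neither label dominates the other
        return not self.dominates(other) and not other.dominates(self)


def mac_allows(process_sl, file_sl, op):
    """MAC enforcement rules for read, write and execute."""
    if process_sl.disjoint(file_sl):
        return False
    if op == "write":
        return process_sl.equals(file_sl)
    if op in ("read", "execute"):
        return process_sl.dominates(file_sl)
    raise ValueError("unknown operation %r" % op)


def dac_allows(uid, gids, owner, group, mode, op):
    """Traditional UNIX permission bits; the superuser bypasses DAC."""
    if uid == 0:
        return True
    bit = {"read": 4, "write": 2, "execute": 1}[op]
    shift = 6 if uid == owner else 3 if group in gids else 0
    return bool((mode >> shift) & bit)


def access(uid, gids, process_sl, owner, group, mode, file_sl, op):
    """Both checks must pass; MAC is not overridden by DAC or by root."""
    return (mac_allows(process_sl, file_sl, op)
            and dac_allows(uid, gids, owner, group, mode, op))


def fits_directory(file_sl, dir_min, dir_max):
    """Directory range rule: dir min SL <= file SL <= dir max SL."""
    return (dir_max.dominates(dir_min) and file_sl.dominates(dir_min)
            and dir_max.dominates(file_sl))
```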

Partitioned Directories

 Called pdir
 Redirects users to subdirectories
 Subdirectories at different ESLs
 Process accesses only the subdirectory with the same SL as the process
 Therefore, all data in a pdir subdirectory is at the same level
– Downgrade path avoided

Partitioned Directories …

(Diagram: a partitioned directory with Min SL: U and Max SL: SEC contains two hidden psdirs; the psdir at SL: U holds FileA and FileB at SL: U, and the psdir at SL: SEC holds FileA and FileB at SL: SEC)

Trusted Networking : Labeled Networking

 Label based controls
– Within the OS
– External communication
 Assigns a label to traffic
– Incoming: assigns a label if not in the packet
– Outgoing: inserts the label into the packet if specified to do so
 Filters traffic
– Determines what is allowed in and out

Trusted Network Supported Label Protocols


 RIPSO
– Revised IP Security Options
– RFC 1038, 1988
– RFC 1108, 1991 (RIPSO-2)
 CIPSO
– Commercial IP Security Option
– Also called CSL, Common Security Label

Label placed in IP header

(Diagram: packet = IP header [optional label] | TCP header or UDP header | user data)
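Added example, not part of the slides or of AIX, of the label option formats named above: a decoder for the CIPSO IP option (tag type 1 bit-mapped and tag type 2 enumerated categories, the encoding used by Linux netlabel and the CIPSO draft), an encoder for what the outgoing path would insert, and a decoder for the RFC 1108 basic security option. The DOI, levels and categories in the test are constructed values.

```python
import struct

CIPSO_OPT = 134          # Commercial IP Security Option number
RIPSO_OPT = 130          # RFC 1108 Basic Security Option number
RIPSO_LEVELS = {0x3D: "TOP SECRET", 0x5A: "SECRET",
                0x96: "CONFIDENTIAL", 0xAB: "UNCLASSIFIED"}


def parse_cipso(opt):
    """Decode a CIPSO option into its DOI and (level, categories) per tag."""
    if len(opt) < 6 or opt[0] != CIPSO_OPT or opt[1] != len(opt):
        raise ValueError("not a well-formed CIPSO option")
    doi = struct.unpack("!I", opt[2:6])[0]
    tags, pos = [], 6
    while pos < len(opt):
        if pos + 2 > len(opt):
            raise ValueError("truncated tag header")
        ttype, tlen = opt[pos], opt[pos + 1]
        if tlen < 4 or pos + tlen > len(opt):
            raise ValueError("bad tag length")
        level = opt[pos + 3]                   # octet 2 of the tag is alignment
        body = opt[pos + 4:pos + tlen]
        if ttype == 1:                         # bit-mapped categories
            cats = {i * 8 + b for i, byte in enumerate(body)
                    for b in range(8) if byte & (0x80 >> b)}
        elif ttype == 2:                       # enumerated 16-bit categories
            if len(body) % 2:
                raise ValueError("odd-length enumerated category list")
            cats = set(struct.unpack("!%dH" % (len(body) // 2), body))
        else:
            raise ValueError("unsupported CIPSO tag type %d" % ttype)
        tags.append({"type": ttype, "level": level, "categories": cats})
        pos += tlen
    return {"doi": doi, "tags": tags}


def build_cipso(doi, level, categories):
    """Encode a tag type 1 option, as the outgoing path would insert it."""
    nbytes = max(categories) // 8 + 1 if categories else 0
    bitmap = bytearray(nbytes)
    for c in categories:
        bitmap[c // 8] |= 0x80 >> (c % 8)      # bit 0 is the MSB of octet 0
    tag = bytes([1, 4 + nbytes, 0, level]) + bytes(bitmap)
    body = struct.pack("!I", doi) + tag
    return bytes([CIPSO_OPT, 2 + len(body)]) + body


def parse_ripso(opt):
    """Decode an RFC 1108 basic security option: classification plus the
    protection-authority flag octets (low bit set means another octet follows)."""
    if len(opt) < 3 or opt[0] != RIPSO_OPT or opt[1] != len(opt):
        raise ValueError("not a well-formed RIPSO basic option")
    level = RIPSO_LEVELS.get(opt[2])
    if level is None:
        raise ValueError("unknown classification 0x%02x" % opt[2])
    flags = list(opt[3:])
    if flags and (any(not f & 1 for f in flags[:-1]) or flags[-1] & 1):
        raise ValueError("malformed protection authority flags")
    return {"classification": level, "authority_flags": flags}
```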

Labeled Printing

 Mandatory headers, footers per MLS specs
 Label based printer controls

Trusted AIX 6.1

 Provided as an install time option
– Option available for both new and migration installation
 Migration is one way: uninstall of MLS is not supported
 Certain APIs and commands would be different in AIX as compared to Pitbull
 MLS support is based on a conditional runtime check as compared to a compile time option

New Commands

labck – Verifies a LabelEncodings file
getsecconf – Displays the kernel security flags
setsecconf – Changes the Trusted AIX kernel security flags
getsyslab – Shows the kernel maximum and minimum labels
setsyslab – Sets the kernel maximum and minimum labels
getrunmode – Displays the current running mode of the system
setrunmode – Switches the running mode of the system
pdlink – Links files across partitioned subdirectories
pdmkdir – Creates partitioned directories and subdirectories
pdmode – Returns the current partitioned directory access mode or runs a command with the specified partitioned directory access mode
pdrmdir – Removes partitioned directories

New Commands (contd.)

pdset – Converts a regular directory to a partitioned directory and associated partitioned subdirectories
bootauth – Verifies that an authorized user is booting the system
chuser – Changes the user's clearance attributes
lsuser – Displays the user's clearance attributes
chsec – Changes the user's clearance attributes and port labels
lssec – Displays the user's clearance attributes and port labels
trustchk – Checks the attributes of files
lstxattr – Displays the label and security flag attributes of files, processes, and IPC objects
settxattr – Changes the label and security flag attributes of files, processes, and IPC objects
tninit – Initializes the Trusted Network
netrule – Manages Trusted Network rules

Miscellaneous

 Archival commands (backup and restore) store and restore labels by default
– New options provided to ignore labels by authorized users
 Commands like find and cron modified to support labels
 /etc/inittab has the following new entries for MLS
– rc.mls.boot
– rc.mls
– rc.mls.net
– bootauth (in case boot authentication is enabled)
 Libraries used by Trusted AIX commands
– /usr/ccs/lib/libmlsenc.a
– /usr/ccs/lib/libmls.a
– /usr/lib/libtn.a

SMIT interfaces

Centralized Policy Administration: LDAP

Policy Management

 Provide simplified and centralized policy management
– Ease customer pain points with regard to managing heterogeneous operating environments
– Support open standards where available
 Consistent tools for uniform policy & user management
– Tools work across databases on local disk, LDAP, Kerberos, Microsoft Active Directory etc.
 LDAP based policy management
– Fault tolerant, RFC 2307

LDAP Policy Management: AIX 6.1 Enhancements


 Role Based Access Control Policies
– Deploy roles for users consistently across the enterprise
 Multi Level Security
– Manage User Clearances and other MLS information
 Pass phrase support
– Pass phrases and related policies could be stored on LDAP
 AIX Security Expert Policies
– Define different policies for different set of systems
 Pre AIX 6.1 Policies Support
– User, group policies
– Network policies: hosts, services
– Auto mount policies
– Advanced Accounting policies

Resources
 AIX 6.1 links
– Open Beta: https://www14.software.ibm.com/iwm/web/cc/earlyprograms/ibm/aix6beta
– Docs: http://publib.boulder.ibm.com/infocenter/pseries/v6r1/index.jsp
– Security guide: http://publib.boulder.ibm.com/infocenter/pseries/v6r1/topic/com.ibm.aix.security/doc/security/security.pdf
– WPAR: http://publib.boulder.ibm.com/infocenter/pseries/v6r1/topic/com.ibm.aix.wpar/wpar-kickoff.htm
– Security Redbook: http://www.redbooks.ibm.com/redpieces/abstracts/sg247430.html?Open
 pSeries security
– http://www.ibm.com/eserver/pseries/security
 AIX online publications
– http://www.ibm.com/servers/aix
– Technical 'Redbooks' PDF/HTML available at http://www.redbooks.ibm.com
• SG24-5962-00 AIX 4.3 Elements of Security
• SG24-5971-00 Additional AIX Security Tools
• SG24-7463-00 AIX 5L Differences Guide Version 5.3 Edition
 HMC security
– http://www.ibm.com/servers/eserver/pseries/hardware/whitepapers/hmc_security.pdf
 IBM security
– http://www.ibm.com/security
 Security information by email
– https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
 IBM Security Response alerts
– security-alert@austin.ibm.com

Resources
 AIX LDAP integration: redbook
– http://www.redbooks.ibm.com/redpieces/pdfs/sg247165.pdf
 AIX LDAP configuration
– Server
• http://www-1.ibm.com/servers/aix/whitepapers/ldap_server.html
– Client
• http://www-1.ibm.com/servers/aix/whitepapers/ldap_client.pdf
 AIX virus scan software
– http://www-1.ibm.com/servers/eserver/pseries/security/feature/antivirus.html
 SSH developerWorks articles
– http://www-106.ibm.com/developerworks/eserver/articles/openssh_aix.html
– http://www-106.ibm.com/developerworks/eserver/articles/openssh_updated.html
 Service Update Management Assistant (SUMA): tool to monitor for security PTFs
– http://www-03.ibm.com/servers/aix/whitepapers/suma.pdf
 AIX user management using Kerberos server
– http://www-03.ibm.com/systems/p/library/wp_aix_lit.html
– http://www.ibm.com/servers/aix/whitepapers/aix_kerberos.pdf
– http://www.ibm.com/servers/aix/whitepapers/aix_kerberos2.pdf
 NFS4 ACL: http://www.redbooks.ibm.com/redbooks/pdfs/sg246657.pdf

Questions ?
