IBM PowerSC & AIX Security Compliance [2018]

p102550 IBM PowerSC Standard Edition with AIX Security
Björn Rodén (roden@ae.ibm.com), Faraz Ahmed (farahmad@in.ibm.com), IBM Systems Lab Services

2018 IBM Systems Technical University, April 2018, Dubai

© 2018 IBM Corporation


Session Objectives

• This session focuses on using PowerSC and AIX security tools
  – Such as PowerSC Security Expert (pscxpert), PowerSC Trusted Logging, PowerSC Real-Time Compliance, PowerSC TNCPM, AIX Security Expert (aixpert), the Audit subsystem, RBAC, RBAC Domains, Trusted Execution, Stack Execution Disable, File Permission Manager, Encrypted Filesystem and the basics of IP filter. Exploring beyond chmod, setgroups and acledit.
  – Up to but not including centralized Identification & Authentication with LDAP.

• Objective: you will learn when and how to use IBM PowerSC Standard Edition with AIX Security.


Business Continuity in IT perspective

• Business Continuity – Ability to adapt and respond to risks as well as opportunities in order to maintain continuous business operations.
• High Availability – The attribute of a system to provide service during defined periods, at acceptable or agreed-upon levels, and to mask unplanned outages.
• Disaster Recovery – Capability to recover a data center (set of services) at a different site if the primary site becomes inoperable.
• Security and Integrity – The attribute of a system to prevent, detect and report unauthorized access and manipulation, and to safeguard information against tampering and disclosure.


IBM Security areas

• Security Intelligence and Analytics
• Identity and Access Management
• Application Security
• Advanced Security and Threat Protection
• Advanced Fraud Protection
• Data Protection
• Infrastructure protection


System Levels / Perspectives (looki looki where is the wookie?)

[Figure: system levels / perspectives diagram]


Attack types, vectors, chains, time and impact

IBM® X-Force® produces many thought leadership security research assets to help customers, fellow researchers and the public at large better understand the latest security risks, and stay ahead of emerging threats. http://www.ibm.com/security/xforce/

[Figure: X-Force attack statistics, 2013 and 2014]

Attacks – Security events that have been identified by correlation and analytics tools as malicious activity attempting to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.


Security policy and technical implementation

• Non-functional security requirements and considerations
  – Technical considerations for applications, data, systems, storage, networks, services, management and maintenance: zoning/tiering/layering, IDS/IPS, firewalls, mobility and remote access entry points, information/data exchange points, identity, authentication and access management, access & activity monitoring and alerting, systems change management, governance, …

• Power/AIX systems hardening topics
  – PowerSC and AIX Security Expert
  – AIX Auditing subsystem
  – AIX Trusted Execution
  – AIX Stack Execution Disable
  – AIX File Permission Manager
  – Encrypted Filesystem
  – AIX Role Based Access Control (RBAC)
  – PowerSC Trusted Logging
  – PowerSC Real-Time Compliance
  – IP Filter
  – System Logging
  – Additionally: IP Security (IPSec), Access Control Lists (ACL), Virtual Private Network (VPN), Centralized Identification and Authentication, Multi-Factor Authentication, PAM & LAM.

Failure to verify non-functional SECURITY requirements against the actual implementation, without proper governance, can create exposures. You might detect a breach, but in the worst case you might never know!


Attack Vectors with UNIX/AIX systems

• Trojan – Trojan software is malicious software hidden inside other software that appears safe.
• Zero-Day – refers to an unknown vulnerability in an application or a computer operating system.
• Worm – Worms are malicious software that enters a computer through a vulnerability in the system, such as a buffer overflow attack where the attack code is inserted into a running process through the overflow, changing the execution path of the running process: the return address is overwritten and redirected to the inserted-code location. The worm then attempts to perform its designed tasks, and also continues to probe and propagate itself through the network from the now compromised system.
• Unauthorized human access – Sixty percent of all attackers are "insiders".
• Breach or compromise – refers to an incident that has successfully defeated security measures and accomplished its designated task.

Controls mapped to the same vectors:

• Trojan → AIX Trusted Execution (TE): its purpose is prevention of installing and/or running Trojans, with the real-time online mode running as part of the AIX kernel when enabled.
• Worm → AIX Stack Execution Disable (SED): its purpose is prevention of buffer overflow exploitation of application memory; when enabled, the kernel disables execution on the memory areas of a process where execution commonly does not take place, such as the stack and heap. Note that SED stops injected code from running on the stack or heap; it does not stop the overflow itself, so code-reuse attacks that only redirect control flow into existing executable code are not covered by it.
• Zero-Day and worm traffic → IBM IPS with real-time protocol flow analysis (a network control, NOT on IBM AIX itself).
• Unauthorized human access → IT can only do so much: IBM Security Directory Server (ISDS)* with LDAP Client for AIX, VIOS, HMC & PowerVC; Multi-Factor Authentication; audit-proof security policy and processes.
• When a preventive control fails → IBM QRadar (security intelligence) to detect the resulting activity.

References:
• SEW03133USEN.pdf, 2017-03-07, http://www-03.ibm.com/software/products/en/category/identity-access-management
• http://www.cisco.com/c/en/us/about/security-center/virus-differences.html


Network zoning, tiering and layering

• Zone – Restricted area of control with common exposure
  – Flat view within a tier
  – Exposed (Red Zone), semi-exposed (DMZ), safe (Green)
• Tier – Restricted area of control with the outer tier in the exposure zone
  – Tier 0 is commonly the ISP(s) network
  – Depth view within one or more zones
• Layer
  – Communication protocols
  – Internet layer / TCP/IP

[Figure: ISP (external) → FW/IPS → Routers → Switches → Network Servers → Storage Switches → Storage]


Network zoning

[Figure: network zones – Corporate Privileged, Data Centre, Corporate IT Management, Vital Infrastructure Administrative Interfaces, DMZ, External Branches / ISP connect, Corporate Guest – separated by Firewall/IPS pairs, with a Firewall & Management Console/Jump Station in front of the management zone; hosts shown are storage, servers, workstations and laptops]


Network tiering

[Figure: network tiering diagram]


PowerSC – Security Compliance with AIX Enterprise Edition

• IBM PowerSC 1.1.6 components for Enhanced Security and Compliance Automation
  – Management Graphical User Interface * – Monitor and manage AIX security profiles and compliance
  – Trusted Boot * – Be sure that the boot media & AIX have booted in a known-trusted state
  – Trusted Network Connect & Patch Management * – When an LPAR attempts to join a VLAN, ensure a minimum AIX level
  – Trusted Firewall * – Pass packets securely between LPARs without an external firewall
  – Trusted Logging * – Secure audit files away, safe from malicious modification
  – Compliance Automation * – Raise alerts if any of the hundreds of settings of a security policy are violated
  – Real-time alerts * – Immediate action, no more periodic script running/polling

• Additional offerings under the PowerSC offering family (separate):
  – IBM PowerSC Multi-Factor Authentication (MFA) on Power – Provides a method of controlling computer access in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism:
    https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=an&subtype=ca&appname=gpateam&supplier=877&letternum=ENUSZP17-0564

* https://www-03.ibm.com/systems/power/software/security/
  https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_oc/1/760/ENUS5765-CD1/index.html&request_locale=en


PowerSC 1.2 User Interface Server

– uiServer
– uiAgent
– Cross certificates with uiAgents

[Figure: uiServer / uiAgent architecture]


IBM PowerSC Standard Edition V1.2

Announcement ZP18-0207, planned availability date June 15, 2018

• Provides
  – Extended platform support for Linux on Power
  – Enhancements to the compliance framework and new built-in profiles
  – Audit and reporting enhancements that provide event timeline features
  – Patch management additions, including GUI integration (Verify and Update)
  – REST APIs that help users automate compliance and patch management in scripting
  – A new GDPR profile to support compliance with the new European law related to data privacy and data protection (AIX and Linux)

• Prerequisites
  – Any IBM system that includes an IBM POWER7®, IBM POWER8®, or IBM POWER9™ technology-based processor
  – AIX 7.1 and 7.2
  – Red Hat Enterprise Linux Server 7.4
  – SUSE Linux Enterprise Server 12 SP3

http://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/7/877/ENUSZP18-0207/index.html&lang=en&request_locale=en


PowerSC 1.2 – User Interface Server & Endpoint Agent

• To use Endpoint Management from the uiServer (pull-down under the cogged wheel) to manage uiAgent requests to become managed endpoints:
  – Copy the uiServer LPAR's endpoint truststore file
    • /etc/security/powersc/uiServer/endpointTruststore.jks
  – to the uiAgent LPAR's truststore file
    • /etc/security/powersc/uiAgent/endpointTruststore.jks
• If Profiles, Endpoint Management etc. are not available (greyed out) in the GUI, run the command:
    /opt/powersc/uiServer/bin/pscuiserverctl set administratorGroupList security
  – and refresh the browser session (or log in again). Membership of the group named here (security) is what unlocks the administrative functions in the GUI, so treat that group as privileged.
• Review the uiServer logfiles after install
  – /var/log/powersc/uiServer/
• Check if uiServer is running
    lssrc -s pscuiserver
• Stop uiServer if it is running
    stopsrc -s pscuiserver
• Start uiServer if it is not running
    startsrc -s pscuiserver


Security Expert tools


Security Expert tools

• Security Expert is the system security hardening tool family
  – aixpert with AIX and pscxpert with PowerSC
  – viosecure with VIOS
• Single consistent view of all security configurations
  – TCP/IP, IPSec, OS security settings, Auditing, etc.
  – Brings 300+ security settings under central control
  – Simplifies complex security configuration
  – Easy to distribute to other systems
  – Undo option
• Easy to implement – choose the desired security level
  – Default, Low, Medium, High, Custom
• pscxpert is introduced in PowerSC 1.1.6
  – The "next generation" version of aixpert
  – Additional security profiles: PCI DSS, HIPAA, US DoD, SOX COBIT, Database.xml
  – Feature enhancements:
    • Check the compliance of a system to a security standard without applying a profile
    • Generate compliance reports in CSV format; the output can be used in security or compliance audit reports


Security Expert basic levels

• Low (LLS)
  – Provides more protection than a standard default AIX install
  – Implements common security settings without impacting the openness of the system
  – Useful for systems which reside on an isolated secure local network, are used by a wide variety of people and services, and/or require non-disruptive security settings
• Medium (MLS)
  – Sets common security hardening parameters, but still allows telnet, rlogin and other clear-text password access
  – Enables port scan protection and enforces password rules
  – Useful for systems which are connected to the corporate network, are used by many users who need telnet and ftp access, and need port scan protection and password hardening
• High (HLS)
  – Security is of utmost importance; the local network is unsafe
  – Enforces port scan detection
  – Blocks most ports
  – Disallows remote connections like rlogin
  – Enforces strong password rules
  – Clear-text passwords are not allowed
  – Useful for systems which are directly connected to the Internet, contain sensitive user data, and have either a direct connection like console login or SSH for secure remote login


AIX Security Expert

• Examples
  – To write all of the high-level security options to an output file without applying them:
      aixpert -l high -n -o /etc/security/aixpert/plugin/myPreferredSettings.xml
    The output file can be edited, and specific security rules can be commented out by enclosing them in the standard XML comment string (<!-- ... -->).
  – To apply the security settings from a configuration file:
      aixpert -f /etc/security/aixpert/plugin/myPreferredSettings.xml
  – To check the security settings that have been applied to the system, and to log the rules that failed into the audit subsystem:
      aixpert -c -p
  – To check the compatibility of the system with a specific profile:
      aixpert -c -P <profile name>
      aixpert -c -P PCI.xml
  – To display the type of the profile applied on the system:
      aixpert -t

http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds1/aixpert.htm


AIX Security Expert

• Example editing aixpert XML – in this case creating one stanza and changing maxage for passwords from 13 to 10 weeks. Note that the changed rule gets a new name (policy_maxage) and rule type (XLS), and that the trailing argument in AIXPertArgs is changed to match the new name.

Original:
  # cat mypolicy.xml
  <AIXPertEntry name="hls_maxage" function="maxage">
  <AIXPertRuleType type="HLS"/>
  <AIXPertDescription>Maximum age for password: Specifies the maximum number of weeks (13 weeks) that a password is valid</AIXPertDescription>
  <AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
  <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
  <AIXPertArgs>maxage=13 ALL hls_maxage</AIXPertArgs>
  <AIXPertGroup>Password policy rules</AIXPertGroup>
  </AIXPertEntry>

Changed:
  # cat mypolicy.xml
  <AIXPertEntry name="policy_maxage" function="maxage">
  <AIXPertRuleType type="XLS"/>
  <AIXPertDescription>Maximum age for password: My policy specifies maximum age as 10 weeks</AIXPertDescription>
  <AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
  <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
  <AIXPertArgs>maxage=10 ALL policy_maxage</AIXPertArgs>
  <AIXPertGroup>Password policy rules</AIXPertGroup>
  </AIXPertEntry>

• Apply the one-stanza XML file:
  # aixpert -f mypolicy.xml -p
  Processing policy_maxage .....:done.


pscxpert – applying a security policy

• Automate the system hardening process
• Achieve the desired level of security by running a single pscxpert command
• Periodically verify compliance using the pscxpert check option
• Easy to distribute the same security settings to multiple servers

  pscxpert -l <level>
  pscxpert -f <path to XML file>

  # pscxpert -l medium -p
  …
  Processing mls_minage .....:done.
  Processing mls_maxage .....:done.
  Processing mls_maxexpired .....:done.
  Processing mls_minlen .....:done.
  Processing mls_minalpha .....:done.
  …
  Processedrules=82 Passedrules=75 Failedrules=7 Level=MLS Input file=/etc/security/aixpert/core/aixpertall.xml


pscxpert – applying a security policy – PCI DSS example

• PCI DSS Requirement 8.5: Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.

8.5.9 Change user passwords at least every 90 days.
  <AIXPertEntry name="PCI_maxage" function="maxage">
  <AIXPertRuleType type="HLS"/>
  <AIXPertDescription>Maximum age for password: PCI Specifies this to be 13 weeks</AIXPertDescription>
  <AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
  <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
  <AIXPertArgs>maxage=13 ALL PCI_maxage</AIXPertArgs>
  <AIXPertGroup>Password policy rules</AIXPertGroup>
  </AIXPertEntry>
  Note that the AIX maxage attribute is counted in weeks: 13 weeks is 91 days, so an auditor who reads "at least every 90 days" strictly will expect maxage=12 (84 days).

8.5.10 Require a minimum password length of at least seven characters.
  <AIXPertEntry name="PCI_minlen" function="minlen">
  <AIXPertRuleType type="HLS"/>
  <AIXPertDescription>Minimum length for password: PCI specifies this to be 7</AIXPertDescription>
  <AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
  <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
  <AIXPertArgs>minlen=7 ALL PCI_minlen</AIXPertArgs>
  <AIXPertGroup>Password policy rules</AIXPertGroup>
  </AIXPertEntry>


pscxpert – applying a security policy – customized example

  # pscxpert -l high -n /etc/security/aixpert/custom/high.xml
Settings of the associated level are not applied but redirected to a file.

  # cp /etc/security/aixpert/custom/high.xml /etc/security/aixpert/custom/mypolicy.xml
Keep a backup of the original, then edit the XML file as per the compliance requirement:

  # vi /etc/security/aixpert/custom/mypolicy.xml

Original:
  <AIXPertEntry name="hls_maxage" function="maxage">
  <AIXPertRuleType type="HLS"/>
  <AIXPertDescription>Maximum age for password: Specifies the maximum number of weeks (13 weeks) that a password is valid</AIXPertDescription>
  <AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
  <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
  <AIXPertArgs>maxage=13 ALL hls_maxage</AIXPertArgs>
  <AIXPertGroup>Password policy rules</AIXPertGroup>
  </AIXPertEntry>

Changed:
  <AIXPertEntry name="policy_maxage" function="maxage">
  <AIXPertRuleType type="HLS"/>
  <AIXPertDescription>Maximum age for password: Specifies the maximum number of weeks (10 weeks) that a password is valid</AIXPertDescription>
  <AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
  <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
  <AIXPertArgs>maxage=10 ALL policy_maxage</AIXPertArgs>
  <AIXPertGroup>Password policy rules</AIXPertGroup>
  </AIXPertEntry>
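The two editing examples above (the one-stanza aixpert file and the pscxpert copy of high.xml) both come down to the same three steps: export the level, keep one rule, rename it and change one value. The script below does that with awk so the edit is repeatable across servers. It is an added example written for this page, not PowerSC or AIX code; the HIGH_XML excerpt is constructed from the stanzas the slides show, and the function names extract_rule, retarget_rule and make_policy are this example's own.

```shell
#!/bin/sh
# Build a one-stanza custom Security Expert profile from an exported profile.
# Added example for this writeup, not PowerSC/AIX code. Assumed (not stated
# on the slides): the exported file keeps each <AIXPertEntry> ... </AIXPertEntry>
# block on separate lines, as the slides' cat output shows.

# Constructed two-rule excerpt standing in for
# /etc/security/aixpert/custom/high.xml (from: pscxpert -l high -n <file>).
HIGH_XML='<AIXPertEntry name="hls_minlen" function="minlen">
<AIXPertRuleType type="HLS"/>
<AIXPertDescription>Minimum length for password: Specifies the minimum length of a password (8)</AIXPertDescription>
<AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
<AIXPertArgs>minlen=8 ALL hls_minlen</AIXPertArgs>
<AIXPertGroup>Password policy rules</AIXPertGroup>
</AIXPertEntry>
<AIXPertEntry name="hls_maxage" function="maxage">
<AIXPertRuleType type="HLS"/>
<AIXPertDescription>Maximum age for password: Specifies the maximum number of weeks (13 weeks) that a password is valid</AIXPertDescription>
<AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
<AIXPertArgs>maxage=13 ALL hls_maxage</AIXPertArgs>
<AIXPertGroup>Password policy rules</AIXPertGroup>
</AIXPertEntry>'

# extract_rule FUNCTION: from a profile on stdin, print only the entry whose
# function attribute matches (e.g. maxage), including its closing tag.
extract_rule() {
    awk -v fn="$1" '
        /<AIXPertEntry /   { inside = (index($0, "function=\"" fn "\"") > 0) }
        inside             { print }
        /<\/AIXPertEntry>/ { inside = 0 }
    '
}

# retarget_rule NAME TYPE VALUE [DESC]: rename the entry on stdin, set its
# rule type, rewrite <AIXPertArgs>attr=value ALL name</AIXPertArgs> with the
# new value and the new name (the slides keep the trailing name in step with
# the entry name), and optionally replace the description so it does not
# still claim the old value.
retarget_rule() {
    awk -v nm="$1" -v ty="$2" -v val="$3" -v desc="$4" '
        /<AIXPertEntry /    { sub(/name="[^"]*"/, "name=\"" nm "\"") }
        /<AIXPertRuleType / { sub(/type="[^"]*"/, "type=\"" ty "\"") }
        /<AIXPertDescription>/ && desc != "" {
            $0 = "<AIXPertDescription>" desc "</AIXPertDescription>"
        }
        /<AIXPertArgs>/ {
            split($0, part, /[<>]/)      # part[3] = "maxage=13 ALL hls_maxage"
            split(part[3], word, " ")    # word[1] = "maxage=13"
            split(word[1], kv, "=")      # kv[1]   = "maxage"
            $0 = "<AIXPertArgs>" kv[1] "=" val " ALL " nm "</AIXPertArgs>"
        }
        { print }
    '
}

# make_policy FUNCTION NAME TYPE VALUE [DESC]: one-stanza policy on stdout.
make_policy() {
    printf '%s\n' "$HIGH_XML" | extract_rule "$1" | retarget_rule "$2" "$3" "$4" "$5"
}

# Demo: the slides' change, 13 weeks -> 10 weeks, as rule policy_maxage.
# On AIX you would redirect this to /etc/security/aixpert/custom/mypolicy.xml
# and then run: pscxpert -f /etc/security/aixpert/custom/mypolicy.xml -p
make_policy maxage policy_maxage HLS 10 \
    "Maximum age for password: My policy specifies maximum age as 10 weeks"
```

Because the rule is renamed, the applied profile (appliedaixpert.xml) carries your name rather than hls_maxage, which is what lets a later pscxpert -c tell a deliberate deviation from a shipped rule apart from drift.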


pscxpert – applying a security policy – customized example

  pscxpert -f <custom filename> -p

  # pscxpert -f /etc/security/aixpert/custom/mypolicy.xml -p
  Processing policy_minage .....:done.
  Processing policy_maxage .....:done.
  Processing policy_maxexpired .....:done.
  Processing policy_minlen .....:done.
  Processing policy_minalpha .....:done.
  Processing policy_minother .....:done.
  Processing policy_maxrepeats .....:done.
  Processing policy_mindiff .....:done.
  Processing policy_histexpire .....:done.
  Processing policy_histsize .....:done.
  Processing policy_pwdwarntime .....:done.


pscxpert – check compliance

Check if anything has changed on the system compared to the applied profile:

  pscxpert -c

  # pscxpert -c
  do_action(): rule(mls_minlen_F258A964) : failed.
  do_action(): rule(lls_minlen_7EDEFEDC) : failed.
  Processedrules=76 Passedrules=74 Failedrules=2 Level=AllRules Input file=/etc/security/aixpert/core/appliedaixpert.xml

The detailed report is in /etc/security/aixpert/check_report.txt; here the minlen value differs from the applied security policy:

  # cat /etc/security/aixpert/check_report.txt
  ***** stglbs22.in.ibm.com : Nov 15 16:36:19 ******

  chusrattr.sh: User attribute minlen, should have value 8, but it is 4 now
  comntrows.sh: Daemon/Script/String:lpd: should have status disabled, however its entry is not found in file /etc/inittab

§ Easy to track changes in security settings
§ Useful for periodic compliance checks
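For the periodic compliance check the output has to be consumed by something other than a person reading a screen. The shell below, an added example for this page and not PowerSC code, turns the summary line and check_report.txt shown above into a pass/fail exit status and CSV rows that a scheduler or monitoring agent can act on. The sample text is constructed from the slide's output (the hostname stglbs22.in.ibm.com is the one the slide shows), and the function names are this example's own.

```shell
#!/bin/sh
# Reduce pscxpert -c output to a verdict and a CSV of findings for scheduled
# checks. Added example for this writeup, not PowerSC code; the input samples
# are constructed from the slide's output, not captured from a live system.

# What `pscxpert -c` printed to stdout (constructed).
CHECK_OUT='do_action(): rule(mls_minlen_F258A964) : failed.
do_action(): rule(lls_minlen_7EDEFEDC) : failed.
Processedrules=76 Passedrules=74 Failedrules=2 Level=AllRules Input file=/etc/security/aixpert/core/appliedaixpert.xml'

# /etc/security/aixpert/check_report.txt after that run (constructed).
CHECK_REPORT='***** stglbs22.in.ibm.com : Nov 15 16:36:19 ******

chusrattr.sh: User attribute minlen, should have value 8, but it is 4 now
comntrows.sh: Daemon/Script/String:lpd: should have status disabled, however its entry is not found in file /etc/inittab'

# failed_rules: print N from the "Failedrules=N" token of the summary line.
failed_rules() {
    awk '/Processedrules=/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Failedrules=/) { split($i, kv, "="); print kv[2] }
    }'
}

# failed_rule_names: the rule ids from the do_action() lines, one per line.
# The suffix (e.g. _F258A964) is the one pscxpert appends to applied rules,
# as also seen in the undo output.
failed_rule_names() {
    sed -n 's/^do_action(): rule(\([^)]*\)) : failed\.$/\1/p'
}

# report_to_csv: check_report.txt on stdin -> host,script,finding rows.
# The host comes from the "***** host : date ******" banner line.
report_to_csv() {
    awk '
        BEGIN     { print "host,script,finding" }
        /^\*\*\*/ { host = $2; next }            # banner line
        NF == 0   { next }                       # blank line
        {
            script = $1; sub(/:$/, "", script)
            finding = substr($0, length($1) + 2)
            gsub(/"/, "\"\"", finding)           # CSV-escape embedded quotes
            printf "%s,%s,\"%s\"\n", host, script, finding
        }'
}

# compliance_verdict: summary on stdin; exit 0 only when Failedrules=0.
compliance_verdict() {
    n=$(failed_rules)
    printf 'failed rules: %s\n' "${n:-unknown}"
    [ "${n:-1}" -eq 0 ]
}

# Demo over the constructed samples. On AIX the equivalent is:
#   pscxpert -c > /tmp/pscxpert.out 2>&1 || true
#   compliance_verdict < /tmp/pscxpert.out || report_to_csv < /etc/security/aixpert/check_report.txt
printf '%s\n' "$CHECK_OUT" | failed_rule_names
printf '%s\n' "$CHECK_REPORT" | report_to_csv
printf '%s\n' "$CHECK_OUT" | compliance_verdict || echo "system drifted from applied profile"
```

A non-zero exit from compliance_verdict is the event to alert on; the CSV rows are what goes into the ticket, and they line up with the columns of the -r report described below.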


pscxpert – check system compatibility with a profile

The -P flag accepts a profile name as input:

  pscxpert -c -P <profile name>

  # pscxpert -c -P /etc/security/aixpert/custom/PCI.xml
  Processing pci_minage :done.
  Processing pci_maxage : failed.
  Processing pci_maxexpired : failed.
  Processing pci_minlen : failed.
  Processing pci_minalpha : failed.
  Processing pci_minother : failed.
  Processing pci_maxrepeats :done.
  Processing pci_histexpire : failed.
  Processing pci_histsize : failed.
  Processing pci_loginretries : failed.
  Processing pci_logindisable : failed.
  Processing pci_loginreenable : failed.
  Processing pci_rootrlogin : failed.
  Processing pci_rootlogin :done.
  …
  Processedrules=82 Passedrules=43 Failedrules=39 Level=PLS Input file=/etc/security/aixpert/custom/PCI.xml


pscxpert – generate a compliance report in CSV format

The -r flag generates compliance reports in CSV format:

  pscxpert -c -P <profile name> -r -p

  # pscxpert -c -P /etc/security/aixpert/custom/PCI.xml -r -p
  Processing pci_minage :done.
  Processing pci_maxage : failed.
  Processing pci_maxexpired : failed.
  Processing pci_minlen : failed.
  Processing pci_minalpha : failed.
  Processing pci_minother : failed.
  Processing pci_maxrepeats :done.
  Processing pci_histexpire : failed.
  Processing pci_histsize : failed.
  Processing pci_loginretries : failed.
  Processing pci_logindisable : failed.
  Processing pci_loginreenable : failed.
  Processing pci_rootrlogin : failed.
  …
  Processedrules=82 Passedrules=42 Failedrules=40 Level=PLS Input file=/etc/security/aixpert/custom/PCI.xml


pscxpert – compliance audit report in CSV format

[Figure: screenshot of the CSV compliance report]


pscxpert – undo feature

To undo an applied security profile:

  pscxpert -u

  # pscxpert -u -p
  Processing mls_minage_F258A964 :done.
  Processing mls_maxage_F258A964 :done.
  Processing mls_maxexpired_F258A964 :done.
  Processing mls_minlen_F258A964 :done.
  Processing mls_minalpha_F258A964 :done.
  Processing mls_minother_F258A964 :done.
  Processing mls_mindiff_F258A964 :done.
  Processing mls_histexpire_F258A964 :done.
  Processing mls_histsize_F258A964 :done.
  Processing mls_pwdwarntime_F258A964 :done.
  …
  Processing mls_rootpwdintchk_F258A964 :done.


pscxpert – undo works recursively

§ Multiple security profiles can be applied one after another
§ UNDO rules are built dynamically

  # pscxpert -f /etc/security/aixpert/custom/PCI.xml
  Processedrules=82 Passedrules=81 Failedrules=1 Level=PLS Input file=/etc/security/aixpert/custom/PCI.xml
  # pscxpert -f /etc/security/aixpert/custom/Hipaa.xml -p
  Processedrules=31 Passedrules=29 Failedrules=2 Level=Hipaa Input file=/etc/security/aixpert/custom/Hipaa.xml

Each pscxpert -u reverts one applied profile, so after applying two profiles as above the UNDO command must be run twice to get back to the AIX default settings.


pscxpert – important files

• All configuration data resides in the /etc/security/aixpert directory
  – /etc/security/aixpert/core/aixpertall.xml
    • Contains an XML listing of all possible security settings
  – /etc/security/aixpert/core/appliedaixpert.xml
    • Contains an XML list of the applied security settings
  – /etc/security/aixpert/core/undo.xml
    • Created as part of applying a security setting; it is used to UNDO security settings
  – /etc/security/aixpert/check_report.txt
    • Contains the output of the compliance check command
  – /etc/security/aixpert/log/aixpert.log
    • Contains a trace log of applied security settings


Auditing subsystem


Auditing subsystem basics

• The purpose of auditing is to detect activities that might compromise the security of a system
  – The audit subsystem only has a default set of events to be audited for the root user
  – You must select the events or event classes that you want logged according to your needs
• The auditing subsystem
  – Enables recording of security-relevant information, which can be analyzed to detect potential and actual violations of the system security policy. An auditable event is any security-relevant occurrence in the system.
  – http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.security/doc/security/auditing.htm
  – http://www-01.ibm.com/support/docview.wss?uid=isg3T1000212
• Adjust classes and objects to fit event monitoring needs and align with the security policy and AIX security standard
  – Per-process auditing
  – Per-object auditing
• The auditing subsystem is controlled using the audit command
  – audit { start | shutdown }
  – audit { off | on [ panic | fullpath ] }
  – audit query

http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.security/doc/security/aix_sec_expert_aud_policy_settings.htm


Auditing subsystem logging

• Kernel logging modes
  – Kernel logging can be set to BIN or STREAM mode to define where the kernel audit trail is written.
  – Use BIN mode direct to a virtual log device
    • http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.files/doc/aixfiles/config.htm
  – With PowerSC Trusted Logging, specify the virtual_log attribute in /etc/security/audit/config
    • The audit records are written to the VIOS through the virtual_log device, in addition to the local file system files specified by the bin1 and bin2 parameters in the bin stanza of /etc/security/audit/config. That off-LPAR copy is what keeps the trail out of reach of someone who obtains root on the audited system.
  – /etc/security/audit/bincmds contains the backend commands that process BIN mode records.
    • The path name of this file is defined in the bin stanza of the /etc/security/audit/config file.
  – Use the auditselect command to select BIN format audit records that match identified criteria and display them on stdout.
    • http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds1/auditselect.htm
  – Use the auditpr command to convert binary audit records into a human-readable form.


Auditing subsystem logging

• To audit an activity
  – Identify the command or process that initiates the audit event and ensure that the event is listed in the /etc/security/audit/events file.
  – Add the event either to an appropriate class in /etc/security/audit/config, or to an object stanza in /etc/security/audit/objects. See the /etc/security/audit/events file for the list of events and their output formatting.
• Audit event configuration – audit event selection has the following types:
  • Per-process auditing
    – To select process events efficiently, the system administrator can define audit classes. An audit class is a subset of the base auditing events in the system. Audit classes provide convenient logical groupings of the base auditing events.
    – For each user on the system, the system administrator defines a set of audit classes that determine the base events that can be recorded for that user. Each process run by the user is tagged with its audit classes.
  • Per-object auditing
    – The operating system provides for auditing accesses to specific objects by name, such as files.
    – By-name object auditing avoids having to record all object accesses in order to audit the few pertinent objects. In addition, the auditing mode can be specified, so that only the specified access modes (read/write/execute) are recorded.
• The auditing subsystem is configured using specification files
  – /etc/security/audit/config
  – /etc/security/audit/events
  – /etc/security/audit/objects
  – And for BIN and STREAM mode respectively:
    • /etc/security/audit/bincmds
    • /etc/security/audit/streamcmds


Auditing subsystem configuration

• Configure the /etc/security/audit/config file
  – This file contains the audit subsystem configuration.
  – Event selection must strike a balance between too little and too much detail.
  1. Group your selected audit events into sets of similar items called audit classes.
  2. Define these audit classes in the classes stanza of the /etc/security/audit/config file.
  3. Assign the audit classes to the individual users and assign audit events to the files (objects) to audit.
  4. Assign audit classes to an individual user by adding a line to the users stanza of the /etc/security/audit/config file, or use the chuser command to assign audit classes to a user (the mkuser or chuser auditclasses attribute).
  5. Specify default audit classes for users, such as:
     > Explicitly set a specific user's auditclasses attribute with the mkuser or chuser command, which also updates the /etc/security/audit/config file for that user
     > For new users, by editing the /usr/lib/security/mkuser.default file before running mkuser

• Configure the /etc/security/audit/objects file
  – This file contains the audit subsystem configuration for audit events of objects (files).
  1. Assign audit events to an object (file) by adding a stanza for that file to /etc/security/audit/objects.
  2. For each object (file), specify the type of events (read/write) to audit.

• Configure the /etc/security/audit/events file
  – This file contains the audit subsystem configuration of the available audit events and their output formatting.

Example: how to spot-check a system for users without an audit class defined. It prints each user followed by the number of lines in /etc/security/audit/config that assign classes to that user; 0 means the user has no entry in the users stanza:

  for u in $(lsuser -a auditclasses ALL | awk '{print $1}'); do
      printf "%s %s\n" "$u" "$(grep -c "^[[:space:]]*${u}[[:space:]]*=" /etc/security/audit/config)"
  done

Techdoc for basic components and configuration of auditing on AIX: http://www-01.ibm.com/support/docview.wss?uid=isg3T1000212


Auditing subsystem jump start

1. Verify the audit configuration in /etc/security/audit/config
2. Create class myclass with only the events wanted, in the classes stanza of /etc/security/audit/config:
     classes:
       myclass = USER_Login,USER_Logout,USER_SU,PROC_Execute
3. Map the user to the class, such as:
     chuser auditclasses=myclass user123
4. Start auditing:
     audit start
5. Log in as the user and run commands
6. Track the audit events:
     # auditselect -e "login == user123" /audit/trail | auditpr -v
     event           login    status   time                      command
     --------------- -------- -------- ------------------------- -----------------------
     FS_Chdir        user123  OK       Tue Mar 25 13:06:52 2014  sshd
             change current directory to: /home/user123
     PROC_Execute    user123  OK       Tue Mar 25 13:06:52 2014  ksh
             euid: 205 egid: 1 epriv: 0:0 name -ksh
     PROC_Execute    user123  OK       Tue Mar 25 13:07:00 2014  su
             euid: 205 egid: 1 epriv: 0:0 name su
     S_PASSWD_READ   user123  OK       Tue Mar 25 13:07:00 2014  su
             audit object read event detected /etc/security/passwd
     ...
     FS_Chdir        user123  OK       Tue Mar 25 13:07:06 2014  su
             change current directory to: /
     PROC_Execute    user123  OK       Tue Mar 25 13:07:06 2014  ksh
             euid: 0 egid: 0 epriv: ffffffff:ffffffff name -ksh

   The last PROC_Execute record shows that the su succeeded: the new ksh runs with euid 0 and the full privilege set (epriv ffffffff:ffffffff), still attributed to the login user123.
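The trail above is the raw material for detection: the records that matter are the su that read /etc/security/passwd and the ksh that followed it with euid 0. The awk filter below, an added example for this page and not part of AIX, pulls exactly those out of auditpr -v output so a reviewer does not have to read every FS_Chdir. The embedded trail is constructed to mirror the slide (auditpr -v prints the detail record indented under its event line), and the function names privilege_transitions and root_shells are this example's own.

```shell
#!/bin/sh
# Pick privilege transitions out of an AIX audit trail rendered by auditpr -v.
# Added example for this writeup, not AIX code. The trail below is constructed
# to match the slide's output: one event line, then an indented detail line.

AUDIT_TRAIL='event           login    status      time                     command
--------------- -------- ----------- ------------------------ -----------------------
FS_Chdir        user123  OK          Tue Mar 25 13:06:52 2014 sshd
        change current directory to: /home/user123
PROC_Execute    user123  OK          Tue Mar 25 13:06:52 2014 ksh
        euid: 205 egid: 1 epriv: 0:0 name -ksh
PROC_Execute    user123  OK          Tue Mar 25 13:07:00 2014 su
        euid: 205 egid: 1 epriv: 0:0 name su
S_PASSWD_READ   user123  OK          Tue Mar 25 13:07:00 2014 su
        audit object read event detected /etc/security/passwd
FS_Chdir        user123  OK          Tue Mar 25 13:07:06 2014 su
        change current directory to: /
PROC_Execute    user123  OK          Tue Mar 25 13:07:06 2014 ksh
        euid: 0 egid: 0 epriv: ffffffff:ffffffff name -ksh'

# privilege_transitions: auditpr -v output on stdin; prints one line per
#  - PROC_Execute whose detail shows euid 0 for a login other than root
#  - S_PASSWD_READ (the audited object, here /etc/security/passwd, was read)
privilege_transitions() {
    awk '
        $1 == "event" || $1 ~ /^-+$/ || NF == 0 { next }   # header, rule, blank
        /^[A-Z][A-Za-z0-9_]*[ \t]/ {                       # event line
            ev = $1; login = $2; status = $3
            when = $4 " " $5 " " $6 " " $7 " " $8          # 5-token timestamp
            cmd = $9
            next
        }
        # Anything else is the detail record of the event line above it.
        ev == "PROC_Execute" && match($0, /euid: [0-9]+/) {
            euid = substr($0, RSTART + 6, RLENGTH - 6) + 0
            if (euid == 0 && login != "root")
                printf "%s %s ran %s as euid 0 (%s)\n", when, login, cmd, status
        }
        ev == "S_PASSWD_READ" {
            printf "%s %s read %s via %s\n", when, login, $NF, cmd
        }
    '
}

# root_shells: number of executions in which a non-root login held euid 0.
root_shells() {
    privilege_transitions | grep -c ' as euid 0 '
}

# Demo. On AIX, after the jump-start steps above:
#   auditselect -e "login == user123" /audit/trail | auditpr -v | privilege_transitions
printf '%s\n' "$AUDIT_TRAIL" | privilege_transitions
```

The filter keys on the login field, which AIX keeps as the original login identity across su, so a root shell obtained by user123 is reported against user123 rather than root. Feed it the whole trail (no auditselect -e) to find every account that reached euid 0.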


PowerSC Real-Time Compliance


PowerSC Real-Time Compliance

• The PowerSC Real-Time Compliance feature continuously monitors enabled AIX systems to ensure that they are configured consistently and securely.
  – When the security configuration policy of a system is violated, the PowerSC Real-Time Compliance feature sends an email or a text message to alert the system administrator.
• Monitors file modifications of a predefined list of files
  – Using the AIX event infrastructure (AHAFS, Autonomic Health Advisor File System)
• Checks for compliance violations on file changes
  – Using the aixpert command
• Sends alerts
  – Via
    • Email – must be set at configuration
    • SNMP trap – optional alert mechanism
  – On
    • Compliance violations
    • File modification events

https://www.ibm.com/support/knowledgecenter/en/SSTQK9_1.1.6/com.ibm.powersc.se/kc_welcome_se.htm


PowerSC Real-Time Compliance • RTC registers files with the operating system using AHAFS. – The AIX Kernel in turn will notify rtcd daemon when one of the registered files changes. – This allows immediate near real time notification saves on computing cycles (vs. polling). – AIX AHAFS – Autonomic Health Advisor File System – is an event monitoring framework for monitoring predefined and user-defined events, represented as a pseudo-file system.



Configure Real Time Compliance
• PowerSC Real Time Compliance can be configured to send alerts when violations of a compliance profile or changes to a monitored file occur
  – Content Monitoring checks if the content of the file was modified
  – Attributes Monitoring verifies if the file permissions were changed
• Configure PowerSC Real Time Compliance:
  – Edit /etc/security/rtc/rtcd.conf, using the mkrtc command or smitty RTC
  – Edit /etc/security/rtc/rtcd_policy.conf, or use the chsec command
• Configuration files
  – /etc/security/rtc/rtcd.conf
    • The /etc/security/rtc/rtcd.conf file is the configuration file for the Real Time Compliance daemon (rtcd). This file is updated by the mkrtc command when configuring the real-time compliance subsystem. If the real-time compliance subsystem is configured and running, any change to this file becomes effective immediately and it is not necessary to restart the rtcd daemon.
  – /etc/security/rtc/rtcd_policy.conf
    • The /etc/security/rtc/rtcd_policy.conf file contains a list of files and the associated events to be monitored by the real-time compliance subsystem. The file is a stanza file with each stanza name being a file name followed by a colon. After the file is saved, the new list is immediately used as a baseline and monitored for changes without restarting the system.



Configure Real Time Compliance

# smitty RTC

                        Real-Time Compliance (RTC)
Move cursor to desired item and press Enter.
  Configure Real-Time Compliance Subsystem
  Unconfigure Real-Time Compliance Subsystem

                Configure Real-Time Compliance subsystem
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
                                                       [Entry Fields]
* Email Address (comma separated)                      [rtcmon@localhost]
  Alert Information Level                              [1]
  Alert Style                                          [always]
  Alert Email Subject                                  [RTC alert mail]
  Debug                                                [off]

# lssrc -s rtcd
Subsystem         Group            PID          Status
 rtcd                              6684896      active



Configure Real Time Compliance
• RTC configuration file /etc/security/rtc/rtcd.conf
  – Defines the configuration for the RTC monitoring daemon rtcd

# cat /etc/security/rtc/rtcd.conf
# List of email addresses to send alerts to
#email: foo@abc.com
email:rtcmon@localhost
# Specifies the subject of the alert email
#emailSubject: PowerSC Real-Time Alert
emailSubject:RTC alert mail
# Specifies the information level of file modifications. Valid values
# are 1, 2, and 3. Default is 1
#infolevel: 1
…. content omitted for readability…
#alertStyle: once
alertStyle:always
# Specifies whether to turn debug on. Valid values are on and off.
# Default is off. Debug info is written to syslog
#debug: on



/etc/security/rtc/rtcd.conf attributes
• alertStyle – Specifies the alert style. The valid values are:
  – once // Alert once for the same set of compliance violations. This is the default value.
  – event // Alert once for the same set of compliance violations, but keep alerting for each file modification event.
  – always // Alert compliance violations and file modification on each file change modification.
• alertMsgSize – Specifies the alert message size. The limited size is suitable for email addresses that are directed at smartphone SMS messaging. The valid values are:
  – verbose // Provides the entire message. This is the default value.
  – limited // Limits the size of the alert message to the first violation and the first event. If there is more than one violation or event, it is indicated in the message.
• debug // Specifies whether to turn debug messages on. The valid values are on and off. The default value is off.
• email // Specifies the email address to which the alerts will be sent. It allows multiple email:<email address> pairs, each pair on a separate line.
• infolevel // Specifies the information level of file modification events. The valid values are 1, 2, and 3. The default value is 1. A higher value indicates more details.
• emailSubject // Specifies the subject line that is used for the email alert.
• snmptrap // Specifies the parameters for the snmptrap notifications.
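A pre-flight check of rtcd.conf against the attribute list above, added here as an example for this page (it is not part of the presentation and not PowerSC code). It reads key:value lines in the format shown on the previous slide and reports values outside the documented sets, plus the one mistake that silently disables alerting: no email or snmptrap destination at all. Assumes a POSIX shell and awk; the two sample configurations inside it are constructed.

```shell
#!/bin/sh
# Added example, not from the presentation and not PowerSC code: validate an
# rtcd.conf file against the attributes documented above before relying on rtcd.

# rtcd_conf_check FILE
# Prints one finding per line; exit status 1 if there was at least one finding.
rtcd_conf_check() {
    awk '
    BEGIN {
        # documented attribute -> regular expression for its valid values
        ok["alertStyle"]   = "once|event|always"
        ok["alertMsgSize"] = "verbose|limited"
        ok["debug"]        = "on|off"
        ok["infolevel"]    = "1|2|3"
        ok["email"]        = "[^@[:space:]]+@[^@[:space:]]+"
        ok["emailSubject"] = ".*"
        ok["snmptrap"]     = ".+"
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comment or blank line
    {
        i = index($0, ":")
        if (i == 0) { print "line " NR ": no \":\" separator"; bad++; next }
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        seen[key]++
        if (!(key in ok)) { print key ": not an attribute documented for rtcd.conf"; bad++ }
        else if (val !~ ("^(" ok[key] ")$")) { print key ": \"" val "\" is not " ok[key]; bad++ }
    }
    END {
        # rtcd has nowhere to deliver alerts without at least one destination
        if (!seen["email"] && !seen["snmptrap"]) { print "no alert destination: set email or snmptrap"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the working configuration shown on the slide (email set, alertStyle always).
sample_conf_ok() {
    cat <<'EOF'
# List of email addresses to send alerts to
email:rtcmon@localhost
emailSubject:RTC alert mail
#infolevel: 1
alertStyle:always
EOF
}

# Constructed sample with typical mistakes: destination left commented out, a typo in
# the alert style and an information level outside 1..3.
sample_conf_bad() {
    cat <<'EOF'
#email: foo@abc.com
alertStyle:allways
infolevel:5
EOF
}
```

Run it against the live file with `rtcd_conf_check /etc/security/rtc/rtcd.conf` before restarting rtcd; a non-zero exit status means at least one finding was printed.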



Configure Real Time Compliance
• RTC configuration file /etc/security/rtc/rtcd_policy.conf
  – Defines the event type to be monitored.
  – The attributes can be one or both of the following values, separated by a comma:
    • modFile // File content modifications.
    • modFileAttr // File attribute modifications.

# cat /etc/security/rtc/rtcd_policy.conf
/etc/inittab:
        eventtype = modFile
/etc/inetd.conf:
        eventtype = modFile
…. content omitted for readability…
/usr/bin/atq:
        eventtype = modFileAttr
/usr/bin/capture:
        eventtype = modFileAttr
/usr/bin/chcore:
        eventtype = modFileAttr
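A small reader for rtcd_policy.conf, added as an example for this page (not from the presentation, not PowerSC code). It parses the stanza format shown above, lists what rtcd will monitor, flags event types other than modFile and modFileAttr, warns about paths that do not exist on the host (usually a typo or a file not created yet), and emits the stanza to append for a new file in the same layout. Assumes a POSIX shell and awk; the policy file used in the usage is constructed.

```shell
#!/bin/sh
# Added example, not from the presentation or from PowerSC: read the stanza file
# /etc/security/rtc/rtcd_policy.conf and report what rtcd will monitor.

# rtc_policy_list FILE   -> one line per stanza: "<path> <eventtype list>"
rtc_policy_list() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[^[:space:]].*:[[:space:]]*$/ {                      # stanza header "<path>:"
        sub(/:[[:space:]]*$/, ""); path = $0; types[path] = ""; order[++n] = path; next
    }
    /^[[:space:]]+eventtype[[:space:]]*=/ {                # attribute line inside a stanza
        sub(/^[^=]*=[[:space:]]*/, ""); gsub(/[[:space:]]/, "")
        if (path != "") types[path] = $0
        next
    }
    END { for (i = 1; i <= n; i++) print order[i], types[order[i]] }' "$1"
}

# rtc_policy_check FILE  -> findings worth reviewing before trusting the policy:
# missing or unknown event types (only modFile and modFileAttr are defined) and
# paths that are not present on this host.
rtc_policy_check() {
    rtc_policy_list "$1" | while read -r path types; do
        [ -e "$path" ] || echo "$path: not present on this host"
        [ -n "$types" ] || echo "$path: no eventtype set"
        for t in $(printf '%s\n' "$types" | tr ',' ' '); do
            case "$t" in
                modFile|modFileAttr) ;;
                *) echo "$path: unknown eventtype \"$t\"" ;;
            esac
        done
    done
}

# rtc_policy_stanza PATH EVENTTYPES -> stanza for a new monitored file, in the layout
# shown above (the deck later adds such an entry with chsec)
rtc_policy_stanza() {
    printf '%s:\n        eventtype = %s\n' "$1" "$2"
}
```

`rtc_policy_check /etc/security/rtc/rtcd_policy.conf` prints nothing when every stanza is well formed and every path exists.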



Real Time Compliance in action

File content changes
# chsec -f /etc/security/user -s default -a maxage=0

Alert mail generated
From root Sat Jun 28 20:39:05 2014
Date: Sat, 28 Jun 2014 20:39:04 +0530
To: rtcmon@stglbs34.in.ibm.com
From: RTC@stglbs34.in.ibm.com
Subject: RTC alert mail

The following event(s) has occurred:
BEGIN_EVENT_INFO
Hostname     : stglbs34.in.ibm.com
Filename     : /etc/security/user
Time         : Sat Jun 28 20:39:04 2014
Sequence Num : 3
Process ID   : 9043998
User Info    : userName=root, loginName=root, groupName=system
Program Name : chsec
Event        : AHAFS_MODFILE_WRITE
END_EVENT_INFO



Real Time Compliance in action

File attribute changes
# chown "root:staff" /usr/bin/mkuser

Alert mail generated
From root Sat Jun 28 20:40:23 2014
Date: Sat, 28 Jun 2014 20:40:23 +0530
To: rtcmon@stglbs34.in.ibm.com
From: RTC@stglbs34.in.ibm.com
Subject: RTC alert mail

The following event(s) has occurred:
BEGIN_EVENT_INFO
Hostname     : stglbs34.in.ibm.com
Filename     : /usr/bin/mkuser
Time         : Sat Jun 28 20:40:22 2014
Sequence Num : 1
Process ID   : 9044012
User Info    : userName=root, loginName=root, groupName=system
Program Name : chown
Event        : AHAFS_MODFILEATTR_SETOWN
END_EVENT_INFO
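The alert mails on these two slides are meant for a human inbox; a SIEM or a change-ticket reconciliation wants one record per event. The parser below is an added example for this page (not from the presentation, not PowerSC code). It walks the BEGIN_EVENT_INFO/END_EVENT_INFO blocks, keeps the field names exactly as they appear in the mail, and classifies each event as a content change (AHAFS_MODFILE_*) or an attribute change (AHAFS_MODFILEATTR_*), the two event families shown above. Assumes a POSIX shell and awk; the sample mail is constructed from the two alerts on the slides.

```shell
#!/bin/sh
# Added example, not from the presentation: turn an RTC alert mail into one record per
# event so it can be shipped to a SIEM or reconciled against change tickets.

# rtc_alert_parse  (mail on stdin)
# -> host|file|time|pid|user info|program|event|kind   (kind: content or attribute)
rtc_alert_parse() {
    awk '
    /^BEGIN_EVENT_INFO/ { inev = 1; split("", f); next }
    /^END_EVENT_INFO/ {
        # AHAFS_MODFILEATTR_* events come from attribute monitoring, AHAFS_MODFILE_* from content
        kind = (f["Event"] ~ /^AHAFS_MODFILEATTR_/) ? "attribute" : "content"
        rec = f["Hostname"] "|" f["Filename"] "|" f["Time"] "|" f["Process ID"]
        rec = rec "|" f["User Info"] "|" f["Program Name"] "|" f["Event"] "|" kind
        print rec
        inev = 0; next
    }
    inev {
        i = index($0, ":")                     # first colon separates label and value
        if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        f[k] = v
    }'
}

# rtc_alert_summary (records on stdin) -> "file kind count", sorted by file
rtc_alert_summary() {
    awk -F'|' '{ n[$2 " " $8]++ } END { for (k in n) print k, n[k] }' | sort
}

# Constructed from the two alerts shown on the slides above.
sample_rtc_alert() {
    cat <<'EOF'
From root Sat Jun 28 20:40:23 2014
Subject: RTC alert mail

The following event(s) has occurred:
BEGIN_EVENT_INFO
Hostname     : stglbs34.in.ibm.com
Filename     : /etc/security/user
Time         : Sat Jun 28 20:39:04 2014
Sequence Num : 3
Process ID   : 9043998
User Info    : userName=root, loginName=root, groupName=system
Program Name : chsec
Event        : AHAFS_MODFILE_WRITE
END_EVENT_INFO
BEGIN_EVENT_INFO
Hostname     : stglbs34.in.ibm.com
Filename     : /usr/bin/mkuser
Time         : Sat Jun 28 20:40:22 2014
Sequence Num : 1
Process ID   : 9044012
User Info    : userName=root, loginName=root, groupName=system
Program Name : chown
Event        : AHAFS_MODFILEATTR_SETOWN
END_EVENT_INFO
EOF
}
```

Usage: `sample_rtc_alert | rtc_alert_parse` yields two pipe-separated records; piping those into `rtc_alert_summary` gives a per-file count of content versus attribute changes, which is the first thing to compare against the change calendar.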



Real Time Compliance in action
How to add new files to the RTC policy file?
# touch /tmp/myfile
# chsec -f /etc/security/rtc/rtcd_policy.conf -s /tmp/myfile -a eventtype=modFileAttr,modFile

Restart the rtcd daemon
# stopsrc -s rtcd
0513-044 The rtcd Subsystem was requested to stop.
# startsrc -s rtcd
0513-059 The rtcd Subsystem has been started. Subsystem PID is 9044024.

Test by modifying the file
# echo "test message" >> /tmp/myfile
# chmod 777 /tmp/myfile

RTC emailed event
User Info    : userName=root, loginName=root, groupName=system
Program Name : ksh
Event        : AHAFS_MODFILE_WRITE



Real Time Compliance in action
• The AIXpert compliance check is triggered automatically when RTC detects a change
  – The compliance check is triggered in real time
  – Avoids the need to schedule the compliance check using cron or scripts
  – Updates the /etc/security/aixpert/check_report.txt file

Test by modifying an RTC monitored file
# chsec -f /etc/security/user -s default -a minlen=0
# cat /etc/security/aixpert/check_report.txt
chusrattr.sh: User attribute minlen, should have value 8, but it is 0

RTC emailed event
User Info    : userName=root, loginName=root, groupName=system
Program Name : ksh
Event        : AHAFS_MODFILE_WRITE



Trusted Execution



Using Trusted Execution
• Introduced in AIX v6.1
• Provides integrity checking, such as against trojan programs
• Allows a policy driven approach to maintain system integrity
• Provides 2 modes of integrity check:
  – System (Offline)
  – Run time (Online)
• TE Components
  – TSD – Trusted Signature Database
  – Certificates
  – trustchk command
• The TSD database stores security attributes of trusted files
  – /etc/security/tsd/tsd.dat
  – Populated with default entries at install time
  – Integrity check compares the actual command with the corresponding entry in the TSD database
  – New commands can be added to the TSD database
  – Application commands can be added to the TSD
  – Requires OpenSSL

http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.security/doc/security/bos_trusted_execution.htm



Trusted Execution vs. Trusted Computing Base
• TE can replace TCB – Trusted Computing Base

TE (Trusted Execution)                                        | TCB (Trusted Computing Base)
--------------------------------------------------------------|--------------------------------------------------------------
Installed by default on AIX systems with version 6.1 or above | Can only be installed as part of the AIX installation process
Uses certificates to verify integrity                         | Uses checksums to verify integrity
Provides online and offline checking modes                    | Provides only an offline checking mode



Integrity Check Modes (flow chart)

Online mode:
  Run executable -> Is the run time integrity check enabled?
    No  -> Follow normal execution path
    Yes -> Integrity check against the TSD and the certificates database -> Integrity check successful?
           Yes -> Follow normal execution path
           No  -> Does not allow execution

Offline mode:
  File name input -> trustchk command (can be run periodically as a cron job)
    -> Integrity check against the TSD and the certificates database -> Policy engine -> Output report


Example of TSD stanza in /etc/security/tsd/tsd.dat

/usr/sbin/lsuser:
        owner = root
        group = security
        mode = TCB,SUID,555
        type = FILE
        hardlinks =
        symlinks =
        size = 85308
        cert_tag = 00d3cbd2922627b209
        signature = 5348748cde2600daa6004532196d57ce22179c05c148f0764438d6e6a8ee31dac714c7d671192c04729e161770bc441dd7ce8e2f3507af525ddd5caba5e6548e6a38a382904a41b45b84c7ad2934c8e53c6962278e04835160732b2840a996e87e60f1da8efc8dc5a84613065d0bea33d8b54d56881692a71fdd
        hash_value = de19fb40b67f172e346a2601b88445c3bb24aba3569ebfa50e18bc8609002cbf
        minslabel =
        maxslabel =
        intlabel =
        accessauths = ALLOW_ALL
        innateprivs = PV_DAC_R,PV_DAC_UID,PV_DAC_X,PV_DEV_LOAD,PV_DEV_QUERY
        authprivs =
        secflags = FSF_EPS
        t_accessauths =
        t_authprivs =
        t_innateprivs = PV_DAC_X,PV_MAC_R,PV_MIC

Attribute      Description
owner          Owner of the file
group          Name of the group of the file
type           Type of file – directory, FIFO, device etc
mode           Permission bits of the file
hardlinks      Colon separated list of hard links pointing to the file
symlinks       Colon separated list of symbolic links pointing to the file
size           Size of the file in bytes (or VOLATILE)
cert_tag       Certificate tag used to calculate the signature of the file
signature      Digital signature of the file (or VOLATILE)
hash_value     Cryptographic hash value of the file (or VOLATILE)
accessauths    Access authorization on the object
innateprivs    Innate privileges for the file
inheritprivs   Inheritable privileges for the file
authprivs      Privileges that will be assigned to users if they have the given authorizations
secflags       File security flags associated with the object
minslabel      Minimum sensitivity label for the object. This is valid only on a Trusted AIX system
maxslabel      Maximum sensitivity label for the object. This is valid only on a Trusted AIX system
intlabel       Integrity label for the object. This is valid only on a Trusted AIX system


TSD Customization
• Delete file from TSD
  – trustchk -d <filename>
• Add a new file to TSD
  – Requires OpenSSL
  – Create a self signed certificate using OpenSSL
  – Add the certificate to the /etc/security/certificates directory
  – trustchk -s <signing key> -v <verification certificate> -a <filename>
• Modify file in TSD
  – TE doesn't allow modification of an entry
  – To modify:
    • delete the entry
    • add a new entry



System Integrity Check (Offline Mode)
• Run the trustchk command to check the integrity of a file
  trustchk [-n | -t | -y] <command | ALL>
    -n : Indicates pass or fail without any correction
    -y : Take corrective action
    -t : Take corrective action with prompt
• Minor changes like permission and ownership can be corrected by the trustchk command
  – -y and -t can take corrective actions
  – VOLATILE attributes will be skipped
• Major changes like size and hash value can not be corrected by the trustchk command
  – -y and -t will disable the file
• Keyword ALL checks the integrity of all the commands in the TSD
• Can be run as cron for a periodical system integrity check:
  0 15 * * * /usr/sbin/trustchk -n all
• Check the TSD attributes for a specific file
  /usr/sbin/trustchk -q /etc/passwd
• To scan the whole system for a TROJAN detection report only:
  trustchk -n tree
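To make the offline check concrete, here is an added example for this page (not the AIX trustchk implementation) that does what `trustchk -n` does for the TSD attributes that can be recomputed locally: mode, owner, group, size and hash_value from the stanza shown earlier. te_baseline records them, te_verify recomputes them and prints trustchk-style "Verification of attributes failed: <attr>" lines without correcting anything, a baseline value of VOLATILE is skipped as trustchk skips VOLATILE attributes, and te_summarize groups a report (this one's or a real `trustchk -n ALL` listing) by failed attribute. Assumes GNU coreutils sha256sum and a Unix `ls -l` layout; the baseline file format is this example's own, not tsd.dat.

```shell
#!/bin/sh
# Added example, not the AIX trustchk implementation: offline integrity check in the
# spirit of `trustchk -n`, over mode, owner, group, size and hash_value.

# te_attrs FILE -> "mode owner group size sha256"
te_attrs() {
    set -- "$1" $(ls -ld "$1")             # $2=mode $3=links $4=owner $5=group $6=size
    printf '%s %s %s %s %s\n' "$2" "$4" "$5" "$6" "$(sha256sum < "$1" | cut -d' ' -f1)"
}

# te_baseline BASELINE FILE...  -> writes "path mode owner group size hash" per file
te_baseline() {
    b=$1; shift
    : > "$b"
    for f in "$@"; do printf '%s %s\n' "$f" "$(te_attrs "$f")" >> "$b"; done
}

# te_cmp ATTR EXPECTED ACTUAL PATH -> 0 if matching or EXPECTED is VOLATILE
te_cmp() {
    [ "$2" = "VOLATILE" ] && return 0
    [ "$2" = "$3" ] && return 0
    echo "te_verify: $4: Verification of attributes failed: $1"
    return 1
}

# te_verify BASELINE -> report only; exit 1 if any attribute of any file deviates
te_verify() {
    b=$1; fail=0
    while read -r path mode owner group size hash; do
        if [ ! -e "$path" ]; then echo "te_verify: $path: missing"; fail=1; continue; fi
        set -- $(te_attrs "$path")
        te_cmp mode       "$mode"  "$1" "$path" || fail=1
        te_cmp owner      "$owner" "$2" "$path" || fail=1
        te_cmp group      "$group" "$3" "$path" || fail=1
        te_cmp size       "$size"  "$4" "$path" || fail=1
        te_cmp hash_value "$hash"  "$5" "$path" || fail=1
    done < "$b"
    return "$fail"
}

# te_summarize (report on stdin) -> "attribute count"; on a trustchk -n ALL listing this
# separates mass permission drift (many "mode") from a content change (size/hash_value)
te_summarize() {
    awk -F': ' '/Verification of attributes failed/ { n[$NF]++ } END { for (a in n) print a, n[a] }' | sort
}
```

Typical use: `te_baseline /var/tmp/te.base /etc/syslog.conf /etc/inittab` right after a known-good build, then `te_verify /var/tmp/te.base | te_summarize` from cron, the same cadence the slide suggests for `trustchk -n ALL`. The baseline itself must live somewhere the monitored host cannot rewrite, which is exactly what the signed TSD and, later in this deck, Trusted Logging provide.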



Example of minor changes – file permission mode
trustchk -n <filename> reports a change in file attributes
trustchk -t <filename> reports a change in file permission mode and prompts for correction

# ls -l /etc/syslog.conf
-rw-r--r--    1 root     system         4408 Jul  7 12:47 /etc/syslog.conf
# chmod 664 /etc/syslog.conf             <- modify the access permissions of syslog.conf
# trustchk -n /etc/syslog.conf           <- trustchk with the -n option reports the change in file permissions
trustchk: /etc/syslog.conf: Verification of attributes failed: mode
# ls -l /etc/syslog.conf
-rw-rw-r--    1 root     system         4408 Jul  7 12:47 /etc/syslog.conf
# trustchk -t /etc/syslog.conf           <- trustchk with the -t option reports the change in permission mode and prompts for correction
trustchk: Verification of attributes failed: mode
Change the file mode for /etc/syslog.conf? [(y)es,(n)o,(i)gnore all errors]: y
trustchk: Verification of stanza failed:
#
# ls -l /etc/syslog.conf
-rw-r--r--    1 root     system         4408 Jul  7 12:47 /etc/syslog.conf    <- file permissions corrected



Example of minor changes – ownership
trustchk -n <filename> reports a change in file attributes
trustchk -y <filename> corrects the deviating file attributes

# ls -l /etc/syslog.conf
-rw-r--r--    1 root     system         4408 Jul  7 12:47 /etc/syslog.conf
# chown root:staff /etc/syslog.conf      <- change the group ownership of syslog.conf
#
# trustchk -n /etc/syslog.conf           <- trustchk with the -n option reports the change in file ownership
trustchk: /etc/syslog.conf: Verification of attributes failed: group
#
# trustchk -y /etc/syslog.conf           <- trustchk with the -y option corrects the ownership
trustchk: Verification of attributes failed: group
trustchk: Verification of stanza failed:
#
# ls -l /etc/syslog.conf
-rw-r--r--    1 root     system         4408 Jul  7 12:47 /etc/syslog.conf    <- ownership corrected



Periodical System Integrity Check
The trustchk -n ALL command can be used for a periodical system integrity check; it is useful to run as a cron job so the check happens periodically.

/# trustchk -n ALL
trustchk: /usr/bin/acctras: Verification of attributes failed: mode
trustchk: /usr/bin/ps: Verification of attributes failed: mode
trustchk: /usr/bin/cronadm: Verification of attributes failed: mode
trustchk: /usr/bin/getconf: Verification of attributes failed: mode
trustchk: /usr/lib/trcload: Verification of attributes failed: mode
trustchk: /usr/sbin/cfgmgr: Verification of attributes failed: mode
trustchk: /usr/sbin/timedc: Verification of attributes failed: mode
trustchk: /usr/bin/filemon: Verification of attributes failed: mode
trustchk: /usr/sbin/chpath: Verification of attributes failed: mode
trustchk: /usr/bin/paginit: Verification of attributes failed: mode
trustchk: /usr/bin/smitacl: Verification of attributes failed: mode
trustchk: /usr/bin/confsrc: Verification of attributes failed: mode
trustchk: /usr/sbin/backbyinode: Verification of attributes failed: mode
trustchk: /usr/sbin/allocp: Verification of attributes failed: mode
trustchk: /usr/bin/refresh: Verification of attributes failed: mode
trustchk: /usr/lib/lpd/pio/etc/pioout: Verification of attributes failed: mode
trustchk: /usr/sbin/mtrace: Verification of attributes failed: mode
trustchk: /usr/sbin/chcons: Verification of attributes failed: mode
trustchk: /usr/sbin/pdelay: Verification of attributes failed: mode
trustchk: /usr/bin/paglist: Verification of attributes failed: mode
trustchk: /usr/bin/capture: Verification of attributes failed: mode
trustchk: /usr/sbin/pshare: Verification of attributes failed: mode
trustchk: /usr/sbin/mkpath: Verification of attributes failed: mode
….



How to set a TE policy?
trustchk -p <policy>=on|off

# trustchk -p chkexec=on
# trustchk -p stop_on_chkfail=on
# trustchk -p te=on

# trustchk -p
TE=ON
CHKEXEC=ON
CHKSHLIB=OFF
CHKSCRIPT=OFF
CHKKERNEXT=OFF
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=ON
LOCK_KERN_POLICIES=OFF
TSD_FILES_LOCK=OFF
TSD_LOCK=OFF
TEP=OFF
TLP=OFF



Example 1 – Setting check on executables
trustchk -p chkexec=on

Changing the content of a file by creating a new one:
# trustchk -p chkexec=on
# trustchk -p stop_on_chkfail=on
# trustchk -p te=on
# mv /usr/bin/chmod /usr/bin/chmod_orig
# touch /usr/bin/chmod

Command execution fails:
# /usr/bin/chmod
ksh: /usr/bin/chmod: cannot execute

Copying back the original file with the correct content:
# mv /usr/bin/chmod_orig /usr/bin/chmod
# chmod
Usage: chmod [-R] [-f] [-h] {u|g|o|a ...} {+|-|=} {r|w|x|X|s|t ...} File ...
       chmod [-R] [-f] [-h] OctalNumber File ...
Changes the permission codes for files or directories.

Command executes successfully.


Example 2 – Setting Trusted Execution Path
trustchk -p TEP=on

# trustchk -p TEP
TEP=OFF
TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin:/usr/lib:/usr/lib/security
# trustchk -p TEP=/usr/sbin             <- change the trusted execution path to the /usr/sbin directory only
#
# trustchk -p TEP=on                    <- enable the trusted execution path policy
# trustchk -p TEP
TEP=ON
TEP=/usr/sbin
#
# /usr/bin/mkuser                       <- command execution fails because the command is not present in the trusted path
ksh: /usr/bin/mkuser: cannot execute
# trustchk -p TEP=/usr/bin:/usr/sbin    <- change the trusted execution path to include /usr/bin also
# trustchk -p TEP
TEP=ON
TEP=/usr/bin:/usr/sbin
#
# mkuser                                <- command executes successfully
Usage: mkuser [-R load_module] [-a] "attr=value" ... newuser
# /usr/bin/mkuser
Usage: mkuser [-R load_module] [-a] "attr=value" ... newuser
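A model of the Trusted Execution Path decision shown in Example 2, added as an example for this page (not AIX code), so that a candidate TEP value can be reasoned about before it is enabled with `trustchk -p TEP=on`. It parses the two-line `trustchk -p TEP` output from the slide and answers, for a given executable, whether the policy would leave it runnable. The example assumes an entry matches only the executable's exact parent directory, so /usr/bin does not cover /usr/bin/sub or /usr/binx; confirm that detail against the trustchk documentation for your release before depending on it. POSIX shell and awk only.

```shell
#!/bin/sh
# Added example, not AIX code: reason about a Trusted Execution Path setting.
# Assumption: a TEP entry matches only the exact parent directory of the executable.

# tep_allows TEP_LIST EXEC_PATH -> 0 if the directory of EXEC_PATH is listed
tep_allows() {
    case "$2" in /*) ;; *) return 1 ;; esac      # only absolute paths can be on the path
    dir=${2%/*}; [ -n "$dir" ] || dir=/
    oldifs=$IFS; IFS=:
    for entry in $1; do
        entry=${entry%/}; [ -n "$entry" ] || entry=/   # normalise a trailing slash
        if [ "$entry" = "$dir" ]; then IFS=$oldifs; return 0; fi
    done
    IFS=$oldifs
    return 1
}

# tep_parse (trustchk -p TEP output on stdin) -> "ON|OFF <path list>"
tep_parse() {
    awk -F= '$1 == "TEP" { if ($2 == "ON" || $2 == "OFF") state = $2; else path = $2 }
             END { print state, path }'
}

# tep_decide TRUSTCHK_OUTPUT_FILE EXEC_PATH -> prints allowed/denied, returns 0/1;
# with TEP=OFF nothing is restricted, which is the state the first slide output shows
tep_decide() {
    set -- "$2" $(tep_parse < "$1")              # $1=exec $2=state $3=path list
    if [ "$2" = "OFF" ] || tep_allows "$3" "$1"; then echo "allowed: $1"; return 0; fi
    echo "denied: $1 is not under TEP=$3"; return 1
}
```

Usage on a live system: `trustchk -p TEP > /tmp/tep.out; tep_decide /tmp/tep.out /usr/bin/mkuser` reproduces the "cannot execute" outcome of the slide when TEP is /usr/sbin only.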





Stack Execution Disable



Stack Execution Disable (SED) jump start
• Stack Execution Disable (SED) prevents buffer overflow attacks by not executing code in data areas of memory
  – The sedmgr command is the manager of the Stack Execution Disable (SED) facility. You can use the command to enable and control the level of stack execution done in the system. This command can also be used to set the various flags in an executable file, controlling the stack execution disable.
  – If no flag is specified, the sedmgr command displays the current setting in regards to the stack execution disable environment (current SED setting in the kernel var structure and the system-wide SED settings in ODM).
• Examples:
  – To change the system-wide SED Mode flag to setidfiles and the SED Control flag to on:
    • sedmgr -m setidfiles -o on
  – To change the SED checking flag to exempt for the ftp file:
    • sedmgr -c exempt ftp
  – To change the SED checking flag to select for all the executable files marked as a TCB file:
    • sedmgr -c request TCB_files
  – To display the SED checking flag of the ftp file:
    • sedmgr -d /usr/bin/ftp
  – To enable SED to monitor instead of terminating the processes when exceptions occur:
    • sedmgr -o on
  – To display the SED settings:
    • sedmgr
      Stack Execution Disable (SED) mode: select
      SED configured in kernel: select

http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.security/doc/security/stack_exec_disable.htm
http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds5/sedmgr.htm



RBAC



Role Based Access Control (RBAC)
• Defines system-wide roles for admin/regular tasks
• Delegates admin tasks, traditionally done by the root user, to regular users
• Granular control over system operations
• Principle of least privilege – avoids the need for setuid/setgid programs

(Figure: Traditional – system management by root covers File System Mgt., Network Mgt. and Backup Recovery together; RBAC – the same tasks are split across Role 1, Role 2 and Role 3, one role each for File System Mgt., Network Mgt. and Backup Recovery.)

http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.security/doc/security/rbac.htm



Elements of RBAC § Authorizations – Mechanism to grant access to commands or certain functionality.

§ Roles – A container for authorizations that can be assigned to a user.

§ Privileges – Process attribute that allows process to bypass a security restriction.



RBAC Scenario 1. Authorization is created to allow access to a command.

2. A set of authorizations are collected into a role.

3. Roles are assigned to a user.

4. User activates role to unlock command access.



RBAC Command Execution Flow-chart
(Color code in the original figure: traditional behavior vs. RBAC changes)

Start -> Is the command in the database?
  NO  (traditional behavior) -> Does the process have file system access rights?
        YES -> Execution Allowed
        NO  -> Execution Failed
  YES (RBAC) -> Is the user authorized?
        NO  -> Execution Failed
        YES -> Raise privileges to bypass access right checks -> Execution Allowed
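The flow chart above, played out in code as an added example for this page (not AIX code). CMD_DB stands in for what `lssecattr -c` reports (a command and its accessauths), ROLE_DB for what `lsrole` reports (a role and its authorizations); both tables are constructed, not a dump of any system. Authorizations are treated as a dotted hierarchy in which a role holding aix.security.user also covers aix.security.user.create, which is how AIX documents its authorization hierarchy, and ALLOW_ALL is honoured as in the lsuser stanza shown earlier. The function takes the user's active roles, i.e. what `rolelist -e` prints after `swrole`, not merely the roles assigned with chuser. POSIX shell and awk only.

```shell
#!/bin/sh
# Added example, not AIX code: the RBAC execution decision over constructed tables.

# command  accessauths  (constructed; stands in for `lssecattr -c` output)
CMD_DB='/usr/sbin/mkuser aix.security.user.create
/usr/sbin/mount aix.fs.manage.mount
/usr/sbin/shutdown aix.system.boot.shutdown
/usr/bin/date ALLOW_ALL'

# role  authorizations  (constructed; stands in for `lsrole` output)
ROLE_DB='useradm aix.security.user
FSAdmin aix.fs.manage.mount,aix.fs.manage.unmount
SysBoot aix.system.boot'

# auth_covers GRANTED REQUIRED -> 0 if GRANTED equals REQUIRED or is its ancestor
auth_covers() {
    [ "$1" = "$2" ] && return 0
    case "$2" in "$1".*) return 0 ;; esac
    return 1
}

# role_auths ROLE -> comma-separated authorizations of ROLE ("" if unknown)
role_auths() { printf '%s\n' "$ROLE_DB" | awk -v r="$1" '$1 == r { print $2 }'; }

# rbac_decide ACTIVE_ROLES COMMAND   (ACTIVE_ROLES comma-separated, as from rolelist -e)
# prints the outcome; returns 0 allowed, 1 execution failed, 2 not in the database
# (the traditional file-system permission check applies instead)
rbac_decide() {
    req=$(printf '%s\n' "$CMD_DB" | awk -v c="$2" '$1 == c { print $2 }')
    if [ -z "$req" ]; then echo "$2: not in database, traditional access check"; return 2; fi
    if [ "$req" = "ALLOW_ALL" ]; then echo "$2: allowed (ALLOW_ALL)"; return 0; fi
    oldifs=$IFS; IFS=,
    for role in $1; do
        for granted in $(role_auths "$role"); do
            for needed in $req; do           # any one of the accessauths is enough
                if auth_covers "$granted" "$needed"; then
                    IFS=$oldifs
                    echo "$2: allowed, role $role grants $granted (covers $needed), privileges raised"
                    return 0
                fi
            done
        done
    done
    IFS=$oldifs
    echo "$2: execution failed, no active role grants $req"
    return 1
}
```

`rbac_decide useradm /usr/sbin/mkuser` is allowed through the hierarchy, `rbac_decide FSAdmin /usr/sbin/mkuser` fails, and a command absent from the table falls back to the traditional permission check, the left-hand branch of the chart.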



Using RBAC jump start (1/3)
• AIX standard predefined system roles, which can be modified from their default AIX configuration, and may contain subroles, e.g. so contains SysBoot:
  – isso – Information System Security Officer
  – sa – System Administrator
  – so – System Operator
• Additional system roles from AIX 7.1 TL 2 & AIX 6.1 TL 8:
  – auditadm – Audit Administrator
  – fsadm – File System Administrator
  – pkgadm – Software Package Administrator
  – secadm – Security Administrator
  – svcadm – Service Administrator
  – sysop – System Operator
  – useradm – User Administrator
• To check which authorization is required to execute a specific program:
  – lssecattr -c <program>
• To list all commands with a specific authorization:
  – authrpt <authorization>
• To list authorizations for a specific program:
  – tracepriv -ef <program>
• To check which role a specific authorization belongs to:
  – lsrole ALL | grep -i <authorization>
  – lsrole ALL | egrep -i "<authorization>|<authorization>"
• To list all system-defined authorizations and their description:
  – lsauth -f -a description ALL_SYS



Using RBAC jump start (2/3)
• To create a new role with appropriate authorizations to run the specific program:
  – mkrole authorizations="<authorizations>" <rolename>
• To update the Kernel Security Tables (KST) with the new role definition:
  – lskst -t role -f <rolename>
  – setkst
  – lskst -t role -f <rolename>
• To assign a role to a user, and assign default roles to a user (default is a subset of assigned roles):
  – chuser roles=<role> <username>
  – chuser default_roles=<role,role,...> <username>
• To display all the authorizations:
  – lsauth ALL
• To activate a role as a user:
  – swrole <role>
• To check all capabilities for a user:
  – usrrpt <user>
• To check the commands associated with a user:
  – usrrpt -c <user>
• To check a user's active roles:
  – rolelist -e
• To check role usage (using the Audit trail):
  – roleqry -q <user>

Note:
§ Privileges are associated with specific processes
§ Authorizations are associated to users through Roles



Using RBAC jump start (3/3)
• Frequent system administration task groups:
  – Creating and changing file systems   > role FSAdmin
  – Creating and changing users          > role useradm
  – Rebooting partitions                 > role SysBoot

Example with a user in the staff group, adding roles and verifying basic operations:
# chuser roles="FSAdmin,useradm,SysBoot" user123
# chuser default_roles="FSAdmin,useradm,SysBoot" user123
# su - user123
$ rolelist -e
$ smitty fs
$ smitty mkuser
$ shutdown -Fr



PowerSC Trusted Logging



Trusted Logging feature (1/6)
– Trusted Logging lets AIX LPARs write to log files that are stored on an attached Virtual I/O Server (VIOS).
– Storing log files as virtual logs increases the level of trust in the records because they cannot be changed by a user with root privileges on the client LPAR where they were generated.
– Centralized logging ensures that even when virtual machines are discarded or unavailable, the logs remain in the central location and can be analyzed.
– The VIOS administrator creates and manages the log files, and they are presented to the AIX operating system as virtual log devices in the /dev directory, similar to virtual disks or virtual optical media.
– Data is transmitted to the VIOS directly through the hypervisor using the VSCSI interface, and network connectivity is not required between the client LPAR and the VIOS.
– The maximum individual write size is limited to 32 KB.
– Multiple virtual log devices can be attached to the same client LPAR and each log is a different file in the /dev directory.
– Optionally, a clustered VIOS configuration can be used to create the virtual log repository on the Shared Storage Pool – any VIOS in the cluster can retrieve and analyze any log file in the repository.



Trusted Logging feature (6/6)
Three methods to store virtual logs
1. With Shared Storage Pool (SSP) and with the same UUID for each virtual log
   • This method supports multi-pathing to VIOS and the same shared backend log device
   • Infrastructure changes are required for the SSP repository disk and the SSP shared disks
2. Without Shared Storage Pool (SSP), with a different UUID for each virtual log
   • Two VIOS, each having a separate copy of the repository logfile
   • No infrastructure changes are required
3. Without Shared Storage Pool (SSP), with the same UUID for each virtual log
   • Two VIOS, each having a separate copy of the repository logfile
   • No infrastructure changes are required



Trusted Logging feature (2/6)
Virtual Logs directory structure
– Default location under /var/vio/vlogs
– Two types of files
  1. Log Data File: hostname_logname.### – contains client logs
  2. State File: hostname_logname.state.### – contains log metadata

(Figure: /var/vio/vlogs (default location) holding, for lpar#1, a syslog log with its Log Data File and State File, and an audit log with its Log Data File and State File.)

Virtual Log commands
– To list the virtual log repositories: lsvlrepo, or lsvlrepo -d for a detailed description
– To change the configuration of a repository: chvlrepo
– To create virtual logs: mkvlog
– To list virtual logs: lsvlog, or lsvlog -d for a detailed description
– To change the configuration of virtual logs: chvlog
– To remove virtual logs: rmvlog


Trusted Logging feature (3/6)

AIX LPAR: syslog with virtual logging
On VIOS as padmin: mkvlog -name aixlpar1_syslog -vadapter vhost#
# echo "*.crit /dev/vlog0" >> /etc/syslog.conf
# refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.

http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds5/syslogd.htm

AIX LPAR: audit with virtual logging
On VIOS as padmin: mkvlog -name aixlpar1_audit -vadapter vhost#
# cat /etc/security/audit/config
start:
        binmode = on
        streammode = off
bin:
        bincompact = off
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        virtual_log = /dev/vlog1
# audit start

http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.files/doc/aixfiles/config.htm



Trusted Logging feature (4/6)

AIX LPAR: errpt with virtual logging
On VIOS as padmin: mkvlog -name aixlpar1_errpt -vadapter vhost#
# cat add2odm4vlog.errnotify
errnotify:
        en_name = "ERRPTVLOG"
        en_persistenceflg = 1
        en_method = "/usr/bin/echo $1 $2 $3 $4 $5 $6 $7 $8 $9 > /dev/vlog3"
# odmadd add2odm4vlog.errnotify

Parameter  Description
$1         Sequence number from the error log entry
$2         Error ID from the error log entry
$3         Class from the error log entry
$4         Type from the error log entry
$5         Alert flags from the error log entry
$6         Resource name from the error log entry
$7         Resource type from the error log entry
$8         Resource class from the error log entry
$9         Error label from the error log entry

http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.genprogc/doc/genprogc/error_notice.htm

AIX LPAR: console with virtual logging
On VIOS as padmin: mkvlog -name aixlpar1_console -vadapter vhost#
# swcons /dev/vlog4
# and/or the chcons command for a permanent change at the next startup of the system

http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds5/swcons.htm
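The errnotify stanza above forwards nine bare fields with echo, which is hard to read back a year later. The script below is an added example for this page (not from the presentation, not PowerSC code) that an en_method could call instead: errnotify_record turns the nine positional parameters from the table into one labelled, UTC-timestamped line, and vlog_write appends data to the virtual log device in writes of at most 32768 bytes, the per-write limit given on the first Trusted Logging slide, so a long message is not silently cut. The install path /usr/local/bin/errnotify_vlog.sh mentioned in the usage and the sample field values are assumptions. POSIX shell plus dd and date.

```shell
#!/bin/sh
# Added example, not from the presentation: an en_method replacement that writes a
# labelled record to a virtual log in writes of at most 32 KB.

# errnotify_record SEQ ERRID CLASS TYPE ALERT RESNAME RESTYPE RESCLASS LABEL -> one line
errnotify_record() {
    printf 'ts=%s seq=%s errid=%s class=%s type=%s alert=%s resname=%s restype=%s resclass=%s label=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"
}

# vlog_write TARGET  (data on stdin) -> appends to TARGET in chunks of <= 32768 bytes,
# one write(2) per chunk, and prints the number of writes made
vlog_write() {
    chunk=$(mktemp); n=0
    while dd bs=32768 count=1 of="$chunk" 2>/dev/null && [ -s "$chunk" ]; do
        dd if="$chunk" bs=32768 2>/dev/null >> "$1"     # single write of at most 32 KB
        n=$((n + 1))
    done
    rm -f "$chunk"
    echo "$n"
}

# errnotify_to_vlog DEVICE $1..$9 -> what the ODM stanza's en_method would invoke
errnotify_to_vlog() {
    dev=$1; shift
    errnotify_record "$@" | vlog_write "$dev" >/dev/null
}

# Entry point when installed as /usr/local/bin/errnotify_vlog.sh (assumed path) and
# referenced from en_method as: "/usr/local/bin/errnotify_vlog.sh $1 $2 $3 $4 $5 $6 $7 $8 $9"
# The device is fixed here to keep the ODM stanza unchanged in shape.
[ "${ERRNOTIFY_VLOG_MAIN:-0}" = "1" ] && errnotify_to_vlog /dev/vlog3 "$@"
```

When the script is used as the en_method, set ERRNOTIFY_VLOG_MAIN=1 in its environment or drop that guard; the guard only keeps the functions loadable from another shell without side effects.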



Trusted Logging feature (5/6)
On VIOS: audit logs can be formatted using the auditpr command

# auditpr -r -i /var/vio/vlogs/aixlpar1/audit/aixlpar1_audit.000
event           login    status      time                     command         wpar name
--------------- -------- ----------- ------------------------ --------------- ---------
FS_Chdir        0        OK          Thu Jun 20 08:18:44 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:18:44 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:18:47 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:18:47 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:18:57 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:18:57 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:19:07 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:19:07 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:19:17 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:19:17 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:19:27 2013 ps              Global
FS_Chdir        0        OK          Thu Jun 20 08:19:27 2013 ps              Global
FS_Mkdir        0        FAIL        Thu Jun 20 08:19:29 2013 java            Global
FS_Mkdir        0        OK          Thu Jun 20 08:19:29 2013 java            Global
FS_Mkdir        0        OK          Thu Jun 20 08:19:29 2013 java            Global
FS_Mkdir        0        OK          Thu Jun 20 08:19:29 2013 java            Global
FILE_Unlink     0        OK          Thu Jun 20 08:19:29 2013 java            Global
FILE_Rename     0        OK          Thu Jun 20 08:19:29 2013 java            Global
FS_Rmdir        0        OK          Thu Jun 20 08:19:29 2013 java            Global
FS_Rmdir        0        OK          Thu Jun 20 08:19:29 2013 java            Global

http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.genprogc/doc/genprogc/error_notice.htm
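Both auditpr listings in this deck, the `auditselect ... | auditpr -v` trail at the top of this section and the VIOS listing above, share one column layout, so one parser serves both. It is an added example for this page (not from the presentation, not AIX code): audit_parse turns each record, with its indented `-v` detail line when present, into a pipe-separated line; audit_failures keeps FAIL records; audit_root_transitions reports logins other than root whose PROC_Execute detail shows euid 0 or the full privilege set (epriv ffffffff:ffffffff), which is the su step visible in the earlier trail. The column positions (event, login, status, a five-token time, command, optional wpar name) follow the listings; the sample trails are constructed from the records shown there. POSIX shell and awk only.

```shell
#!/bin/sh
# Added example, not from the presentation or AIX: parse auditpr output and run two
# checks over it.

# audit_parse (auditpr output on stdin) -> event|login|status|time|command|wpar|detail
audit_parse() {
    awk '
    function flush() { if (have) print ev "|" login "|" status "|" t "|" cmd "|" wpar "|" detail; have = 0 }
    /^event[[:space:]]+login/ || /^-+/ || /^\.\.\./ || /^[[:space:]]*$/ { next }   # header, rule, "..."
    /^[[:space:]]/ {                                  # -v detail line belongs to the previous record
        d = $0; sub(/^[[:space:]]+/, "", d)
        detail = (detail == "") ? d : detail " " d
        next
    }
    {
        flush()
        ev = $1; login = $2; status = $3
        t = $4 " " $5 " " $6 " " $7 " " $8            # e.g. Tue Mar 25 13:06:52 2014
        cmd = $9; wpar = (NF >= 10) ? $10 : ""; detail = ""; have = 1
    }
    END { flush() }'
}

# audit_failures (auditpr output on stdin) -> records whose status is FAIL
audit_failures() { audit_parse | awk -F'|' '$3 == "FAIL"'; }

# audit_root_transitions (auditpr output on stdin) -> logins other than root whose
# PROC_Execute record shows euid 0 or the full privilege set, as after the su in the trail
audit_root_transitions() {
    audit_parse | awk -F'|' '
        $1 == "PROC_Execute" && $2 != "root" && ($7 ~ /euid: 0 / || $7 ~ /epriv: ffffffff:ffffffff/) {
            print $2 " -> root via " $5 " at " $4
        }'
}

# Constructed from the auditselect | auditpr -v trail shown earlier in this deck.
sample_audit_trail() {
    cat <<'EOF'
event           login    status      time                     command
--------------- -------- ----------- ------------------------ -----------------------
FS_Chdir        user123  OK          Tue Mar 25 13:06:52 2014 sshd
        change current directory to: /home/user123
PROC_Execute    user123  OK          Tue Mar 25 13:06:52 2014 ksh
        euid: 205 egid: 1 epriv: 0:0 name -ksh
PROC_Execute    user123  OK          Tue Mar 25 13:07:00 2014 su
        euid: 205 egid: 1 epriv: 0:0 name su
S_PASSWD_READ   user123  OK          Tue Mar 25 13:07:00 2014 su
        audit object read event detected /etc/security/passwd
...
PROC_Execute    user123  OK          Tue Mar 25 13:07:06 2014 ksh
        euid: 0 egid: 0 epriv: ffffffff:ffffffff name -ksh
EOF
}

# Constructed from the VIOS listing on this slide (auditpr -r -i, with wpar name column).
sample_vios_audit() {
    cat <<'EOF'
event           login    status      time                     command         wpar name
--------------- -------- ----------- ------------------------ --------------- ---------
FS_Chdir        0        OK          Thu Jun 20 08:18:44 2013 ps              Global
FS_Mkdir        0        FAIL        Thu Jun 20 08:19:29 2013 java            Global
FS_Rmdir        0        OK          Thu Jun 20 08:19:29 2013 java            Global
EOF
}
```

On the VIOS, `auditpr -r -i /var/vio/vlogs/aixlpar1/audit/aixlpar1_audit.000 | audit_failures` gives the FAIL records of a client whose own root cannot edit the trail; `auditpr -v -i <file> | audit_root_transitions` lists which non-root logins reached an effective uid of 0 and through which command.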



Using Trusted Logging jump start – one VIOS
Scenario with syslog output to a virtual log
1. On VIOS#1
   – Install the PowerSC vlog filesets
   – Check vSCSI vhost1 for the AIX VIO client
   – mkvlog -name vhost1test -vadapter vhost1
   – lsvlog -d
   – (wait until the AIX VIO client has output to the logfile)
   – tail -f /var/vio/vlogs/powersc/vhost1test/powersc_vhost1test.000
2. On the AIX VIO client
   – Install the PowerSC vlog filesets
   – cfgmgr && lsdev -t vlog
   – echo "Hello World" > /dev/vlog0
   – Enable syslogd to output to /dev/vlog0
     • Edit /etc/syslog.conf, and add "*.debug /dev/vlog0"
     • refresh -s syslogd



Encrypted Filesystem



EFS – Encrypted File System
• Introduced in AIX v6.1
• Files are encrypted on disk
• AIX commands modified to work with EFS
  – chmod, chown, mv, cp, mkuser, mkgroup, lsuser, crfs
• New AIX commands added
  – efsenable, efsmgr, efskeymgr
• EFS modes
  – Admin
    • Root can reset a user's keystore password
    • Root has access to the user's keys
    • Default mode
  – Guard
    • Root can not reset a user's keystore password
    • Root can not access the user's keys
    • Protects from a malicious root
    • NOTE: If the user's keystore password is lost, then the encrypted files can not be accessed
• To change mode:
  – efsenable -a -m <admin | guard>
  – efskeymgr -v



Using Encrypted Filesystem jump start (1/3)

1. Install the clic.rte fileset
2. Enable EFS on the system with the efsenable command
3. Create an EFS-enabled filesystem with the -a efs=yes option
4. Mount the filesystem
5. Turn on cryptographic inheritance on the EFS-enabled filesystem with the efsmgr command

When a user or process with an open keystore (the login process opens it) creates a file on this filesystem, the file is encrypted. On an EFS-enabled filesystem without inheritance enabled, encrypt manually with efsmgr -e and decrypt with efsmgr -d.

http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.security/doc/security/efs_setup.htm



Using Encrypted Filesystem jump start (2/3)

# lslpp -l clic.*
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  clic.rte.kernext           4.7.0.1  COMMITTED  CryptoLite for C Kernel
  clic.rte.lib               4.7.0.1  COMMITTED  CryptoLite for C Library

Path: /etc/objrepos
  clic.rte.kernext           4.7.0.1  COMMITTED  CryptoLite for C Kernel

# efsenable -a
Enter password to protect your initial keystore:
Enter the same password again:

# grep efs_ /etc/security/user
        efs_keystore_access = file
        efs_adminks_access = file
        efs_initialks_mode = admin
        efs_allowksmodechangebyuser = yes
        efs_keystore_algo = RSA_1024
        efs_file_algo = AES_128_CBC

# grep efs_ /etc/security/group
        efs_keystore_access = file
        efs_initialks_mode = admin
        efs_keystore_algo = RSA_1024

# crfs -v jfs2 -g rootvg -a size=1G -m /efs -a efs=yes
# efsmgr -s -E /efs

Log in again after enabling EFS, to activate the keystore.

Note the defaults efsenable wrote to /etc/security/user: a 1024-bit RSA keystore key (efs_keystore_algo) and AES-128-CBC file keys (efs_file_algo). RSA-1024 is below current key-length guidance; review both stanza values before users' keystores are created.

On an EFS-enabled filesystem without inheritance enabled, encrypt manually with efsmgr -e and decrypt with efsmgr -d.

http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.security/doc/security/efs_efs.htm



Using Encrypted Filesystem jump start (3/3)

Terminal 1 (mrniceguy, file owner):
  login: mrniceguy
  mrniceguy's Password:
  $ id
  uid=212(mrniceguy) gid=1(staff)
  $ echo "hello secret" > /efs/topsecretfile
  $ ls -l /efs/topsecretfile
  -rw-r--r-- 1 mrniceguy staff 0 Nov 14 14:32 /efs/topsecretfile

Terminal 2 (evildoer, same group, world-readable mode but no key for the file):
  login: evildoer
  evildoer's Password:
  $ id
  uid=213(evildoer) gid=1(staff)
  $ cat /efs/topsecretfile
  cat: cannot open /efs/topsecretfile

Terminal 1 (the owner adds evildoer's public key to the file and lists the keys):
  $ efsmgr -a /efs/topsecretfile -u evildoer
  $ efsmgr -l /efs/topsecretfile
  EFS File information:
   Algorithm: AES_128_CBC
  List of keys that can open the file:
   Key #1:
    Algorithm : RSA_1024
    Who       : uid 212
    Key fingerprint : 7e57984e:e53147c3:f9c78c36:858e05fa:b43ea00b
   Key #2:
    Algorithm : RSA_1024
    Who       : uid 213
    Key fingerprint : 91e339b7:fe65d2cc:10f37c9e:1bc650b9:e9c09ebf

Terminal 2:
  $ cat /efs/topsecretfile
  hello secret

The DAC permissions still apply in addition to the key: a user needs both read permission on the file and a key that can open it, so the -rw-r--r-- mode alone did not let evildoer read the content. Group keys are enabled and disabled with the efsmgr command's "-g" flag.

http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds2/efsmgr.htm



System logging



System logging

• syslog daemon logging
  – The syslog daemon is a server process that provides a message logging facility for application and system processes.
  – On AIX it is started at boot from /etc/rc.tcpip under the System Resource Controller (SRC) and, by default, also receives messages from the network on the well-known port 514 (UDP). Remote syslog over UDP/514 is unauthenticated and unencrypted, so a host that is not a log collector should not accept it.
  – User processes can log messages to the syslog daemon.
  – Configuration file is /etc/syslog.conf.
  – Start and stop with SRC (startsrc -s syslogd, stopsrc -s syslogd); refresh -s syslogd after editing the configuration.
  – http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds5/syslogd.htm
  – http://www.ietf.org/rfc/rfc3164.txt

  Figure 1. Syslog daemon operation

• rsyslog daemon logging
  – The rsyslog daemon is a server process that provides a message logging facility for application and system processes. It provides further options for filtering and managing messages.
  – User processes can log messages to the rsyslog daemon.
  – Configuration file is /etc/rsyslog.conf; rules from the /etc/syslog.conf file can be converted to the /etc/rsyslog.conf file.
  – Start and stop with SRC (System Resource Controller).
  – http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds4/rsyslogd.htm
  – http://www.rsyslog.com/doc/manual.html
  – Note: the AIX port of rsyslog is not the complete Open Source implementation.
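What syslogd receives on port 514 is the RFC 3164 "BSD syslog" format referenced above, and what /etc/syslog.conf does with it is decided by "facility.level" selectors such as the "*.debug /dev/vlog0" line used for Trusted Logging. The following is an added example, not code from the slides, AIX or rsyslog: a parser for that wire format plus a selector check with syslog.conf semantics (a level selects that severity and everything more severe). The sample lines are constructed and the facility names for codes 13 to 15 are descriptive, not normative.

```python
"""Parse RFC 3164 syslog lines and apply /etc/syslog.conf-style selectors.

Added example, not code from the slides, AIX or rsyslog. Sample lines are
constructed; the selector logic mirrors the "facility.level" semantics of
/etc/syslog.conf (a level selects that severity and everything more severe).
"""
import re

# Facility codes from RFC 3164 section 4.1.1; codes 13-15 get descriptive names here.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Severity codes 0 (most severe) to 7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG  (the BSD format AIX syslogd receives on UDP/514)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[: ]{1,32})(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)

# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    "<38>Jun 20 08:19:29 aixlpar1 sshd[1234]: Failed password for root from 10.0.0.9 port 5221 ssh2",
    "<13>Jun 20 08:19:30 aixlpar1 evildoer: trying to read /efs/topsecretfile",
    "<34>Jun 20 08:19:31 aixlpar1 su: BAD SU from evildoer to root",
    "this line has no PRI header and must be rejected",
]


def parse_rfc3164(line):
    """Return a dict with facility, severity, timestamp, host, tag, pid, msg; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 23 * 8 + severity 7 = 191 is the largest legal PRI
        return None
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def selector_matches(selector, record):
    """True if a syslog.conf selector such as "auth.info" or "*.debug" would select record."""
    facility, level = selector.split(".", 1)
    if facility != "*" and facility != record["facility"]:
        return False
    if level == "none":
        return False
    # Lower index = more severe; a selector level includes everything at least that severe.
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(level)


def matching(lines, selector):
    """Parsed records from lines that the selector would route (malformed lines are dropped)."""
    parsed = (parse_rfc3164(line) for line in lines)
    return [r for r in parsed if r is not None and selector_matches(selector, r)]


if __name__ == "__main__":
    for r in matching(SAMPLE_LINES, "auth.info"):
        print(f'{r["facility"]}.{r["severity"]} {r["host"]} {r["tag"]}: {r["msg"]}')
```

The malformed fourth line is rejected rather than guessed at, which matters on a collector: anything a remote host sends over UDP/514 is untrusted input, and the TAG and MSG fields in particular should never be trusted to identify the sender (only the receiving socket's source address can do that, and even that is spoofable over UDP).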



File Permission Manager



File Permission Manager jump start
• The fpm command lets administrators harden the system by disabling the setuid and setgid bits on many commands in the operating system.
  – Directory: /usr/lib/security/fpm/
  – Log files directory: /var/security/fpm/log/ – if necessary, these log files can be used to restore the file permissions recorded in a previously saved log file.
  – Preview first (-p) and test: removing set-id bits breaks any workload that relies on those commands running privileged.

• Examples:
  – List the current status of the system as changed through the fpm command:
    • fpm -s
  – Check whether the system commands are presently set to the fpm low-level permissions:
    • fpm -c -l low
  – Preview the permission changes needed to make the system compliant with the fpm low level, without changing any file permissions:
    • fpm -l low -p
  – Apply the fpm low-level security settings:
    • fpm -l low
  – Restore the traditional out-of-the-box default permissions:
    • fpm -l default
  – Operate on a list of files (full paths) read from a file:
    • fpm -f /etc/security/fpm/setbits.files
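Whatever fpm (or a hardening script) changes, you want an inventory of set-id programs before and after, which is also what the second link below is about. The following is an added example, not code from the slides or from the AIX fpm command: it walks a tree for regular files with the setuid or setgid bit, snapshots them, clears the bits on a chosen list the way fpm does for its level lists, and diffs the two snapshots. It runs against a constructed temporary directory (the file names and modes are illustrative, not AIX defaults); pointed at "/" as root it inventories a real system.

```python
"""Inventory set-id programs under a tree, snapshot them, and diff snapshots.

Added example, not code from the slides or from the AIX fpm command. It runs
against a constructed temporary directory so it works on any POSIX system;
point find_setid() at "/" (as root) to inventory a real system.
"""
import os
import shutil
import stat
import tempfile


def find_setid(root):
    """Map relative path -> (octal mode, flags) for regular files with setuid and/or setgid."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = tuple(label for bit, label in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                          if st.st_mode & bit)
            if flags:
                found[os.path.relpath(path, root)] = (oct(stat.S_IMODE(st.st_mode)), flags)
    return found


def diff_setid(before, after):
    """Report files whose set-id state differs between two snapshots (like comparing fpm logs)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def strip_setid(root, relpaths):
    """Clear setuid and setgid on the listed files, as fpm does for the files in its level lists."""
    for rel in relpaths:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_ISUID | stat.S_ISGID))


def build_sample_tree():
    """Constructed stand-in for /usr/bin: names and modes are illustrative, not AIX defaults."""
    root = tempfile.mkdtemp(prefix="fpm_demo_")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4555), ("wall", 0o2555), ("ls", 0o555), ("mount", 0o6554)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


def cleanup(root):
    """Remove the constructed tree again."""
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        before = find_setid(root)
        strip_setid(root, ["usr/bin/wall"])
        print(diff_setid(before, find_setid(root)))
    finally:
        cleanup(root)
```

Keep the "before" snapshot with the fpm log files: a later "added" entry in the diff is exactly the kind of change (a new setuid binary appearing) that file-integrity tooling such as Trusted Execution should also be catching.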

http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds2/fpm.htm
http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.security/doc/security/list_suid_guid_progs.htm



IP Filter



IP filter

• Filesets
  – ipfl.rte (IPFilter)
  – bos.net.ipsec.rte (AIX IP Security filtering)
• Commands
  – IPFilter: ipf, ipfs, ipfstat, ipmon, and ipnat
  – AIX IP Security filter rules: lsfilt, genfilt, chfilt, rmfilt, and mkfilt
• SMIT
  – smitty ipsec4
• On AIX the IPFilter product loads as a kernel extension.
• To load it at boot time, add an rc.ipf entry to /etc/inittab, such as:

  # Load IPFilter into kernel
  /usr/lib/methods/cfg_ipf -l
  # Load ipmon and log to syslog
  /usr/sbin/ipmon -s -D
  # Load IP filter Rules
  /usr/sbin/ipf -Fa -f /etc/ipf.conf

• Add rules to /etc/ipf.conf, such as:

  # Allow all traffic on loopback.
  pass in quick on lo0 all
  pass out quick on lo0 all
  # Block everything not explicitly allowed
  block in log on en0 all
  block out log on en0 all
  # ADD rules to ALLOW in & out below ...
  # Allow incoming connections to Oracle listener:
  pass in quick on en0 proto tcp from 192.168.0.0/24 to any port = 1521 keep state
  # Block incoming FTP (TCP port 21) on all interfaces
  block in log proto tcp from any to any port = 21
  # Block incoming NTP (UDP) on en0
  block in log on en0 proto udp from any to any port = ntp

  IPFilter evaluates rules in order and the last matching rule wins, unless a matching rule carries "quick", which stops evaluation at that rule. That is why the "pass in quick" rule for the Oracle listener works although it follows the "block in log on en0 all" default. Note that the default-deny rules above are bound to en0 only, and that the template blocks all outbound traffic on en0 until pass rules are added below it.

Use the aixpert/pscxpert rule "hls_ipsecpermit" to allow only communication to/from the HMC.
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.security/ipsec_setting_filters.htm
https://www.ibm.com/support/knowledgecenter/ssw_aix_72/com.ibm.aix.cmds2/genfilt.htm
https://www.ibm.com/developerworks/aix/library/au-aixfiltering/index.html
http://www-01.ibm.com/support/docview.wss?uid=isg3T1012909
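The ordering semantics are where ipf.conf mistakes hide, so it pays to check a ruleset against sample packets before loading it with ipf -Fa -f. The following is an added example, not code from the slides or from IPFilter: a small evaluator for the subset of ipf syntax used in the template above (pass/block, in/out, log, quick, on IFACE, proto, from/to with "port = N", all, keep state) that applies IPFilter's rule: the last matching rule wins unless a matching rule says quick, and a packet matched by no rule is passed. "keep state" tracking is not modelled, the ruleset text is a copy of the slide's template, and the service-name table is a constructed stand-in for /etc/services.

```python
"""Evaluate packets against IPFilter rules like the ipf.conf template above.

Added example, not code from the slides or from IPFilter/ipf. It parses the
subset of ipf syntax used above and applies IPFilter's ordering rule: the last
matching rule wins unless a matching rule says quick; a packet matched by no
rule is passed. Stateful "keep state" tracking is not modelled, and the
service-name table is a small constructed stand-in for /etc/services.
"""
import ipaddress

SERVICES = {"ftp": 21, "ssh": 22, "ntp": 123}  # constructed lookup, not /etc/services

# The ruleset from the slide above, reproduced as text for parsing.
IPF_CONF = """
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
# Block everything not explicitly allowed
block in log on en0 all
block out log on en0 all
# Allow incoming connections to Oracle listener:
pass in quick on en0 proto tcp from 192.168.0.0/24 to any port = 1521 keep state
block in log proto tcp from any to any port = 21           # block incoming FTP
block in log on en0 proto udp from any to any port = ntp   # block NTP on en0
"""


def parse_rule(text):
    """Parse one ipf rule into a dict; returns None for blank and comment-only lines."""
    toks = text.split("#", 1)[0].split()
    if not toks:
        return None
    rule = {"action": toks[0], "dir": toks[1], "quick": False, "log": False, "iface": None,
            "proto": None, "src": "any", "sport": None, "dst": "any", "dport": None,
            "text": " ".join(toks)}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule["quick"] = True
            i += 1
        elif t == "log":
            rule["log"] = True
            i += 1
        elif t == "all":  # shorthand for "from any to any"
            i += 1
        elif t in ("on", "proto"):
            rule["iface" if t == "on" else "proto"] = toks[i + 1]
            i += 2
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            rule[side] = toks[i + 1]
            i += 2
            if i < len(toks) and toks[i] == "port":  # only the "port = X" form is supported
                port = toks[i + 2]
                rule["sport" if side == "src" else "dport"] = SERVICES.get(port) or int(port)
                i += 3
        elif t == "keep":  # "keep state": connection tracking is not modelled here
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {text.strip()}")
    return rule


def parse_conf(conf):
    return [r for r in (parse_rule(line) for line in conf.splitlines()) if r]


def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and (rule["sport"] is None or rule["sport"] == pkt.get("sport"))
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport")))


def evaluate(rules, pkt):
    """Return (verdict, text of the deciding rule); IPFilter passes a packet no rule matches."""
    verdict, matched = "pass", None
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict, matched = rule["action"], rule["text"]
            if rule["quick"]:
                break
    return verdict, matched


def pkt(direction, iface, proto, src, dst, dport=None, sport=None):
    return {"dir": direction, "iface": iface, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "sport": sport}


RULES = parse_conf(IPF_CONF)

if __name__ == "__main__":
    for p in (pkt("in", "en0", "tcp", "192.168.0.5", "10.0.0.1", 1521),
              pkt("in", "en0", "tcp", "10.9.9.9", "10.0.0.1", 1521),
              pkt("in", "en1", "tcp", "10.9.9.9", "10.0.0.1", 22)):
        print(p["iface"], p["proto"], p["src"], "->", p["dport"], evaluate(RULES, p))
```

The third sample packet is the one to notice: SSH arriving on en1 matches no rule at all and is passed, because the template's default-deny rules are bound to en0. On a partition with more than one interface, either repeat the block rules per interface or drop the "on en0" from them.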



Documentation



PowerSC – Blue book
Content:
• PowerSC editions
• What's new in PowerSC
• PowerSC concepts
• Installing PowerSC
• PowerSC Express Edition
  – Security and Compliance Automation
  – PowerSC Real Time Compliance
• PowerSC Standard Edition
  – Trusted Boot
  – Trusted Firewall
  – Trusted Logging
  – Trusted Network Connect and Patch management

http://public.dhe.ibm.com/systems/power/docs/powersc/116/powersc_se_pdf.pdf



Virtual I/O Server – Blue book
Content:
• …
• Getting started with shared storage pools
• Getting started with Trusted Logging
• Getting started with Trusted Firewall
• …

https://www.ibm.com/support/knowledgecenter/en/POWER8/p8ecu/p8ecu_kickoff.htm



AIX Security – Blue book
Content:
• What's new in Security
• Securing the base operating system
• Securing the network
• AIX Security Expert
• Security checklist
• Security resources
• …

http://public.dhe.ibm.com/systems/power/docs/aix/72/security_pdf.pdf



PowerSC – Redbook (update in progress for 2018)
Content:
Part 1. Business drivers and solution overview
  Chapter 1. IT security and compliance management business context
  Chapter 2. Introducing the IBM PowerSC solution
Part 2. Technical concepts and deployment guidelines
  Chapter 3. Security and Compliance Automation
  Chapter 4. Real Time Compliance
  Chapter 5. Trusted Logging
  Chapter 6. Trusted Network Connect and Patch Management
  Chapter 7. Trusted Boot
  Chapter 8. Trusted Firewall
  Chapter 9. Trusted Surveyor
Appendix A. Trusted Firewall addendum

http://www.redbooks.ibm.com/redbooks/pdfs/sg248082.pdf



Please complete the session survey!



Thank you – Tack!

Björn Rodén
roden@ae.ibm.com
http://www.linkedin.com/in/roden


