The latest version of the AIX OS offers key new security features, including role-based access control, AIX Security Expert, Trusted AIX and improved password capabilities.
Among many other innovations, AIX 6.1 has a full suite of security enhancements that are now available, including:
Role-based access control
Encrypted filesystems
Trusted Execution
AIX Security Expert
Trusted AIX
Long Pass Phrase support
Let’s look at some of these enhancements and features:
Role-Based Access Control
Role-based access control (RBAC) allows non-root system administrators to perform various system administration tasks. This feature was enhanced in AIX Version 6.1 to simplify administration and to support least-privilege hardening. There are also various other structural improvements in this release. In AIX Version 5.3, RBAC is implemented in user space, while in AIX 6.1 it covers both kernel and user space. The enhanced framework, which allows systems administrators to delegate tasks to operators and users, involves authorizations, privileges and roles. Several new user-level databases, each corresponding to a configuration file, support this feature, including:
/etc/security/authorizations
/etc/security/roles
/etc/security/privcmds
/etc/security/privdevs
/etc/security/privfiles
Let’s look at the authorizations file (see code sample 1):
The /etc/security/authorizations file stores the list of user-defined authorizations which are available on a system. These are changed by the authorization administrator and are modified by using the mkauth or chauth commands. In this file, each stanza is identified by the authorization name followed by a colon (:).
When changes are made to these files, they must be sent to the Kernel Security Table (KST) to be updated. The KST includes the following tables: user-defined KAT, system-defined KAT, Kernel Role Table, Kernel Command Table and a Kernel Device Table. Unlike AIX 5.3, AIX 6.1 authorizations are divided into many granular parts—252 different system authorizations as opposed to 11 in AIX 5.3. The major authorizations include aix.devices, aix.security, aix.system, aix.wpar and aix.fs.
Let’s display the filesystem-defined and system-defined authorizations from the authorization database:
lpar39ml16fd_pub[/etc/security] > lsauth -a description aix.fs.*
aix.fs description=File System Administration
aix.fs.chroot description=Change the root directory
aix.fs.manage description=Manage File Systems
aix.fs.manage.backup description=Backup Files and File Systems
aix.fs.manage.change description=Change Attributes of File Systems
aix.fs.manage.create description=Create New File Systems
aix.fs.manage.debug description=Debug File Systems
aix.fs.manage.defrag description=Defragment File Systems
aix.fs.manage.dump description=Dump File System Information
aix.fs.manage.export description=Export File Systems
aix.fs.manage.list description=List Characteristics of File Systems
aix.fs.manage.mount description=Mount File Systems
aix.fs.manage.quota description=Manage Disk Quotas
aix.fs.manage.recover description=Recover Corrupted File Systems
aix.fs.manage.remove description=Remove File Systems
aix.fs.manage.restore description=Restore Files from a Backup
aix.fs.manage.snapshot description=Modify, Create or View Properties of Snapshots
aix.fs.manage.unmount description=Unmount File Systems
aix.fs.object description=File System Object Administration
aix.fs.object.acl description=Read and Write Object ACL
aix.fs.object.create description=Create File System Objects
aix.fs.object.group description=Read and Write Object Group Ownership
aix.fs.object.list description=List Attributes of File System Objects
aix.fs.object.mode description=Read and Write Object Mode
aix.fs.object.owner description=Read and Write Object Owner
aix.fs.object.remove description=Remove File System Object
aix.fs.object.time description=Change Object Access and Modification Time
aix.fs.stat description=File System Statistics
lpar39ml16fd_pub[/etc/security] >
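The authorization names above form a dot-separated hierarchy. As an added example (not part of the original article), the Python below parses `lsauth -a description` output and shows which authorizations a hypothetical role receives beyond what its task needs, assuming that a parent authorization such as aix.fs.manage also confers its children; the task, the grants and the function names are made up for illustration.

```python
# Added example: expand a role's grants over the aix.fs.* hierarchy.
# Sample lines are a subset of the lsauth output shown above.
LSAUTH_OUTPUT = """\
aix.fs description=File System Administration
aix.fs.chroot description=Change the root directory
aix.fs.manage description=Manage File Systems
aix.fs.manage.backup description=Backup Files and File Systems
aix.fs.manage.mount description=Mount File Systems
aix.fs.manage.remove description=Remove File Systems
aix.fs.manage.unmount description=Unmount File Systems
aix.fs.object description=File System Object Administration
aix.fs.object.owner description=Read and Write Object Owner
aix.fs.stat description=File System Statistics
"""


def parse_lsauth(text):
    """Return {authorization: description} from `lsauth -a description` lines."""
    auths = {}
    for line in text.splitlines():
        name, sep, rest = line.strip().partition(" ")
        if sep and rest.startswith("description="):
            auths[name] = rest[len("description="):]
    return auths


def covers(grant, auth):
    """Assumption: a grant covers itself and every dotted descendant."""
    return auth == grant or auth.startswith(grant + ".")


def effective(grants, auths):
    """All known authorizations reachable from a role's grants."""
    return sorted(a for a in auths if any(covers(g, a) for g in grants))


def excess(grants, needed, auths):
    """Authorizations the role receives but the task does not need."""
    needed_set = {a for a in auths if any(covers(n, a) for n in needed)}
    return sorted(set(effective(grants, auths)) - needed_set)


AUTHS = parse_lsauth(LSAUTH_OUTPUT)
# Hypothetical operator task: mount and unmount file systems only.
NEEDED = ["aix.fs.manage.mount", "aix.fs.manage.unmount"]

if __name__ == "__main__":
    for grants in (["aix.fs.manage"], NEEDED):
        print(grants, "-> excess:", excess(grants, NEEDED, AUTHS))
```

Granting the two leaf authorizations leaves no excess, while granting aix.fs.manage also hands the operator backup and remove rights.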
AIX Security Expert
Other important features reside in AIX Security Expert enhancements. New features in AIX 6.1 include Centralized Policy Distribution through LDAP, the capability to customize and include user-defined policies, more stringent checks for root passwords, and performance enhancements for the GUI. Another important enhancement is the support for SOX-COBIT best practices security. The AIX OS provides for a SOX configuration assistant through the aixpert command and allows for the easy implementation of COBIT best practices to implement SOX. It even provides a special auditor feature that reports back to the auditor whether the system is configured for optimum SOX compliance. It does this by providing for password policy enforcement, violation and security reporting, malicious software prevention and firewall setup. Let’s run the aixpert command:
lpar39ml16fd_pub[/] > aixpert -c -l s
do_action(): rule(scbps_pwdpolicyenf) : failed.
do_action(): rule(scbps_secactreport) : failed.
do_action(): rule(scbps_virusdetsw) : failed.
do_action(): rule(scbps_firewsetup) : failed.
lpar39ml16fd_pub[/] >
The failures indicate that there are issues on the system requiring further examination.
Trusted AIX
Deploying Trusted AIX enables much higher levels of security capabilities on AIX, allowing the system to meet the US Department of Defense criteria for enhanced B1 security. Furthermore, it enables labeled security, which supports labeled objects, labeled printer support, and Trusted Network and its support for RIPSO and CIPSO in IPv4 and IPv6.
A new mechanism in AIX 6.1 is the Trusted Execution environment (TE), which refers to a collection of features used to verify the integrity of the system. This is an improvement over the Trusted Computing Base (TCB), because it allows the system to check a file’s integrity at the actual execution time of a command. It also contains features that help verify the integrity of the database, including the Trusted Signature Database (TSD), which helps prevent Trojan horses and other attacks. Trusted AIX also utilizes several security elements: confidentiality, integrity, availability and accountability. It’s important to understand that once you choose to go with Trusted AIX, you can’t flick a switch and revert to an untrusted system. Reverting would require you to perform a new installation of the AIX OS.
Passwords
One of the most important and perhaps simplest of enhancements is the support for stronger passwords and the removal of the eight-character limit for passwords. AIX 6.1 allows storing passwords using encryption algorithms such as SHA and MD5. The administrator can configure system-wide control by selecting the appropriate algorithm, and the size of the password can now be up to 255 characters. AIX 6.1 also has enhanced pass phrases. It does all this by using loadable password algorithms (LPAs). Each algorithm is implemented as a special LPA module, and the modules are defined in the global config file, /etc/security/pwdalg.cfg. This stanza file defines the attributes of supported LPAs.
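As an added illustration (not from the original article), the Python below parses AIX stanza-format text and checks that the system-wide algorithm selection refers to an LPA that pwdalg.cfg actually defines. The stanza contents are constructed samples; the `pwd_algorithm` attribute in the `usw` stanza of /etc/security/login.cfg and the `lpa_module`/`lpa_options` attribute names are stated from general AIX knowledge rather than from this page, and the function names are hypothetical.

```python
# Added example: validate the system-wide password algorithm selection.
# Both stanza texts are constructed samples, not copied from a real system.
PWDALG_CFG = """\
* comment lines in stanza files start with an asterisk
smd5:
        lpa_module = /usr/lib/security/smd5
ssha256:
        lpa_module = /usr/lib/security/ssha
        lpa_options = algorithm=sha256
"""
LOGIN_CFG = """\
usw:
        shells = /bin/sh,/bin/ksh
        pwd_algorithm = ssha256
"""


def parse_stanzas(text):
    """Parse 'name:' headers followed by 'attr = value' lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None:
            # Split on the first '=' only; values may contain '=' themselves.
            attr, _, value = line.partition("=")
            current[attr.strip()] = value.strip()
    return stanzas


def check_pwd_algorithm(login_cfg, pwdalg_cfg):
    """Return (algorithm, problem); problem is None when the choice is sound."""
    lpas = parse_stanzas(pwdalg_cfg)
    algo = parse_stanzas(login_cfg).get("usw", {}).get("pwd_algorithm")
    if algo is None:
        return None, "no pwd_algorithm set in the usw stanza"
    if algo not in lpas:
        return algo, "algorithm has no stanza in pwdalg.cfg"
    if "lpa_module" not in lpas[algo]:
        return algo, "stanza lacks lpa_module"
    return algo, None


if __name__ == "__main__":
    print(check_pwd_algorithm(LOGIN_CFG, PWDALG_CFG))
```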
I can’t stress enough the importance of taking the time to learn about these enhancements before deploying them in a production environment. Some of these features can’t be reverted without an entire restore, and others may pose problems if you don’t take the time to fully understand their true capabilities. If you already use AIX 6.1, I recommend first creating a workload partition (WPAR), which can take mere minutes, and then doing all of your testing in this environment.