AIX Security Forum. An Overview of AIX Security, including PowerSC Security

1 AIX Security Forum An Overview of AIX Security, including PowerSC Security Stephen Dominguez, World Wide AIX and Linux Security Technical Lead IBM Lab Services - Dec

2 Who am I?
- Peyton Manning/Broncos fan, Omaha!, and also love jazz
- World-wide AIX and Linux on Power Security Lead for IBM Lab Services
- Worked with Power for 18 years, specifically security for 12
- I've worked with around 300 corporate customers throughout the world
- I have a security blog,

3 Who am I?
- You can follow me on
- IBM Lab Services is a cost center that works closely with IBM development to assist Power customers with their systems
- To learn about all Lab Services' security services:
- We have several flexible funding IBM programs available to provide security consulting services at no charge to eligible customers
- If you'd like for me to set up a conference call so we can chat about security, shoot me an email at sdoming@us.ibm.com

4 Agenda
- Recent statistics on security breaches
- PowerSC Security and Compliance Automation (pscxpert)
- PowerSC Real Time Compliance (RTC)
- Pass-through Authentication with IBM Security Directory Server and Microsoft Active Directory
- AIX Enhanced Role Based Access Control
- AIX Trusted Execution
- AIX Auditing

5 Recent Statistics on Security Breaches From the Ponemon Institute's 2015 Cost of Data Breach Study: Global Analysis

6 My blog's hacking and breaches links section

7 Ponemon Institute's findings
- 350 companies surveyed from 11 different countries
- Average cost of security breach of large company globally: 3.79 million
- Average cost of security breach of large company in US: 6.5 million
- Since 2013, the costs have risen globally by 23%
- Since 2013, the costs have risen in the US by 11%
- Average cost of stolen record in US is $217
- Average cost of stolen record globally is $154
- The cost of simply investigating a breach is $1 million globally

8 Ponemon Institute's findings
- CEO Jamie Dimon personally informed shareholders following the JPMorgan Chase data breach that by the end of 2014 the bank will invest $250 million and have a staff of 1,000 committed to IT security.
- Ponemon indicated the 3 major reasons for higher breach costs:
  1) Cyber attacks have increased in frequency and in the cost to remediate the consequences
  2) The consequences of lost business are having a greater impact on the cost of data breach
  3) Data breach costs associated with detection and escalation increased
- Hackers or criminal insiders (employees, contractors or other 3rd parties) cause most data breaches (47%)
- Time to identify and contain a data breach affects cost
- Average time to identify breach was 206 days, with range of 20 to 582
- Average time to contain breach was 69 days, with a range of 7 to 175

9 PowerSC Security and Compliance Automation Using the pscxpert command for security hardening

13 What is Security and Compliance Automation
- Provides preventative, detective, and corrective security functionality
- Deploys security controls on AIX and VIOS partitions according to 4 regulatory security standards
- Helps customers deploy regulatory-based controls to help their general AIX and VIOS systems meet compliance standards
- It is a system security hardening tool
- The command used is pscxpert (replacing aixpert)

14 4 Security Standards & 1 database profile
- Payment Card Industry Data Security Standard v 3.0 (PCI-DSS)
- Sarbanes-Oxley Act and Cobit Compliance (SOX/COBIT)
- US Dept. of Defense Security Technical Implementation Guide (DoD-STIG)
- Health Insurance Portability and Accountability Act (HIPAA)
- Database.xml (general purpose)

15 System Requirements?
3 PowerSC Managed System Types:
- AIX 6 TL 7 and greater
- AIX 7 TL 1 and greater
- VIOS and greater

16 pscxpert AIX System Security Hardening Tool
- Single consistent view to all security configurations
- Brings 300+ Security Settings to Central Control
- Easy to implement: can choose desired security level (Low, Medium, High, PCI, HIPAA, DOD, SOX-COBIT)
- Provides compliance check and undo option
- Easy to distribute to other systems
[Diagram: pscxpert at the center of Network, File Permissions, Services, Firewall, Users & Groups]

17 How pscxpert implements security policy
Policy Requirements:
- Minimum length of password to be 8 characters
- Change user password every 90 days
- Disable vulnerable services FTP, Telnet
- Enable auditing
[Diagram: Policy Requirements -> XML Profile File -> pscxpert -> LPAR 1, LPAR 2, ... LPAR N]

18 How are the security controls deployed?
pscxpert -f <profile_name>

    # pscxpert -f /etc/security/aixpert/custom/database.xml -p
    Processing prereqbinaudit :cached
    Processing prereqcde :cached
    Processing prereqgated :cached
    Processing prereqipsec :cached
    ...
    Processing db_minage...:done.
    Processing db_maxage...:done.
    Processing db_maxexpired...:done.
    Processing db_minlen...:done.
    Processing db_minalpha...:done.
    Processing db_minother...:done.
    ...
    Processing db_securitypatches
    ***************************************************************************************************************
    The Operating System should be patched regularly to minimise exposure to security vulnerabilities.
    Consider using Power SC Trusted Network Connect for Patch Management to keep the systems updated
    ****************************************************************************************************************
    :done.
    Processedrules=83 Passedrules=82 Failedrules=1 Level=DB
    Input file=/etc/security/aixpert/custom/database.xml

19 Before and after

User attributes before applying the profile:

    # lsuser -f root
    root:
        id=0
        pgrp=system
        ...
        login=true
        su=true
        rlogin=true
        ...
        logintimes=
        loginretries=0
        pwdwarntime=0
        account_locked=false
        minage=0
        maxage=0
        maxexpired=-1
        minalpha=0
        minloweralpha=0
        minupperalpha=0
        minother=0
        mindigit=0
        minspecialchar=0
        mindiff=0
        maxrepeats=8
        minlen=0
        histexpire=0
        histsize=0
        pwdchecks=
        dictionlist=
        ...

User attributes after applying the profile:

    # lsuser -f root
    root:
        id=0
        pgrp=system
        ...
        login=true
        su=true
        rlogin=false
        ...
        logintimes=
        loginretries=0
        pwdwarntime=0
        account_locked=false
        minage=0
        maxage=13
        maxexpired=8
        minalpha=1
        minloweralpha=0
        minupperalpha=0
        minother=1
        mindigit=0
        minspecialchar=0
        mindiff=0
        maxrepeats=8
        minlen=7
        histexpire=52
        histsize=4
        pwdchecks=
        dictionlist=/etc/security/aixpert/dictionary/english
        ...

20 pscxpert compliance check
- Reports compliance violation
- Incompliance reported

    # pscxpert -c
    # cat /etc/security/aixpert/check_report.txt
    ***** famsdev : Jun 22 14:49:35 ******
    chusrattr.sh: User attribute maxage, should have value 13, but it is 0 now
    chusrattr.sh: User attribute maxexpired, should have value 8, but it is -1 now
    chusrattr.sh: User attribute minlen, should have value 7, but it is 0 now
    chusrattr.sh: User attribute minalpha, should have value 1, but it is 0 now
    chusrattr.sh: User attribute minother, should have value 1, but it is 0 now
    chusrattr.sh: User attribute histexpire, should have value 52, but it is 0 now
    chusrattr.sh: User attribute histsize, should have value 4, but it is 0 now
    chusrattr.sh: User attribute loginretries, should have value 6, but it is 0 now
    chdefstanza.sh: User attribute logindisable, should have value 6, but it is 0 now
    chdefstanza.sh: User attribute loginreenable, should have value 30, but it is 0 now
    chuserstanza.sh: User attribute rlogin in stanza root, should have value false, but its value is NULL now
    comntrows.sh: Daemon/Script/String:lpd: should have status disabled, however its entry is not found in file /etc/inittab
    comntrows.sh: Daemon/Script/String:dt: should have status disabled, however its entry is not found in file /etc/inittab
    cominetdconf.sh: Service ftp using protocol tcp should be disabled, however it is enabled now

- Easy to implement periodical compliance check via crontab or PowerSC RTC
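As an added example (not from the presentation and not part of PowerSC), the sh functions below turn the check report shown on this slide into one record per violation, so a scheduled job can alert on drift. It assumes the report holds one violation per line; the function names and the kind|item|expected|actual record layout are made up for this example.

```shell
#!/bin/sh
# Added example: summarise a pscxpert check report for a scheduled job.
# Line formats follow the report on the slide; function names and the
# kind|item|expected|actual layout are assumptions of this example.
# On the AIX host, run "pscxpert -c" (as on the slide) before check_and_alert.

# Sample report: lines copied from the slide, not collected from a live system.
sample_report() {
cat <<'EOF'
***** famsdev : Jun 22 14:49:35 ******
chusrattr.sh: User attribute maxage, should have value 13, but it is 0 now
chusrattr.sh: User attribute minlen, should have value 7, but it is 0 now
chdefstanza.sh: User attribute logindisable, should have value 6, but it is 0 now
chuserstanza.sh: User attribute rlogin in stanza root, should have value false, but its value is NULL now
comntrows.sh: Daemon/Script/String:lpd: should have status disabled, however its entry is not found in file /etc/inittab
cominetdconf.sh: Service ftp using protocol tcp should be disabled, however it is enabled now
EOF
}

# parse_report: report text on stdin, one "kind|item|expected|actual" per violation.
parse_report() {
    awk '
    /^\*\*\*\*\*/ { next }                      # host and timestamp banner
    /: User attribute / {
        line = $0
        sub(/^[^:]*: User attribute /, "", line)
        item = line; sub(/, should have value .*/, "", item)
        want = line; sub(/^.*, should have value /, "", want); sub(/, but .*/, "", want)
        got = line;  sub(/^.*, but (it is|its value is) /, "", got); sub(/ now$/, "", got)
        print "attr|" item "|" want "|" got
        next
    }
    /: Daemon\/Script\/String:/ {
        line = $0
        sub(/^.*Daemon\/Script\/String:/, "", line)
        item = line; sub(/:.*/, "", item)
        want = line; sub(/^.*should have status /, "", want); sub(/,.*/, "", want)
        got = line;  sub(/^.*however /, "", got)
        print "daemon|" item "|" want "|" got
        next
    }
    /: Service .* using protocol / {
        line = $0
        sub(/^[^:]*: Service /, "", line)
        split(line, w, " ")                     # w[1]=service, w[4]=protocol
        want = line; sub(/^.* should be /, "", want); sub(/,.*/, "", want)
        got = line;  sub(/^.*however it is /, "", got); sub(/ now$/, "", got)
        print "service|" w[1] "/" w[4] "|" want "|" got
        next
    }
    NF { print "unparsed|" $0 "||" }            # keep unknown lines visible
    '
}

# violation_count: number of recognised violations in the report on stdin.
violation_count() {
    parse_report | awk -F'|' '$1 != "unparsed" { n++ } END { print n + 0 }'
}

# check_and_alert: prints the records and returns 1 when the report lists
# anything, 0 when it is empty, 2 when the report cannot be read.
check_and_alert() {
    report=${1:-/etc/security/aixpert/check_report.txt}
    [ -r "$report" ] || { echo "no report at $report" >&2; return 2; }
    records=$(parse_report < "$report")
    [ -z "$records" ] && return 0
    printf '%s\n' "$records"
    return 1
}

# Demo on the embedded sample.
sample_report | parse_report
```

A crontab entry or wrapper can call check_and_alert after pscxpert -c and forward the printed records whenever the return status is 1.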

21 Generating a compliance audit report

22 Compatibility check without applying the profile
The -P flag accepts profile name as input: pscxpert -c -P <profile name>

    # pscxpert -c -P /etc/security/aixpert/custom/pci.xml -p
    Processing pci_minage :done.
    Processing pci_maxage : failed.
    Processing pci_maxexpired : failed.
    Processing pci_minlen : failed.
    Processing pci_minalpha : failed.
    Processing pci_minother : failed.
    Processing pci_maxrepeats :done.
    Processing pci_histexpire : failed.
    Processing pci_histsize : failed.
    Processing pci_loginretries : failed.
    Processing pci_logindisable : failed.
    Processing pci_loginreenable : failed.
    Processing pci_rootrlogin : failed.
    Processing pci_rootlogin :done.
    ...
    :done.
    Processedrules=82 Passedrules=43 Failedrules=39 Level=PLS
    Input file=/etc/security/aixpert/custom/pci.xml

23 Compatibility check is a game changer
- Allows you to identify what controls have a high probability of immediately integrating to your system
- Controls that fail the compatibility check are what you need to research
- The compatibility feature allows you to detect what your existing hardening tooling is NOT doing
- One integration possibility is deploying the security controls not being deployed by your existing tooling
- This and the audit report feature are fantastic features only available with the PowerSC pscxpert command

24 pscxpert Customization Feature
- Modify existing security rules to meet your compliance requirements
- Create new custom rules according to your security policy
- Create compliance check for periodical compliance verification
- Create rules to automate day to day administrative tasks
- Create readily deployable security profiles to meet compliance requirements of security standards like PCI DSS, HIPAA, SOX-COBIT etc

25 Creating new rules
pscxpert provides a framework to integrate user-defined scripts to create new rules. Example:
- Create rules to implement password policy
- Create rules to implement login settings
- Create rules to disable services that should be disabled
- Create rules to enable auditing and logging
- Create rules to implement security features like RBAC, EFS, Trusted Execution
- Create rules to enforce network security
- Create rules to secure SSH server configuration
- Create rules to set file permissions

26 Beyond security administrative tasks
In addition to security rules, the pscxpert customization feature can be used to automate other administrative tasks. Example:
- LDAP setup
- Set and verify permissions and ownership of system files
- Implement PowerSC features
- Network tuning

27 Security and Compliance Automation Summary
- Helps companies with meeting compliance
- Helps companies verify the hardening has stayed applied
- Single tool for hardening AIX & VIOS
- Provides framework to define your own security rules
- Automation saves time and effort
- Best paired with PowerSC RTC, to receive alerts concerning policy violations

28 PowerSC Real Time Compliance Monitoring file content, file access and security policy changes in real time

29 WHY RTC?
- Very sophisticated detective security functionality
- RTC is different from typical security monitoring applications
- It registers files with the operating system using AHAFS, the Autonomic Health Advisory File System
- AHAFS is a pseudo file system implemented as an AIX kernel extension
- AHAFS in turn notifies rtcd when one of the registered files changes
- This saves on computing cycles and allows immediate real time notification.

32 Communication of messages
- Standard emails can be sent using sendmail
- An alternative method is using SNMP
- Local logging of messages

33 Email message of content change

34 Email message of access change

35 Content change resulting in security policy violation

36 Monitoring details
- By default, approximately 280 files are monitored
- You can customize the set of monitored files
- Attributes Monitoring triggers an alert when the access to a file changes
- Content Monitoring triggers an alert when the contents of a file changes

37 Requirements
- For AIX 6: bos.ahafs or later
- For AIX 7: bos.ahafs or later
- powerscexp.rtc
- powerscexp.license
- OPTIONAL: for automated compliance: powerscexp.ice
- NOTE: all PowerSC filesets in PowerSC Express Ed.

38 SUMMARY
- PowerSC provides unique compliance and monitoring capabilities only available with PowerSC
- PowerSC Security & Compliance Automation provides comprehensive security controls
- PowerSC RTC provides a sophisticated kernel-based tool for real time monitoring which dramatically enhances the capabilities of PowerSC Security & Automated Compliance
- IBM Lab Services provides a 3 day workshop: pscxpert & RTC - install, configure and customize
- Additional integration assistance services are available

39 PowerSC pricing by Edition and System Tier
- PowerSC Standard Edition (PID 5765-PSE) is priced per-activated-core, similar to the way PowerVM is priced. Pre-requisite: PowerVM. Intended for hardening virtualization deployments on PowerVM.
- Power Systems Tiers, PowerSC Standard Edition: Large $, Medium $, Small (includes Blades) $. Pricing is per-activated-core license + SWMA after 1st Year (example shown is $US for NA region).
- PowerSC Trusted Surveyor (PID 5765-PTS) is priced per monitored HMC: $10,000 per HMC, no tiering. Only one license is needed for dual-HMC configurations.
- Per Monitored Console, PowerSC Trusted Surveyor: HMC $10,000+2,000 SWMA after 1st Year (example shown is $US for NA region).

40 PowerSC pricing for maximum POWER models Tier POWER Model PowerSC Standard Cores Large $160,000 Medium $20,032 Small $4,000 Pricing for Express is Capacity based pricing. Example above is for all cores. Small S $2,000 Pricing is per-activated-core license (example shown is $US for NA region) Standard Edition

41 Pass-through Authentication with IBM Security Directory Server and Microsoft Active Directory The perfect general solution for centralized AIX user management

43 No ISDS licensing and support cost for AIX
- No cost --- $0
- Use of ISDS for AIX authentication and identification is covered under your AIX SWMA
- This only applies to an LDAP client or LDAP server running on AIX with SWMA
- If you have a technical issue, open an AIX ticket and it will be routed to Tivoli support
- I have a US customer that has been happily using ISDS for several hundred AIX partitions for over 5 years

44 Why LDAP? - #1 make life easier

45 Why LDAP? #2 Improve security
- Separation of Duties
- Reduce Shared Access
- User auditing based on general user accounts
- Promote integrity of security tooling

46 What is AIX Authentication? When an AIX user accesses a system, his password is verified to authenticate the userid to the system

47 What is AIX identification? The list of user and group attributes on the system

48 Why LDAP is so important?
- Centralized authentication (authentication is the checking and updating of passwords)
- Centralized identification (identification determines the set of attributes that describe your users and groups)

49 Benefits of LDAP
- Manage one password per user account
- Allows applications to operate correctly that rely on user-identification in a distributed environment. For example, NFS
- User creation only on one system vs. many
- User deactivation only on one system vs. many
- When using ITDS, user access can be specified on server for all AIX clients being accessed by user

54 What is LDAP Schema?
Controls how information is added to the Directory. There are 3 major types:
- RFC2307AIX
- RFC2307
- IDMU

56 A major issue migrating to LDAP
- File-based user accounts out of sync
- LDAP servers export the same namespace to LDAP clients
- LDAPAfiles is the solution

57 LDAPAfiles
- Allows you to use LDAP only for authentication
- You use this when your local account is completely out of sync with the user account on LDAP
- You use the local account information
- You can determine which users are LDAP users and LDAPAfiles users on a per system and per user basis. For example, LPAR_01 has 100 out of 100 AIX general accounts using LDAP for authentication and identification, but on LPAR_02, 90 users are pure LDAP users and 10 users are LDAPAfiles.

58 Restricting system access
- A typical LDAP client sees all users in your directory
- A typical question is how to limit access to select users on a per-partition basis
- Netgroups, host_allow_login, pam_modules are possible
- The most sophisticated method is login tagging

59 What is login tagging?
- We tag a user's LDAP account with various tags
- The tags indicate what type of system access the user should have
- The LDAP client system is configured to only see users with certain tags.
- The LDAP client can define logical operations on login tags
- Lab Services provides a login tagging tool in our services that greatly simplifies this configuration and ongoing administration

61 LDAP Server Options
- IBM's Tivoli Directory Server
- MSAD
- Other RFC2307 servers

62 MSAD AIX User Attribute Administrative Interface

63 ISDS AIX User Attribute Administrative Interface

72 Additional Centralized Options only for ISDS
- Enhanced RBAC policies
- Security Expert Policies
- Trusted Execution's TSD Database
- EFS
- HMC RBAC roles
- VIOS RBAC roles
- HMC login
- VIOS login

73 Why Should MSAD handle authentication?
- % of IBM customers using AIX use MSAD for their corporate Identity Management.
- 99.9% of IBM customers using AIX have a corporate MSAD-based password
- Instead of having to remember a separate AIX/Unix/Linux password, use the existing MSAD corporate password for AIX/Unix/Linux authentication

74 Why Should ISDS handle Identification?
- ISDS implements RFC2307AIX schema, which is the most compatible schema for AIX user management
- Unlike MSAD, ISDS provides a graphical web-based administrative interface that can manage all the user attributes possible with RFC2307AIX Schema
- In addition to AIX, ISDS can support your other UNIX/Linux operating system LDAP clients

75 Who Benefits Using PTA?
- Administrators needing access to their AIX/Unix/Linux systems
- Application user community who needs to access an application that is running on AIX/Unix/Linux

76 Simple Topology

77 PTA features
- Can support any level and any configuration of MSAD
- No alteration of your existing MSAD environment
- Uses SSL to encrypt all communication
- Provides the ability to use a Windows based password when logging onto an AIX/UNIX/Linux partition
- When an application server utilizes OS-based security, allows users running application clients on any operating system to authenticate access to the application server using their MSAD-based password
- Can eliminate recurring password resets for non-MSAD-based passwords
- Any length of password and login name can be used on your AIX LDAP clients
- The AIX login username doesn't need to be identical to the MSAD login username
- Allows you to utilize LDAPAfiles for accounts out of sync

78 PTA features continued
- On a per AIX user basis, you may exclude a user from PTA authentication and use a separate password stored on ISDS
- No Delay --- Passwords reset on Windows will be immediately effective on AIX systems
- It is possible to map multiple AIX/UNIX/Linux login names to a single MSAD password
- On different AIX LDAP clients, it is possible to map the same login name to different MSAD passwords
- When using an MSAD trusted root certificate, high availability can be provided to the PTA server by pointing the ISDS server to the MSAD domain
- Allows AIX administrators to update UNIX user/group attributes by leveraging the AIX standard command line interface without needing access to the MSAD server

79 Lab Services PTA Consulting Services
- 3 week Identity Management consulting services
- Knowledge transfer, SSL implementation, replication, upgrade components, web based administration tool, training in LDAP essential concepts, essential LDAP server administration, LDAP client functionality
- Also provide assistance with integrating other UNIX/LINUX clients
- Lab Services customers obtain a PTA mapping tool and also the login tagging tool only available via our consulting service

80 LDAP References
- Redbook: Integrating AIX into Heterogenous LDAP Environments
- AIX Knowledge Center
- IBM Security Directory Server Administration Guide
- I have an LDAP section of links on my links page on securitysteve.net

81 AIX Enhanced Role Based Access Control
"Step 1: Gain as much administrative access, or even better: root access" (from A Step-by-step Guide to UNIX Security Breaching)

82 What is RBAC
- Most sophisticated access control solution on AIX
- Reduces use of root
- You don't have to be root to install an application
- Provides preventative security functionality

85 RBAC vs. SUDO
- Provides true separation of duties
- Doesn't use the vulnerability of SUID & SGID like SUDO does
- Provides extremely granular access control not possible with SUDO
- Provides privileged files
- Provides RBAC Domains
- Kernel-based
- Only way to deactivate any setuid or setgid executable and provide equivalent functionality as an RBAC command
- Allows Domain RBAC
- Provides RBAC-based auditing
- RBAC is fully supported by IBM

86 Top 10 Reasons to Use AIX RBAC
1) It is kernel-based and native to the OS
2) RBAC Privileged Files
3) You can customize 3rd party scripts and remove unnecessary root access
4) Will make your auditors happy
5) Provides streamlined AIX auditing using role-based auditing
6) Remove the need to su to root
7) Leverage Domain RBAC
8) You can centrally manage RBAC with LDAP
9) You can secure your RBAC controls with Trusted Execution
10) Drastically reduce security risk

87 AIX Trusted Execution
"Step 2: Once privileged access is gained, deploy root kits and trojan horses" (from A Step-by-step Guide to UNIX Security Breaching)

88 What is AIX Trusted Execution
- Integrity Checker
- Database of Trusted files
- System Check
- Run-time Checks
- Provides preventative, detective and corrective security functionality
- Provides preventative and detective malware functionality
- Provides great flexibility on selecting the combination of preventative, detective and corrective functionality that you want

89 TSD Entry

90 TE Run-time Policies

91 Top 10 Reasons to Use TE
1) Allows you to detect if a file has been compromised
2) Allows you to detect improper file permissions or ownership
3) Allows you to add your own files for verification
4) You may choose to only use TE's detective functionality
5) You may choose to also use TE's preventative functionality
6) You may choose to use TE's corrective functionality
7) Promotes consistency and prevents drift that could be exploited
8) When used with LDAP, you can retrieve a read only TSD copy from LDAP and verify it across multiple systems
9) AIX Auditing aware tool
10) RBAC aware tool

92 AIX Auditing If you can't prevent an attack, at least detect it

93 What is AIX Auditing?
- Monitor and record security related events occurring on your AIX partition
- Potentially alert you of security policy violations
- Detect breach
- Detect security threats
- Monitor how files are used and accessed
- Helps you integrate aixpert hardening profiles by auditing the system environment
- Monitor the administrative actions of users using other security features like PowerSC TNC

94 AIX Auditing Log

95 Top 10 Reasons to Use AIX Auditing
1) Allows you to detect if a file has been compromised
2) Allows you to detect improper file permissions or ownership
3) Allows you to add your own files for verification
4) You may choose to only use TE's detective functionality
5) You may choose to also use TE's preventative functionality
6) You may choose to use TE's corrective functionality
7) Promotes consistency and prevents drift that could be exploited
8) When used with LDAP, you can retrieve a read only TSD copy from LDAP and verify it across multiple systems
9) AIX Auditing aware tool
10) RBAC aware tool

97 AIX Security Forum Summary
- Excellent security depends on Defense in Depth
- An excellent security approach involves the following in priority: preventive, detective and corrective security functionality
- PowerSC pscxpert and RTC provide a security hardening and monitoring solution that has no peer
- PTA is the perfect solution for centralized AIX account and password management
- RBAC is the best way to stop a hacker from taking his very first step, once he's inside your network
- Trusted Execution is the best way to verify & maintain AIX integrity
- AIX Auditing is an indispensable tool for detective security functionality

98 IBM Systems Lab Services & Training - Power Systems Services for AIX, i5os, and Linux on Power
PowerCare Eligible
RHEL Security Assessment

Overview:
As detailed in the Ponemon Institute's survey, 2015 Cost of Data Breach Study, the average cost of a computer breach at a large company globally was $3.79 million. For U.S.-based companies, the average cost was much higher, 6.5 million. These costs have risen globally 23% since
In the 2014 Global Report on the Cost of Cyber Crime, the Ponemon Institute, a security research center, recommends that deployment of security intelligence systems and maintaining a strong security posture makes a difference and moderates the cost of cyber attacks. IBM Lab Services is providing the following services to help you reduce your security risk and improve the security of your information assets. These services are being provided to help you deploy the type of security intelligence systems and achieve the strong security posture recommended by the Ponemon Institute.
The RHEL Security Assessment's goal is to identify effective security controls for your company to utilize which will significantly reduce your security risk. This service is designed for IBM Power Systems customers. The security controls have been recommended for Red Hat Enterprise Linux by the United States NSA Information Assurance Directorate. The controls are primarily based on Red Hat and security community consensus-based recommendations.

Client Benefits:
- Helps achieve regulatory compliance, such as PCI, HIPAA, etc
- Helps improve RHEL security configurations and lower risk
- Helps promote the adoption of the latest RHEL security solutions
- Provides a baseline for defining standard RHEL image builds
- Learn of hundreds of security controls to reduce security risk

Duration:
Time varies depending on scope requested: 1-3 days on-site

Phase 1 Preparation (remote):
Conference calls are held prior to the service to validate the scope, agenda, schedule and required materials.
- Client provides overview of their current RHEL security environment
- IBM team prepares the service agenda/schedule
- IBM team details security data collection process
- IBM team provides customer security questionnaire
- Identify required materials / Finalize key players

Phase 2 RHEL Security Assessment (on-site):
- Assessment Phase: Partition data is collected. Data is processed and assessment documents are created.
- Review Phase: Consultant holds a review of the results of the assessment with key customer staff. Additional presentations may be provided on recommended security solutions.

Deliverables:
Detailed RHEL Security Assessment Findings document, Heat Map, Executive Summary

References:
NSA RHEL Guidelines ating_systems.shtml

Terms and Conditions:
Actual Tasks, Deliverables, Service Estimates, and travel requirements vary with each client's environment. When we have reached a final agreement on the scope of your initiative and our level of assistance, a formal document describing our proposed work effort, costs, etc, will be presented for your approval and signature.

Contacts:
- Erin M. Hansen - PowerCare Opportunity Manager erinh@us.ibm.com
- Linda Hoben Opportunity Manager hoben@us.ibm.com
- Stephen Brandenburg Opportunity Manager sbranden@us.ibm.com

100 Let's Stay in Touch!
Stephen Dominguez
If you'd like for me to set up a conference call so we can chat about security, shoot me an email at sdoming@us.ibm.com


More information

Total Security Management PCI DSS Compliance Guide

Total Security Management PCI DSS Compliance Guide Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

Mapping BeyondTrust Solutions to

Mapping BeyondTrust Solutions to TECH BRIEF Taking a Preventive Care Approach to Healthcare IT Security Table of Contents Table of Contents... 2 Taking a Preventive Care Approach to Healthcare IT Security... 3 Improvements to be Made

More information

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to

More information

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts SAP Cybersecurity Solution Brief Objectives Solution Benefits Quick Facts Secure your SAP landscapes from cyber attack Identify and remove cyber risks in SAP landscapes Perform gap analysis against compliance

More information

CoreMax Consulting s Cyber Security Roadmap

CoreMax Consulting s Cyber Security Roadmap CoreMax Consulting s Cyber Security Roadmap What is a Cyber Security Roadmap? The CoreMax consulting cyber security unit has created a simple process to access the unique needs of each client and allows

More information

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW: SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE Protecting your business assets and sensitive data requires regular vulnerability assessment,

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

Cybersecurity The Evolving Landscape

Cybersecurity The Evolving Landscape Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG

More information

Automating the Top 20 CIS Critical Security Controls

Automating the Top 20 CIS Critical Security Controls 20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises

More information

QuickBooks Online Security White Paper July 2017

QuickBooks Online Security White Paper July 2017 QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a

More information

WHITEPAPER. THE INGRES DATABASE AND COMPLIANCE Ensuring your business most valuable assets are secure

WHITEPAPER. THE INGRES DATABASE AND COMPLIANCE Ensuring your business most valuable assets are secure WHITEPAPER THE INGRES DATABASE AND COMPLIANCE Ensuring your business most valuable assets are secure TABLE OF CONTENTS: Introduction...1 Requirements to Ensure Data Security...2 Build and Maintain a Secure

More information

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card

More information
