AIX VUG Webinar AIX Security

(1)

PowerSC Compliance/Monitoring and Pass-through Authentication with ISDS & MSAD

Stephen Dominguez, World Wide AIX and Linux Security Technical Lead – IBM Lab Services – [email protected] - http://www.securitysteve.net - @Secur1tySteve

July 30th 2015

(2)

Who am I?

• Peyton Manning/Broncos fan and also love jazz
• World-wide AIX and Linux on Power Security Lead for IBM Lab Services
• Worked with Power for 18 years, specifically security for 12
• I've worked with around 300 corporate customers throughout the world

(3)

Who am I?

• I have a security blog, www.securitysteve.net
• You can follow me on twitter, @Secur1tySteve
• IBM Lab Services is a cost center that works closely with IBM development to assist Power customers with their systems
• To learn about all Lab Services' security services: www.securitysteve.net/consulting-services/
• We have several flexible funding IBM programs available to provide security consulting services at no charge to eligible customers
• If you'd like for me to set up a conference call so we can chat about security,

(4)

Agenda

• Recent statistics on security breaches
• PowerSC Security and Compliance Automation (pscxpert)
• PowerSC Real Time Compliance (RTC)
• Pass-through Authentication with IBM Security Directory Server and Microsoft

(5)

Recent Statistics on Security Breaches

(6)

My blog's “hacking and breaches” links section

• http://map.norsecorp.com/

(7)

Ponemon Institute's findings

• 350 companies surveyed from 11 different countries
• Average cost of security breach of large company globally: 3.79 million
• Average cost of security breach of large company in US: 6.5 million
• Since 2013, the costs have risen globally by 23%
• Since 2013, the costs have risen in the US by 11%
• Average cost of stolen record in US is $217
• Average cost of stolen record globally is $154

(8)

Ponemon Institute's findings

• CEO Jamie Dimon personally informed shareholders following the JPMorgan Chase data breach that by the end of 2014 the bank will invest $250 million and have a staff of 1,000 committed to IT security.
• Ponemon indicated the 3 major reasons for higher breach costs:
  1) Cyber attacks have increased in frequency and in the cost to remediate the consequences
  2) The consequences of lost business are having a greater impact on the cost of data breach
  3) Data breach costs associated with detection and escalation increased
• Hackers or criminal insiders (employees, contractors or other 3rd parties) cause most data breaches (47%)
• Time to identify and contain a data breach affects cost
• Average time to identify a breach was 206 days, with a range of 20 to 582

(9)

PowerSC Security and Compliance Automation

Using the pscxpert command for security hardening

(13)

What is Security and Compliance Automation?

• Deploys security controls on AIX and VIOS partitions according to 4 regulatory security standards
• Helps customers deploy regulatory-based controls to help their general AIX and VIOS systems meet compliance standards
• It is a system security hardening tool

(14)

4 Security Standards & 1 database profile

• Payment Card Industry Data Security Standard v 3.0 (PCI-DSS)
• Sarbanes-Oxley Act and Cobit Compliance (SOX/COBIT)
• US Dept. of Defense Security Technical Implementation Guide (DoD-STIG)
• Health Insurance Portability and Accountability Act (HIPAA)

(15)

System Requirements?

3 PowerSC Managed System Types:
• AIX 6 TL 7 and greater
• AIX 7 TL 1 and greater

(16)

pscxpert

AIX System Security Hardening Tool

• Single consistent view to all security configurations
• Brings 300+ Security Settings to Central Control
• Easy to implement – can choose desired security level
  − Low, Medium, High, PCI, HIPAA, DOD, SOX-COBIT
• Provides compliance check and undo option
• Easy to distribute to other systems

[Diagram: pscxpert at the centre of the security areas it controls: Network, File Permissions, Services, Firewall, Users & Groups]

(17)

How pscxpert implements security policy

Policy Requirements:
• Minimum length of password to be 8 characters
• Change user password every 90 days
• Disable vulnerable services – FTP, Telnet
• Enable auditing

[Diagram: the policy requirements are captured in an XML profile file, which pscxpert applies to LPAR 1, LPAR 2 ... LPAR N]

(18)

How are the security controls deployed?

# pscxpert -f /etc/security/aixpert/custom/DataBase.xml -p
Processing prereqbinaudit :cached
Processing prereqcde :cached
Processing prereqgated :cached
Processing prereqipsec :cached
...
Processing db_minage ...:done.
Processing db_maxage ...:done.
Processing db_maxexpired ...:done.
Processing db_minlen ...:done.
Processing db_minalpha ...:done.
Processing db_minother ...:done.
...
Processing db_SecurityPatches
***************************************************************************
The Operating System should be patched regularly to minimise exposure to security vulnerabilities.
Consider using Power SC Trusted Network Connect for Patch Management to keep the systems updated
***************************************************************************
:done.
Processedrules=83 Passedrules=82 Failedrules=1 Level=DB Input file=/etc/security/aixpert/custom/DataBase.xml

(19)

Before and after

User attributes before applying the profile:

# lsuser -f root
root:
        id=0
        pgrp=system
        ....
        login=true
        su=true
        rlogin=true
        ...
        logintimes=
        loginretries=0
        pwdwarntime=0
        account_locked=false
        minage=0
        maxage=0
        maxexpired=-1
        minalpha=0
        minloweralpha=0
        minupperalpha=0
        minother=0
        mindigit=0
        minspecialchar=0
        mindiff=0
        maxrepeats=8
        minlen=0
        histexpire=0
        histsize=0
        pwdchecks=
        dictionlist=
        ...

User attributes after applying the profile:

# lsuser -f root
root:
        id=0
        pgrp=system
        ....
        login=true
        su=true
        rlogin=false
        ....
        logintimes=
        loginretries=0
        pwdwarntime=0
        account_locked=false
        minage=0
        maxage=13
        maxexpired=8
        minalpha=1
        minloweralpha=0
        minupperalpha=0
        minother=1
        mindigit=0
        minspecialchar=0
        mindiff=0
        maxrepeats=8
        minlen=7
        histexpire=52
        histsize=4
        pwdchecks=
        dictionlist=/etc/security/aixpert/dictionary/English
        ...

(20)

pscxpert – compliance check

Reports compliance violations:

# pscxpert -c
# cat /etc/security/aixpert/check_report.txt
***** famsdev : Jun 22 14:49:35 ******
chusrattr.sh: User attribute maxage, should have value 13, but it is 0 now
chusrattr.sh: User attribute maxexpired, should have value 8, but it is -1 now
chusrattr.sh: User attribute minlen, should have value 7, but it is 0 now
chusrattr.sh: User attribute minalpha, should have value 1, but it is 0 now
chusrattr.sh: User attribute minother, should have value 1, but it is 0 now
chusrattr.sh: User attribute histexpire, should have value 52, but it is 0 now
chusrattr.sh: User attribute histsize, should have value 4, but it is 0 now
chusrattr.sh: User attribute loginretries, should have value 6, but it is 0 now
chdefstanza.sh: User attribute logindisable, should have value 6, but it is 0 now
chdefstanza.sh: User attribute loginreenable, should have value 30, but it is 0 now
chuserstanza.sh: User attribute rlogin in stanza root, should have value false, but its value is NULL now
comntrows.sh: Daemon/Script/String:lpd: should have status disabled, however its entry is not found in file /etc/inittab
comntrows.sh: Daemon/Script/String:dt: should have status disabled, however its entry is not found in file /etc/inittab
cominetdconf.sh: Service ftp using protocol tcp should be disabled, however it is enabled now

Non-compliance reported

Easy to implement periodical compliance check via
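As an added example (not code from the slides or from PowerSC itself), this is the check that chusrattr.sh performs for the compliance report above, written in Python against the before/after lsuser -f root output from the earlier slide. The policy values come from the report on the slide; the trimmed lsuser samples are constructed from the slide's values and the function names are my own.

```python
# Policy the DataBase profile enforces, taken from the chusrattr.sh and
# chuserstanza.sh lines of the check_report.txt on the slide
# (attribute -> value pscxpert expects; rlogin is compared as a string).
DB_USER_POLICY = {
    "maxage": 13, "maxexpired": 8, "minlen": 7, "minalpha": 1,
    "minother": 1, "histexpire": 52, "histsize": 4, "rlogin": "false",
}

# Constructed samples of `lsuser -f root` stanza output, cut down to the
# attributes the profile touches. BEFORE uses the pre-profile values from
# the slide, AFTER the post-profile values.
LSUSER_BEFORE = """root:
        rlogin=true
        minage=0
        maxage=0
        maxexpired=-1
        minalpha=0
        minother=0
        minlen=0
        histexpire=0
        histsize=0
        dictionlist=
"""
LSUSER_AFTER = """root:
        rlogin=false
        minage=0
        maxage=13
        maxexpired=8
        minalpha=1
        minother=1
        minlen=7
        histexpire=52
        histsize=4
        dictionlist=/etc/security/aixpert/dictionary/English
"""

def parse_lsuser(text):
    """Parse `lsuser -f` stanza output into {user: {attribute: value}}."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]        # "root:" opens a new stanza
            users[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            users[current][key] = value
    return users

def check_policy(attrs, policy=DB_USER_POLICY):
    """Compare one user's attributes with the policy the way chusrattr.sh
    does: an exact match against the expected value. An unset numeric
    attribute counts as 0 (the AIX default). Returns a list of
    (attribute, expected, actual) tuples, one per mismatch."""
    violations = []
    for attr, expected in policy.items():
        raw = attrs.get(attr, "")
        if raw.lstrip("-").isdigit():
            actual = int(raw)
        else:
            actual = raw or 0
        if actual != expected:
            violations.append((attr, expected, actual))
    return violations

def report_lines(violations):
    """Render mismatches in the wording pscxpert -c writes to check_report.txt."""
    return [f"chusrattr.sh: User attribute {a}, should have value {e}, but it is {v} now"
            for a, e, v in violations]

if __name__ == "__main__":
    for label, sample in (("before", LSUSER_BEFORE), ("after", LSUSER_AFTER)):
        found = check_policy(parse_lsuser(sample)["root"])
        print(f"{label}: {len(found)} violation(s)")
        for line in report_lines(found):
            print("  " + line)
```

Run on a real system, the sample strings would be replaced by the captured output of lsuser -f for each account, and a non-empty result is the signal a periodic cron job should alert on.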

(21)

(22)

Compatibility check without applying the profile

• The -P flag accepts a profile name as input:

pscxpert -c -P <profile name>

# pscxpert -c -P /etc/security/aixpert/custom/PCI.xml -p
Processing pci_minage :done.
Processing pci_maxage : failed.
Processing pci_maxexpired : failed.
Processing pci_minlen : failed.
Processing pci_minalpha : failed.
Processing pci_minother : failed.
Processing pci_maxrepeats :done.
Processing pci_histexpire : failed.
Processing pci_histsize : failed.
Processing pci_loginretries : failed.
Processing pci_logindisable : failed.
Processing pci_loginreenable : failed.
Processing pci_rootrlogin : failed.
Processing pci_rootlogin :done.
...
... :done.
Processedrules=82 Passedrules=43 Failedrules=39 Level=PLS Input file=/etc/security/aixpert/custom/PCI.xml

(23)

Compatibility check is a game changer

• Allows you to identify what controls have a high probability of immediately integrating into your system
• Controls that fail the compatibility check are what you need to research
• The compatibility feature allows you to detect what your existing hardening tooling is NOT doing
• One integration possibility is deploying the security controls not being deployed by your existing tooling
• This and the audit report feature are fantastic features only available

(24)

pscxpert – Customization Feature

• Modify existing security rules to meet your compliance requirements
• Create new custom rules according to your security policy
• Create compliance checks for periodical compliance verification
• Create rules to automate day to day administrative tasks
• Create readily deployable security profiles to meet compliance requirements

(25)

Creating new rules

pscxpert provides a framework to integrate user-defined scripts to create new rules

• Example:
  − Create rules to implement password policy
  − Create rules to implement login settings
  − Create rules to disable services that should be disabled
  − Create rules to enable auditing and logging
  − Create rules to implement security features like RBAC, EFS, Trusted Execution
  − Create rules to enforce network security
  − Create rules to secure SSH server configuration
  − Create rules to set file permissions

(26)

Beyond security – administrative tasks

• In addition to security rules, the pscxpert customization feature can be used to automate other administrative tasks
• Example:
  − LDAP setup
  − Set and verify permissions and ownership of system files
  − Implement PowerSC features

(27)

Security and Compliance Automation Summary

• Helps companies with meeting compliance
• Helps companies verify the hardening has stayed applied
• Single tool for hardening AIX & VIOS
• Provides framework to define your own security rules
• Automation saves time and effort
• Best paired with PowerSC RTC, to receive alerts concerning policy


(29)

PowerSC Real Time Compliance

(30)

WHY RTC?

• RTC is different from typical security monitoring applications
• It registers files with the operating system using AHAFS, the Autonomic Health Advisory File System
• AHAFS is a pseudo file system implemented as an AIX kernel extension
• AHAFS will in turn notify rtcd when one of the registered files changes

(33)

Communication of messages

• Standard emails can be sent using sendmail
• An alternative method is using SNMP

(37)

Monitoring details

• By default, approximately 280 files are monitored
• You can customize the set of monitored files
• Attribute monitoring triggers an alert when the access to a file changes

(38)

Requirements

• For AIX 6: bos.ahafs 6.1.7.0 or later
• For AIX 7: bos.ahafs 7.1.1.0 or later
• powerscExp.rtc
• powerscExp.license
• OPTIONAL, for automated compliance: powerscExp.ice

(39)

SUMMARY

• PowerSC provides unique compliance and monitoring capabilities only available with PowerSC
• PowerSC – Security & Compliance Automation provides comprehensive security controls
• PowerSC – RTC provides a sophisticated kernel-based tool for real time monitoring which dramatically enhances the capabilities of PowerSC Security & Automated Compliance
• IBM Lab Services provides a 3 day workshop: pscxpert & RTC - install, configure and customize

(40)

PowerSC pricing by Edition and System Tier

• PowerSC Standard Edition (PID 5765-PSE) is priced per activated core, similar to the way PowerVM is priced. Prerequisite: PowerVM.
  – Intended for hardening virtualization deployments on PowerVM

Power Systems Tier        PowerSC Standard Edition
Large                     $625 + 125
Medium                    $313 + 63
Small (includes Blades)   $125 + 25

Pricing is per-activated-core license + SWMA after 1st year (example shown is $US for NA region)

• PowerSC Trusted Surveyor (PID 5765-PTS) is priced per monitored HMC: $10,000 per HMC, no tiering. Only one license is needed for dual-HMC configurations

Per Monitored Console     PowerSC Trusted Surveyor
HMC                       $10,000 + 2,000

(41)

PowerSC pricing for maximum POWER models

Tier     POWER Model   Cores   PowerSC Standard
Large    795           256     $160,000
Medium   770           64      $20,032
Small    750           32      $4,000

Pricing for Express is capacity based pricing. Example above is for all cores. Pricing is per-activated-core license (example shown is $US for NA region), Standard Edition.

(42)

Pass-through Authentication with IBM Security Directory Server and Microsoft Active Directory

(44)

No ISDS licensing and support cost for AIX

• No cost --- $0
• Use of ISDS for AIX authentication and identification is covered under your AIX SWMA
• This only applies to an LDAP client or LDAP server running on AIX with SWMA
• If you have a technical issue, open an AIX ticket and it will be routed to Tivoli support
• I have a US customer that has been happily using ISDS for several

(46)

Why LDAP? #2 Improve security

• Separation of Duties
• Reduce Shared Access
• User auditing based on general user accounts

(47)

What is AIX Authentication?

• When an AIX user accesses a system, his password is verified to

(48)

What is AIX identification?

• The list of user and group

(49)

AIX User Authentication & Identification

• AIX's LAM framework, eg compat, nis, files, LDAP
• AIX's compound LAM framework

(50)

What is files-based Security?

• User passwords (authentication) stored locally on each individual LPAR
• User accounts (identification) stored locally on each individual LPAR

(52)

Why is LDAP so important?

• Centralized authentication – (authentication is the checking and updating of passwords)
• Centralized identification – (identification determines the set of

(53)

Benefits of LDAP

• Manage one password per user account
• Allows applications that rely on user identification in a distributed environment to operate correctly. For example, NFS
• User creation only on one system vs. many
• User deactivation only on one system vs. many
• When using ITDS, user access can be specified on the server for all AIX

(58)

What is LDAP Schema?

• Controls how information is added to the Directory
• There are 3 major types:
  • RFC2307AIX
  • RFC2307

(60)

A major issue migrating to LDAP

• File-based user accounts out of sync
• LDAP servers export the same namespace to LDAP clients

(61)

LDAPAfiles

• Allows you to use LDAP only for authentication
• You use this when your local account is completely out of sync with the user account on LDAP
• You use the local account information
• You can determine which users are LDAP users and which are LDAPAfiles users on a per-system and per-user basis. For example, LPAR_01 has 100 out of 100 AIX general accounts using LDAP for authentication and identification, but on LPAR_02, 90 users are pure LDAP users and 10 users are LDAPAfiles.

(62)

Restricting system access

• A typical LDAP client sees all users in your directory
• A typical question is how to limit access to a select set of users on a per-partition basis
• Netgroups, host_allow_login, pam_modules possible

(63)

What is login tagging?

• We tag a user's LDAP account with various tags
• The tags indicate what type of system access the user should have, eg user steve could be tagged with “db2” and “nfs_server”, so steve should be able to login to db2 systems or nfs servers
• The LDAP client system is configured to only see users with certain tags.
• The LDAP client can define logical operations on login tags, eg the client only sees users who are tagged either “db2” or “nfs_server” but never tagged “tnc server”
• Lab Services provides a login tagging tool in our services that greatly
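An added example (my own, not the Lab Services tagging tool) of the logical operations on login tags described above: it builds the LDAP search filter for “tagged db2 or nfs_server but never tnc server” and evaluates it against constructed directory entries, so you can see which accounts a client configured with that filter would admit. The attribute name loginTag and the sample users are assumptions.

```python
# Hypothetical LDAP attribute that carries a user's login tags; the slide does
# not name the attribute the Lab Services tagging tool uses.
TAG_ATTR = "loginTag"

# Constructed directory entries: attribute -> list of values, as an LDAP
# search would return them.
USERS = {
    "steve":  {"uid": ["steve"],  TAG_ATTR: ["db2", "nfs_server"]},
    "dana":   {"uid": ["dana"],   TAG_ATTR: ["db2", "tnc server"]},
    "oscar":  {"uid": ["oscar"],  TAG_ATTR: ["oracle"]},
    "nobody": {"uid": ["nobody"]},                      # untagged account
}

def build_tag_filter(any_of, none_of, attr=TAG_ATTR):
    """RFC 4515 filter: at least one tag from any_of and no tag from none_of."""
    allow = "".join(f"({attr}={t})" for t in any_of)
    deny = "".join(f"(!({attr}={t}))" for t in none_of)
    return f"(&(|{allow}){deny})"

def evaluate(flt, entry):
    """Evaluate a filter limited to &, |, ! and equality against one entry."""
    node, rest = _parse(flt)
    if rest:
        raise ValueError("unexpected trailing text: " + rest)
    return _eval(node, entry)

def visible_users(flt, users=USERS):
    """Names the LDAP client would see under the given filter."""
    return sorted(name for name, entry in users.items() if evaluate(flt, entry))

def _parse(s):
    """Recursive-descent parser returning (node, unparsed remainder)."""
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + s)
    s = s[1:]
    if s[0] in "&|":                       # n-ary AND / OR
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        node = (op, kids)
    elif s[0] == "!":                      # NOT with exactly one child
        kid, s = _parse(s[1:])
        node = ("!", [kid])
    else:                                  # attr=value leaf
        end = s.index(")")
        attr, _, value = s[:end].partition("=")
        node, s = ("=", (attr, value)), s[end:]
    if not s.startswith(")"):
        raise ValueError("expected ')' at: " + s)
    return node, s[1:]

def _eval(node, entry):
    op, arg = node
    if op == "&":
        return all(_eval(k, entry) for k in arg)
    if op == "|":
        return any(_eval(k, entry) for k in arg)
    if op == "!":
        return not _eval(arg[0], entry)
    attr, value = arg                      # LDAP equality is case-insensitive
    return value.lower() in (v.lower() for v in entry.get(attr, []))

if __name__ == "__main__":
    flt = build_tag_filter(["db2", "nfs_server"], ["tnc server"])
    print(flt)
    print(visible_users(flt))              # ['steve']
```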

(64)

LDAP Server Options

• IBM's Tivoli Directory Server
• MSAD

(75)

Additional Centralized Options only for ISDS

• Enhanced RBAC policies
• Security Expert Policies
• Trusted Execution's TSD Database
• EFS
• HMC RBAC roles
• VIOS RBAC roles
• HMC login

(76)

Why Should MSAD handle authentication?

• 99.9% of IBM customers using AIX use MSAD for their corporate Identity Management.
• 99.9% of IBM customers using AIX have a corporate MSAD-based password
• Instead of having to remember a separate AIX/Unix/Linux password,

(77)

Why Should ISDS handle Identification?

• ISDS implements the RFC2307AIX schema, which is the most compatible schema for AIX user management
• Unlike MSAD, ISDS provides a graphical web-based administrative interface that can manage all the user attributes possible with the RFC2307AIX Schema
• In addition to AIX, ISDS can support your other UNIX/Linux operating

(78)

Who Benefits Using PTA?

• Administrators needing access to their AIX/Unix/Linux systems
• Application user community who needs to access an application that is

(80)

PTA features

• Can support any level and any configuration of MSAD
• No alteration of your existing MSAD environment
• Uses SSL to encrypt all communication
• Provides the ability to use a Windows-based password when logging onto an AIX/UNIX/Linux partition
• When an application server utilizes OS-based security, allows users running application clients on any operating system to authenticate access to the application server using their MSAD-based password
• Can eliminate recurring password resets for non-MSAD-based passwords
• Any length of password and login name can be used on your AIX LDAP clients
• The AIX login username doesn't need to be identical to the MSAD login username

(81)

PTA features continued

• On a per-AIX-user basis, you may exclude a user from PTA authentication and use a separate password stored on ISDS
• No Delay --- passwords reset on Windows will be immediately effective on AIX systems
• It is possible to map multiple AIX/UNIX/Linux login names to a single MSAD password
• On different AIX LDAP clients, it is possible to map the same login name to different MSAD passwords
• When using an MSAD trusted root certificate, high availability can be provided to the PTA server by pointing the ISDS server to the MSAD domain
• Allows AIX administrators to update UNIX user/group attributes by leveraging the AIX standard command line interface without needing access to the MSAD server

(82)

Lab Services PTA Consulting Services

• 3 week Identity Management consulting services
• Knowledge transfer, SSL implementation, replication, upgrade components, web based administration tool, training in LDAP essential concepts, essential LDAP server administration, LDAP client functionality
• Also provide assistance with integrating other UNIX/LINUX clients
• Lab Services customers obtain a PTA mapping tool and also the

(83)

LDAP References

• Redbook: Integrating AIX into Heterogenous LDAP Environments

• AIX Knowledge Center

• IBM Security Directory Server Administration Guide

• I have an LDAP section of links on my links page on securitysteve.net

(85)

IBM Systems Lab Services & Training - Power Systems

Services for AIX, i5OS, and Linux on Power – PowerCare Eligible

http://www.ibm.com/systems/services/labservices/platforms/labservices_power.html

RHEL Security Assessment

Terms and Conditions: Actual tasks, deliverables, service estimates, and travel requirements vary with each client's environment. When we have reached a final agreement on the scope of your initiative and our level of assistance, a formal document describing our proposed work effort, costs, etc., will be presented for your approval and signature.

Overview:

As detailed in the Ponemon Institute's survey, “2015 Cost of Data Breach Study”, the average cost of a computer breach at a large company globally was $3.79 million. For U.S.-based companies, the average cost was much higher, 6.5 million. These costs have risen globally 23% since 2013. In the “2014 Global Report on the Cost of Cyber Crime”, the Ponemon Institute, a security research center, recommends that deployment of security intelligence systems and maintaining a strong security posture makes a difference and moderates the cost of cyber attacks.

IBM Lab Services is providing the following services to help you reduce your security risk and improve the security of your information assets. These services are being provided to help you deploy the type of security intelligence systems and achieve the strong security posture recommended by the Ponemon Institute.

The RHEL Security Assessment's goal is to identify effective security controls for your company to utilize which will significantly reduce your security risk.

This service is designed for IBM Power Systems customers. The security controls have been recommended for Red Hat Enterprise Linux by the United States NSA Information Assurance Directorate. The controls are primarily based on Red Hat and security community consensus-based recommendations.

Client Benefits

• Helps achieve regulatory compliance, such as PCI, HIPAA, etc

• Helps improve RHEL security configurations and lower risk

• Helps promote the adoption of the latest RHEL security solutions

• Provides a baseline for defining standard RHEL image builds

• Learn of hundreds of security controls to reduce security risk

Duration

Time varies depending on scope requested: 1-3 days on-site

Phase 1 – Preparation (remote):

Conference calls are held prior to the service to validate the scope, agenda, schedule and required materials.

• Client provides overview of their current RHEL security environment
• IBM team prepares the service agenda/schedule
• IBM team details security data collection process
• IBM team provides customer security questionnaire
• Identify required materials / Finalize key players

Phase 2 – RHEL Security Assessment (on-site):

Assessment Phase

• Partition data is collected

• Data is processed and assessment documents are created

Review Phase

• Consultant holds a review of the results of the assessment with key customer staff

• Additional presentations may be provided on recommended security solutions

Deliverables – Detailed RHEL Security Assessment Findings document, Heat Map, Executive Summary

References:

NSA RHEL Guidelines

https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

Erin M. Hansen - PowerCare Opportunity Manager [email protected]

Linda Hoben – Opportunity Manager [email protected] 1-720-395-0556

Stephen Brandenburg – Opportunity Manager [email protected] 1-301-240-2182


(86)


Stephen Dominguez

www.securitysteve.net

If you'd like for me to set up a conference call so we can chat about security, shoot me an email at [email protected]
