
Page 1: PowerSC Compliance/Monitoring and Pass-through Authentication with ISDS & MSAD

Stephen Dominguez, World Wide AIX and Linux Security Technical Lead – IBM Lab Services – [email protected] - http://www.securitysteve.net - @Secur1tySteve

July 30th 2015

AIX VUG Webinar – AIX Security

Page 2: Who am I?

Peyton Manning/Broncos fan and also love jazz

World-wide AIX and Linux on Power Security Lead for IBM Lab Services

Worked with Power for 18 years, specifically security for 12

I've worked with around 300 corporate customers throughout the world

I have a security blog, www.securitysteve.net

Page 3: Who am I?

You can follow me on twitter, @Secur1tySteve

IBM Lab Services is a cost center that works closely with IBM development to assist Power customers with their systems

To learn about all Lab Services' security services: www.securitysteve.net/consulting-services/

We have several flexible IBM funding programs available to provide security consulting services at no charge to eligible customers

If you'd like me to set up a conference call so we can chat about security, shoot me an email at [email protected]

Page 4: Agenda

Recent statistics on security breaches

PowerSC Security and Compliance Automation (pscxpert)

PowerSC Real Time Compliance (RTC)

Pass-through Authentication with IBM Security Directory Server and Microsoft Active Directory

Page 5: Recent Statistics on Security Breaches

From the Ponemon Institute's “2015 Cost of Data Breach Study: Global Analysis”

Page 6: My blog's “hacking and breaches” links section

http://map.norsecorp.com/

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 7: Ponemon Institute's findings

350 companies surveyed from 11 different countries

Average cost of a security breach for a large company globally: $3.79 million

Average cost of a security breach for a large company in the US: $6.5 million

Since 2013, the costs have risen globally by 23%

Since 2013, the costs have risen in the US by 11%

Average cost of stolen record in US is $217

Average cost of stolen record globally is $154

The cost of simply investigating a breach is $1 million globally

Page 8: Ponemon Institute's findings

CEO Jamie Dimon personally informed shareholders following the JPMorgan Chase data breach that by the end of 2014 the bank will invest $250 million and have a staff of 1,000 committed to IT security.

Ponemon indicated the 3 major reasons for higher breach costs:

1) Cyber attacks have increased in frequency and in the cost to remediate the consequences

2) The consequences of lost business are having a greater impact on the cost of data breach

3) Data breach costs associated with detection and escalation increased

Hackers or criminal insiders (employees, contractors or other 3rd parties) cause most data breaches: 47%

Time to identify and contain a data breach affects cost

Average time to identify breach was 206 days, with range of 20 to 582

Average time to contain breach was 69 days, with a range of 7 to 175

Page 9: PowerSC Security and Compliance Automation

Using the pscxpert command for security hardening

Page 13: What is Security and Compliance Automation?

Deploys security controls on AIX and VIOS partitions according to 4 regulatory security standards

Helps customers deploy regulatory-based controls to help their general AIX and VIOS systems meet compliance standards

It is a system security hardening tool

The command used is pscxpert (replacing aixpert)

Page 14: 4 Security Standards & 1 database profile

Payment Card Industry Data Security Standard v 3.0 (PCI-DSS)

Sarbanes-Oxley Act and COBIT Compliance (SOX/COBIT)

US Dept. of Defense Security Technical Implementation Guide (DoD-STIG)

Health Insurance Portability and Accountability Act (HIPAA)

Database.xml (general purpose)

Page 15: System Requirements

3 PowerSC Managed System Types

AIX 6 TL 7 and greater

AIX 7 TL 1 and greater

VIOS 2.2.1.0 and greater

Page 16: pscxpert – AIX System Security Hardening Tool

Single consistent view of all security configurations

Brings 300+ security settings under central control

Easy to implement – you choose the desired security level

− Low, Medium, High, PCI, HIPAA, DOD, SOX-COBIT

Provides a compliance check and an undo option

Easy to distribute to other systems

Diagram: pscxpert at the centre, controlling Network, Services, File Permissions, Firewall, and Users & Groups

Page 17: How pscxpert implements security policy

Policy Requirements:

Minimum length of password to be 8 characters

Change user password every 90 days

Disable vulnerable services – FTP, Telnet

Enable auditing

Diagram: XML profile file → pscxpert → LPAR 1, LPAR 2 ... LPAR N

Page 18: How are the security controls deployed?

# pscxpert -f /etc/security/aixpert/custom/DataBase.xml -p
Processing prereqbinaudit :cached
Processing prereqcde :cached
Processing prereqgated :cached
Processing prereqipsec :cached
.....
Processing db_minage .....:done.
Processing db_maxage .....:done.
Processing db_maxexpired .....:done.
Processing db_minlen .....:done.
Processing db_minalpha .....:done.
Processing db_minother .....:done.
...
Processing db_SecurityPatches
***************************************************************************************************************
The Operating System should be patched regularly to minimise exposure to security vulnerabilities. Consider using Power SC Trusted Network Connect for Patch Management to keep the systems updated
****************************************************************************************************************
:done.
Processedrules=83 Passedrules=82 Failedrules=1 Level=DB Input file=/etc/security/aixpert/custom/DataBase.xml

General form: pscxpert -f <profile_name>

Page 19: Before and after

User attributes before applying the profile:

# lsuser -f root
root:
  id=0 pgrp=system .... login=true su=true rlogin=true .....
  logintimes= loginretries=0 pwdwarntime=0 account_locked=false
  minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0
  minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0
  histexpire=0 histsize=0 pwdchecks= dictionlist= .......

User attributes after applying the profile:

# lsuser -f root
root:
  id=0 pgrp=system .... login=true su=true rlogin=false ....
  logintimes= loginretries=0 pwdwarntime=0 account_locked=false
  minage=0 maxage=13 maxexpired=8 minalpha=1 minloweralpha=0 minupperalpha=0
  minother=1 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=7
  histexpire=52 histsize=4 pwdchecks= dictionlist=/etc/security/aixpert/dictionary/English .......

Page 20: pscxpert – compliance check

Reports compliance violations

# pscxpert -c
# cat /etc/security/aixpert/check_report.txt
***** famsdev : Jun 22 14:49:35 ******
chusrattr.sh: User attribute maxage, should have value 13, but it is 0 now
chusrattr.sh: User attribute maxexpired, should have value 8, but it is -1 now
chusrattr.sh: User attribute minlen, should have value 7, but it is 0 now
chusrattr.sh: User attribute minalpha, should have value 1, but it is 0 now
chusrattr.sh: User attribute minother, should have value 1, but it is 0 now
chusrattr.sh: User attribute histexpire, should have value 52, but it is 0 now
chusrattr.sh: User attribute histsize, should have value 4, but it is 0 now
chusrattr.sh: User attribute loginretries, should have value 6, but it is 0 now
chdefstanza.sh: User attribute logindisable, should have value 6, but it is 0 now
chdefstanza.sh: User attribute loginreenable, should have value 30, but it is 0 now
chuserstanza.sh: User attribute rlogin in stanza root, should have value false, but its value is NULL now
comntrows.sh: Daemon/Script/String:lpd: should have status disabled, however its entry is not found in file /etc/inittab
comntrows.sh: Daemon/Script/String:dt: should have status disabled, however its entry is not found in file /etc/inittab
cominetdconf.sh: Service ftp using protocol tcp should be disabled, however it is enabled now

Non-compliance reported

Easy to implement a periodic compliance check via crontab or PowerSC RTC
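As an added example (not from the webinar or the PowerSC product), a small Python parser for the check_report.txt lines shown above: it turns each script message into a structured finding (script, subject, expected vs. actual) and tallies them by type, which is the first step toward feeding periodic pscxpert -c results into a ticketing or SIEM pipeline. The sample report is constructed from the slide's message shapes; the host name and timestamp are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of /etc/security/aixpert/check_report.txt. The lines copy the
# message shapes shown on the slide (user attribute, inittab entry, inetd service);
# the host name and timestamp are made up for the example.
SAMPLE_REPORT = """\
***** famsdev : Jun 22 14:49:35 ******
chusrattr.sh: User attribute maxage, should have value 13, but it is 0 now
chusrattr.sh: User attribute minlen, should have value 7, but it is 0 now
chdefstanza.sh: User attribute logindisable, should have value 6, but it is 0 now
chuserstanza.sh: User attribute rlogin in stanza root, should have value false, but its value is NULL now
comntrows.sh: Daemon/Script/String:lpd: should have status disabled, however its entry is not found in file /etc/inittab
cominetdconf.sh: Service ftp using protocol tcp should be disabled, however it is enabled now
"""


@dataclass
class Finding:
    script: str    # helper script that reported the violation, e.g. chusrattr.sh
    kind: str      # user_attr | inittab | inetd | other
    subject: str   # attribute (or stanza:attribute), inittab entry, or service/protocol
    expected: str  # value or state the profile requires
    actual: str    # value or state found on the system


HEADER_RE = re.compile(r"^\*+ (?P<host>\S+) : (?P<ts>.+?) \*+$")
USER_ATTR_RE = re.compile(
    r"User attribute (?P<attr>\S+)(?: in stanza (?P<stanza>\S+))?, "
    r"should have value (?P<expected>\S+), but (?:it is|its value is) (?P<actual>\S+) now$")
INITTAB_RE = re.compile(
    r"Daemon/Script/String:(?P<entry>[^:]+): should have status (?P<expected>\S+), "
    r"however its entry is not found in file (?P<file>\S+)$")
INETD_RE = re.compile(
    r"Service (?P<svc>\S+) using protocol (?P<proto>\S+) should be (?P<expected>\S+), "
    r"however it is (?P<actual>\S+) now$")


def classify(script, msg):
    """Map one report message to a Finding; unknown shapes are kept, not dropped."""
    m = USER_ATTR_RE.match(msg)
    if m:
        subject = f"{m['stanza']}:{m['attr']}" if m["stanza"] else m["attr"]
        return Finding(script, "user_attr", subject, m["expected"], m["actual"])
    m = INITTAB_RE.match(msg)
    if m:
        return Finding(script, "inittab", m["entry"], m["expected"],
                       f"not found in {m['file']}")
    m = INETD_RE.match(msg)
    if m:
        return Finding(script, "inetd", f"{m['svc']}/{m['proto']}",
                       m["expected"], m["actual"])
    return Finding(script, "other", msg, "", "")


def parse_report(text):
    """Parse a check_report.txt body into host, timestamp and a list of Findings."""
    host = timestamp = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:                       # "***** host : date ******" run header
            host, timestamp = h["host"], h["ts"]
            continue
        script, sep, msg = line.partition(": ")
        if not sep:                 # no "script: message" structure at all
            findings.append(Finding("", "other", line, "", ""))
            continue
        findings.append(classify(script, msg))
    return {"host": host, "timestamp": timestamp, "findings": findings}


def summarize(findings):
    """Count findings per kind, e.g. {'user_attr': 4, 'inittab': 1, 'inetd': 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{report['host']} @ {report['timestamp']}: {summarize(report['findings'])}")
    for f in report["findings"]:
        print(f"  [{f.kind}] {f.subject}: expected {f.expected}, actual {f.actual}")
```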

Page 21: Generating a compliance audit report

Page 22: Compatibility check without applying the profile

The -P flag accepts a profile name as input:

pscxpert -c -P <profile name>

# pscxpert -c -P /etc/security/aixpert/custom/PCI.xml -p
Processing pci_minage :done.
Processing pci_maxage : failed.
Processing pci_maxexpired : failed.
Processing pci_minlen : failed.
Processing pci_minalpha : failed.
Processing pci_minother : failed.
Processing pci_maxrepeats :done.
Processing pci_histexpire : failed.
Processing pci_histsize : failed.
Processing pci_loginretries : failed.
Processing pci_logindisable : failed.
Processing pci_loginreenable : failed.
Processing pci_rootrlogin : failed.
Processing pci_rootlogin :done.
...
:done.
Processedrules=82 Passedrules=43 Failedrules=39 Level=PLS Input file=/etc/security/aixpert/custom/PCI.xml

Page 23: Compatibility check is a game changer

Allows you to identify what controls have a high probability of immediately integrating into your system

Controls that fail the compatibility check are what you need to research

The compatibility feature allows you to detect what your existing hardening tooling is NOT doing

One integration possibility is deploying the security controls not being deployed by your existing tooling

This and the audit report feature are fantastic features only available with the PowerSC pscxpert command

Page 24: pscxpert – Customization Feature

Modify existing security rules to meet your compliance requirements

Create new custom rules according to your security policy

Create compliance checks for periodic compliance verification

Create rules to automate day-to-day administrative tasks

Create readily deployable security profiles to meet compliance requirements of security standards like PCI DSS, HIPAA, SOX-COBIT, etc.

Page 25: Creating new rules

pscxpert provides a framework to integrate user-defined scripts to create new rules

Example:

− Create rules to implement password policy

− Create rules to implement login settings

− Create rules to disable services that should be disabled

− Create rules to enable auditing and logging

− Create rules to implement security features like RBAC, EFS, Trusted Execution

− Create rules to enforce network security

− Create rules to secure SSH server configuration

− Create rules to set file permissions

Page 26: Beyond security – administrative tasks

In addition to security rules, the pscxpert customization feature can be used to automate other administrative tasks

Example:

− LDAP setup

− Set and verify permissions and ownership of system files

− Implement PowerSC features

− Network tuning

Page 27: Security and Compliance Automation Summary

Helps companies with meeting compliance

Helps companies verify the hardening has stayed applied

Single tool for hardening AIX & VIOS

Provides framework to define your own security rules

Automation saves time and effort

Best paired with PowerSC RTC, to receive alerts concerning policy violations


Page 29: PowerSC Real Time Compliance

Monitoring file content, file access and security policy changes in real time

Page 30: WHY RTC?

RTC is different from typical security monitoring applications

It registers files with the operating system using AHAFS, the Autonomic Health Advisory File System

AHAFS is a pseudo file system implemented as an AIX kernel extension

AHAFS in turn notifies rtcd when one of the registered files changes

This saves on computing cycles and allows immediate real time notification.

Page 33: Communication of messages

Standard emails can be sent using sendmail

An alternative method is using SNMP

Local logging of messages

Page 34: Email message of content change

Page 35: Email message of access change

Page 36: Content change resulting in security policy violation

Page 37: Monitoring details

By default, approximately 280 files are monitored

You can customize the set of monitored files

Attributes Monitoring triggers an alert when the access to a file changes

Content Monitoring triggers an alert when the contents of a file changes

Page 38: Requirements

For AIX 6: bos.ahafs 6.1.7.0 or later

For AIX 7: bos.ahafs 7.1.1.0 or later

powerscExp.rtc

powerscExp.license

OPTIONAL: for automated compliance: powerscExp.ice

NOTE: all PowerSC filesets are in PowerSC Express Ed.

Page 39: SUMMARY

PowerSC provides unique compliance and monitoring capabilities only available with PowerSC

PowerSC – Security & Compliance Automation provides comprehensive security controls

PowerSC – RTC provides a sophisticated kernel-based tool for real time monitoring which dramatically enhances the capabilities of PowerSC Security & Automated Compliance

IBM Lab Services provides a 3 day workshop: pscxpert & RTC - install, configure and customize

Additional integration assistance services are available

Page 40: PowerSC pricing by Edition and System Tier

PowerSC Standard Edition (PID 5765-PSE) is priced per activated core, similar to the way PowerVM is priced. Prerequisite: PowerVM.

– Intended for hardening virtualization deployments on PowerVM

Power Systems Tier         PowerSC Standard Edition
Large                      $625 + $125
Medium                     $313 + $63
Small (includes Blades)    $125 + $25

Pricing is per-activated-core license + SWMA after 1st year (example shown is $US for NA region)

• PowerSC Trusted Surveyor (PID 5765-PTS) is priced per monitored HMC: $10,000 per HMC, no tiering. Only one license is needed for dual-HMC configurations

Per Monitored Console      PowerSC Trusted Surveyor
HMC                        $10,000 + $2,000 SWMA after 1st year (example shown is $US for NA region)

Page 41: PowerSC pricing for maximum POWER models

Tier     POWER Model   Cores   PowerSC Standard Edition
Large    795           256     $160,000
Medium   770           64      $20,032
Small    750           32      $4,000
Small    S822          16      $2,000

Pricing for Express is capacity-based pricing. The example above is for all cores. Pricing is per-activated-core license (example shown is $US for NA region).

Page 42: Pass-through Authentication with IBM Security Directory Server and Microsoft Active Directory

The perfect general solution for centralized AIX user management

Page 44: No ISDS licensing and support cost for AIX

No cost --- $0

Use of ISDS for AIX authentication and identification is covered under your AIX SWMA

This only applies to an LDAP client or LDAP server running on AIX with SWMA

If you have a technical issue, open an AIX ticket and it will be routed to Tivoli support

I have a US customer that has been happily using ISDS for several hundred AIX partitions for over 5 years

Page 45: Why LDAP? #1 Make life easier

Page 46: Why LDAP? #2 Improve security

Separation of Duties

Reduce Shared Access

User auditing based on general user accounts

Promote integrity of security tooling

Page 47: What is AIX Authentication?

When an AIX user accesses a system, his password is verified to authenticate the userid to the system

Page 48: What is AIX identification?

The list of user and group attributes on the system

Page 49: AIX User Authentication & Identification

AIX’s LAM framework, e.g. compat, nis, files, LDAP

AIX’s compound LAM framework, e.g. LDAPAfiles, KRB5files, KRB5Afiles

Page 50: What is files-based Security?

User passwords (authentication) stored locally on each individual LPAR

User accounts (identification) stored locally on each individual LPAR

Decentralized

Page 52: Why is LDAP so important?

Centralized authentication – (authentication is the checking and updating of passwords)

Centralized identification – (identification determines the set of attributes that describe your users and groups)

Page 53: Benefits of LDAP

Manage one password per user account

Allows applications to operate correctly that rely on user-identification in a distributed environment. For example, NFS

User creation only on one system vs. many

User deactivation only on one system vs. many

When using ITDS, user access can be specified on server for all AIX clients being accessed by user

Page 58: What is LDAP Schema?

Controls how information is added to the Directory

There are 3 major types:

RFC2307AIX

RFC2307

IDMU

Page 60: A major issue migrating to LDAP

File-based user accounts out of sync

LDAP servers export the same namespace to LDAP clients

LDAPAfiles is the solution

Page 61: LDAPAfiles

Allows you to use LDAP only for authentication

You use this when your local account is completely out of sync with the user account on LDAP

You use the local account information

You can determine which users are LDAP users and LDAPAfiles users on a per-system and per-user basis. For example, LPAR_01 has 100 out of 100 AIX general accounts using LDAP for authentication and identification, but on LPAR_02, 90 users are pure LDAP users and 10 users are LDAPAfiles.

Page 62: Restricting system access

A typical LDAP client sees all users in your directory

A typical question is how to limit access to a select set of users on a per-partition basis

Netgroups, host_allow_login, pam_modules possible

Most sophisticated method is “login tagging”

Page 63: What is login tagging?

We tag a user's LDAP account with various tags

The tags indicate what type of system access the user should have, e.g. user steve could be tagged with “db2” and “nfs_server”, so steve should be able to log in to db2 systems or NFS servers

The LDAP client system is configured to only see users with certain tags.

The LDAP client can define logical operations on login tags, e.g. the client only sees users who are tagged either “db2” or “nfs_server” but never tagged “tnc server”

Lab Services provides a login tagging tool in our services that greatly simplifies this configuration and ongoing administration
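The login-tagging idea above, as an added Python model (not the Lab Services tool nor any AIX or LDAP client code): each user carries a set of tags, a client policy combines tags with and/or/not, and the same policy is rendered as an RFC 4515 search filter a client could apply to its user search. The sample users, their tags and the attribute name logintag are assumptions constructed for this example.

```python
import re

# Constructed sample directory: uid -> set of login tags carried by that user's
# LDAP entry. Names, tags and the attribute name "logintag" are assumptions
# made for this example, not values from the webinar.
SAMPLE_USERS = {
    "steve": {"db2", "nfs_server"},
    "alice": {"db2", "tnc_server"},
    "bob":   {"nfs_server"},
    "carol": {"web"},
    "dave":  set(),
}

TAG_RE = re.compile(r"^[A-Za-z0-9_.-]+$")   # tags are plain tokens; reject anything else


# A client policy is a small tree:
#   ("tag", name) | ("and", [nodes]) | ("or", [nodes]) | ("not", node)
def tag(name):
    if not TAG_RE.match(name):
        raise ValueError(f"invalid login tag {name!r}")
    return ("tag", name)

def all_of(*nodes):
    return ("and", list(nodes))

def any_of(*nodes):
    return ("or", list(nodes))

def none_of(node):
    return ("not", node)


def evaluate(policy, tags):
    """True if a user carrying `tags` satisfies the client's policy."""
    kind = policy[0]
    if kind == "tag":
        return policy[1] in tags
    if kind == "and":
        return all(evaluate(n, tags) for n in policy[1])
    if kind == "or":
        return any(evaluate(n, tags) for n in policy[1])
    if kind == "not":
        return not evaluate(policy[1], tags)
    raise ValueError(f"unknown policy node {kind!r}")


_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value):
    """RFC 4515 value escaping, so a tag value can never alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def to_ldap_filter(policy, attr="logintag"):
    """Render the policy as an LDAP search filter over the tag attribute."""
    kind = policy[0]
    if kind == "tag":
        return f"({attr}={escape_value(policy[1])})"
    if kind == "not":
        return f"(!{to_ldap_filter(policy[1], attr)})"
    if kind in ("and", "or"):
        op = "&" if kind == "and" else "|"
        return "(" + op + "".join(to_ldap_filter(n, attr) for n in policy[1]) + ")"
    raise ValueError(f"unknown policy node {kind!r}")


def visible_users(policy, users):
    """The subset of directory users this client would see, sorted by uid."""
    return sorted(uid for uid, tags in users.items() if evaluate(policy, tags))


# The policy from the slide: tagged "db2" or "nfs_server", but never "tnc_server".
DB2_OR_NFS_NOT_TNC = all_of(any_of(tag("db2"), tag("nfs_server")),
                            none_of(tag("tnc_server")))

if __name__ == "__main__":
    print(to_ldap_filter(DB2_OR_NFS_NOT_TNC))
    print(visible_users(DB2_OR_NFS_NOT_TNC, SAMPLE_USERS))
```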

Page 64: LDAP Server Options

IBM’s Tivoli Directory Server

MSAD

Other RFC2307 servers

Page 65: MSAD AIX User Attribute Administrative Interface

Page 66: ISDS AIX User Attribute Administrative Interface

Pages 67-75: screenshot slides (no extractable text)

Additional centralized options (ISDS only)

Enhanced RBAC policies

AIX Security Expert policies

Trusted Execution's TSD database

EFS (Encrypted File System)

HMC RBAC roles

VIOS RBAC roles

HMC login

VIOS login

Page 76:


Why Should MSAD handle authentication?

99.9% of IBM customers using AIX use MSAD for their corporate Identity Management.

99.9% of IBM customers using AIX have a corporate MSAD-based password

Instead of having to remember a separate AIX/UNIX/Linux password, use the existing MSAD corporate password for AIX/UNIX/Linux authentication

Page 77:


Why Should ISDS handle Identification?

ISDS implements the RFC2307AIX schema, which is the most compatible schema for AIX user management

Unlike MSAD, ISDS provides a graphical web-based administrative interface that can manage all the user attributes possible with the RFC2307AIX schema

In addition to AIX, ISDS can support your other UNIX/Linux operating system LDAP clients

Page 78:


Who Benefits Using PTA?

Administrators needing access to their AIX/UNIX/Linux systems

Application user communities who need to access an application that is running on AIX/UNIX/Linux

Page 79:

Simple Topology

Page 80:

PTA features

Can support any level and any configuration of MSAD

No alteration of your existing MSAD environment

Uses SSL/TLS to encrypt all communication

Provides the ability to use a Windows-based password when logging onto an AIX/UNIX/Linux partition

When an application server utilizes OS-based security, allows users running application clients on any operating system to authenticate to the application server using their MSAD-based password

Can eliminate recurring password resets for non-MSAD-based passwords

Any length of password and login name can be used on your AIX LDAP clients

The AIX login username does not need to be identical to the MSAD login username

Allows you to utilize LDAPA (AIX's LDAP authentication-only mode, with identification from files) for accounts that are out of sync

Page 81:


PTA features continued

On a per-AIX-user basis, you may exclude a user from PTA authentication and use a separate password stored on ISDS

No delay: passwords reset on Windows are immediately effective on AIX systems

It is possible to map multiple AIX/UNIX/Linux login names to a single MSAD password

On different AIX LDAP clients, it is possible to map the same login name to different MSAD passwords

When using an MSAD trusted root certificate, high availability can be provided to the PTA server by pointing the ISDS server at the MSAD domain rather than a single domain controller

Allows AIX administrators to update UNIX user/group attributes by leveraging the standard AIX command line interface without needing access to the MSAD server
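As an added example (not code from the webinar, from IBM Lab Services, or from ISDS itself), here is a pre-flight check a practitioner could run over LDIF exports of both directories before turning PTA on. It exercises the mapping rules the two feature slides describe: an AIX login name need not match the MSAD name, several AIX logins may map to one MSAD account, a user with a separate ISDS password is excluded from PTA, and accounts out of sync need a fallback. The attribute name `ptaMsadLogin`, the sample entries, and the treatment of a local `userPassword` as the per-user exclusion are assumptions made for this example; the only real Active Directory detail relied on is the `userAccountControl` disable bit.

```python
from collections import defaultdict

# Added example: pre-flight check of AIX-to-MSAD pass-through authentication mappings.
# 'ptaMsadLogin' is an assumed attribute name carrying the MSAD login for an AIX user;
# it is not an ISDS schema attribute. All entries below are constructed sample data.
MAP_ATTR = "ptaMsadLogin"
ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled Active Directory accounts

# Constructed ISDS export (AIX users, RFC2307AIX-style uid/uidNumber):
# sdominguez and oracle map to one MSAD account; jdoe maps to a disabled account;
# legacy maps to an account that no longer exists; appsvc keeps a local ISDS
# password (assumed PTA exclusion); orphan has neither a mapping nor a password.
ISDS_LDIF = """\
dn: uid=sdominguez,ou=People,cn=aixdata
uid: sdominguez
uidNumber: 1001
ptaMsadLogin: stephen.dominguez

dn: uid=oracle,ou=People,cn=aixdata
uid: oracle
uidNumber: 1002
ptaMsadLogin: Stephen.Dominguez

dn: uid=jdoe,ou=People,cn=aixdata
uid: jdoe
uidNumber: 1003
ptaMsadLogin: john.doe

dn: uid=legacy,ou=People,cn=aixdata
uid: legacy
uidNumber: 1004
ptaMsadLogin: former.employee

dn: uid=appsvc,ou=People,cn=aixdata
uid: appsvc
uidNumber: 1005
userPassword: {SSHA}constructed-hash-not-real

dn: uid=orphan,ou=People,cn=aixdata
uid: orphan
uidNumber: 1006
"""

# Constructed MSAD export: 512 = normal enabled account, 514 = 512 | ACCOUNTDISABLE.
MSAD_LDIF = """\
dn: CN=Stephen Dominguez,OU=Users,DC=example,DC=com
sAMAccountName: stephen.dominguez
userAccountControl: 512

dn: CN=John Doe,OU=Users,DC=example,DC=com
sAMAccountName: john.doe
userAccountControl: 514
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    repeated attributes collected into lists. Base64 ('::') values and line
    folding are not handled; the constructed dumps above do not use them."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def check_pta_mappings(isds_ldif, msad_ldif):
    """Classify each AIX login by how it will (or will not) authenticate under PTA."""
    # sAMAccountName is compared case-insensitively, as Active Directory does.
    msad = {e["sAMAccountName"][0].lower(): e for e in parse_ldif(msad_ldif)}
    report = {"pta": {}, "local": [], "unmapped": [], "missing_msad": [],
              "disabled_msad": [], "shared": defaultdict(list)}
    for entry in parse_ldif(isds_ldif):
        login = entry["uid"][0]
        if "userPassword" in entry:
            report["local"].append(login)      # per-user exclusion: ISDS password is used
            continue
        if MAP_ATTR not in entry:
            report["unmapped"].append(login)   # nothing can authenticate this login
            continue
        target = entry[MAP_ATTR][0].lower()
        report["shared"][target].append(login)
        ad = msad.get(target)
        if ad is None:
            report["missing_msad"].append(login)
        elif int(ad.get("userAccountControl", ["0"])[0]) & ACCOUNTDISABLE:
            report["disabled_msad"].append(login)
        else:
            report["pta"][login] = target
    # report only MSAD accounts that back more than one AIX login
    report["shared"] = {k: v for k, v in report["shared"].items() if len(v) > 1}
    return report


if __name__ == "__main__":
    for key, value in check_pta_mappings(ISDS_LDIF, MSAD_LDIF).items():
        print(f"{key:14s} {value}")
```

Run it before enabling PTA and treat `unmapped`, `missing_msad` and `disabled_msad` as the accounts that will lock people out on day one: they need either a corrected mapping on ISDS or a local/LDAPA password until the two directories are back in sync. The `shared` list is not an error, but it shows which MSAD credentials unlock several AIX identities and therefore deserve a closer look.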

Page 82:


Lab Services PTA Consulting Services

3-week Identity Management consulting service

Knowledge transfer, SSL implementation, replication, upgrade of components, web-based administration tool, training in essential LDAP concepts, essential LDAP server administration, LDAP client functionality

Also provides assistance with integrating other UNIX/Linux clients

Lab Services customers obtain a PTA mapping tool and a login tagging tool that are only available via our consulting service

Page 83:

LDAP References

• Redbook: Integrating AIX into Heterogenous LDAP Environments

• AIX Knowledge Center

• IBM Security Directory Server Administration Guide

• I have an LDAP section of links on my links page on securitysteve.net


Page 84: screenshot slide (no extractable text)

Page 85:

IBM Systems Lab Services & Training - Power Systems Services for AIX, i5/OS, and Linux on Power – PowerCare Eligible

http://www.ibm.com/systems/services/labservices/platforms/labservices_power.html

RHEL Security Assessment

Terms and Conditions: Actual tasks, deliverables, service estimates, and travel requirements vary with each client's environment. When we have reached a final agreement on the scope of your initiative and our level of assistance, a formal document describing our proposed work effort, costs, etc., will be presented for your approval and signature.

Overview: As detailed in the Ponemon Institute's survey, "2015 Cost of Data Breach Study", the average cost of a computer breach at a large company globally was $3.79 million. For U.S.-based companies, the average cost was much higher, $6.5 million. These costs have risen globally 23% since 2013. In the "2014 Global Report on the Cost of Cyber Crime", the Ponemon Institute, a security research center, recommends that deployment of security intelligence systems and maintaining a strong security posture makes a difference and moderates the cost of cyber attacks.

IBM Lab Services is providing the following services to help you reduce your security risk and improve the security of your information assets. These services are being provided to help you deploy the type of security intelligence systems and achieve the strong security posture recommended by the Ponemon Institute.

The RHEL Security Assessment's goal is to identify effective security controls for your company to utilize which will significantly reduce your security risk.

This service is designed for IBM Power Systems customers. The security controls have been recommended for Red Hat Enterprise Linux by the United States NSA Information Assurance Directorate and are primarily based on Red Hat and security-community consensus-based recommendations.

Client Benefits
• Helps achieve regulatory compliance, such as PCI, HIPAA, etc.
• Helps improve RHEL security configurations and lower risk
• Helps promote the adoption of the latest RHEL security solutions
• Provides a baseline for defining standard RHEL image builds
• Learn of hundreds of security controls to reduce security risk

Duration
• Time varies depending on scope requested: 1-3 days on-site

Phase 1 – Preparation (remote): Conference calls are held prior to the service to validate the scope, agenda, schedule and required materials.
• Client provides overview of their current RHEL security environment
• IBM team prepares the service agenda/schedule
• IBM team details security data collection process
• IBM team provides customer security questionnaire
• Identify required materials / Finalize key players

Phase 2 – RHEL Security Assessment (on-site):

Assessment Phase
• Partition data is collected
• Data is processed and assessment documents are created

Review Phase
• Consultant holds a review of the results of the assessment with key customer staff
• Additional presentations may be provided on recommended security solutions

Deliverables – Detailed RHEL Security Assessment Findings document, Heat Map, Executive Summary

References: NSA RHEL Guidelines, https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

Erin M. Hansen - PowerCare Opportunity Manager, [email protected]
Hoben - Opportunity Manager, [email protected], 1-720-395-0556
Stephen Brandenburg - Opportunity Manager, [email protected], 1-301-240-2182

Page 86:


Stephen Dominguez

www.securitysteve.net

If you'd like me to set up a conference call so we can chat about security, shoot me an email at [email protected]

Let’s Stay in Touch!