Dec12thPart2: Introducing AIX Version 6.1 (IBM presentation, 26 slides)

Slide 1 of 26

2007 IBM Corporation

This document is for IBM and IBM Business Partner use only. It is not intended for customer distribution or use with customers.

Introducing AIX Version 6.1
Daniel Sobik

Slide 2 of 26

AIX V6.1 Role Based Access Control (RBAC)

What is it?
- A new capability of AIX V6.1 that allows privileged administration tasks to be delegated to non-privileged users
- Access to system resources is associated with roles that are assigned to non-privileged users
- Many roles are predefined, which can reduce the effort of implementing RBAC
- Roles can also be associated with programs

How it can help?
- Allows for new ways to delegate administration duties between system administrators and non-administrative users
- Can reduce the cost and complexity of security administration by allowing secure delegation of administrative tasks to non-privileged users
- Enables a more secure IT infrastructure by reducing the need for so many privileged administrators
- Assigning roles to programs can reduce the need for security exposures such as the use of setuid for programs

(Diagram: users are assigned roles such as DBA, PRINT and BACKUP, and the roles map onto AIX resources.)

Slide 3 of 26

Role Based Access Control (RBAC)

Authorizations: mechanism to grant access to commands or certain functionality. Context aware.

Roles: a container for authorizations that can be assigned to a user.

Privileges: process attribute that allows a process to bypass a security restriction. Not context aware.

Authorizations vs. privileges:
- Auths exist only outside of the kernel, privs only inside
- Auths enable access to commands, privs enable execution of single functions, e.g. "run mkuser" vs. "PV_DAC_W"

Slide 4 of 26

Role Based Access Control (RBAC): separation of duties through roles

Main pre-defined AIX roles:
- ISSO, Information Systems Security Officer: establishes and maintains security policy
- SA, System Administrator: creates user accounts, groups, etc.; installs software packages
- SO, System Operator: archives file systems, manages the line printer, shuts down the system

Additional pre-defined AIX roles: AccountAdmin, BackupRestore, DomainAdmin, FSAdmin, SecPolicy, SysBoot, SysConfig.
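The authorization/privilege split of slide 3 and the setuid replacement that slide 2 alludes to, as an added shell example written for this page (it is not IBM code and not from the deck): a backup helper loses its setuid bit and is instead registered as a privileged command that the kernel only grants two privileges to, and only when the caller holds an authorization that is packaged in a role. The names are hypothetical: site.backup (authorization), BackupOp (role), /usr/local/sbin/dbbackup (helper) and dbadmin (operator). The AIX 6.1 Enhanced RBAC commands used are mkauth, setsecattr, mkrole, chuser, setkst and the read-back commands lsrole, lssecattr and lsuser; every command is printed rather than executed unless RBAC_APPLY=1 is set, so the script can be reviewed on any system.

```shell
#!/bin/sh
# Added example (not from the IBM deck): replace a setuid-root helper with an
# RBAC authorization + privileged command entry + role on AIX 6.1 Enhanced RBAC.
# site.backup, BackupOp, /usr/local/sbin/dbbackup and dbadmin are hypothetical.
# Commands are printed unless RBAC_APPLY=1 is set.

run() {
    if [ "${RBAC_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Privileges the helper actually needs: read past DAC on the data files and write
# the archive. Deliberately NOT PV_ROOT, which would be setuid root under another name.
BACKUP_PRIVS=PV_DAC_R,PV_DAC_W

delegate_backup() {   # authorization, role, command path, user
    auth=$1; role=$2; cmd=$3; user=$4
    # 1. Authorization hierarchy: the parent ("site") must exist before the child.
    run mkauth dfltmsg='Custom site authorizations' "${auth%.*}"
    run mkauth dfltmsg='Run the database backup helper' "$auth"
    # 2. Privileged command entry: the kernel grants $BACKUP_PRIVS to $cmd only when
    #    the caller holds $auth in an active role, so the setuid bit goes away.
    run chmod u-s "$cmd"
    run setsecattr -c accessauths="$auth" innateprivs="$BACKUP_PRIVS" secflags=FSF_EPS "$cmd"
    # 3. Role carrying the authorization, assigned to the operator account.
    run mkrole authorizations="$auth" dfltmsg='Database backup operator' "$role"
    run chuser roles="$role" "$user"
    # 4. Reload the kernel security tables; the new entries are inert until then.
    run setkst
}

# Read-back checks an auditor would run afterwards.
verify_delegation() {   # role, command path, user
    run lsrole -a authorizations "$1"
    run lssecattr -c "$2"
    run lsuser -a roles "$3"
}

delegate_backup site.backup BackupOp /usr/local/sbin/dbbackup dbadmin
verify_delegation BackupOp /usr/local/sbin/dbbackup dbadmin
# The operator then activates the role in a session ('swrole BackupOp') and runs dbbackup.
```

The important line is the setsecattr one: accessauths is the context-aware authorization check done in user space, innateprivs is the context-free privilege set the kernel attaches to the process, which is exactly the distinction slide 3 draws.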

Slide 5 of 26

AIX V6.1 Security Expert

What is it?
- A centralized security management tool that can control over 300 security settings from a single console
- Administrators can start from a Low, Medium, High or Sarbanes-Oxley security template and customize settings to meet business requirements
- Security settings can be exported and imported as a security profile to multiple systems
- On AIX V6.1, security profiles can be stored in an LDAP directory for ease of distribution
- AIX Security Expert was first included in AIX V5.3 TL5

How it can help?
- Allows for new ways to efficiently manage security across multiple AIX systems
- Can reduce the cost and complexity of security administration by allowing federated management of security profiles across multiple servers
- Enables a more secure IT infrastructure by reducing the effort of maintaining system security
- The check functionality can provide additional security by validating that the security profile for each system matches the actual security settings
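The export, import and check cycle the slide describes, as an added shell example written for this page (not IBM code): a profile is derived from a template, reviewed, applied locally, pushed to other hosts, and each host is then checked for drift between the profile and its live settings. The aixpert options used (-l level, -n -o file to write the rules without applying them, -f file to apply a profile, -c to check) are from the aixpert command reference as the editor recalls it and should be confirmed against the target system's man page; the host names, the /tmp and custom-profile paths, and root ssh/scp access are hypothetical. Nothing is executed unless AIXPERT_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the IBM deck: build a hardened profile once, push it to
# other AIX 6.1 hosts, and use 'aixpert -c' to detect drift between the profile
# and the live settings. Hosts and paths are hypothetical. Nothing is executed
# unless AIXPERT_APPLY=1; otherwise each command line is printed for review.

run() {
    if [ "${AIXPERT_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Write the rules for a template level to a profile file without applying them
# (-n), so the profile can be reviewed and customised before distribution.
build_profile() {   # level (low|medium|high|default|sox-cobit), profile file
    case $1 in
        low|medium|high|default|sox-cobit) ;;
        *) echo "build_profile: unknown level '$1'" >&2; return 1 ;;
    esac
    run aixpert -l "$1" -n -o "$2"
}

# Apply a profile on the local host and immediately verify it. 'aixpert -c'
# compares the recorded profile with the actual settings and reports mismatches
# (AIX writes them to /etc/security/aixpert/check_report.txt).
apply_and_check() {   # profile file
    run aixpert -f "$1" && run aixpert -c
}

# Push one profile to every listed host and run the same apply+check there.
distribute() {   # profile file, host...
    profile=$1; shift
    for host in "$@"; do
        run scp "$profile" "root@$host:/etc/security/aixpert/custom/site.xml"
        run ssh "root@$host" "aixpert -f /etc/security/aixpert/custom/site.xml && aixpert -c"
    done
}

# Demo (print mode): derive a site profile from the High template and roll it out.
build_profile high /tmp/site.xml
apply_and_check /tmp/site.xml
distribute /tmp/site.xml aix01 aix02
```

Run the check step on a schedule, not only at rollout time: the slide's point is that the profile is a declared state, and 'aixpert -c' is what turns a one-off hardening into a repeatable control.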

Slide 6 of 26

Secure by Default (SbD)

AIX 6 introduces three new security installation options:
- Trusted AIX (MLS)
- LSPP/EAL4+
- SbD, Secure by Default

SbD is the new default security option:
- Installs a minimal set of software
- Deletes components that use weak authentication (from bos.net.tcp.client and bos.net.tcp.server) and runs AIX Security Expert to apply hardening for level "high"
- Additional software is installed on an as-needed basis: a "bottom up" approach
- Reverses the traditional "top down" approach of a full install followed by hardening
- Thorough planning is strongly suggested: can all applications' requisites be fulfilled by this install template?

Slide 7 of 26

Secure FTP

- Based on OpenSSL, which is needed to set up and handle keys and certificates
- ftp and ftpd are secured using the TLS protocol; both the command channel and the data channel are encrypted
- A nice add-on to OpenSSH's 'scp' and 'sftp', e.g. for data exchange with legacy systems not offering SSH
- Client usage is 'ftp -s ...'; the TLS settings are configured in the user's ~/.ftpcnf file
- Server usage is implicit; the TLS settings are configured in /etc/ftpd.cnf

Slide 8 of 26

AIX V6.1 Encrypting Filesystem

What is it?
- The capability to automatically encrypt data in a JFS2 filesystem
- Data can be protected from access by privileged users
- Backup in encrypted or clear formats
- Automated key management: the key store is opened on login, integrated into AIX security authentication
- Each file encrypted with a unique key
- No keys stored in clear in kernel memory
- A variety of AES and RSA cryptography keys supported
- Always encrypted on disk; data in clear in memory

How it can help?
- Provides the capability for additional security for applications that may have security design exposures
- Enables improved security by reducing unauthorized access to data, even by privileged users
- Secure backups reduce the exposure of data compromised when backup media is taken outside of secure facilities
- Automatic management of protection keys can reduce the administrative effort of using encrypted data

(Architecture diagram components: VMM; J2 filesystem; CLiC crypto library and crypto kernel extension; user and group key stores; kernel ucred open key store; login authentication module; key store management commands; BOS commands such as cp, mv, crfs; backup/restore.)

Slide 9 of 26

Encrypted File System (EFS)

- Embedded in JFS2, not stacked, for performance and reliability: all JFS2 operations can be performed with an EFS (mounting and unmounting, increasing and decreasing size, defragmenting, removing, ...), but there is no NFS or GPFS support
- In stacked filesystems, data may be lost through strong encryption when the crypto metadata write and the data write are out of sync
- Each file is encrypted with a separate key (stored in its extended attributes)
- Encryption/decryption happens in memory, not on storage, hence no DIO/CIO
- The user keystore is opened by the login password or by a separate password; the keystore password is a credential distinct from the login password
- The keystore holds the user's private and public key (asymmetric encryption, RSA); the per-file key for file encryption/decryption (symmetric encryption, AES) is wrapped with the public key and unwrapped with the private key, a hybrid approach for the sake of performance, like TLS

Slide 10 of 26

Encrypted File System (EFS)

Prerequisites:
- The CryptoLite in C (CLiC) library and kernel extension must be installed and loaded
- Enhanced RBAC must be enabled (default in AIX 6)
- EFS must be explicitly enabled (can be done at any time using 'efsenable')

New and existing filesystems can be encrypted:
- smitty crfs -> "Enable EFS? [yes]", or 'crfs' / 'chfs' along with "-a efs=yes"
- Not to be applied on /, /usr, /var and /opt, since the keystore can't be opened during boot; but that's OK, since EFS' main focus is on protecting user/application data

Encrypted files can be identified by 'ls -U' (the 11th mode character is 'e'):

    # ls -U file*
    -rw-r--r--- 1 root system 0 May 14 13:22 file1
    -rw-r--r--e 1 root system 0 May 14 13:22 file2

User key management is provided with the 'efskeymgr' command.

The performance penalty is said to be low *). Best practice: use it selectively where needed, not everywhere, e.g. on sensitive filesystems only, selected DB columns, etc.

*) According to early benchmarks (1H07) at the Austin ITSO labs, but no hard numbers are available yet.
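The enable-and-audit steps of the last two slides, as an added shell example written for this page (not IBM code): it enforces the rule that /, /usr, /var and /opt stay unencrypted, runs the AIX commands (efsenable, chfs, efskeymgr, efsmgr; printed unless EFS_APPLY=1 is set), and parses 'ls -U' output, whose 11th mode character is 'e' for an encrypted file, to find files that were created before EFS was turned on and are therefore still in the clear. The mount point /data and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the IBM deck: enable EFS on a JFS2 data filesystem and
# audit it for files still stored in the clear. /data and SAMPLE_LS are constructed
# for illustration. AIX commands are printed unless EFS_APPLY=1 is set, so the
# script is safe to read through on any system.

run() {
    if [ "${EFS_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Enable EFS for a filesystem. The keystore cannot be opened during boot, so the
# slide's rule (never /, /usr, /var or /opt) is enforced here rather than trusted.
enable_efs_on() {   # mount point
    case $1 in
        /|/usr|/var|/opt) echo "enable_efs_on: refusing to encrypt $1" >&2; return 1 ;;
    esac
    run efsenable -a          # one-time system setup, root admin mode keystores
    run chfs -a efs=yes "$1"  # files created from now on are encrypted
    run efskeymgr -v          # show which keys this session's keystore holds
}

# 'ls -U' adds an 11th mode character: 'e' = encrypted, '-' = clear.
# Reads a long listing on stdin and prints the names of regular files in the
# clear (file names without spaces are assumed).
unencrypted_files() {
    awk '$1 ~ /^-/ && substr($1, 11, 1) != "e" { print $NF }'
}

# Encrypt every file named on stdin in place: existing files are not converted
# automatically when efs=yes is set on the filesystem.
encrypt_listed() {
    while read -r f; do run efsmgr -e "$f"; done
}

# Constructed 'ls -U' output: file1 predates EFS, file2 was created afterwards.
SAMPLE_LS='total 16
drwxr-xr-x- 2 root system 256 May 14 13:20 archive
-rw-r--r--- 1 root system   0 May 14 13:22 file1
-rw-r--r--e 1 root system   0 May 14 13:22 file2'

# Returns the files still in the clear in the sample, one per line.
audit_sample() {
    printf '%s\n' "$SAMPLE_LS" | unencrypted_files
}

enable_efs_on /data
audit_sample | encrypt_listed
# On a real host replace audit_sample with:  ls -U /data | unencrypted_files
```

The audit matters because turning on efs=yes only affects files created afterwards; without the listing pass, the sensitive data that motivated the change is exactly the data that stays in the clear.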

Slide 11 of 26

Encrypted File System (EFS)

Two keystore protection modes:
- Root Admin Mode. Pro: root can reset user and group keystore access passwords. Con: root might be able to gain access to a user's keystore and encrypted files.
- Root Guard Mode. Pro: root cannot reset user and group keystore access passwords. Con: root cannot gain access to a user's keystore and encrypted files, even when necessary!

(The claim on slide 8 that data is protected even from privileged users therefore only holds in Root Guard Mode.)

EFS backup best practices:
- Back up the raw encrypted form
- Back up the file owner's keystore
- The file owner's keystore password must also be "saved", or files must be re-encrypted in a timely manner when the keystore password changes

Slide 12 of 26

AIX and System p Security Certification Plans *

- AIX 5200-06 CAPP/EAL4+: application 01/11/05, final report 10/26/05, certificate 12/14/05
- AIX 5L 5200-05 and Pitbull LSPP/EAL4+: application 01/11/05, certificate issued 05/16/06
- AIX 5300-05 LSPP/EAL4+ (Pitbull product, supports POWER5 and POWER4): certificate issued 12/19/06
- Pitbull MLS ported to AIX 5300-03: Pitbull product available to customers Dec 31, 05
- AIX 5300-04 CAPP/EAL4+ (supports POWER5 and POWER4): certificate issued 12/19/06
- VIOS EAL4+: included with the AIX 5300-04 CAPP/EAL4+ certification
- AIX 6100-00 CAPP/RBACPP/LSPP/EAL4+ (planned): MLS capabilities integrated into the standard AIX product; one certification for three Protection Profiles; supports POWER6, POWER5, POWER4
- POWER6 hardware EAL4 (proposed): dynamic LPAR with Micro-Partitioning

Legend: AIX V5.2, AIX V5.3, AIX V6.1 (planned), VIOS, POWER6 (proposed)

Certification history:
- AIX 4.2 C2: Apr 24, 1997
- AIX 4.3 C2: May 6, 1998
- AIX 5.2 CAPP/EAL4+: Nov 4, 2002
- POWER4 HW CAPP/EAL4+: Apr 2003
- AIX 5.2 ML1 CAPP/EAL4+: Sept 8, 2003
- AIX 5.2 ML6 CAPP/EAL4+: Dec 14, 2005
- AIX 5.2 ML5 and Pitbull LSPP: May 16, 2006
- AIX 5.3 TL5 and Pitbull LSPP: May 16, 2006
- AIX 5.3 TL4 & VIOS CAPP/EAL4+: Dec 16, 2006

* All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Slide 13 of 26

AIX V6.1 Concurrent Kernel Maintenance

What is it?
- A new capability to install some kernel fixes without having to reboot
- Concurrent kernel maintenance can be applied without substantially impacting application or AIX operations
- Concurrent maintenance can be backed off without an outage
- Theoretically could be used for about 80% of the single-module kernel updates
- Concurrent maintenance will initially be packaged as Interim Fixes
- Traditional install and reboot is still required for upgrades and some kernel maintenance

How it can help?
- This new capability can change the way administrators handle critical fixes such as security patches
- Can provide for higher application and AIX availability by reducing the number of planned outages to reboot for kernel fixes
- Enables greater security by reducing the impact of installing some security fixes

(Diagram: an Interim Fix applied with emgr from user space patches a single kernel function, vmmove(), in place as a concurrent update, alongside unchanged kernel routines such as getgidx() and sleepx().)

Slide 14 of 26

AIX V6.1 POWER6 Storage Keys

What is it?
- Exploitation of a POWER6 processor hardware feature to provide additional isolation of kernel and application data
- Storage keys can prevent invalid changes to memory caused by programming errors
- Application use of POWER6 storage keys is enabled in AIX V5.3
- AIX kernel exploitation of POWER6 storage keys is included in AIX V6.1

How it can help?
- This new capability can reduce the likelihood of an entire class of intermittent application and AIX problems
- Can provide for higher AIX availability by reducing the number of unplanned outages due to intermittent memory overlay
- Enables complex applications that use large amounts of memory to protect core functions from memory overlay

(Diagram, "Before POWER6 Storage Keys" vs. "After POWER6 Storage Keys": the application address space (user code, user data, files, WS, DB2) and the AIX kernel address space (kernel code, kernel data, and the JFS2, LVM, VMM, SCSI, ENT and FC drivers) are shown with and without key-based isolation between the components.)

Slide 15 of 26

AIX 6 dynamic tracing with probevue

- Trace existing programs without recompiling
- Dynamic placement of trace probes
- For debugging and performance analysis
- Traceable calls: AIX system calls, application functions, and application calls to library functions
- Dynamic tracing language called Vue
- Initial support only for C programs

Vue probe code example (countreads.v): counts the read() system calls of the process whose PID is passed as the first script argument ($1) and prints the count every 100 ms. Probe specifications are colon-separated fields and count is declared outside the actions, making it global; both had been lost from the extracted slide text:

    #!/usr/bin/probevue
    /* countreads.v: count read() syscalls of process $1, report every 100 ms */
    int count;                       /* declared outside any action: global */

    @@syscall:$1:read:entry          /* fires on entry to read() in process $1 */
    {
        count++;
    }

    @@interval:*:clock:100           /* fires every 100 ms */
    {
        printf("Number of reads = %d\n", count);
        count = 0;
    }

Running it against PID 404:

    # ./countreads.v 404
    Number of reads = 22
    Number of reads = 0
    Number of reads = 1
    Number of reads = 17
    ...

(Diagram, probe location: a thread in user process code hits a probe point (1), branches to the probe code (2), the probe code runs (3), returns to the probe point (4), and the thread continues execution (5). The probe's formatted I/O goes through trace buffers to a trace consumer, into a trace file or trace output.)

Slide 16 of 26

AIX V6.1 Systems Director Console for AIX

What is it?
- A new web-based management tool that provides easy access to common system administration tasks
- Administrators can access System Management Interface Tool (SMIT) menus from a browser
- The graphical user interface is fast and consistent with the IBM Systems Director look and feel
- All necessary components for the Console are included in AIX
- The Distributed Command Execution Manager (DCEM) feature of the Console allows an administrative task to run on multiple systems at once

How it can help?
- The combination of web access to administration tools and the ability to execute administrative tasks on multiple systems can change the way you manage the AIX OS
- Can reduce the amount of effort and cost associated with managing the AIX OS
- Web access to administrative tasks can simplify systems management
- A consistent user interface with IBM Systems Director and the WPAR Manager can reduce retraining and other administrative costs

All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Slide 17 of 26

Systems Director Console for AIX
- Included with AIX
- Web access to SMIT
- Fast performance
- Integrated with IBM Systems Director

Slide 18 of 26

IBM Systems Director Console: remote AIX management from a web browser

Verify fileset installation:

    lslpp -h sysmgt.pconsole.rte

Use SRC to control the Director console:

    # lssrc -s pconsole
    Subsystem         Group            PID          Status
     pconsole         pconsole         319644       active

Stop and start with stopsrc and startsrc.

Access from your browser: http://HostName:5335/ibm/console (plain HTTP as shown on the slide, so keep it on the management network)

View and save commands like smit.

Config file: /pconsole/lwi/conf/overrides/config.properties

Slide 19 of 26

pconsole PMR

"The following has also been brought to my attention from the pconsole team. There is a setting that may also be tried: uncomment the "#-clean=true" line in the file /pconsole/lwi/conf/overrides/config.properties. This allows a refresh of the bundle data for the pconsole instance. The pconsole system would then be restarted with:

    stopsrc -s pconsole
    startsrc -s pconsole

With this setting enabled, the pconsole server startup will take a little longer (i.e. 30 sec), but no runtime performance penalties should occur. It has not been formally decided as of yet, but this setting may become the default in future."

Slide 20 of 26 (no text)

Slide 21 of 26

WPAR command support

From the global LPAR, use the -@ flag to designate the WPAR:

    # ps -ef -@ ec08
     WPAR   UID    PID   PPID   C    STIME    TTY  TIME CMD
     ec08  root 217128 389182   0 15:00:58      -  0:00 /usr/sbin/rsct/bin/IBM.Sensor
     ec08  root 266398 389182   0 15:00:21      -  0:00 /usr/sbin/rsct/bin/rmcd -a IB
     ec08  root 278634 389182   0 15:00:20      -  0:00 /usr/sbin/rpc.lockd -d 0
     ec08  root 290942 389182   0 15:00:18      -  0:00 /usr/sbin/biod 6

From inside the WPAR, use the normal commands:

    # ps -ef
     UID    PID   PPID   C    STIME    TTY  TIME CMD
    root 217128 389182   0 15:00:58      -  0:00 /usr/sbin/rsct/bin/IBM.Sensor
    root 266398 389182   0 15:00:21      -  0:00 /usr/sbin/rsct/bin/rmcd -a IB
    root 278634 389182   0 15:00:20      -  0:00 /usr/sbin/rpc.lockd -d 0
    root 290942 389182   0 15:00:18      -  0:00 /usr/sbin/biod 6
    root      1      0   0 15:00:04      -  0:00 /etc/init

Slide 22 of 26

WPAR command support

Some commands are not supported from inside a WPAR:

    # netstat -rn
    Routing tables
    Destination   Gateway   Flags   Refs   Use   If   Exp   Groups
    netstat: Permission error, unable to continue.

Network adapters are aliases on the global partition:

    # ifconfig en0
    en0: flags=1e080863,480

Slide 23 of 26

AIX V6.1 Hardware Support
- Systems based on POWER4, PowerPC 970, POWER5 and POWER6 processors are supported
- 32- and 64-bit applications will continue to run unchanged on AIX 6
- 64-bit kernel only

* Complete details on AIX binary compatibility can be found at http://www.ibm.com/servers/aix/os/compatibility/

Slide 24 of 26

POWER6 Delivers with your Choice of AIX or Linux

Linux on POWER: POWER and x86 apps [2008]; Advanced POWER Virtualization; Reliability, Availability, Serviceability features; scalability to 128 threads

AIX 6*: virtualization (Workload Partitions, Live Application Mobility); security; availability; manageability; binary compatible **

AIX 5L V5.2/5.3: binary compatible with existing applications on POWER6 *; Micro-Partitioning; mainframe-inspired RAS features in hardware and operating system; scalability up to 128 threads

Linux, AIX V5.3 and AIX V6.1: broad application selection; wide range of workloads; reduced complexity; potential cost savings with consolidation; Live Partition Mobility

* Complete details on AIX binary compatibility can be found at http://www.ibm.com/servers/aix/os/compatibility/

Slide 25 of 26 (no text)

Slide 26 of 26

AIX Version 6.1
- Innovative features for virtualization, security, continuous availability, and manageability
- Mainframe-inspired technologies
- Strong future roadmap and IBM commitment

ibm.com/aix