Implementing and Maintaining AIX Security Policies
Andre Derek Protas
03/25/2005
System/Data Integrity
Even though a server may be very secure and hardened, there is always the likelihood of
intrusion, either from inside the network or from outside. The main goal of an intruder is usually to
open holes in the system so that they can get back in later: Trojan horses, new users with a UID of 0
(root), and so on. Integrity systems watch system-critical files and raise alerts when those files are
tampered with. Integrity systems can also be used to monitor network traffic to the server. Standard
AIX includes integrity programs, but the commercial or open-source products are often more robust.
UID Control
- Summary:
  - User ID values identify the user. They must be unique and non-repeating. Most importantly,
    there should be only one UID of 0 (root). A common entry point for a hacker is to create a new
    user with a UID of 0, which opens a backdoor to root access.
- Location of File:
- Reference:
  - Is Your AIX Environment Secure?, Shiv Dutta
- Default Security:
  - Only root has a UID of 0, but this must be maintained.
- Standard Security:
  - crontab the following command to run daily:
    - awk -F: '{if($3 == 0) print $1}' /etc/passwd
  - This command lists every account whose UID is 0. There should be only one: root.
Audit Control
- Summary:
  - The audit subsystem can be used by a security administrator to step through potential or
    actual exploits of security policy. Audits allow security holes to be revealed, and the
    extensive logging lets the administrator trace the path taken through the system in the case
    of an exploit or breach of security. Some of the logging events supported are: kernel
    logging, change configuration, change host ID, change route, connection, create socket,
    export object, etc.
- Location of File:
- Reference:
  - AIX Security Manual (page 47)
  - IBM System Management Guide: Communication and Networks
- Default Security:
  - The audit subsystem is not enabled.
- Standard Security:
  - Use the watch command to audit a single command without enabling the full subsystem.
  - Example: watch -e FILE_Open -o /tmp/vi.watch vi /etc/hosts
  - This command records every file-open event that occurs while vi /etc/hosts is running.
- Enhanced Security:
  - Implement and launch the audit subsystem. More directions and documentation can be found in
    the IBM Security Manual (page 53).
Remote Syslog Exploit
- Summary:
  - Syslog is used to record common system errors. Remote syslog is set up when a system's
    syslog configuration has an @hostname in the action field for a message: the system then
    sends that log entry to the other system for notification. The problem lies in the fact that
    no authentication is used for this service, and the format of a remote syslog message is well
    documented (www.insecure.org/AIX_Sploits). This exploit allows fake syslog entries to be
    created. It may also be used as a DoS attack if enough syslog messages are sent to cause a
    memory overrun.
- Location of Problem:
  - netstat -a | grep udp
  - This command lists the sockets open for UDP (which is typically where the syslog network
    daemon listens). If nothing is reported for udp, sort through the full netstat -a | pg list.
- Reference:
  - www.insecure.org/sploits_AIX.html
- Default Security:
  - The remote syslog daemon is listening and is vulnerable to syslog spoofs and possibly DoS
    attacks.
- Standard Security:
  - Allow syslog messages to come in, but put a resource limit on the amount of resources syslog
    can take. Also, ensure that no syslog message can trigger a script to be run.
- Enhanced Security:
  - Disabling the remote syslog daemon will keep remote syslog messages from coming in.
TCPD (aka "TCP Wrapper")
- Summary:
  - This program enhances logging and access control for network services. It is stable, and
    its logs are very detailed. TCPD does basic auditing of the IP addresses of connections
    arriving through inetd and then calls the requested service. It can be used purely for
    auditing, or as an intrusion stopper. It is best utilized together with PortSentry.
- Location of File:
  - /etc/inetd.conf should execute tcpd.
- Reference:
  - ftp://ftp.porcupine.org/pub/security/index.html
  - www.cert.org
  - Is Your AIX Environment Secure?, Shiv Dutta
- Default Security:
- Standard Security:
  - Implement tcpd to audit TCP connections.
- Enhanced Security:
  - Implement tcpd in PARANOID mode.
  - Deny all hosts (hosts.deny = all:all) and manually list the acceptable hosts in the
    /etc/hosts.allow file.
  - Use tcpd to block intruders from reaching certain daemons such as telnet, rlogin, and finger.
  - Launch TCPD with PortSentry to allow for dynamic port scan blocking.
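The default-deny policy described in the Enhanced Security items above, as an added example that is not part of this document or of the tcp_wrappers package. It writes a hosts.deny/hosts.allow pair into a scratch directory and then walks the two files in the order tcpd consults them (hosts.allow first, then hosts.deny, otherwise allow) with a deliberately small matcher that understands only ALL, exact hosts or addresses, and trailing-dot network prefixes. The daemon names and the 10.1.2. network are constructed for the example; on a live system the files live in /etc, and a real configuration should be validated with the tcpdchk and tcpdmatch tools that ship with the package.

```shell
#!/bin/sh
# Added example: emulate the tcpd allow/deny decision for a default-deny
# policy. Not the tcp_wrappers code itself; it supports only the patterns
# used in the two files written below.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Default-deny: anything not matched by hosts.allow is refused.
cat > "$WORK/hosts.deny" <<'EOF'
ALL: ALL
EOF

# Explicit allow list. Daemon names and addresses are constructed values.
# telnet, rlogin and finger are deliberately absent, so hosts.deny catches them.
cat > "$WORK/hosts.allow" <<'EOF'
sshd: 10.1.2.
ftpd: 10.1.2.10 10.1.2.11
EOF

# Does one client address match one pattern?
#   ALL        -> everything
#   "10.1.2."  -> trailing dot means network prefix
#   otherwise  -> exact host/address match
match_client() {   # $1 = client, $2 = pattern
    case "$2" in
        ALL) return 0 ;;
        *.)  case "$1" in "$2"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Does a "daemon_list : client_list" file contain a line matching this pair?
file_matches() {   # $1 = file, $2 = daemon, $3 = client
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        daemons=${line%%:*}; clients=${line#*:}
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $clients; do
                match_client "$3" "$c" && return 0
            done
        done
    done < "$1"
    return 1
}

# tcpd order of evaluation: hosts.allow, then hosts.deny, else allow.
decide() {   # $1 = daemon, $2 = client -> prints ALLOW or DENY
    if file_matches "$WORK/hosts.allow" "$1" "$2"; then echo ALLOW
    elif file_matches "$WORK/hosts.deny" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

for pair in "sshd 10.1.2.55" "sshd 10.9.9.9" "ftpd 10.1.2.12" "telnetd 10.1.2.10"; do
    echo "$pair -> $(decide $pair)"
done
```

Because the deny file is ALL: ALL, every service that is not named in hosts.allow is refused for every client, which is the behaviour the page asks for when it says to deny all hosts and list the acceptable ones manually.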
PortSentry
- Summary:
  - PortSentry is a scan detector. When programs such as nmap or SAINT (as described in the
    programs section) are run against a server with PortSentry, PortSentry will automatically
    add the IP address of the scanning source to the list of denied IP addresses in the TCP
    Wrapper file (/etc/hosts.deny). Bear in mind that a paranoid scan (nmap's paranoid timing)
    may delay its pings for hours, which PortSentry may not detect.
- Reference:
  - www.psionic.com/abacus/portsentry
  - AIX Security Supplement (page 103)
- Default Security:
- Standard Security:
- Enhanced Security:
  - Implement tcpd and PortSentry together to block port scanning attempts on production
    servers that may be exposed to internet attacks.
Tripwire
- Summary:
  - Tripwire continuously monitors files (chosen by the administrator) for validity. Several
    methods are used to check the integrity of the files: MD5 checksums, permission logging,
    etc. This is very important for securing a system against Trojan horses. Often a user can
    change a small part of a commonly run script or file and turn a benign script into a
    malicious one. Tripwire (hopefully before the script is run) will notice the change and
    notify the administrators. Tripwire may even be configured to launch defensive actions:
    checking the validity of other files and possibly even shutting down vulnerable services
    before exploits occur.
- Reference:
  - www.tripwire.org / www.tripwire.com
- Default Security:
  - The audit subsystem can be used as a similar system, but it is not nearly as robust or
    powerful in its detection.
- Standard Security:
  - crontab files
    - To ensure that the cron scripts have not been tampered with or given invalid entries.
  - /etc/passwd
    - A very important file and very vulnerable to exploit. Tripwire is best for this, as it
      also reviews all permissions (instead of just checksums).
  - /etc/profile
    - Especially if this is a global profile setup. This also contains the $PATH variable,
      which can be exploited to spoof other users.
  - /etc/hosts.equiv and /etc/ftpusers
    - These are very important, as they allow remote computers to run ftp commands as well as
      remote commands, if they are in this list.
  - /etc/security
    - This folder carries many of the security policies run on this computer; ensure that it
      is always valid and clean.
  - /etc/syslog.conf
    - This should be kept under audit to ensure that logging functions are not changed in
      order to mask future attacks.
  - /etc/publickey, /etc/.rootkey and /etc/keystore
    - These store the public keys for all of the users over a network. Ensure these files are
      never tampered with and are only edited using the chkey or newkey commands.
  - /etc/shadow
    - This file holds the encrypted passwords and should only be accessible as root.
  - Permissions/owners that must be checked/maintained:
    - /etc/filesystems           : -rw-rw-r-- root system
    - /etc/inittab               : -rw------- root system
    - /etc/passwd                : -rw-r--r-- root system
    - /etc/group                 : -rw-r--r-- root system
    - /etc/vfs                   : -rw-r--r-- root system
    - /etc/security/failedlogin  : -rw-r--r-- root system
    - /etc/security/audit/hosts  : -rw-rw---- root audit
- Enhanced Security:
  - Keep the Tripwire binaries and configuration files offline so that they cannot be tampered
    with. If these files become vulnerable to attack, an intruder could possibly change the
    stored baselines of important files to match the Trojan horse they planted.
  - /etc/*
    - The entire folder holds many sensitive files that should be monitored in higher security
      environments.
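A baseline check for the permission/owner table in the Tripwire section, added here as an example that is not part of this document or of Tripwire. It runs against a constructed fixture owned by the current user (changing ownership to root would need root privileges), so the baseline names scratch paths and the current user; on a real AIX system the baseline lines would carry the /etc paths with "root system" and "root audit" exactly as the table gives them. One file is made world-writable and one is left out of the fixture so that both the tampered and the missing case appear in the report.

```shell
#!/bin/sh
# Added example: compare mode, owner and group of listed files against a
# baseline and report every deviation. Fixture paths and the owner/group are
# constructed from the current environment, not taken from a real system.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
set -- $(ls -ld "$WORK"); OWNER=$3; GROUP=$4   # owner/group as ls reports them
mkdir -p "$WORK/etc/security/audit"

# Baseline: path, expected mode, owner, group. /etc/group is listed but never
# created below, so the check also exercises the missing-file case.
BASELINE="$WORK/baseline"
cat > "$BASELINE" <<EOF
$WORK/etc/filesystems -rw-rw-r-- $OWNER $GROUP
$WORK/etc/inittab -rw------- $OWNER $GROUP
$WORK/etc/passwd -rw-r--r-- $OWNER $GROUP
$WORK/etc/group -rw-r--r-- $OWNER $GROUP
$WORK/etc/security/audit/hosts -rw-rw---- $OWNER $GROUP
EOF

# Constructed fixture: inittab, passwd and audit/hosts match the baseline;
# filesystems has been made world-writable, the tampering we want to catch.
for f in filesystems inittab passwd security/audit/hosts; do : > "$WORK/etc/$f"; done
chmod 0666 "$WORK/etc/filesystems"
chmod 0600 "$WORK/etc/inittab"
chmod 0644 "$WORK/etc/passwd"
chmod 0660 "$WORK/etc/security/audit/hosts"

# "mode owner group" for one path, with any trailing ACL/SELinux marker
# ("+" or "." after the mode string on some systems) stripped off.
current_state() {
    ls -ld "$1" 2>/dev/null | awk '{ sub(/[.+]$/, "", $1); print $1, $3, $4 }'
}

# One line per deviation from the baseline; a removed file is itself a finding.
check_baseline() {
    while read -r path mode owner group; do
        [ -n "$path" ] || continue
        found=$(current_state "$path")
        if [ -z "$found" ]; then
            echo "$path: MISSING"
        elif [ "$found" != "$mode $owner $group" ]; then
            echo "$path: expected $mode $owner $group, found $found"
        fi
    done < "$BASELINE"
}

check_baseline
```

Run from cron, the output (two lines for the fixture above, nothing on a clean system) is what an administrator would mail to themselves; an empty report is the expected daily result.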
Vulnerability Assessment
What better way to test the security of a server than with the same tools that intruders use? By
running the most common tools that hackers use to look for vulnerabilities, an administrator can often
find holes in a system (possibly even before it is rolled onto the network). There are certain
elements that intruders look for in order to exploit a server; know them and check for them before
the intruders do. By ensuring that common intrusion tools and rootkits are useless against a server,
the number of possible intruders is substantially decreased, as many do not know much beyond the use
of those tools. Redundancy is not a waste of time: by cross-checking systems with multiple tools, an
administrator can be confident that most rootkits will not offer much information to an intruder.
Computer Oracle and Password System (COPS)
COPS is used to check a system for possible vulnerabilities based upon recent CERT advisories.
COPS does not stay thoroughly up to date, so it should not be used as the end-all of vulnerability
assessment, but it is a good start towards ensuring a system is secure.
COPS: ftp://info.cert.org/pub/tools/cops
NMAP
nmap is referred to as one of the strongest tools in a "rootkit" (a hacking toolkit used to achieve
root status). System administrators should run nmap against their own systems and fix any
vulnerabilities found. This will repel most attacks, as many intruders have little more in their
toolkit for vulnerability assessment than nmap. nmap offers many variations, one of which is the
"paranoid" timing mode. This sends its ping requests at 5-minute intervals (if not longer), which will
usually not be detected by intrusion detection systems. Because such variations can bypass intrusion
detection, it is of utmost importance that a system administrator run nmap before the server is rolled
into production.
nmap: www.insecure.org/nmap/
Crack/John the Ripper
Crack and John the Ripper are very popular tools for cracking passwords. As with any other
vulnerability assessment program, if the server's passwords can withstand a brute-force attack from
these two programs, chances are that they will hold up against an intruder who is most likely using
the same programs. Both programs require that the password files be merged into one file. Since AIX
uses a shadow password file, a merge script is needed; one can be found in the Appendix of the AIX
Security Supplement.
Crack: ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/
John the Ripper: www.openwall.com/john/
Network Security Auditor (NSA)
Fileset (from IBM): nsauditor.base. This program essentially works as a port scanner, but it gives
a good understanding (like many of the other programs listed) of a hacker's perception of the system.
It is always important to use multiple assessment tools to get the full picture of the server's
security status; this tool offers a good angle.
NSA: www-4.ibm.com/software/security/firewall/about
FPing
Fping is a network sweep utility used to map the network topology. It should be used to test the
network against the network documentation. It can also be used to check for responses on certain
ports. Higher security servers should give very few (if any) responses to fping. Ensure that the
broadcast addresses (.0 and .255) are also checked. This is a common tool in a hacker's toolbox; by
ensuring that a system does not respond to fping requests, the intruder has less information with
which to launch an attack.
FPING : www-frec.bull.fr
SNORT
A very powerful network sniffer, and also a filter that can be used to enforce rules on certain types
of network traffic.
SNORT: www.snort.org
Nessus
Remote security scanner with over 1200 checks that will also offer suggestions for filling holes
found in the audit.
Nessus: www.nessus.org
AIDE
Free AIX Tripwire replacement.
AIDE: www.cs.tut.fi/~rammer/aide.html
Security Administrator's Integrated Network Tool (SAINT)
SAINT is a very powerful tool that scans for system vulnerabilities (much like NSA and nmap).
SAINT is constantly being updated, so to ensure that the newest audits are running, download the
latest version of SAINT each time SAINT is to be run. A mailing list is available that will notify an
administrator when a new version of SAINT is released.
SAINT: www.wwdsi.com/saint/index
This is a source code distribution and must be compiled before use. It is strongly suggested that a
C compiler be kept off production servers, so compile it on a proof-of-concept box and copy it over
to the production machine.
SARA
Similar to SAINT but open source and not supported.
SARA: www-arc.com/sara
Maintenance
The maintenance of servers is important. Security flaws are constantly being discovered, and
it is important that an administrator keep up to date. If just one server is left without security
patches, and an intruder finds that one node, he could feasibly take out a whole network of patched,
up-to-date systems. Implement the suggested features on all servers on a subnet.
Maintenance Level
Maintenance Levels are released by IBM and tend to be very stable and secure. There is thorough
documentation on IBM's AIX website on dealing with Maintenance Levels.
The Maintenance Level on a machine should always be the highest available. The only
exception is when the system cannot go to a higher level because of dependency problems. If this is
the case, the individual security patches must be installed, as these levels contain many security
patches inside them. IBM offers the compare_report command to help with automation. The
administrator downloads the report of the currently available patches and compares it against the
local server, then uploads the output file to IBM, and a custom service pack with all of the patches
necessary to bring the AIX system up to date is created. Depending on how often the system is
patched, this can be a very large service pack.
After a maintenance level has been installed, run a security audit of the system to ensure that
the state of security has not been altered.
Crontabs
Crontabs are highly effective for automatic security auditing. Once strong crontabs are set up, and
as long as they are not changed or altered unknowingly (use Tripwire or a similar product to
supervise any changes to the files), an administrator can watch the logs and flags from those crontab
jobs for suspicious activity. By automating many of these security audits, administrators are given
more time to work on stronger customer solutions.
Sample of Suggested Crontabs
Daily
- find / -nouser -ls: This command lists all files that do not have an owner; these files may or
  may not be needed, but should be assigned to a different user if they are necessary.
- find / -perm -4000 -user 0 -ls and find / -perm -2000 -user 0 -ls: These commands list all
  setuid and setgid files owned by root, which can potentially be exploited for root permissions.
- awk -F: '{ if ($2 == "") print $1 }' /etc/passwd: This gives a listing of all of the users that
  are registered without passwords.
- awk -F: '{ if ($3 == 0) print $1 }' /etc/passwd: This shows all users that have a UID of 0
  (root user); there should be only one unless other testing is being done with another user.
- tcbck: This command ensures that the TCB contains no files that clearly violate system security
  and updates, adds, or deletes trusted files.
- Find all files that are writable by world.
- Check all files executable by root to ensure that they are owned by root and that their parent
  directory is owned by root.
- Check for .netrc files.
- Check for .rhosts files.
- Check for hosts.equiv files.
- COPS (more information in the Programs section)
- Tripwire: possibly hourly depending on the severity of the files being monitored (multiple
  instances can be scheduled so that one runs daily while another runs hourly) (more information
  in the Programs section)
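The UID 0 check from the UID Control section and the first several items of the Daily list above, combined into one script, as an added example that is not part of the original document. It is exercised here against a constructed passwd file and a constructed directory tree so that it runs without root; to deploy it, point PASSWD_FILE at /etc/passwd and SCAN_ROOT at / and run it from root's crontab. The -user 0 filter from the page's find commands is left out so that the fixture, which cannot be chowned to root, still produces findings; add it back on a real system.

```shell
#!/bin/sh
# Added example: daily account and filesystem checks in the spirit of the
# suggested crontabs. All sample accounts and files below are constructed.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASSWD_FILE="$WORK/passwd"   # use /etc/passwd when deployed
SCAN_ROOT="$WORK/root"       # use / when deployed

# Constructed passwd file: one legitimate root, a rogue second UID-0 account
# and an account with an empty password field.
cat > "$PASSWD_FILE" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
backdoor:!:0:0::/tmp:/usr/bin/ksh
guest::205:100::/home/guest:/usr/bin/ksh
EOF

# Constructed filesystem fixture: one setuid binary, one setgid binary, one
# plain binary, one world-writable file and a stray .rhosts trust file.
mkdir -p "$SCAN_ROOT/usr/bin" "$SCAN_ROOT/home/guest" "$SCAN_ROOT/tmp"
: > "$SCAN_ROOT/usr/bin/suid_tool";  chmod 4755 "$SCAN_ROOT/usr/bin/suid_tool"
: > "$SCAN_ROOT/usr/bin/sgid_tool";  chmod 2755 "$SCAN_ROOT/usr/bin/sgid_tool"
: > "$SCAN_ROOT/usr/bin/plain_tool"; chmod 0755 "$SCAN_ROOT/usr/bin/plain_tool"
: > "$SCAN_ROOT/tmp/scratch";        chmod 0666 "$SCAN_ROOT/tmp/scratch"
: > "$SCAN_ROOT/home/guest/.rhosts"; chmod 0644 "$SCAN_ROOT/home/guest/.rhosts"

# Accounts with UID 0: anything other than root is a finding.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$PASSWD_FILE"; }

# Accounts whose password field is empty (no password needed to log in).
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$PASSWD_FILE"; }

# Setuid and setgid files (the page's find -perm -4000 / -perm -2000 checks).
setid_files() { find "$SCAN_ROOT" -type f \( -perm -4000 -o -perm -2000 \) | sort; }

# Files that anyone on the system can write to.
world_writable_files() { find "$SCAN_ROOT" -type f -perm -0002 | sort; }

# Trust files that grant remote access without a password.
trust_files() {
    find "$SCAN_ROOT" -type f \( -name .rhosts -o -name .netrc -o -name hosts.equiv \) | sort
}

# Files with no valid owner (find -nouser); orphaned files should be
# reassigned or removed.
unowned_files() { find "$SCAN_ROOT" -nouser 2>/dev/null | sort; }

# Full report, one section per check, suitable for mailing from cron.
daily_report() {
    echo "== UID 0 accounts ==";        uid0_accounts
    echo "== Empty passwords ==";       empty_password_accounts
    echo "== setuid/setgid files ==";   setid_files
    echo "== World-writable files ==";  world_writable_files
    echo "== Trust files ==";           trust_files
    echo "== Unowned files ==";         unowned_files
}

daily_report
```

Each check is its own function so that a later run can be compared against the previous report (for example with diff) and only new entries raised as alerts, which keeps a daily cron job from re-reporting the same legitimate setuid binaries every morning.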
Monthly
- skulker -p: This command removes obsolete files from the following categories: the /tmp
  directory, executable a.out files, and ed.hup files. These files can be exploited from time to
  time and should be kept clear.
- compare_report: This command is used in conjunction with IBM to get a listing of all of the
  filesets and compare them against the current filesets on an IBM website. The results can then
  be uploaded (automatically), and the updates can be downloaded and reviewed prior to
  installation. Refer to the AIX compare_report command.
Security Patches
- Once at the highest maintenance level, ensure that all delta security patches (patches released
  after the most recent maintenance level) have been installed.
- Review emergency patches from IBM to ensure the system is up to date.
- After installation, run a quick check of the major security functions to ensure that the patch
  has not compromised a different security feature.
E-mail/Websites
- Review security and system hardening websites (including IBM's) for new headlines or
  vulnerabilities.
- Review security forums and mailing lists. These get rather lengthy, so it may be smart to start
  a generic Hotmail account (company accounts are not advised, as they would tip off others on the
  mailing list about your occupation and location).
- Review the attached resources as often as possible.
Log/Report Review
- Review the sulog for suspicious activity.
- Review the audit logs.
- Review the wtmp file for login/logout activity.
- Review the syslog output for security issues.
- Ensure all crontab scripts are working correctly (refer to the audit/Tripwire checksum reports
  of the crontabs).
- Review all Tripwire reports to ensure that all files being supervised remain authentic.
- All logs should be kept for 13 months in case of an incident.
Live CD's/USB's
Live CDs are now an intruder's main rootkit. These tools can be used on nearly any Intel-compatible
system and give the intruder immediate root access. If launched on a benign computer, they leave no
trace, and after an attack they are nearly impossible to trace.
Because of this, a security administrator is strongly urged to keep up to date with Linux Live
CDs. These come out daily and should be downloaded and run to see what tools are being packaged.
Tools change daily, and these CDs are good barometers of the current state of intruders' rootkits.
These CDs can now be launched from USB drives. This offers the option of data extraction
(as USB thumb drives are writable). Ensure that the BIOS does not allow "Boot from USB".
Resources
Mailing Lists (create a new account for these, as they will flood an inbox)
- Unix-security: security@cpd.com
- Security-misc: comp.security.misc
- Virus-list: comp.virus
- ACM risks: com.risks
- Cert-tools: cert-tools-request@cert.org
- Cert-advisory: cert-advisory-request@cert.org
- Security Announcements: comp.security.announce
Books
Practical Unix & Internet Security by Simson Garfinkel and Gene Spafford. O’Reilly & Associates,
Inc., ISBN: 1-56592-148-8
Unix System Administration Handbook by Evi Nemeth et al. Prentice Hall. ISBN: 0-13-151051-7.
Redbooks
AIX Security
AIX Security Supplement (2000 and 2003 versions)
AIX Security Tools
AIX Administration
Tutorials/Whitepapers/Articles
Deploying Tripwire on AIX
Using IPSec as a packet filer on AIX
Deploying OpenSSH on AIX
Securing AIX Network Services on AIX
Strengthening AIX Security: A System Hardening Approach
Find out ways to protect your system from intruders
FAQ: Network Intrusion Detection Systems