Chapter 1. Installing and Configuring a Secure System
This chapter provides information about installing and configuring a secure system.
Topics in this chapter include:
v “Trusted Computing Base” on page 3
v “Controlled Access Protection Profile and Evaluation Assurance Level 4+” on page 8
v “Login Control” on page 18
v “Managing X11 and CDE Concerns” on page 21
Trusted Computing Base
The system administrator must determine how much trust can be given to a particular program. This determination includes considering the value of the information resources on the system in deciding how much trust is required for a program to be installed with privilege.
The Trusted Computing Base (TCB) is the part of the system that is responsible for enforcing systemwide information security policies. By installing and using the TCB, you can define user access to the trusted communication path, which allows for secure communication between users and the TCB. TCB features can only be enabled when the operating system is installed. To install TCB on an already installed machine, you will have to perform a Preservation installation. Enabling TCB allows you to access the trusted shell, trusted processes, and the Secure Attention Key (SAK).
This section discusses the following topics:
v “Installing a System with the Trusted Computing Base”
v “Checking the Trusted Computing Base” on page 4
v “Structure of the sysck.cfg file” on page 4
v “Using the tcbck Command” on page 5
v “Configuring Additional Trusted Options” on page 7
Installing a System with the Trusted Computing Base
The TCB is the part of the system that is responsible for enforcing the information security policies of the system. All of the computer’s hardware is included in the TCB, but a person administering the system should be concerned primarily with the software components of the TCB.
If you install a system with the Trusted Computing Base option, you enable the trusted path, trusted shell, and system-integrity checking (tcbck command). These features can only be enabled during a base operating system (BOS) installation. If the TCB option is not selected during the initial installation, the tcbck command is disabled. You can use this command only by reinstalling the system with the TCB option enabled.
To set the TCB option during a BOS installation, select More Options from the Installation and Settings screen. In the Installation Options screen, the default for the Install Trusted Computing Base selection is no. To enable the TCB, type 2 and press Enter.
Because every device is part of the TCB, every file in the /dev directory is monitored by the TCB. In addition, the TCB automatically monitors over 600 additional files, storing critical information about these files in the /etc/security/sysck.cfg file. If you are installing the TCB, immediately after installing, back up this file to removable media, such as tape, CD, or disk, and store the media in a secure place.
© Copyright IBM Corp. 2002, 2003
Checking the Trusted Computing Base
The tcbck command audits the security state of the Trusted Computing Base. The security of the operating system is jeopardized when the TCB files are not correctly protected or when configuration files have unsafe values. The tcbck command audits this information by reading the /etc/security/sysck.cfg file. This file includes a description of all TCB files, configuration files, and trusted commands.
The /etc/security/sysck.cfg file lives on the running system, so an attacker who gains write access to it can alter the recorded attributes and make a tampered file pass the check. Create an offline, read-only copy after each TCB update, and copy that archived file back to disk before running any check, so that the check is made against a description the attacker could not have edited.
Installing the TCB and using the tcbck command do not guarantee that a system is operating in a Controlled Access Protection Profile (CAPP) and Evaluation Assurance Level 4+ (EAL4+) compliant mode. For information on the CAPP/EAL4+ option, see “Controlled Access Protection Profile and Evaluation Assurance Level 4+” on page 8.
Structure of the sysck.cfg file
The tcbck command reads the /etc/security/sysck.cfg file to determine which files to check. Each trusted program on the system is described by a stanza in the /etc/security/sysck.cfg file.
Each stanza has the following attributes:

acl
    Text string representing the access control list for the file. It must be of the same format as the output of the aclget command. If this does not match the actual file ACL (access control list), the sysck command applies this value using the aclput command.

class
    Name of a group of files. This attribute allows several files with the same class name to be checked by specifying a single argument to the tcbck command. More than one class can be specified, with each class being separated by a comma.

group
    Group ID or name of the file group. If this does not match the actual group of the file, the tcbck command sets the group ID of the file to this value.

links
    Comma-separated list of path names linked to this file. If any path name in this list is not linked to the file, the tcbck command creates the link. If used without the tree parameter, the tcbck command prints a message that there are extra links but does not determine their names. If used with the tree parameter, the tcbck command also prints any additional path names linked to this file.

mode
    Comma-separated list of values. The allowed values are SUID, SGID, SVTX, and TCB. The file permissions must be the last value and can be specified either as an octal value or as a 9-character string. For example, either 755 or rwxr-xr-x are valid file permissions. If this does not match the actual file mode, the tcbck command applies the correct value.
    Note: The SUID, SGID, and SVTX attributes must match those specified for the mode, if present.

owner
    User ID or name of the file owner. If this does not match the actual owner of the file, the tcbck command sets the owner ID of the file to this value.

program
    Comma-separated list of values. The first value is the path name of a checking program. Additional values are passed as arguments to the program when it is executed.
    Note: The first argument is always one of -y, -n, -p, or -t, depending on which flag the tcbck command was used with.

source
    Name of a file this source file is to be copied from prior to checking. If the value is blank, and this is either a regular file, directory, or a named pipe, a new empty version of this file is created if it does not already exist. For device files, a new special file is created for the same type device.
AIX 5L Version 5.2: Security Guide
symlinks
    Comma-separated list of path names symbolically linked to this file. If any path name in this list is not a symbolic link to the file, the tcbck command creates the symbolic link. If used with the tree argument, the tcbck command also prints any additional path names that are symbolic links to this file.
If a stanza in the /etc/security/sysck.cfg file does not specify an attribute, the corresponding check is not performed.
Using the tcbck Command
The tcbck command is normally used to do the following:
v Ensure the proper installation of security-relevant files
v Ensure that the file system tree contains no files that clearly violate system security
v Update, add, or delete trusted files

The tcbck command can be used in the following ways:
v Normal use
  – Noninteractive at system initialization
  – With the cron command
v Interactive use
  – Check out individual files and classes of files
v Paranoid use
  – Store the sysck.cfg file offline and restore it periodically to check out the machine
The TCB uses the sum command for its checksums, which is not cryptographically secure: sum produces a short checksum with no collision resistance, so an attacker who can modify a trusted file can also pad it so that the recorded checksum still matches. The TCB database can be set up manually with a different checksum command, for example the md5sum command that is shipped in the textutils RPM Package Manager package on the AIX Toolbox for Linux Applications CD. MD5 is itself no longer considered collision-resistant; where a SHA-2 tool is available, prefer it.
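As an added example (not from the IBM guide or from AIX itself), the following POSIX shell script is a checking program of the kind the program attribute above hooks in: it compares a trusted file against a digest recorded in a manifest that is generated while the system is known-good and then kept on read-only media, in the same way the guide asks you to keep sysck.cfg offline. The stanza layout, the script and manifest path names, the choice to pass the checked file's path as an extra program value, and the reading of a nonzero exit status as a failed check are all assumptions of the example; the page itself only states that the first argument is the tcbck flag and that the remaining stanza values follow it.

```shell
#!/bin/sh
# tcb_digest_check.sh: added example, not part of the IBM guide or of AIX.
# A checking program for the sysck.cfg "program" attribute. It verifies a
# trusted file against a digest recorded in an offline manifest instead of
# the sum(1) checksum that tcbck computes itself.
#
# Assumed stanza (path names hypothetical):
#   /usr/bin/abc:
#           program = /usr/local/sbin/tcb_digest_check.sh,/usr/bin/abc,/mnt/cdrom/tcb.digests
# tcbck then runs (flag first, then the extra stanza values):
#   /usr/local/sbin/tcb_digest_check.sh -y|-n|-p|-t /usr/bin/abc /mnt/cdrom/tcb.digests

# md5sum from the AIX Toolbox textutils package, as the guide suggests. MD5 is
# no longer collision-resistant, so set DIGEST_CMD=sha256sum where one exists.
DIGEST_CMD="${DIGEST_CMD:-md5sum}"
command -v "${DIGEST_CMD%% *}" >/dev/null 2>&1 || DIGEST_CMD="openssl dgst -sha256 -r"

# digest_of FILE: print only the hex digest of FILE.
digest_of() {
    $DIGEST_CMD "$1" | awk '{ print $1 }'
}

# make_manifest MANIFEST FILE...: record the current digest of each FILE as
# "<digest>  <path>". Run this only on a system you trust, then copy MANIFEST
# to removable media alongside the offline copy of sysck.cfg.
make_manifest() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(digest_of "$f")" "$f" >> "$manifest"
    done
}

# check_digest FILE MANIFEST: 0 = digest matches, 1 = mismatch, 2 = FILE not listed.
check_digest() {
    file=$1; manifest=$2
    expected=$(awk -v f="$file" '$2 == f { print $1; exit }' "$manifest")
    [ -n "$expected" ] || return 2
    [ "$(digest_of "$file")" = "$expected" ] || return 1
    return 0
}

# main FLAG FILE MANIFEST: entry point when tcbck runs the hook. A digest
# mismatch cannot be repaired by tcbck -y, so every mode only reports; the
# nonzero status is assumed to be what tcbck treats as a failed check.
main() {
    flag=$1; file=$2; manifest=$3
    if check_digest "$file" "$manifest"; then rc=0; else rc=$?; fi
    case $rc in
        0) [ "$flag" = "-p" ] || echo "$file: digest ok" ;;
        1) echo "$file: digest MISMATCH, restore it from trusted media" ;;
        2) echo "$file: not listed in $manifest, add it after checking with tcbck -t tree" ;;
    esac
    return $rc
}

# Dispatch only when invoked by tcbck with one of its flags; sourcing the
# file just defines the functions.
case "${1:-}" in
    -y|-n|-p|-t) main "$@" ;;
esac
```

Generate the manifest with make_manifest on a freshly installed system, keep it on the same removable media as the offline sysck.cfg, and mount that media read-only before running tcbck. Because a digest mismatch is not something tcbck -y can put right, the hook reports and returns nonzero in every mode; restoring the file from the installation media is the fix.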
Checking Trusted Files
To check all the files in the tcbck database, and fix and report all errors, type:
tcbck -y ALL
This causes the tcbck command to check the installation of each file in the tcbck database described by the /etc/security/sysck.cfg file.
To perform this automatically during system initialization, and produce a log of what was in error, add the previous command string to the /etc/rc command.
Checking the File System Tree
Whenever you suspect the integrity of the system might have been compromised, run the tcbck command to check the file system tree:
tcbck -t tree
When the tcbck command is used with the tree value, all files on the system are checked for correct installation (this can take a long time). If the tcbck command discovers any files that are potential threats to system security, you can alter the suspected file to remove the offending attributes. Whether the tcbck command corrects or only reports what it finds depends on the flag: -n reports errors only, -y fixes them and reports them, -p fixes them without reporting, and -t reports each one and prompts before fixing it. With the tree value, the following checks are also applied to every file that is not described in the /etc/security/sysck.cfg file:
v If the file owner is root and the file has the SetUID bit set, the SetUID bit is cleared.
v If the file group is an administrative group, the file is executable, and the file has the SetGID bit set, the SetGID bit is cleared.
v If the file has the tcb attribute set, this attribute is cleared.
v If the file is a device (character or block special file), it is removed.
v If the file is an additional link to a path name described in the /etc/security/sysck.cfg file, the link is removed.
v If the file is an additional symbolic link to a path name described in the /etc/security/sysck.cfg file, the symbolic link is removed.
Note: All device entries must have been added to the /etc/security/sysck.cfg file prior to execution of the tcbck command or the system is rendered unusable. To add trusted devices to the /etc/security/sysck.cfg file, use the -l flag.
Attention: Do not run the tcbck -y tree command option. This option deletes and disables devices that are not properly listed in the TCB, and might disable your system.
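The following shell script is an added example, not part of the guide or of AIX; it reimplements the first tree check above (root-owned SetUID files that are not described in sysck.cfg) as a read-only report, so that it can run from cron without the destructive side effects the Attention note warns about. It assumes that each sysck.cfg stanza starts with the file's absolute path followed by a colon, the usual AIX stanza layout; the list file and directory names are hypothetical. The owner argument exists only so the check can be exercised on files owned by an unprivileged user; on a production run leave it at its root default. It is a detection aid, not a replacement for tcbck -n tree, which also checks the attributes of the registered files.

```shell
#!/bin/sh
# tcb_tree_report.sh: added example, not part of the IBM guide or of AIX.
# A read-only version of the first "tcbck -t tree" check: list root-owned
# SetUID files that are not described in sysck.cfg. Nothing is cleared or
# removed, so it can run from cron as a detection job; diff each run
# against the previous one to see what appeared.

# trusted_paths CFG: print the stanza names of a sysck.cfg-style file.
# Assumes each stanza begins with the file's absolute path followed by a
# colon (attribute lines are indented, so they never start with "/").
trusted_paths() {
    awk -F: '/^\// { print $1 }' "$1"
}

# unregistered_setuid ROOT TRUSTED_LIST [OWNER]: print every SetUID file
# owned by OWNER (default root) on the file system holding ROOT whose path
# is not one of the trusted paths, one per line, sorted.
unregistered_setuid() {
    root=$1; trusted=$2; owner=${3:-root}
    find "$root" -xdev -type f -user "$owner" -perm -4000 -print 2>/dev/null |
        sort |
        awk -v tfile="$trusted" '
            BEGIN { while ((getline line < tfile) > 0) ok[line] = 1 }
            !($0 in ok) { print }
        '
}

# Stand-alone use from cron (hypothetical paths):
#   trusted_paths /etc/security/sysck.cfg > /var/adm/tcb.trusted
#   tcb_tree_report.sh report / /var/adm/tcb.trusted > /var/adm/tcb.suid.$(date +%Y%m%d)
case "${1:-}" in
    report) unregistered_setuid "${2:-/}" "${3:-/var/adm/tcb.trusted}" ;;
esac
```

Anything the report lists is either a file that should have been registered with tcbck -a (see “Adding a Trusted Program”) or a SetUID binary that has no business on the system; decide which before letting tcbck -y ALL or a manual chmod remove the bit.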
Adding a Trusted Program
To add a specific program to the /etc/security/sysck.cfg file, type:
tcbck -a PathName [Attribute=Value]
Only attributes whose values are not deduced from the current state of the file need be specified on the command line. All attribute names are contained in the /etc/security/sysck.cfg file.
For example, the following command registers a new SetUID root program named /usr/bin/setgroups, which has a link named /usr/bin/getgroups:
tcbck -a /usr/bin/setgroups links=/usr/bin/getgroups
To add jfh and jsl as administrative users and to add developers as an administrative group to be verified during a security audit of the file /usr/bin/abc, type:
tcbck -a /usr/bin/abc setuids=jfh,jsl setgids=developers
After installing a program, you might not know which new files need to be registered in the /etc/security/sysck.cfg file. These files can be found with the following command:
tcbck -t tree
This command string displays the name of any file that is to be registered in the /etc/security/sysck.cfg file.
Deleting a Trusted Program
If you remove a file from the system that is described in the /etc/security/sysck.cfg file, you must also remove the description of this file from the /etc/security/sysck.cfg file. For example, if you have deleted the /etc/cvid program, the following command string produces an error message:
tcbck -t ALL
The resulting error message is as follows:
3001-020 The file /etc/cvid was not found.
The description for this program remains in the /etc/security/sysck.cfg file. To remove the description of this program, type the following command:
tcbck -d /etc/cvid
Configuring Additional Trusted Options
This section provides information about how to configure additional options for the TCB.
Restricting Access to a Terminal
The getty and shell commands change the owner and mode of a terminal to prevent untrusted programs from accessing the terminal. The operating system provides a way to configure exclusive terminal access.
Using the Secure Attention Key
Attention: Use caution when using the SAK because it kills all processes that attempt to access the terminal and any links to it (for example, /dev/console can be linked to /dev/tty0).
A trusted communication path is established by pressing the Secure Attention Key (SAK) reserved key sequence (Ctrl-X, and then Ctrl-R). A trusted communication path is established under the following conditions:
v When logging in to the system. After you press the SAK:
  – If a new login screen displays, you have a secure path.
  – If the trusted shell prompt displays, the initial login screen was an unauthorized program that might have been trying to steal your password. Determine who is currently using this terminal by using the who command and then log off.
v When you want the command you enter to result in a trusted program running. Some examples of this include:
  – Running as root user. Run as root user only after establishing a trusted communication path. This ensures that no untrusted programs are run with root-user authority.
  – Running the su -, passwd, and newgrp commands. Run these commands only after establishing a trusted communication path.
Configuring the Secure Attention Key
Each terminal can be independently configured so that pressing the Secure Attention Key (SAK) at that terminal creates a trusted communication path. This is specified by the sak_enabled attribute in the /etc/security/login.cfg file. If the value of this attribute is true, the SAK is enabled.
If a port is to be used for communications (for example, by the uucp command), the stanza for that port in the /etc/security/login.cfg file has the following line:
sak_enabled = false
This line (or no entry in that stanza) disables the SAK for that terminal.
To enable the SAK on a terminal, add the following line to the stanza for that terminal:
sak_enabled = true
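As an added example (not code from the guide or from AIX), the following shell functions read and set sak_enabled for one port stanza of a login.cfg-style file, with the rule just stated built into the reader: a missing attribute or a missing stanza is reported as false. The stanza layout (a name followed by a colon, then tab-indented attribute = value lines) and the constructed sample file are assumptions of the example. On AIX itself the supported way to make the change is chsec -f /etc/security/login.cfg -s /dev/tty0 -a sak_enabled=true; the awk editor here is portable so that it can be run and tested on any system.

```shell
#!/bin/sh
# sak_cfg.sh: added example, not part of the IBM guide or of AIX. Read and
# set the sak_enabled attribute of one port stanza in a login.cfg-style
# file. Assumed stanza layout (the usual AIX one):
#   /dev/tty0:
#           sak_enabled = true
# On AIX itself use chsec, which also preserves the file's owner and mode:
#   chsec -f /etc/security/login.cfg -s /dev/tty0 -a sak_enabled=true

# sample_login_cfg: a constructed sample file for trying the functions out.
sample_login_cfg() {
    printf 'default:\n\tsak_enabled = false\n\tlogintimes =\n\n'
    printf '/dev/tty0:\n\tsak_enabled = true\n\n'
    printf '/dev/tty1:\n\tlogintimes =\n'
}

# sak_enabled PORT FILE: print "true" only if PORT's stanza explicitly sets
# sak_enabled = true; a missing attribute or stanza means the SAK is disabled.
sak_enabled() {
    awk -v port="$1" '
        /^[^ \t#].*:[ \t]*$/ { name = $0; sub(/:[ \t]*$/, "", name); in_stanza = (name == port); next }
        in_stanza && /^[ \t]*sak_enabled[ \t]*=/ {
            v = $0; sub(/^[ \t]*sak_enabled[ \t]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            r = (tolower(v) == "true") ? "true" : "false"; print r; found = 1; exit
        }
        END { if (!found) print "false" }
    ' "$2"
}

# set_sak PORT true|false FILE: replace the attribute if present, add it to
# an existing stanza that lacks it, or append a new stanza for PORT. The
# result is written back over FILE so its owner and mode are kept.
set_sak() {
    port=$1; value=$2; file=$3; tmp="$file.$$"
    case $value in
        true|false) ;;
        *) echo "set_sak: value must be true or false" >&2; return 1 ;;
    esac
    awk -v port="$port" -v value="$value" '
        function leave_stanza() {      # called when the target stanza ends
            if (in_stanza && !seen) print "\tsak_enabled = " value
            in_stanza = 0
        }
        /^[^ \t#].*:[ \t]*$/ {
            leave_stanza()
            name = $0; sub(/:[ \t]*$/, "", name)
            if (name == port) { in_stanza = 1; found = 1; seen = 0 }
            print; next
        }
        in_stanza && /^[ \t]*sak_enabled[ \t]*=/ { print "\tsak_enabled = " value; seen = 1; next }
        in_stanza && /^[ \t]*$/ { leave_stanza() }
        { print }
        END {
            leave_stanza()
            if (!found) { print port ":"; print "\tsak_enabled = " value }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Command-line use: sak_cfg.sh get /dev/tty0 [FILE]  |  sak_cfg.sh set /dev/tty0 true [FILE]
case "${1:-}" in
    get) sak_enabled "$2" "${3:-/etc/security/login.cfg}" ;;
    set) set_sak "$2" "$3" "${4:-/etc/security/login.cfg}" ;;
esac
```

Run the get form over every port stanza before and after a change to confirm that only the intended terminal gained the SAK, and remember that a port with no sak_enabled line at all is disabled, exactly as the text above states.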