AIX 5L SysAdmin II: (Unit 12) – Security

Unit Objectives:
1. Provide Authentication Procedures
2. Specify Extended File Permissions
3. Configure the Trusted Computing Base (TCB)

Protecting Your System:
Hardware – Access to boot media, Access to front key
Login – Passwords, System logged in but not used, Trojan horse
Shell – Restricted shell, Execution of unauthorized programs, Trojan

How Do You Set Up Your PATH?
Which PATH is more secure?

PATH=/usr/bin:/etc:/usr/sbin:/sbin:.    (current directory searched last) or
PATH=.:/usr/bin:/etc:/usr/sbin:/sbin    (current directory searched first: never use this PATH)

Note: It is better to use neither, because both include the current directory "." which could be any directory, including one an attacker controls. With "." first, a program of the same name in the current directory is run instead of the system command; with "." last it is only run when the command does not exist in the system directories (a typo is enough).

Trojan Horse: An Easy Example (1 of 3)
cd /home/hacker
vi ls
#!/usr/bin/ksh
# Only succeeds when root runs it: create a setuid-root copy of ksh
cp /usr/bin/ksh /tmp/.hacker
chown root /tmp/.hacker
chmod u+s /tmp/.hacker
# Remove the evidence and run the real ls so nothing looks wrong
rm -f $0
/usr/bin/ls $*

chmod a+x ls

Note: u+s above sets the SUID bit: /tmp/.hacker now runs with root authority for anyone who starts it.

Trojan Horse: An Easy Example (2 of 3)
The hacker creates a file named -i:
cd /home/hacker
cat > -i

Hello SysAdmin, I have a file "-i" and cannot remove it. Please help me...

If the administrator's PATH starts with the current directory,
PATH=.:/usr/bin:/etc:/usr/sbin:/sbin (Don't use this PATH!!!)
then the following, typed as root, runs the ls script in /home/hacker instead of the /usr/bin/ls command:

cd /home/hacker
ls
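As an added example (not part of the course notes), the following POSIX shell functions make the PATH discussion concrete: path_audit flags any relative or empty PATH entry (an empty entry also means the current directory), path_lookup reproduces the left-to-right search the shell performs, and trojan_lookup_demo builds a scratch directory holding a fake ls, a constructed stand-in for /home/hacker/ls above, and shows what "ls" resolves to with "." first versus "." last. Nothing found is executed, only reported.

```sh
#!/bin/sh
# Added example, not from the course notes. POSIX sh; nothing here executes
# the looked-up commands, it only shows which file the shell would pick.

# path_audit PATHSTRING
# Return 0 if every entry is an absolute directory, 1 otherwise, printing
# each unsafe entry. An empty entry ("::", or a leading/trailing ":") is
# the current directory, exactly like ".", so it is flagged as well.
path_audit() {
    _rest="$1:"                      # trailing ':' so the last entry is read
    _rc=0
    while [ -n "$_rest" ]; do
        _e="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_e" in
            "")  echo "unsafe: empty entry (means current directory)"; _rc=1 ;;
            /*)  ;;                  # absolute path: fine
            *)   echo "unsafe: relative entry '$_e'"; _rc=1 ;;
        esac
    done
    return $_rc
}

# path_lookup PATHSTRING COMMAND
# Print the first executable regular file found for COMMAND, searching the
# PATH entries left to right as the shell does. Return 1 if none is found.
path_lookup() {
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _e="${_rest%%:*}"
        _rest="${_rest#*:}"
        [ -z "$_e" ] && _e=.         # empty entry == current directory
        if [ -f "$_e/$2" ] && [ -x "$_e/$2" ]; then
            echo "$_e/$2"
            return 0
        fi
    done
    return 1
}

# trojan_lookup_demo
# Create a scratch directory with a fake "ls" (constructed stand-in for
# /home/hacker/ls) and print what "ls" resolves to from inside it with
# "." first and with "." last.
trojan_lookup_demo() {
    _d=$(mktemp -d)
    printf '#!/bin/sh\necho "this is the trojan ls"\n' > "$_d/ls"
    chmod a+x "$_d/ls"
    ( cd "$_d" && path_lookup ".:/usr/bin:/bin" ls )     # -> ./ls
    ( cd "$_d" && path_lookup "/usr/bin:/bin:." ls )     # -> the system ls
    rm -rf "$_d"
}
```

path_audit is the check to put in root's .profile (or a login audit script): it fails on both PATHs from the slide, and also on the easily overlooked empty entry that a stray colon introduces.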

login.cfg: login prompts

# vi /etc/security/login.cfg

sak_enabled = false
logintimes =
herald = "\n*Restricted Access*\n\rAuthorized Users Only\n\rlogin:"

login.cfg: Restricted Shell
# vi /etc/security/login.cfg

* Other security attributes
shells = /bin/sh,/bin/bsh,/usr/bin/ksh, ...,/usr/bin/Rsh

# chuser shell=/usr/bin/Rsh michael
In the restricted Korn shell, michael can't:
- Change the current directory
- Change the PATH variable
- Use command names containing slashes
- Redirect standard output (>, >>)

Note: The restrictions take effect only after .profile has been processed, so .profile must set a PATH that contains only directories the user may use, and none of the reachable commands may offer a shell escape (an editor that can start an unrestricted shell defeats the restricted shell).

Customized Authentication:
# vi /usr/lib/security/methods.cfg
* Authentication Methods
secondPassword:
        program = /usr/local/bin/getSecondPassword

# vi /etc/security/user
auth1 = SYSTEM,secondPassword

Note: This activates a second program to authenticate users. AIX runs the program with the user name as its first argument; exit status 0 means the method succeeded, anything else makes the login fail. Every method listed in auth1 (here SYSTEM, the normal password check, and secondPassword) must succeed.

Authentication Methods (1 of 2):
# vi /usr/local/bin/getSecondPassword
#!/usr/bin/ksh
# Ask for a second password; AIX passes the user name as $1 (not used here)
print -n "Please enter the second Password: "
stty -echo                  # No input visible
read PASSWORD
stty echo
print                       # New line after the hidden input

if [[ $PASSWORD = "d1f2g3" ]]; then
    exit 0                  # Valid login
else
    exit 255                # Invalid login
fi

Note: The script must be executable and should be owned by root and readable by root only. The password is hard-coded here for the exercise; anyone who can read the script knows the second password.

Authentication Methods (2 of 2):
# vi /usr/local/bin/limitLogins

#!/usr/bin/ksh
# Limit login to one session per user
USER=$1                                   # User name is first argument
# How often is the user logged in? Match the whole name ("^$USER " with a
# trailing space), otherwise team01 would also count the sessions of team011
COUNT=$(who | grep "^$USER " | wc -l)
# User already logged in?
if [[ $COUNT -ge 1 ]]; then
    errlogger "$1 tried more than 1 login"
    print "Only one login is allowed"
    exit 128
fi

exit 0                                    # Return 0 for correct authentication
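As an added example (not the course's limitLogins script), here is the session-counting logic written so it can be checked against constructed who output rather than the live system. It also avoids the prefix pitfall of grep "^$USER" (team01 matching team011) by comparing the first field exactly. The SAMPLE_WHO lines are made up; the assumption, as in the notes, is that AIX calls an auth1 method as "program USERNAME" and grants the login only on exit status 0.

```sh
#!/bin/sh
# Added example, not the course's limitLogins script. Assumed, as in the
# notes: AIX runs an auth1 method as "program USERNAME" and the login is
# granted only when the program exits 0.

# count_sessions USERNAME < who-output
# Count lines whose first field is exactly USERNAME. A plain grep "^$USER"
# would also count team011 when checking team01.
count_sessions() {
    awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# allow_login USERNAME < who-output
# Return 0 (allow) when USERNAME has no open session, 128 (deny) otherwise.
allow_login() {
    _n=$(count_sessions "$1")
    if [ "$_n" -ge 1 ]; then
        echo "Only one login is allowed ($1 already has $_n session(s))" >&2
        return 128
    fi
    return 0
}

# Constructed sample in the layout of AIX "who": name, line, time, host.
SAMPLE_WHO='team01   pts/0   Mar 12 09:15   (10.1.2.3)
team011  pts/1   Mar 12 09:20   (10.1.2.4)
michael  pts/2   Mar 12 09:30   (10.1.2.5)
michael  pts/3   Mar 12 09:31   (10.1.2.6)'

# sessions_for USERNAME : count against the sample instead of the live who
sessions_for() {
    printf '%s\n' "$SAMPLE_WHO" | count_sessions "$1"
}

# On the real system the method body would be:  who | allow_login "$1"
```

Two caveats a practitioner should keep in mind: two logins that race through the check at the same moment both see zero sessions and both pass, and who only reports sessions that were recorded in utmp, so a session started by a program that does not write utmp is invisible to this check.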

Two-Key Authentication:
# vi /etc/security/user

auth1 = SYSTEM;deputy1,SYSTEM;deputy2

login: boss
deputy1's Password:
deputy2's Password:

Note: method;username runs the method against that user's password instead of the login name's own, so boss can only log in when deputy1 and deputy2 are both present and type their passwords.

Base Permissions:

owner = silva
group = staff
Base permissions = rwx (owner) --- (group) --- (others)
How can silva easily give simon read access to the file salaries?

Setting up permissions for the group will give access to all in the group. But what if you only want one person to

Extended Permissions: Access Control Lists
Extended permissions: permit r-- u:simon
# acledit salaries
base permissions
    owner(silva): rwx
    group(staff): ---
    others: ---
extended permissions
    enabled
    permit r-- u:simon

ACL Commands:
# aclget file1  (Display base/extended permissions)
# aclget status99 | aclput report99  (Copy an Access Control List)
# acledit salaries2  (To specify extended permissions)

- chmod in the octal format disables the ACL (use chmod u+x salaries instead of chmod 777 salaries)
- Only the backup command saves ACLs (tar and cpio do not)
- acledit requires the EDITOR variable (full pathname of an AIX editor)

ACL Keywords: permit and specify:
# acledit status99

base permissions
    group(finance): rw-

extended permissions
    permit --x u:michael
    specify r-- u:anne, g:account
    specify r-- u:nadine

- permit adds the listed access to what the user already has from the base permissions; specify replaces it, so the user gets exactly the listed access.
- michael (member of group finance) gets read, write (base) and execute (extended) permissions: rwx.
- If anne is in group account, she gets read permission on file status99. An entry with several identifiers applies only when all of them match.
- nadine (member of group finance) gets only read access, although the group has read and write.

ACL Keywords: deny
# acledit report99
base permissions

extended permissions
    deny r-- u:paul, g:mail
    deny r-- g:gateway

- deny: Restricts the user or group from using the specified access to the file
- paul loses read access only while he is a member of group mail; every member of group gateway loses read access
- deny overrules permit and specify
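Added example, not AIX code and not from the course notes: a small awk model of the permit, specify and deny rules from the last two sections (plus the enabled/disabled flag that an octal chmod flips), so the worked cases above can be checked on any Unix system. The evaluation order is my reading of the rules stated here and is an assumption: base permissions first (owner, group or others), then the matching extended entries in listing order with specify replacing and permit adding, and all matching deny entries subtracted last because deny overrules both. The SAMPLE_ACL listing is constructed from the status99 and report99 examples; the owner silva and the group finance shown in it are assumed.

```sh
#!/bin/sh
# Added example: a model of the AIX ACL rules described in the notes, not the
# AIX implementation. Input is an acledit/aclget-style listing on stdin.
# Assumed evaluation order: base permissions, then extended entries in
# listing order (specify replaces, permit adds), then every matching deny is
# removed. Listings marked "disabled" (what an octal chmod does) ignore the
# extended entries altogether.

# acl_effective USER "GROUP1 GROUP2 ..." < acl-listing
# Print the effective access as an rwx string, e.g. "r-x".
acl_effective() {
    awk -v user="$1" -v groups=" $2 " '
    function has(p, c) { return index(p, c) > 0 }
    function plus(a, b,   o, i, c) {            # union of two rwx strings
        o = ""
        for (i = 1; i <= 3; i++) { c = substr("rwx", i, 1); o = o ((has(a, c) || has(b, c)) ? c : "-") }
        return o
    }
    function minus(a, b,   o, i, c) {           # a with the bits of b removed
        o = ""
        for (i = 1; i <= 3; i++) { c = substr("rwx", i, 1); o = o ((has(a, c) && !has(b, c)) ? c : "-") }
        return o
    }
    # An entry matches only when every identifier matches: "u:anne, g:account"
    # applies to anne only while she is a member of account.
    function matches(ids,   n, p, i, kind, name) {
        n = split(ids, p, ",")
        for (i = 1; i <= n; i++) {
            if (p[i] == "") continue
            kind = substr(p[i], 1, 2); name = substr(p[i], 3)
            if (kind == "u:" && name != user) return 0
            if (kind == "g:" && index(groups, " " name " ") == 0) return 0
        }
        return 1
    }
    /^[ \t]*base permissions/     { sect = "base"; next }
    /^[ \t]*extended permissions/ { sect = "ext";  next }
    sect == "base" && $1 ~ /^owner/   { owner = substr($1, 7, length($1) - 8); b_owner = $2 }
    sect == "base" && $1 ~ /^group/   { group = substr($1, 7, length($1) - 8); b_group = $2 }
    sect == "base" && $1 == "others:" { b_other = $2 }
    sect == "ext" && $1 == "enabled"  { enabled = 1 }
    sect == "ext" && $1 == "disabled" { enabled = 0 }
    sect == "ext" && ($1 == "permit" || $1 == "specify" || $1 == "deny") {
        ids = ""
        for (i = 3; i <= NF; i++) ids = ids "," $i    # "u:paul, g:mail" -> ",u:paul,,g:mail"
        if (matches(ids)) { n++; kw[n] = $1; pm[n] = $2 }
    }
    END {
        if (user == owner)                     eff = b_owner
        else if (index(groups, " " group " ")) eff = b_group
        else                                   eff = b_other
        if (enabled) {
            denied = "---"
            for (i = 1; i <= n; i++) {
                if (kw[i] == "specify")     eff = pm[i]
                else if (kw[i] == "permit") eff = plus(eff, pm[i])
                else                        denied = plus(denied, pm[i])
            }
            eff = minus(eff, denied)            # deny overrules permit and specify
        }
        print eff
    }'
}

# Constructed listing combining the status99 and report99 examples
# (owner silva and group finance are assumed).
SAMPLE_ACL='attributes:
base permissions
    owner(silva): rw-
    group(finance): rw-
    others: ---
extended permissions
    enabled
    permit --x u:michael
    specify r-- u:anne, g:account
    specify r-- u:nadine
    deny r-- u:paul, g:mail
    deny r-- g:gateway'

# acl_check USER "GROUPS" : evaluate USER against the sample listing
acl_check() { printf '%s\n' "$SAMPLE_ACL" | acl_effective "$1" "$2"; }
```

Feed it the output of aclget from a real system to see how a listing you are about to apply treats a given user, and compare with what AIX actually enforces; anywhere the two disagree, AIX is right and the assumption in the lead-in needs adjusting.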

The Trusted Computing Base (TCB):
The TCB is the part of the system that is responsible for enforcing the security policies of the system.

Two things a TCB check should catch:

# ls -l /etc/passwd
-rw-r--rw- 1 root security ... /etc/passwd      (world-writable: anyone can edit accounts)

# ls -l /usr/bin/be_happy
-r-sr-xr-x 1 root system ... /usr/bin/be_happy  (an unexpected setuid-root program)

Note: TCB is installed with the operating system but has to be enabled.

TCB Components:
The AIX Kernel
Configuration files that control AIX
Any program that alters the kernel or an AIX configuration file

The TCB can only be enabled at installation time. You cannot switch it on or off later, only through re-installation.

Note: Most installations do not enable TCB. It is used only in very secure environments.

Checking the Trusted Computing Base:
The tcbck command compares every TCB file with the attributes recorded for it in /etc/security/sysck.cfg and:
- Reports differences
- Implements fixes

Security Model (the recorded attributes, here for /etc/passwd):
owner = root
mode = 644

/etc/passwd rw-r--r--

The sysck.cfg File
# vi /etc/security/sysck.cfg

/etc/passwd:
        owner = root
        group = security
        mode = TCB,644
        type = FILE
        class = apply, inventory, ...
        checksum = VOLATILE

# tcbck -t /etc/passwd (Verifies the file against its stanza)

Note: tcbck compares the file's current owner, group, mode, type and checksum with the stanza, so any change is reported. VOLATILE marks an attribute that is expected to change (here the checksum of /etc/passwd, which changes with every account update) and is therefore not compared; TCB in the mode means the file carries the trusted bit.

tcbck: Checking Mode Examples:
tcbck -n <file>   Report: yes   Fix: no
tcbck -p <file>   Report: no    Fix: yes
tcbck -t <file>   Report: yes   Fix: prompt (ask before each fix)
tcbck -y <file>   Report: yes   Fix: yes

<file> can be:
- a filename (for example /etc/passwd)
- a classname: a logical group of files defined by a class = name entry in sysck.cfg
- tree: check all files in the filesystem tree
- ALL: check all files listed in sysck.cfg

tcbck: Update Mode Examples:
# tcbck -a /salary/salary.dat class=salary
Add salary.dat to sysck.cfg in the class salary

# tcbck -t salary  (Test all files belonging to class salary)
# tcbck -d /etc/cvid  (Delete file /etc/cvid from sysck.cfg)

Note: TCB requires ongoing maintenance: every time a TCB file is legitimately changed, added or removed, sysck.cfg must be updated (tcbck -a / tcbck -d), otherwise tcbck keeps reporting the difference.

chtcb: Marking Files As Trusted
# ls -le /salary/salary.dat
-rw-rw---- -   ... Not trusted (11th character "-")
-rw-rw---- +   ... Trusted file (11th character "+"; set with chtcb on, cleared with chtcb off, see below)

tcbck: Effective Usage:
tcbck -n (normal mode: report only; suitable for a regular scheduled run)
tcbck -t (interactive mode: report and ask before each fix)
Paranoid use: store a copy of sysck.cfg offline and restore it before each check, so that an attacker who has modified the system cannot also have modified the reference data that tcbck checks against.
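Added example (not the tcbck program and not from the course notes): a portable shell imitation of what tcbck -n does with sysck.cfg, covering a subset of the stanza attributes (owner, group, mode, checksum and size; the POSIX cksum CRC stands in for the AIX checksum). tcb_inventory produces the reference records, tcb_verify re-reads them and reports every difference without fixing anything, and tcb_demo runs the flow end to end on two scratch files it creates itself. Keeping the inventory file off the machine and restoring it before each run is the "paranoid use" described above.

```sh
#!/bin/sh
# Added example: an imitation of "tcbck -n" against a sysck.cfg-like
# inventory, not the AIX tool. Records mode, owner, group, CRC and size.

# tcb_inventory FILE... : one record per existing file:
#   mode owner group crc size path
tcb_inventory() {
    for _f in "$@"; do
        [ -e "$_f" ] || continue
        set -- $(ls -ld "$_f")            # mode links owner group ...
        _imode=$1 _iowner=$3 _igroup=$4
        set -- $(cksum "$_f")             # crc size path
        printf '%s %s %s %s %s %s\n' "$_imode" "$_iowner" "$_igroup" "$1" "$2" "$_f"
    done
}

# tcb_verify INVENTORY : re-check every recorded file; print one line per
# difference (as tcbck -n would) and return 1 if anything differs, 0 if clean.
tcb_verify() {
    _inv=$1
    _rc=0
    while read -r _mode _owner _group _crc _size _path; do
        _cur=$(tcb_inventory "$_path")
        if [ -z "$_cur" ]; then
            echo "MISSING  $_path"; _rc=1; continue
        fi
        set -- $_cur
        [ "$1" = "$_mode" ]  || { echo "MODE     $_path: $_mode -> $1";  _rc=1; }
        [ "$2" = "$_owner" ] || { echo "OWNER    $_path: $_owner -> $2"; _rc=1; }
        [ "$3" = "$_group" ] || { echo "GROUP    $_path: $_group -> $3"; _rc=1; }
        [ "$4" = "$_crc" ]   || { echo "CHECKSUM $_path: $_crc -> $4";   _rc=1; }
        [ "$5" = "$_size" ]  || { echo "SIZE     $_path: $_size -> $5";  _rc=1; }
    done < "$_inv"
    return $_rc
}

# tcb_demo : record two constructed files, tamper with both, re-check.
tcb_demo() {
    _d=$(mktemp -d)
    printf 'root:!:0:0::/:/usr/bin/ksh\n' > "$_d/passwd"
    printf '#!/bin/sh\necho hi\n' > "$_d/be_happy"
    chmod 644 "$_d/passwd"; chmod 755 "$_d/be_happy"
    tcb_inventory "$_d/passwd" "$_d/be_happy" > "$_d/sysck.cfg"
    tcb_verify "$_d/sysck.cfg" && echo "clean"
    echo 'hacker:!:0:0::/:/usr/bin/ksh' >> "$_d/passwd"     # content changed
    chmod 4755 "$_d/be_happy"                                 # setuid bit added
    tcb_verify "$_d/sysck.cfg" || echo "differences found"
    rm -rf "$_d"
}
```

The real tcbck also records the file type, link count and the trusted bit and can repair what it finds (-y / -p); this imitation only reports, which is exactly the mode (-n) the notes recommend for routine runs.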

Trusted Communication Path:
The Trusted Communication Path allows for secure communication between users and the Trusted Computing Base.

What do you think when you see this screen on a terminal?

AIX Version 4
(C) Copyrights by IBM and by others 1982, 1996

Note: This could be a Trojan horse script that will steal my login and password.

Trusted Communication Path: Trojan Horse
A script left running on a terminal that imitates the login screen:

#!/usr/bin/ksh
print "AIX Version 4"
print "(C) Copyrights by IBM and by others 1982, 1996"
print -n "login:"
read NAME
print -n "$NAME's Password:"
stty -echo
read PASSWORD
stty echo
print "$NAME $PASSWORD" > /tmp/.4711

Later the hacker collects the captured login name and password:
$ cat /tmp/.4711

Trusted Communication Path Elements:
1. A trusted shell (tsh) that only executes commands that are marked as being trusted
2. A trusted terminal
3. A reserved key sequence, called the secure attention key (SAK), which allows the user to request a trusted communication path

Using the Secure Attention Key (SAK)
The SAK is the key sequence Ctrl-X, Ctrl-R.

Before logging in at the trusted terminal, press the SAK: every process attached to that terminal is killed and a trusted login program is started. If the previous "login" screen was a trojan horse, it is gone before the password is typed.

After logging in, press the SAK to get the trusted shell (tsh). It ensures that no untrusted programs will be run with root authority.

Configuring the Secure Attention Key:
Configure a trusted terminal (sak_enabled goes in the stanza of that port; /dev/tty0 is only an example):
# vi /etc/security/login.cfg
/dev/tty0:
        sak_enabled = true

Enable a user to use the trusted shell:
# vi /etc/security/user
tpath = on

chtcb: Changing the TCB Attribute:
# chtcb query /usr/bin/ls
/usr/bin/ls is not in the TCB

tsh> ls *.c
ls: Command must be trusted to run in the tsh

# chtcb on /usr/bin/ls
tsh> ls *.c
a.c b.c d.c

Q: How do I install the TCB fileset on my machine?
A: You cannot add TCB to an existing installation. TCB must be installed at the same time as the operating system; you are prompted for it during installation.

Q: Are my files secure on my backup tapes?
A: No more than the tape itself is: you need to physically protect your backup tapes, because anyone holding a tape can restore its data.

Q: Why don't we address auth2 very much?
A: auth2 is not a security feature. auth2 methods run after auth1 has succeeded and their result does not affect whether the login is granted; they are used to collect information or run extra actions during the login process.

vi /etc/security/login.cfg

sak_enabled = false
logintimes =
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0
herald = "\n\n\n\n# Restricted Access #\n\rAuthorized Users Only\n\r"

The login screen then shows:

# Restricted Access #
Authorized Users Only

who /etc/security/failedlogin | more   (failed login attempts)
more /var/adm/sulog                    (su attempts, successful and failed)

who /var/adm/wtmp | more               (login and logout history)
last root                              (logins by root)

vi /home/workshop/ex14_login (view the file)
ls -l /home/workshop/ex14_login (check permission)

vi /usr/lib/security/methods.cfg
program = /home/workshop/ex14_login

vi /etc/security/user
admin = false

startx (start AIX Windows)
login as team01
login again as team01
Only one login allowed per user….

vi /etc/security/user (remove previous entry from team01 stanza)

mkuser michael (create a new user)
mkuser sarah
passwd michael (create passwords for michael)
passwd sarah

su team01
cd /home/team01
vi sample
tput clear
banner We love AIX
print End of Program

chmod 777 sample
ls -l sample
./sample (execute the script)
chmod 700 sample

Login as michael
cd /home/team01
cat sample
ls -l /home/team01/sample

Login as team01
vi .profile
export EDITOR=/usr/bin/vi

. ./.profile (re-read the profile in the current shell; running it as ./.profile would set EDITOR only in a child process)

echo $EDITOR (check to make sure it is set)

acledit sample
base permissions
owner[team01]: rwx
group[staff]: ---
others: ---
extended permissions
permit rwx u:michael
permit r-x u:sarah
Should the modified ACL be applied? (yes) or (no) y
ls -e sample
-rwx------+ 1 team01 staff (+ says that an ACL is enabled)

login as michael
cd /home/team01
vi sample
date (add command)

./sample (re-execute)

login as sarah
cd /home/team01
vi sample
echo This is from sarah (add command)
vi refuses to write the file: sarah has read permission only (r-x from the ACL), so the change fails with an error.

login as team01
acledit sample
base permissions
owner[team01]: rwx
group[staff]: r-x
others: ---
extended permissions
deny rwx u:michael
Should the modified ACL be applied? (yes) or (no) y

login as michael
$ groups
cd /home/team01

ls -l sample
-rwxr-x— 1 team01 staff
./sample: 0403-006 Execute permission denied.

login as team01
vi sample2
echo hello class
echo today is date
echo goodbye

aclget sample2
base permissions
owner[team01]: rw-
group[staff]: r--
others: r--
extended permissions

aclget sample | aclput sample2 (copy the ACL of sample onto sample2)
aclget sample2

chmod 700 sample (Lose ACL permissions using octal notation)
aclget sample
Note: It changed enabled to disabled in the extended permissions. Use the symbolic notation (for example chmod u+x) when changing permissions on a file that has an ACL.
