S e c u r i n g I B M '
s A I X
Practical unix security
By Simon Taylor |
|
1. Background
One of the events that aroused my interest in
computer security occurred during a service visit to a client. I had run a
health check / information gathering script and noticed an unexpected .tar file
in the root directory. When I asked the customer why the file was there, they
mentioned that they had been security audited and that the auditors had reported
that theirs was one of the better systems they had seen. I looked at the .tar
file which had global read access and found that it contained a generic security
checking script for unix as well as the script output including the shadow
password file (again with global read access). In addition, root on an adjacent
system had rsh access to the audited system.
This paper is not meant as an attack against generalized security standards,
rather it seeks to demonstrate that standards (guidelines would be better)
should not be slavishly followed. Those responsible for system security can,
with moderate knowledge and the application of common sense create systems that
are sufficiently secure to resist all but a deliberate, focused attack.
To illustrate the application of common sense to system security I would like to
draw parallels between domestic security in Johannesburg and computer system
security:
Everyone understands basic household security.
Home/Business | Generic Description | Computer System |
Locked Door | Perimeter Security | Firewall. Router. Port closure. |
Alarm System | Intrusion Detection | Port Monitor. Service Wrapper. File integrity checking. Log monitoring. |
Security Company | Intrusion Response | Software or configuration update. |
Most households and all businesses subscribe to an armed response security company. How many businesses implement the equivalent computer security activities?
1.1 AIX vs. Other unix variants
While AIX has roots based in both BSD and System V (witness the login buffer overflow)2, it has sufficient unique aspects from an administration point of view to warrant a specific approach to implementing and maintaining system security. Many configuration parameters are stored in the ODM configuration database and are manipulated using commands that differ from other unix variants. Nevertheless, there are a number of security related configuration areas (mainly network parameters) that are not held in the ODM and are manipulated using AIX specific commands3 (no - network options and nfso - nfs options). While most configuration parameters are stored in ASCII files, these files are not meant to be directly edited. For example:
/etc/inittab | mkitab, chitab, lsitab, rmitab |
/var/spool/cron/crontab | crontab (-e|-l|-r|-d) |
/etc/inetd.conf | chsubserver |
/etc./services | chservices |
/etc/passwd | mkuser, chuser, lsuser, rmuser |
/etc/security/passwd | chsec, lssec, usrck, pwdck, grpck |
In many cases, the commands shown act on more
than one file and make synchronised changes. While it is possible to edit these
files directly, doing so is likely to create discrepancies between files as well
as causing changes to permissions and ownership's.
AIX also has a distinct approach to the management of system software
installation and upgrades. System software is packaged to be manipulated by the
"installp" program. This program interrogates the ODM to determine
what software and hardware exists on the system and will apply or commit updates
in an appropriate fashion. In most cases, copying system software between
systems is guaranteed to cause corruption.
1.2 Common unix security vulnerabilities
SANS4/FBI
top twenty vulnerabilities.
The SANS (System Administration, Networking,
and Security) Institute and the FBI expanded the previously released SANS
security vulnerability list in October 2002:
Vulnerabilities affecting all systems.
1 - Default installs of operating systems and applications.
Most installs are designed for ease of use rather than security.
2 - Accounts with No Passwords or Weak Passwords.
Any password that is found in or derived from a dictionary word is trivial -
almost any password cracking program will reveal it.
3 - Nonexistent or Incomplete Backups.
If a system cannot be easily and quickly restored to a working state, it is
seriously at risk.
4 - Large number of open ports.
Many services exist for historical reasons and are not commonly used.
5 – Not filtering packets for correct incoming and outgoing addresses.
Assume that all network traffic is benign.
6 - Nonexistent or incomplete logging.
If no log of normal behavior exists, how can abnormal behavior be detected?
7 - Vulnerable CGI Programs
CGI programs are designed for external invocation so are more sensitive than
other programs.
Unix specific vulnerabilities
1 - Buffer Overflows in RPC Services
RPC - Remote Procedure Calls are designed for external invocation.
2 - Sendmail Vulnerabilities
Widely used and interprets externally generated input.
3 - Bind Weaknesses
Widely used and accepts external commands.
4 - R Commands
Remote access commands.
5 - LPD (remote print protocol daemon)
Widely used and accepts external commands.
6 – sadmind and mountd
Sadmind is Solaris' remote administration server and mountd accepts external
commands.
7 - Default SNMP Strings
Simple Network Management Protocol - accepts external commands sometimes without
access control.
It can be seen that any program or service which accepts external input is a
popular target.
Windows specific vulnerabilities have been ignored.
Quote from the SANS Web Page http://www.sans.org/top20.htm
These few software vulnerabilities account for the majority of successful
attacks, simply because attackers are opportunistic – taking the easiest and
most convenient route. They exploit the best-known flaws with the most effective
and widely available attack tools. They count on organizations not fixing the
problems, and they often attack indiscriminately, scanning the Internet for any
vulnerable systems.
2. Objective
2.1 Improve the security of an average system so that it is no longer a soft target
Organizations should (at minimum) harden systems so that they do not fall victim to random or opportunistic attacks. Sufficient monitoring should be performed so that an attack or unwelcome attention can be detected before actual intrusion takes place. See network monitoring.
2.2 Reasons for increasing system security
2.2.1 Is a firewall defence enough?5
A common reaction when the question of system
security is raised is, "We already have a firewall". My response is,
"the Titanic had watertight bulkheads, but the lifeboats were still
needed."
While I agree that a properly configured firewall is an important element of a
secure environment, it must not be the only form of defense. Firewalls exist to
provide controlled access to computers. They are normally configured to permit
access through a small number of communication ports, typically providing for
mail, name resolution and html traffic. They do not normally differentiate
between normal and hostile traffic over these ports.
2.2.2 Corporate audit requirements
The requirements of corporate auditing departments must be addressed, but it must be remembered that few hackers have respect for corporations.
2.2.3 Automated scans/attacks
Many of the high profile security problems
reported in the last year or so - Nimda, Code Red, Ramen6, etc. have scanning code built into them.
The scan code and payload typically do not contain logic to avoid non-vulnerable
operating systems.
At least one security analyst7 has predicted that a Nimda style
attack will be launched using the system V login buffer overflow vulnerability.
3 Securing a system
3.1 Basic steps
Hiding your money under the mattress. It may not be very secure, but it's better than leaving it in plain sight.
3.1.1 Analyse the system
System analysis should provide sufficient
information to asses the potential vulnerability of the system as well as being
a starting point for documentation. Analysis should cater for both external and
internal access. Example: Which network ranges can access the host, and in the
case of logged in users, are members of one group able to access data belonging
to other groups?
In addition to generic analysis tools such as nmap, nessus, sara and saint8,
the following AIX specific checks should be performed:
password and group files should be checked with usrck, pwdck and grpck; these
are standard AIX utilities to check and maintain synchronisation between the
password and group files and their shadow counterparts.
Network configuration settings should be checked; AIX uses the command 'no' to
set and display network configuration parameters.
NFS configuration settings should be checked; AIX uses the command 'nfso' to set
and display network file system configuration parameters.
3.1.2 Disable unnecessary / insecure services
Common services: AIX, in common with many
unix variants enables common services which are considered to be insecure. These
services include echo, chargen, daytime, statd, rusersd, rwalld, sprayd, pcnfsd,
discard and time. These services are started by the inetd daemon and can be
disabled by modifying the /etc/inetd.conf file and restarting the daemon.
NFS: the use of NFS is not desirable in a secure environment9,
but if NFS must be used, at minimum, privileged port checking should be enabled.
Sendmail: the default sendmail configuration allows sendmail to display
both the operating system and sendmail program versions as well as permitting
user verification and mail list expansion. If sendmail service is required, the
configuration should be altered to prevent this information leak.10
FTP and Telnet: both ftp and telnet transfer user data in clear text on
the network. They should never be used over an external network and should only
be used on an internal network when it can be guaranteed that no traffic
monitoring can be done.
3.1.3 Modify insecure configuration values
Default path: the default path for AIX is
defined in /etc/security/.profile and includes the 'current directory' as the
last entry. While this may be convenient for users familiar with DOS systems, it
is insecure. The root user's default path should contain only system directories
containing commands required for the administration of the system.
Remote access: the /etc/hosts.equiv file should either be empty or
removed and no users should have a .netrc file in their home directory.
Network options:
arpt_killc - arp buffer time-out; default value is 20 minutes. To avoid arp
buffer poisoning attacks, this value should be reduced to between 1 and 5
minutes.
Bcastping - response to a broadcast ping message; default is to ignore.
Directed_broadcast - permit directed broadcast; default is to allow. To prevent
undesirable system use, this should be disallowed.
Clean_partial_conns - disconnect connection attempts which have not been
successful; default is not to disconnect failed connections. To avoid SYN flood
attacks, this should be disallowed.
Ipforwarding - forward packets destined for a remote network; default is to
deny. This should only be enabled if the system is to act as a router.
Ip6srcrouteforward - forward IP version 6 source routed packets; default is to
allow. This should be disabled to prevent undesirable system use.
Ipsrcrouteforward - forward source routed packets; default is to allow. This
should be disabled to prevent undesirable system use.
Ipsrcrouterecv - accept source routed packets; default is to disallow. This
should not be enabled.
Ipsrcroutesend- transmit source routed packets; default is to allow. Source
routed packets should not be transmitted.
Ipignoreredirects - process redirected packets; default is to allow. Redirected
packets may be received as the result of hostile action and should not be
processed.
Ipsendredirects - send redirected signals; default is to allow. This should only
be enabled if the system is to act as a router.
Rfc1122addrchk - perform RFC1122 address validation; default is to allow. This
should be disabled to block incoming & outgoing SYN packets aimed at
loopback and multicast addresses.
Tcp_pmtu_discover - perform TCP MTU discovery; default is enabled. This should
be disabled to avoid a potential DOS attack.
Udp_pmtu_discover - perform UDP MTU discovery; default is enabled. This should
be disabled to avoid a potential DOS attack.
Nonlocsrcroute - control strict source routing outside the local network;
default is disabled. This should only be enabled if IBM PSSP topology service
support is required.
NFS: as mentioned before, this should not be used, but if it is required,
it should be configured as securely as possible; AIX permits the use of secure
ports (those lower than 1024) as well as allowing encrypted NFS traffic (between
two AIX systems).
Sendmail: AIX ships with sendmail enabled. The default configuration should be
altered to prevent the display of operating system and sendmail version in the
connection banner. User verification and list expansion should also be disabled.
Name resolution: if named is to be run, care should be taken to ensure that zone
transfer information is severely restricted and that version information is not
displayed.
System logging: AIX ships with the syslog daemon enabled, but with an
empty configuration file. Log files should be enabled and logs examined on a
daily basis for evidence of illegal or hostile activity.
Information leaks: any program or service which displays information to casual
access should be identified and leaks stopped. An example is the welcome message
displays at initial login - normally the operating system version is displayed.
This should be replaced with a restricted use banner. This is often a
recommendation of auditing firms11.
3.1.4 User and password management
AIX provides a number of utility programs for the
management of users and groups, these include mkuser, chuser, lsuser, rmuser,
chsec, lssec, usrck, pwdck, grpck; these programs permit normal and shadow files
to be kept synchronised. Additional programs and scripts should be used to
ensure that users meet security standards, for example to check whether users
have logged in within a specified time period, or whether they have changed
their passwords within the defined interval.
User removal needs special attention - rmuser removes a user id, and optionally
the home directory, but a search should be run for files owned by a user
anywhere on the system before that user is removed.
3.2 Advanced Steps
Keeping your money in the bank. A bank vault is designed to resist attack for a fixed time period. It is also monitored to detect attempted attacks.
3.2.1 Securing network access/Implementing openssh or openssl
As far as network access is concerned, a system
connected to any network should be considered vulnerable. A secure approach is
first to disable all access and thereafter to grant access only as required.
While this may sound totalitarian, the alternative is to grant access to anyone
on any port and then to attempt to apply restrictions. 12
A valuable tool for the management of ftp and telnet access is Wietse Venema's
tcp wrapper program. This open source program is started by inetd in place of
the standard telnet and ftp programs which it invokes after checking that the
calling address is allowed access. It is simple to compile, install and
configure on an AIX system. It has the added benefit of recording successful and
failed connection attempts for all services it protects. 13
So far, so good. Unfortunately, both ftp and telnet transmit all traffic across
the network "in the clear", which means that anyone with a network
connection and a traffic monitor can read your user id and password as well as
your transaction information. Ftp makes this particularly simple as the password
is transmitted in a single packet unlike telnet which tends to send each
character of the password in a separate packet. This may sound far fetched - why
would someone sit and monitor network traffic just to find your password. Well,
the simple answer is that they don't, unless they are unaware of network
password sniffers - these tools will log hostnames, protocols, userids and
passwords to a file for subsequent use. 14
The solution to this problem is openSSH 15 - an open source program
which can be used to replace both ftp and telnet and encrypts all traffic (not
just passwords). OpenSSH relies on openSSL 16 - a secure socket layer
(network traffic is encrypted). OpenSSL and openSSH compile for AIX, but openSSL
requires a source of genuine randomness to ensure that the encryption used for a
session cannot feasibly be broken. Other operating systems have /dev/random as a
source for truly random numbers. AIX requires egd - entropy gathering daemon to
serve as a source of true randomness. Again this program is open source and easy
to compile and install.
Note that commercial versions of this software are available.
3.2.2 Network monitoring
How do we know if our system is under attack? In
most cases, we only find out if the attack was successful and if the attacker
was foolish enough to leave traces. This is obviously unsatisfactory. A far
better approach is to test for "attack signatures". A simple example
of this would be to examine the /etc./security/failedlogin file. If there have
been a hundred failed login attempts logged for the root id since yesterday, it
is reasonable to assume that our system is under attack.
What about other access methods? Once again, the open source community as well
as the commercial sector have solutions. Network intrusion detection software
can be installed on a host system and configured to detect known attacks. Unless
an attacker is very sophisticated or very stupid, an attack attempt would be
preceded by some form of port scan 17 (either targeted at specific
ports or at the system in general). Traffic which could be viewed as a prelude
to an attack (or at least unwelcome) would be a scan aimed at port 53 (DNS). If
this traffic takes the form of a connect or partial connect, followed by a DNS
version query or a request for a zone transfer it is time to batten down the
hatches. This kind of traffic will pass straight through your firewall (assuming
that DNS traffic is permitted - which it usually is) and may not even raise
alerts there! The normal reason for a DNS version query is to check whether your
version of the name daemon is remotely exploitable. Again if this seems
paranoid, we have logged precisely this type of traffic on systems in
Johannesburg where the queries initiated from the Netherlands, the USA and Korea
(a handful of .edu or .ac addresses in Seoul)! I have also seen systems
successfully hacked using name daemon vulnerabilities.
A host based Network Intrusion Detection system that I have used successfully on
AIX is Snort18. This open source program uses rule/signature based
detection mechanisms. It provides individual host or subnet monitoring. The
rules are easy to create and manage and are regularly updated. It is easy to
configure to avoid false alerts. It is reasonably easy to compile, but relies on
the portable packet capture library libpcap which is more difficult to compile
for AIX. Fortunately, AIX 5 includes libpcap.
3.2.3 File monitoring
What do we do if our system was successfully
attacked? First we have to recover from the attack - restore
damaged/trojaned/deleted files. Then we have to guard against a repeat visit.
How can we tell which files have been affected and whether trojaned programs or
back doors exist?
This is a difficult task, but it can be made easier if we have some sort of
reference. This is where file monitoring can be useful. A file monitoring system
will keep a record of all the important attributes of a file or directory
including permissions, size, modification time and checksum. Obviously not all
files can or should be monitored as some will change (at least in size) many
times in the course of a day. Nevertheless, selected files can provide clear
evidence of an intrusion. On an AIX system, most (if not all) of /usr, /etc. and
/var should be monitored. If maintenance has not been applied to the system and
the login, ps, who, netstat and ls programs changed at the same time you can be
reasonably confident that a rootkit has been installed. Note that decent
rootkits will attempt to keep the same time stamps on all of these files, good
ones will not only succeed, but may maintain the same simple checksums and file
sizes. They are highly unlikely to manage to maintain the md5 checksum though
and the selection of a file monitor should take this into account. The use of a
simple script to check files may not be adequate.
Again file monitors are available in both open source and commercial versions.
Tripwire19 is one of the better known commercial versions and Aide20
is a good open source program. Aide is easy to compile for AIX and is reasonable
straightforward to configure and manage. A useful bonus of using a file
monitoring program is that backups can be checked to ensure that all modified
files are in fact part of your backup plan.
3.2.4 Log Management
It will be evident that the increased level of monitoring and logging will create problems of its own - particularly where large or multiple systems are concerned. One of the great things about the unix operating system is that there are already solutions to most problems and log file management is no exception. Swatch and Logsurfer21 are both open source (again) programs that can be used to wade through your log files and to alert you when predefined conditions occur. They can monitor logs in real time or as batch processes and are valuable tools.
4 Maintaining Security
As long as hackers search for ways to attack systems, we will have to continue to maintain and improve security. It seems likely that hackers will continue attacks, so maintaining security is something we will have to live with. The challenge is to integrate security maintenance and management into normal operations.
4.1 Regular Audits
The effective security of a system cannot be
ensured without regular auditing. Audit components range from the ongoing
tracking of network and file monitoring logs to running simulated attacks
against the system. Another recommended audit tool is to attempt to crack user
passwords - to ensure that sensible passwords are chosen. There are a number of
tools available for attack testing and password cracking including
Nessus external attack
Saint external attack
Sara external attack
Whisker http server probe
Crack password cracker
John the ripper password cracker
Again, this may seem destructive or insecure, but we have found that crack (for
example) can guess a weak password within one or two seconds.22
Part of the task of maintaining a secure system is in keeping up with attack
techniques and attack trends. There are a number of organisations which publish
a daily or weekly newsletter on security related issues and attack trends. These
include CERT, SANS, ISS and Neohapsis.23
4.2 Keeping up to date with maintenance releases
All software vendors produce official maintenance releases at fairly frequent intervals and IBM is no exception, AIX is currently available in three versions; 4.3.3, 5.1.0 and 5.2.0. Maintenance release 10 is presently available for 4.3.3, maintenance release 3 for AIX 5.1.0 and none available yet for AIX 5.2.0. It is common practice to upgrade to a maintenance release within three months of its becoming available. In the case of a system where security is considered important, maintenance releases should be closely tracked. In the case of AIX, software maintenance can be applied and the previous version saved. This allows rollback if that should become necessary.
4.3 Security related software patches (APARs in IBM-speak)
IBM releases individual software patches as and when it becomes necessary. The majority of these patches are to provide improvements in function or to resolve problems. Some are to resolve security related problems. Individual patches are incorporated in the next subsequent maintenance release. IBM provides a subscription service that will send an e-mail notification when patches become available.24
4.4 Security emergency fixes
From time to time IBM releases emergency fixes in response to known threats. These threats are normally CERT documented. The difference between efixes and patches is that efixes involve manual replacement of existing files or programs. An efix should be installed on a system if that system is potentially vulnerable to the threat. An efix was released for the System V login vulnerability at the same time as the threat was made public. Once again, IBM provides an e-mail subscription service for efixes.
5 Summary/Conclusion
My personal feeling is that it is (relatively)
easy to secure a system as a "once-off" project. This is because a
large quantity of information is available on general and specific
vulnerabilities as well as advice on their resolution.
Maintaining a secure system is more challenging. Changes to system and
application configurations may introduce vulnerabilities. New attack methods
will continue to arise. It is difficult for the average organisation to devote
significant time to security (to be fair, this is not the primary function of
most computer systems).
What can be done?
Security can be outsourced.
This option should be exercised with care. As mentioned earlier, a generic
approach to security could result in system or environment specific loopholes
remaining unplugged. Additionally, the "at arm's length" approach to
managing system security is not ideal. If the entire computer operation is
outsourced, the ability of the outsourcing agent to provide effective security
should form part of the selection process.
I believe that maintaining a secure system should be an active process. An
intrusion detection system should be deployed and its logs should be used to
assess the actual threat that systems are exposed to. Further security measures
can be deployed (or not) based on real rather than theoretical risk.
This does not mean that regular audits and tests are unnecessary.
I would recommend that companies form a security relationship with vendors or
specialists who support their operating system and application environments.
These relationships should result in the regular flow of information and advice
on specific security issues. The practical benefit is that the vendor or
specialist can provide information on issues which are likely to affect specific
environments.
Download the AIX Security
Toolkit
AIX
Security Toolkit
References / Links
1 ODM (Object Data Manager) http://publib16.boulder.ibm.com/cgi-bin/ds_form?lang=en_US&viewset=AIX
2 CERT Advisory CA-2001-34 Buffer Overflow in System V Derived Login http://www.cert.org
3 AIX-specific commands http://publib16.boulder.ibm.com/cgi-bin/ds_form?lang=en_US&viewset=AIX
4 SANS/FBI Top Twenty Vulnerabilities http://www.sans.org/top20/#index
SANS Newsletter Subscription Service http://server2.sans.org/sansnews/
5 Marcus J. Ranum "Thinking About Firewalls" http://www.ranum.com/pubs/think/index.htm
6 Nimda - "The worm searches for Web servers using randomly generated IP addresses." http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
Code Red - "attempt to exploit more computers by targeting random IP addresses." http://www.symantec.com/avcenter/venc/data/codered.worm.html
Ramen - "The first network activity caused by the worm is the Synscan probe of the random class b address space." http://www.whitehats.com/library/worms/ramen/
Note: While none of the above worms actively attack AIX, they do not avoid it and may negatively affect services on ports that are scanned or targeted.
7 John Pescatore "Special to CNET News.com" December 17 2001 http://news.com.com/2009-1001-277120.html
8 nmap - documentation and download from http://www.insecure.org
Nessus - documentation and download from http://www.nessus.org
Sara - documentation and download from http://www-arc.com/sara/
Saint - documentation and download from http://www.wwdsi.com/products/saint_engine.html
9 NFS http://csrc.nist.gov/publications/nistpubs/800-7/node148.html
10 Sendmail http://www.sendmail.org/security.html
11 and 12 National Security Agency "The 60 Minute Network Security Guide" http://nsa2.www.conxion.com/support/download.htm
13 Tcp wrapper - documentation and download from http://ftp.porcupine.org/pub/security/
14 Password Sniffers http://www.faqs.org/faqs/computer-security/sniffers/
15 OpenSSH http://www.openssh.com
16 OpenSSL http://www.openssl.org
17 Port Scanning - John Wack, Miles Tracey
"DRAFT Guideline on Network Security Testing"
http://online.securityfocus.com/library/3716
Recommendations of the National Institute of Standards and Technology
18 Paul Innella and Oba McMillan "An
Introduction to Intrusion Detection Systems"
http://online.securityfocus.com/infocus/1520
Snort - documentation and download from http://www.snort.org/
19 Tripwire http://www.tripwire.com/
20 Aide http://www.cs.tut.fi/~rammer/aide.html
21 Swatch http://www.stanford.edu/~atkins/swatch/
Logsurfer http://www.cert.dfn.de/eng/logsurf/
22 Whisker http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
John The Ripper http://www.openwall.com/john/
Crack / Libcrack http://www.users.dircon.co.uk/~crypto/
23 CERT http://www.cert.org
SANS http://www.sans.org/newlook/home.htm
neohapsis http://www.neohapsis.com/
24 IBM e-mail subscription http://techsupport.services.ibm.com/server/listserv
AIX V4 Fixes http://techsupport.services.ibm.com/server/nav?fetch=ffa4e
AIX V5 Fixes http://techsupport.services.ibm.com/server/aix.fdc