
www.skyviewpartners.com

Welcome to Coffee with Carol
Today's topic is: Security and Compliance

What are the Issues on IBM AIX and How do they Relate to the IBM i?
Guest Speaker: Steve Martinson, CISSP, CISM, CISA

Copyright SkyView Partners, Inc, 2011. All rights reserved.




Security, Security, Security... Oh, and Compliance!


Security Drivers

Regardless of computing platform and vertical market, internal and external audit (read: management) pressure forces organizations into improving their IT security controls and processes:

- System authentication and access control
- User account security
- System program and data security
- System process and resource security
- Best practice system hardening
- Policy-specific and regulatory security

THIS is where compliance lives, since you either ARE or ARE NOT in compliance with your security policy (regardless of external regulatory requirements)!


Compliance Drivers

Nearly all companies across all markets (banking, financial services, health care, manufacturing, retail, etc.) are faced with some sort of compliance regulation or security framework requirement:

- FFIEC (OTS, FDIC), GLBA
- SEC, OFAC, FACTA (Red Flags Rule)
- SOX, J-SOX, Bill 198 (Canada)
- HIPAA
- ISO
- COBIT
- PCI DSS


Common Compliance Issues: AIX <> IBM i


Basic Compliance Buckets

Compliance management can be broken into three basic buckets or areas:

- Account security and compliance
- Resource security and compliance
- Network security and compliance

The Resource and Network security areas are often interspersed in security hardening guides and frameworks, since they are created from the perspective of securing the operating system (platform).

These compliance areas, along with the framework provided by the Center for Internet Security's most recent AIX benchmark, will be the basis of the comparisons presented today.


Account Security & Compliance: Password Security

AIX: /etc/security/user, mindiff
  Minimum number of characters in a new password that must be different from the old (previous) password, regardless of position.
  AIX check: lssec -f /etc/security/user -s default -a mindiff

IBM i: System value QPWDPOSDIF
  Similar to AIX, but this control is limited to the actual character positions when comparing the new password to the old password, i.e. the fifth character cannot be the same in both.
  IBM i check: DSPSYSVAL SYSVAL(QPWDPOSDIF)


Account Security & Compliance: Password Security

AIX: /etc/security/user, maxage
  Maximum number of weeks that a password is valid.
  AIX check: lssec -f /etc/security/user -s default -a maxage

IBM i: System value QPWDEXPITV
  Password expiration interval; specifies the number of days for which passwords are valid (note the unit difference: AIX counts weeks, IBM i counts days).
  IBM i check: DSPSYSVAL SYSVAL(QPWDEXPITV)


Account Security & Compliance: Password Security

AIX: /etc/security/user, minlen
  Minimum length of a password.
  AIX check: lssec -f /etc/security/user -s default -a minlen

IBM i: System value QPWDMINLEN
  Minimum password length; specifies the minimum number of characters in a password.
  IBM i check: DSPSYSVAL SYSVAL(QPWDMINLEN)


Account Security & Compliance: Password Security

AIX: /etc/security/user, minother
  The number of characters within a password which must be non-alphabetic.
  AIX check: lssec -f /etc/security/user -s default -a minother

IBM i: System value QPWDRQDDGT
  Where AIX also has a minalpha parameter for the minimum number of alphabetic characters required, IBM i does not; this system value specifies whether a digit is required in a new password.
  IBM i check: DSPSYSVAL SYSVAL(QPWDRQDDGT)


Account Security & Compliance: Password Security

AIX: /etc/security/user, histsize
  The number of previous passwords that a user may not reuse.
  AIX check: lssec -f /etc/security/user -s default -a histsize

IBM i: System value QPWDRQDDIF
  Duplicate password control; limits how often a user can repeat the use of a password.
  IBM i check: DSPSYSVAL SYSVAL(QPWDRQDDIF)


Account Security & Compliance: Password and Login Security

AIX: /etc/security/login.cfg, pwd_algorithm
  Defines the loadable password algorithm used when storing user passwords for AIX 5.3 TL-07 and later; ssha256 supports long passwords, up to 255 characters, and allows passphrases using the extended ASCII table and the space character.
  AIX check: lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm

IBM i: System value QPWDLVL
  Specifies the level of password support on the system; at level 2 or 3, the system supports passwords from 1 to 128 characters; passwords can consist of any character, including a blank (space), and the password is case sensitive.
  IBM i check: DSPSYSVAL SYSVAL(QPWDLVL)



Account Security & Compliance: Login Security

AIX: /etc/security/user, loginretries
  The number of failed login attempts a user is allowed before their account is disabled.
  AIX check: lssec -f /etc/security/user -s default -a loginretries

IBM i: System value QMAXSIGN
  Maximum sign-on attempts allowed (before the action set by the QMAXSGNACN system value is performed: disable device, disable profile, or both).
  IBM i check: DSPSYSVAL SYSVAL(QMAXSIGN)
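The AIX attributes on the preceding password and login slides all live in the default stanza of /etc/security/user. The script below is an added example, not part of the SkyView deck: it parses a constructed copy of that file and flags each value against illustrative thresholds (the thresholds and the sample values are assumptions, not figures from the deck or the CIS benchmark); on a live host you would run the deck's lssec commands instead.

```shell
#!/bin/sh
# Added example, not from the SkyView deck: audit the "default:" stanza of an
# AIX /etc/security/user file offline. On a live host the deck's own check is
#   lssec -f /etc/security/user -s default -a <attr>
# which prints "default <attr>=<value>"; this script reads the file directly so
# it can run against a constructed sample. The thresholds are assumptions chosen
# for illustration, not values taken from the deck or the CIS benchmark.

# stanza_attr FILE STANZA ATTR -> value of ATTR in STANZA (empty if unset;
# unlike AIX itself, this does not fall back to the default stanza)
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        /^[^ \t*].*:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }  # "default:"
        cur == stanza && $1 == attr && $2 == "=" { print $3; exit }   # "attr = value"
    ' "$1"
}

# check_min NAME VALUE MIN -> "NAME=VALUE ok" or "NAME=VALUE FAIL (want >= MIN)"
check_min() {
    v=${2:-0}                                  # a missing attribute counts as 0
    [ "$v" -ge "$3" ] && echo "$1=$v ok" || echo "$1=$v FAIL (want >= $3)"
}

# check_range NAME VALUE LO HI -> ok only if LO <= VALUE <= HI
# (0 means "never expires" / "unlimited retries" on AIX, so 0 must fail)
check_range() {
    v=${2:-0}
    if [ "$v" -ge "$3" ] && [ "$v" -le "$4" ]; then echo "$1=$v ok"
    else echo "$1=$v FAIL (want $3..$4)"; fi
}

# audit_user_defaults FILE -> one result line per attribute the deck reviews
audit_user_defaults() {
    f=$1
    check_min   mindiff      "$(stanza_attr "$f" default mindiff)"      3
    check_range maxage       "$(stanza_attr "$f" default maxage)"       1 13   # weeks
    check_min   minlen       "$(stanza_attr "$f" default minlen)"       8
    check_min   minother     "$(stanza_attr "$f" default minother)"     1
    check_min   histsize     "$(stanza_attr "$f" default histsize)"     5
    check_range loginretries "$(stanza_attr "$f" default loginretries)" 1 5
    u=$(stanza_attr "$f" default umask)
    [ "$u" = 077 ] && echo "umask=$u ok" || echo "umask=$u FAIL (want 077)"
}

# fail_count FILE -> number of FAIL lines
fail_count() { audit_user_defaults "$1" | grep -c FAIL; }

# Constructed sample in /etc/security/user stanza format (AIX indents attribute
# lines with a tab; any leading whitespace parses the same here).
SAMPLE=$(mktemp) && trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
* constructed sample, not copied from a real host
default:
        admin = false
        login = true
        mindiff = 4
        maxage = 0
        minlen = 8
        minother = 2
        histsize = 0
        loginretries = 3
        umask = 027
root:
        loginretries = 0
EOF

audit_user_defaults "$SAMPLE"
echo "failures: $(fail_count "$SAMPLE")"
```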


Account Security & Compliance: Login Security

AIX: System account lockdown
  Disables direct login access for the generic system accounts, i.e. daemon, bin, sys, adm, uucp, nobody and lpd.
  AIX check: lsuser -a login rlogin <user> (for the user in question)

IBM i: System account lockdown
  Set the appropriate user profile parameters to prevent application and system user profiles from being used for sign-on.
  IBM i check: WRKUSRPRF USRPRF(user) (check for INLPGM=*NONE and INLMNU=*SIGNOFF; PASSWORD=*NONE prevents use via exit points (FTP, ODBC, etc.))


Resource/Network Security & Compliance: System Services Security

AIX: /etc/inittab, qdaemon
  This is the print scheduling daemon that manages the submission of print jobs to piobe (the print job manager); remove if not required.
  AIX check: lsitab qdaemon (remove: rmitab qdaemon)

IBM i: Writers and Output Queues
  Various parameters for output queues and authority settings for printer/writer management commands can be used to properly secure spool files (printed output).
  IBM i check: Verify various output queue parameters, such as DSPDTA, OPRCTL, AUTCHK, AUT, and *SPLCTL special authority; lock down the STRPRTWTR and WRKWTR commands


Resource/Network Security & Compliance: System Services Security

AIX: /etc/inittab, lpd
  The lpd daemon accepts remote print jobs from other systems; remove if not required.
  AIX check: lsitab lpd (remove: rmitab lpd)

IBM i: Writers and Output Queues
  Various parameters for output queues and authority settings for printer/writer management commands can be used to properly secure spool files (printed output).
  IBM i check: Verify various output queue parameters, such as DSPDTA, OPRCTL, AUTCHK, AUT, and *SPLCTL special authority; lock down the STRPRTWTR and WRKWTR commands


Resource/Network Security & Compliance: System Services Security

AIX: /etc/inittab, piobe
  This daemon is the I/O back end for the printing process, handling the job scheduling and spooling; remove if not required.
  AIX check: lsitab piobe (remove: rmitab piobe)

IBM i: Writers and Output Queues
  Various parameters for output queues and authority settings for printer/writer management commands can be used to properly secure spool files (printed output).
  IBM i check: Verify various output queue parameters, such as DSPDTA, OPRCTL, AUTCHK, AUT, and *SPLCTL special authority; lock down the STRPRTWTR and WRKWTR commands


Resource/Network Security & Compliance: System Services Security

AIX: /etc/rc.tcpip, sendmail
  This entry starts the sendmail daemon on system startup, meaning the system can operate as a mail server; remove if not required.
  AIX check: grep "start /usr/lib/sendmail" /etc/rc.tcpip

IBM i: CFGTCP > Configure TCP/IP Applications > Configure SMTP
  Use to configure SMTP, work with either the system or personal alias table, change the SMTP attributes, and access SNADS-related configuration information.
  IBM i check: The CHGSMTPA (Change SMTP Attributes) command can be used to set the AUTOSTART parameter to *NO if not required


Resource/Network Security & Compliance: System Services Security

AIX: /etc/rc.tcpip, snmpd
  This entry starts the snmpd daemon on system startup, which allows remote monitoring of network and server configuration; remove if not required.
  AIX check: grep 'start /usr/sbin/snmpd' /etc/rc.tcpip

IBM i: CFGTCP > Configure TCP/IP Applications > Configure SNMP Agent
  Use to change the attributes or work with the communities for SNMP, the AUTOSTART setting, authentication, object access, and logging.
  IBM i check: The CFGTCPSNMP (Configure TCP/IP SNMP) command can be used to set the AUTOSTART parameter to *NO if not required


Resource/Network Security & Compliance: System Services Security

AIX: /etc/rc.tcpip, numerous other services
  Several other services to verify in rc.tcpip include those that affect DHCP, IPv6, routing functions, and DNS.
  AIX check: Various within /etc/rc.tcpip

IBM i: CFGTCP > Configure TCP/IP Applications
  Use to configure TCP interfaces, routes, attributes, port restrictions, host table entries, and TCP/IP applications (as previously mentioned).
  IBM i check: Various within the CFGTCP menu


Resource/Network Security & Compliance: System Services Security

AIX: /etc/inetd.conf, telnet
  This entry starts the telnetd daemon, which provides a protocol for command line access from a remote machine; remove if not required.
  AIX check: grep "telnet" /etc/inetd.conf

IBM i: CFGTCP > Configure TCP/IP Applications > Configure TELNET
  While AIX compliance requires secure access without the use of TELNET, IBM i systems still use the secure implementation of it for session connection.
  IBM i check: For the best security and compliance in most instances (PCI DSS, for example), IBM i TELNET should be implemented using SSL (default port 992)


Resource/Network Security & Compliance: System Services Security

AIX: /etc/inetd.conf, exec
  This entry starts the rexecd daemon, which executes a command from a remote system once the connection has been authenticated; remove if not required.
  AIX check: grep "rexecd" /etc/inetd.conf

IBM i: CFGTCP > Configure TCP/IP Applications > Change REXEC attributes
  Like AIX, IBM i Remote Execution requires authentication, but it also checks whether a user has command line access (LMTCPB); blocked if set to *YES.
  IBM i check: The CHGRXCA (Change REXEC Attributes) command can be used to set the AUTOSTART parameter to *NO if not required


Resource/Network Security & Compliance: System Services Security

AIX: /etc/inetd.conf, ftp
  This entry starts the ftpd daemon, which is used for transferring files from/to a remote machine; remove if not required.
  AIX check: grep "^#ftp" /etc/inetd.conf (a match confirms the ftp entry is commented out)

IBM i: CFGTCP > Configure TCP/IP Applications > Change FTP attributes
  Like AIX, IBM i FTP requires a valid ID and password. Embedded remote commands are subject to the command line access profile parameter (LMTCPB); blocked if set to *YES.
  IBM i check: The CHGFTPA (Change FTP Attributes) command can be used to set the AUTOSTART parameter to *NO if not required


Resource/Network Security & Compliance: System Services Security

AIX: /etc/inetd.conf, numerous other services
  Several other services to verify in inetd.conf include shell, uucp (file copy), imap, talk, ntalk, and fingerd.
  AIX check: Various within /etc/inetd.conf

IBM i: CFGTCP, where applicable
  Most of the services within AIX's inetd.conf file do not have an equivalent service or process on the IBM i, due to the nature of how IBM i emerged within the networked environment; recall that the AS/400 was built as a closed dumb-terminal environment, whereas UNIX is often considered the catalyst to system internetworking.
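As an added example (not the deck's own code), the following script applies the inittab, rc.tcpip and inetd.conf review from the preceding System Services slides to constructed copies of those files and lists which of the entries named on those slides are still enabled. The daemon names named, dhcpsd, routed and gated are assumed stand-ins for the DHCP, routing and DNS services the rc.tcpip slide mentions.

```shell
#!/bin/sh
# Added example, not from the SkyView deck: list which of the start-up entries
# the deck says to review are still enabled, reading offline copies of the three
# AIX files. On a live host the deck's own checks are "lsitab <id>",
# "grep ... /etc/rc.tcpip" and "grep ... /etc/inetd.conf"; the files below are
# constructed samples, and the rc.tcpip daemon names other than sendmail and
# snmpd are assumed examples of the DHCP/routing/DNS services the deck mentions.

# active_inetd FILE -> service names (field 1) of uncommented inetd.conf lines
active_inetd() {
    awk '$0 !~ /^[ \t]*(#|$)/ { print $1 }' "$1"
}

# active_rctcpip FILE -> basenames of daemons on uncommented "start" lines
active_rctcpip() {
    awk '$1 == "start" { n = $2; sub(/.*\//, "", n); print n }' "$1"
}

# itab_present FILE ID -> true if an inittab entry with identifier ID exists
# (rmitab deletes the line outright, so presence alone means "enabled")
itab_present() {
    awk -F: -v id="$2" '$1 == id { f = 1 } END { exit !f }' "$1"
}

# review_services INETD RCTCPIP INITTAB -> "REVIEW <file> <service>" per finding
review_services() {
    for s in telnet exec ftp shell uucp imap talk ntalk finger; do
        active_inetd "$1" | grep -qx "$s" && echo "REVIEW inetd.conf $s"
    done
    for d in sendmail snmpd named dhcpsd routed gated; do
        active_rctcpip "$2" | grep -qx "$d" && echo "REVIEW rc.tcpip $d"
    done
    for id in qdaemon lpd piobe; do
        itab_present "$3" "$id" && echo "REVIEW inittab $id"
    done
    return 0
}

# Constructed samples (not copied from any real host).
INETD=$(mktemp); RCTCPIP=$(mktemp); INITTAB=$(mktemp)
trap 'rm -f "$INETD" "$RCTCPIP" "$INITTAB"' EXIT
cat > "$INETD" <<'EOF'
# service socket protocol wait user server args
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
#exec   stream  tcp6    nowait  root    /usr/sbin/rexecd    rexecd
#finger stream  tcp     nowait  nobody  /usr/sbin/fingerd   fingerd
ntalk   dgram   udp     wait    root    /usr/sbin/talkd     talkd
EOF
cat > "$RCTCPIP" <<'EOF'
start /usr/sbin/inetd "$src_running"
start /usr/lib/sendmail "$src_running" "-bd -q${qpi}"
#start /usr/sbin/snmpd "$src_running"
start /usr/sbin/named "$src_running"
EOF
cat > "$INITTAB" <<'EOF'
init:2:initdefault:
qdaemon:2:wait:/usr/bin/startsrc -sqdaemon
piobe:2:wait:/usr/lib/lpd/pio/etc/pioinit >/dev/null 2>&1
EOF

review_services "$INETD" "$RCTCPIP" "$INITTAB"
```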


Resource/Network Security & Compliance: TCP/IP Tuning (Hardening)

AIX: /etc/tunables/nextboot directory, numerous other settings
  CIS focuses on the hardening of standard TCP/IP tuning parameters, which is particularly important for the security of the system since the risk of SYN, source routing and smurf attacks can all be significantly reduced or eliminated.
  AIX check: Various within /etc/tunables/nextboot

IBM i: CFGTCP, where applicable
  As before, many of the settings within AIX's /etc/tunables/nextboot directory do not have a direct equivalent service, process, or setting on the IBM i.


Resource/Network Security & Compliance: Miscellaneous Security Recommendations

AIX: /etc/security/user, default umask
  The default umask is set to 027, meaning default file creation permissions give RW access to the user, R access to the group and no access to other. Better: 077, so only the user has RW access to the files/directories they create; group/world access must be explicitly defined.
  AIX check: lssec -f /etc/security/user -s default -a umask

IBM i: System value QCRTAUT
  Create authority; specifies the default public authority when objects are created. When the *LIBCRTAUT value of the AUT keyword is used, the CRTAUT value of the library where the object is being created determines public authority; thus, if the library CRTAUT value is set to *SYSVAL, the system value is used.
  IBM i check: DSPSYSVAL SYSVAL(QCRTAUT)


Resource/Network Security & Compliance: Miscellaneous Security Recommendations

AIX: /audit, Auditing
  AIX auditing captures pertinent system and security related information, such as failed login attempts, cron usage, etc. Auditing should be enabled as part of a group of measures designed to provide enhanced logging of system and security changes.
  AIX check: Several steps, including verification of the audit filesystem, the configuration in /etc/security/audit/config, the existence of audit classes, and automatic startup.

IBM i: System values QAUDCTL and QAUDLVL
  QAUDCTL is the on/off switch (*NONE = OFF) and QAUDLVL contains the details of what is audited on the IBM i when the switch is on.
  IBM i check: WRKSYSVAL QAUD*; display the settings


Resource/Network Security & Compliance: Miscellaneous Security Recommendations

AIX: Various settings
  CIS details some generic changes within the benchmark that can be made during the implementation of a customized AIXpert XML file; AIXpert is IBM's security hardening utility.
  AIX check: Various

IBM i: Various settings
  As before, many of the other settings for best practice AIX security do not have a direct equivalent setting on the IBM i.

Examples include environment variables and scheduler access.


Resource/Network Security & Compliance: System Logging

AIX: /etc/syslog.conf, syslog
  By default the information sent to syslogd is not logged, and important and pertinent information, such as failed switch-user and login attempts, is not recorded.
  AIX check: ls -l /var/adm/authlog /var/adm/syslog (see if the files exist)

IBM i: System values and QAUDJRN
  Appropriate QAUDLVL settings, enabled when QAUDCTL is not *NONE, will write audit/security event data to the QAUDJRN journal receiver files.
  IBM i check: WRKJRNA QAUDJRN and WRKSYSVAL QAUD*


Resource/Network Security & Compliance: System Access Security

AIX: TCP Wrappers
  CIS recommends using TCP Wrappers if there are active inetd-controlled services on the system. TCP Wrappers is a freely available IP packet filtering facility that provides greater and more specific control over local network services and the hosts that are allowed to access them. It also makes use of the standard syslog facility to track local network use.
  AIX check: lslpp -L | grep "netsec.options" (see if the software is installed)

IBM i: IP Policies and/or Exit Programs
  Packet rules is a feature available from the i Navigator interface that allows you to configure two core network security technologies, NAT (Network Address Translation) and IP packet filtering, in order to control the flow of TCP/IP traffic to protect your system.
  Exit programs can facilitate IP controls for the most commonly used remote access servers.
  IBM i check: Open IP Policies under Network in i Navigator and verify/review Packet Rules

Resource/Network Security & Compliance: File Access

AIX: SUID & SGID
  CIS recommends the removal of suid and sgid bits on key system files and daemons in order to improve upon standard AIX security. File Permissions Manager (FPM) is available and has been back-ported to AIX 5.3 TL-09 and above. Prior levels require the use of the find and chmod commands.
  AIX check: fpm -l high -p (the -p flag selects preview mode, which allows viewing of the proposed changes without applying them)

IBM i: Adopted Authority & Profile Swaps
  Programs can be compiled to adopt the object owner's authority in order to provide temporarily elevated access when the user of the program is not authorized.
  Profile swapping permits a requesting user profile to run a job as a different user profile based upon all of the swapped user's security attributes, including LMTCPB and SPCAUT.
  IBM i check: PRTADPOBJ USRPRF(*ALL) and DSPAUDJRNE ENTTYP(PS)


Resource/Network Security & Compliance: File Access

AIX: Un-owned & World-Writable Files
  CIS recommends checking for the presence of world-writable files and directories, which present a compliance risk if not remediated using the chmod command.
  AIX check:
    find / -type f -perm -o+w -exec ls -l {} \;
    find / -type d -perm -o+w -exec ls -ld {} \;

IBM i: Object Ownership & *PUBLIC Authority
  On IBM i, object ownership control is important since any group member of a profile that owns objects has *ALL authority to them. Ensuring the appropriate *PUBLIC authority setting of critical objects (programs and files) is the most basic way to properly control access; *ALL and *CHANGE should be avoided.
  IBM i check: PRTPUBAUT OBJTYPE(XXX) LIB(YYY) (also shows the object owner)


Q&A


For More Information

- The Center for Internet Security (CIS)
  http://www.cisecurity.org
  http://cisecurity.org/en-us/?route=downloads.benchmarks
- IBM i and i5/OS Security & Compliance: A Practical Guide by Carol Woodbury, 29th Street Press, 2009, ISBN: 978-1-58304-124-6
- SkyView Partners, Inc.
  http://www.skyviewpartners.com
