Security and Compliance Automation

Morten Vågmo

IBM Power Systems Consulting IT Specialist

[email protected]

© 2015 IBM Corporation


© 2017 IBM


Agenda

• PowerSC overview
• PowerSC security profiles
• Testing
• AIX Security and Compliance Automation


Client Benefits

Simplifies management by automating security and compliance configuration, auditing and monitoring; all systems are configured securely and consistently, which simplifies compliance audits.

Tamperproof logs are centrally stored on the VIOS, which simplifies log backup management and eliminates the need for log-scraping agents running on the OS.

Automatically detects any AIX system which boots, resumes or moves by live mobility into the virtual environment, and ensures it is at the prescribed install and security patch level.

A central remote console can attest to the security and trust of the boot image, OS and all running applications, even if a malicious root is running on the system.

Improves performance by providing network firewall services within the server, not requiring an external firewall for VM-to-VM traffic on the same CEC.

Monitors a default list of files from the high-level security settings for changes.

Technology

• Compliance Automation managed with Director or a single AIX/VIOS command.
• Trusted Logging captures and protects logging in real time in the virtualization layer.
• Trusted Network Connect and Patch Management centrally manages installs, updates and patching.
• Trusted Boot provides industry-leading virtual Trusted Platform Module technology.
• Trusted Firewall ensures that every virtual machine has appropriate network isolation with the best possible performance.
• Real Time Compliance

PowerSC provides a security and compliance solution to protect data centers virtualized with PowerVM, enabling higher quality services.


PowerSC Security and Compliance Automation

• Install server
• Install client on every endpoint
• Exchange certificates (see manual)
• Test and customize client
  – Profiles in /etc/security/aixpert/custom
• Copy tested profile to server
• GUI at https://server-IP/webclient/index.html#!/login
• Deploy profile to endpoints
• Check compliance
• Redeploy if endpoint is out of compliance


Testing DataBase_Custom.xml

>: pscxpert -f /etc/security/aixpert/custom/DataBase_Custom.xml
3004-687 User "so" does not exist.
******************************************************************************************************************
RBAC Enablement Rule:
This Rule requires you to make sure rbac users isso,so and sa are created on the system with appropriate roles
To create these RBAC users please run the script /etc/security/pscexpert/bin/RbacEnablement
*****************************************************************************************************************
********************************************************************************
IPSec can be used to encrypt and secure the network traffic. AIX supports IPSec feature which can be used for this purpose.
********************************************************************************
********************************************************************************
The Operating System should be patched regularly to minimise exposure to security vulnerabilities. Consider using PowerSC Trusted Network Connect and Patch Management to keep the systems updated.
********************************************************************************
Processedrules=83 Passedrules=83 PrereqFailedrules=0 Failedrules=0 Level=DB_Custom
Input file=/etc/security/aixpert/custom/DataBase_Custom.xml


pscxpert -c -p

To check the security settings that have been applied to the system, and to log the rules that failed into the audit subsystem, use the following command: aixpert -c -p

Processing db_removeguest_D41691A9 :done.
Processing db_sedconfig_D41691A9 :done.
Processing db_rootpwdintchk_D41691A9 :done.
Processing db_autologoff_D41691A9 :done.
Processing db_tcptr_D41691A9 :done.
Processing db_SecureLPM_D41691A9 :done.
Processing db_ipsecpermit_D41691A9 :done.
Processing db_sysintegrity_D41691A9 :done.
Processing db_enableRbac_D41691A9 : failed.
Processing db_encryptNt_traffic_D41691A9
********************************************************************************
IPSec can be used to encrypt and secure the network traffic. AIX supports IPSec feature which can be used for this purpose.
********************************************************************************
:done.
Processing db_SecurityPatches_D41691A9
********************************************************************************
The Operating System should be patched regularly to minimise exposure to security vulnerabilities. Consider using PowerSC Trusted Network Connect and Patch Management to keep the systems updated.
********************************************************************************
:done.
Processedrules=83 Passedrules=82 Failedrules=1 Level=DB
Input file=/etc/security/aixpert/core/appliedaixpert.xml


• vi /etc/security/aixpert/check_report.txt
  – Scan for «FAIL»
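The testing and checking steps above end with a summary line (Processedrules=... Failedrules=...) and a list of rules marked ": failed.". As an added example that is not part of the deck, the POSIX shell functions below turn that output into an exit status a cron job or monitoring agent can act on; the function names are my own and the sample output is constructed from lines shown on the slides.

```shell
#!/bin/sh
# Added example, not from the deck: turn pscxpert/aixpert output into an
# exit status a cron job or monitoring agent can act on. Function names are
# my own; the sample output below is constructed from lines on the slides.

SAMPLE_OUTPUT='3004-687 User "so" does not exist.
Processing db_ipsecpermit_D41691A9 :done.
Processing db_enableRbac_D41691A9 : failed.
Processing db_SecurityPatches_D41691A9
:done.
Processedrules=83 Passedrules=82 Failedrules=1 Level=DB
Input file=/etc/security/aixpert/core/appliedaixpert.xml'

# Print one counter (Processedrules, Failedrules, ...) from the summary line;
# prints 0 when the counter is absent, as PrereqFailedrules is for -c runs.
psc_counter() {
    awk -v key="$1" '
        /Processedrules=/ {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) { print kv[2]; found = 1 }
            }
        }
        END { if (!found) print 0 }'
}

# Print the names of the rules pscxpert reported as ": failed."
psc_failed_rules() {
    sed -n 's/^Processing \([^ ]*\) *: *failed\.$/\1/p'
}

# Exit status: 0 compliant, 1 a rule failed, 2 a prerequisite failed,
# 3 no summary line at all (an unparsable run is treated as non-compliant,
# never as a pass).
psc_verdict() {
    out="$1"
    processed=$(printf '%s\n' "$out" | psc_counter Processedrules)
    [ "$processed" -gt 0 ] || return 3
    [ "$(printf '%s\n' "$out" | psc_counter Failedrules)" -eq 0 ] || return 1
    [ "$(printf '%s\n' "$out" | psc_counter PrereqFailedrules)" -eq 0 ] || return 2
    return 0
}

rc=0
psc_verdict "$SAMPLE_OUTPUT" || rc=$?
echo "verdict=$rc"
printf '%s\n' "$SAMPLE_OUTPUT" | psc_failed_rules
```

On a real endpoint, feed it the output of pscxpert -c -p instead of the constructed sample.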


Checking with PowerSC GUI


Rerun after Rbac script


Disable Rbac


Notifications

• Manage your My Notifications subscriptions, or send questions and comments.
  – Subscribe or Unsubscribe: https://www.ibm.com/support/mynotifications
  – Feedback: https://www-01.ibm.com/support/feedback/techFeedbackCardContentMyNotifications.html
  – Follow us on Twitter: https://twitter.com/IBMAIXeSupp


GUI status


Undo a profile


Section of PCI.xml

    <AIXPertArgs>/etc/security/login.cfg loginreenable=30 default pci_loginreenable</AIXPertArgs>
    <AIXPertGroup>Login policy recommendations</AIXPertGroup>
  </AIXPertEntry>
  <AIXPertEntry name="pci_rootrlogin" function="rootrlogin">
    <AIXPertRuleType type="PLS" />
    <AIXPertDescription>Implements PCI Section 12.3.9, Remote root login: Disables remote root login.Activation on need basis by system admin followed by deactivation</AIXPertDescription>
    <AIXPertPrereqList>bos.rte.security,bos.rte.date,bos.rte.commands,bos.rte.ILS,bos.rte.shell</AIXPertPrereqList>
    <AIXPertCommand>/etc/security/aixpert/bin/chuserstanza</AIXPertCommand>
    <AIXPertArgs>/etc/security/user rlogin=false root pci_rootrlogin</AIXPertArgs>
    <AIXPertGroup>Login policy recommendations</AIXPertGroup>
  </AIXPertEntry>
  <AIXPertEntry name="pci_rootlogin" function="rootlogin">
    <AIXPertRuleType type="PLS" />
    <AIXPertDescription>Local login: Enables root to login locally</AIXPertDescription>
    <AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>


Testing PCIv3_Custom CLI

>: pscxpert -f PCIv3_Custom.xml
3004-687 User "so" does not exist.
******************************************************************************************************************
RBAC Enablement Rule:
This Rule requires you to make sure rbac users isso,so and sa are created on the system with appropriate roles
To create these RBAC users please run the script /etc/security/pscexpert/bin/RbacEnablement
*****************************************************************************************************************
do_action(): rule(pciv3_sshstart): warning.
do_action(): Warning: Prereq failed for openssl.license
Processedrules=105 Passedrules=101 PrereqFailedrules=1 Failedrules=3 Level=PCIv3_Custom
Input file=PCIv3_Custom.xml
vega-ROOT[127]/etc/security/aixpert/custom


Checking PCIv3_Custom


Removed ipsec

• Removed ipsec from client profile
• Reran the profile from GUI
• (client profile copied to server when good)
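The PCI.xml section earlier shows the AIXPertEntry layout, and the step above removes one rule from a custom profile before it is copied to the server. As an added example that is not from the deck or from IBM, the shell functions below list what a profile will run, find the rules that touch a given config file, and drop one entry by name. They assume the one-element-per-line layout of the PCI.xml fragment and a root element named AIXPertSecurityHardening (an assumption); the demo_ipsecpermit entry and all function names are constructed.

```shell
#!/bin/sh
# Added example, not from the deck: review and trim an aixpert/pscxpert profile
# before copying it to the server. Assumes the one-element-per-line layout of
# the PCI.xml fragment on the slides; the demo_ipsecpermit entry is constructed.

SAMPLE_PROFILE='<AIXPertSecurityHardening>
<AIXPertEntry name="pci_rootrlogin" function="rootrlogin">
<AIXPertRuleType type="PLS" />
<AIXPertDescription>Remote root login: Disables remote root login.</AIXPertDescription>
<AIXPertPrereqList>bos.rte.security,bos.rte.shell</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chuserstanza</AIXPertCommand>
<AIXPertArgs>/etc/security/user rlogin=false root pci_rootrlogin</AIXPertArgs>
<AIXPertGroup>Login policy recommendations</AIXPertGroup>
</AIXPertEntry>
<AIXPertEntry name="demo_ipsecpermit" function="ipsecpermit">
<AIXPertRuleType type="PLS" />
<AIXPertDescription>Constructed stand-in for the IPsec rule removed in the deck</AIXPertDescription>
<AIXPertCommand>/etc/security/aixpert/bin/demo_ipsec</AIXPertCommand>
<AIXPertArgs>demo_ipsecpermit</AIXPertArgs>
</AIXPertEntry>
</AIXPertSecurityHardening>'

# One line per rule, name<TAB>command<TAB>args: a reviewer sees exactly which
# commands the profile will run and which config files they touch.
psc_list_rules() {
    awk '
        /<AIXPertEntry / { match($0, /name="[^"]*"/); name = substr($0, RSTART + 6, RLENGTH - 7) }
        /<AIXPertCommand>/ { cmd = $0; sub(/.*<AIXPertCommand>/, "", cmd); sub(/<\/AIXPertCommand>.*/, "", cmd) }
        /<AIXPertArgs>/ { args = $0; sub(/.*<AIXPertArgs>/, "", args); sub(/<\/AIXPertArgs>.*/, "", args) }
        /<\/AIXPertEntry>/ { printf "%s\t%s\t%s\n", name, cmd, args; name = cmd = args = "" }'
}

# Names of rules whose first argument is the given file, e.g. /etc/security/user.
psc_rules_touching() {
    psc_list_rules | awk -F '\t' -v f="$1" '{ split($3, a, " "); if (a[1] == f) print $1 }'
}

# Drop one AIXPertEntry by name. Exit 1 when the name is absent so that a typo
# cannot silently leave the rule in the profile that gets deployed.
psc_remove_rule() {
    awk -v name="$1" '
        index($0, "<AIXPertEntry name=\"" name "\"") { skip = 1; removed = 1 }
        !skip { print }
        /<\/AIXPertEntry>/ { skip = 0 }
        END { exit removed ? 0 : 1 }'
}

printf '%s\n' "$SAMPLE_PROFILE" | psc_list_rules
trimmed=$(printf '%s\n' "$SAMPLE_PROFILE" | psc_remove_rule demo_ipsecpermit) \
    || echo "rule not found in profile"
printf '%s\n' "$trimmed" | psc_rules_touching /etc/security/user
```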


2 left


PowerSC Security and Compliance Automation


Security profiles


AIX security levels


Applying the DataBase profile


Security groups


DataBase_custom applied


PowerSC 1.1.5 documentation

https://www.ibm.com/support/knowledgecenter/SSTQK9_1.1.5/com.ibm.powersc.se/kc_welcome_se.htm

Don't be upset (like me) because parts of the documentation refer to IBM Systems Director and not the new GUI.


Learn more about PowerSC on the Web

http://www-03.ibm.com/systems/power/software/security/


• Custom profiles and custom groups that are created by the user are stored under the directory /opt/powersc/uiServer/knowledge/site/powerscui
• You should ensure that the /opt/powersc/uiServer/knowledge/site/powerscui/ directory is backed up.


Creating security certificates


Running the certificate scripts, 1

System administrators must run the provided scripts to create security certificates and certificate stores for the PowerSC GUI server and for each endpoint.

You use the provided scripts to create both truststores and keystores for the PowerSC GUI server and endpoints.

The endpoint truststore enables the endpoints to verify the credentials of the PowerSC GUI server. Depending on the script you choose, the endpoint truststore contains either a certificate from a well-known certificate authority, or a self-signed security certificate that references the PowerSC GUI server. You use the same truststore for all endpoints, but the keystores are endpoint-specific.

1. On the PowerSC GUI server, change directory to /opt/powersc/uiServer/bin/.

2. Choose one of the following scripts to create the endpoint truststore, the GUI server truststore, and the GUI server keystore:
   - If you already have a certificate .pem file from a well-known certificate authority, run the import_well_known_certificate_uiServer.sh script to import that certificate:
     ./import_well_known_certificate_uiServer.sh wellknowncert.pem
   - If you do not already have a certificate .pem file from a well-known certificate authority, run the generate_server_keystore_uiServer.sh script to create a self-signed certificate:
     ./generate_server_keystore_uiServer.sh fully-qualified-UI-server-hostname

3. Generate a certificate (opt/powersc/uiServer/psc_signing_cert.pem) that is used to sign messages and store it in the /etc/security/powersc/uiServer/signingKeystore.jks keystore.
   ./generate_signing_keystore_uiServer.sh


Running the certificate scripts, 2

4. Generate the endpoint keystore in the /etc/security/powersc/uiServer/fully-qualified-hostname/endpointKeystore.jks file. You must provide the fully qualified host name for the endpoint. The common name (CN) of the created certificate uses the fully qualified host name to identify the endpoint. This script uses the location of the signing keystore that is created by the generate_signing_keystore_uiServer.sh script.
   ./generate_endpoint_keystore_uiServer.sh fully-qualified-endpoint-hostname

5. Copy the /etc/security/powersc/uiServer/fully-qualified-hostname/endpointKeystore.jks file to the /etc/security/powersc/uiAgent/endpointKeystore.jks file on the endpoint you specified by running the following scp command:
   # scp endpointKeystore.jks user@endpoint-host-name:/etc/security/powersc/uiAgent

6. Copy the endpoint truststore /etc/security/powersc/uiServer/endpointTruststore.jks file to the /etc/security/powersc/uiAgent/endpointTruststore.jks file on each endpoint by running the following scp command:
   # scp endpointTruststore.jks user@endpoint-host-name:/etc/security/powersc/uiAgent

7. Repeat steps 4 on page 140, 5 and 6 for each endpoint.

8. If you add more endpoints, complete steps 4 on page 140, 5, and 6 for each additional endpoint.

IBM PowerSC Standard Edition Version 1.1.5: PowerSC Standard Edition, page 140
