Soumettre la recherche
Mettre en ligne
AIXpert - AIX Security expert
•
Télécharger en tant que PPT, PDF
•
3 j'aime
•
5,312 vues
D
dlfrench
Suivre
Technologie
Signaler
Partager
Signaler
Partager
1 sur 62
Télécharger maintenant
Recommandé
MySQL Group Replication - Ready For Production? (2018-04)
MySQL Group Replication - Ready For Production? (2018-04)
Kenny Gryp
Virtualization Architecture & KVM
Virtualization Architecture & KVM
Pradeep Kumar
Ansible 101
Ansible 101
Gena Mykhailiuta
Maria db 이중화구성_고민하기
Maria db 이중화구성_고민하기
NeoClova
LISA2019 Linux Systems Performance
LISA2019 Linux Systems Performance
Brendan Gregg
Everything You Need to Know About MySQL Group Replication
Everything You Need to Know About MySQL Group Replication
Nuno Carvalho
Performance Tuning EC2 Instances
Performance Tuning EC2 Instances
Brendan Gregg
ODA Backup Restore Utility & ODA Rescue Live Disk
ODA Backup Restore Utility & ODA Rescue Live Disk
Ruggero Citton
Recommandé
MySQL Group Replication - Ready For Production? (2018-04)
MySQL Group Replication - Ready For Production? (2018-04)
Kenny Gryp
Virtualization Architecture & KVM
Virtualization Architecture & KVM
Pradeep Kumar
Ansible 101
Ansible 101
Gena Mykhailiuta
Maria db 이중화구성_고민하기
Maria db 이중화구성_고민하기
NeoClova
LISA2019 Linux Systems Performance
LISA2019 Linux Systems Performance
Brendan Gregg
Everything You Need to Know About MySQL Group Replication
Everything You Need to Know About MySQL Group Replication
Nuno Carvalho
Performance Tuning EC2 Instances
Performance Tuning EC2 Instances
Brendan Gregg
ODA Backup Restore Utility & ODA Rescue Live Disk
ODA Backup Restore Utility & ODA Rescue Live Disk
Ruggero Citton
Deep Dive: a technical insider's view of NetBackup 8.1 and NetBackup Appliances
Deep Dive: a technical insider's view of NetBackup 8.1 and NetBackup Appliances
Veritas Technologies LLC
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Etsuji Nakai
Migration to Oracle Multitenant
Migration to Oracle Multitenant
Jitendra Singh
제3회난공불락 오픈소스 인프라세미나 - Pacemaker
제3회난공불락 오픈소스 인프라세미나 - Pacemaker
Tommy Lee
Oracle Client Failover - Under The Hood
Oracle Client Failover - Under The Hood
Ludovico Caldara
Oracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret Internals
Anil Nair
[OpenStack Days Korea 2016] Track1 - 카카오는 오픈스택 기반으로 어떻게 5000VM을 운영하고 있을까?
[OpenStack Days Korea 2016] Track1 - 카카오는 오픈스택 기반으로 어떻게 5000VM을 운영하고 있을까?
OpenStack Korea Community
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
NHN FORWARD
MySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB Status
Karwin Software Solutions LLC
Exadata master series_asm_2020
Exadata master series_asm_2020
Anil Nair
Ceph and RocksDB
Ceph and RocksDB
Sage Weil
Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLON
Markus Michalewicz
SteelEye 표준 제안서
SteelEye 표준 제안서
Yong-uk Choe
Oracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RAC
Markus Michalewicz
MySQL Group Replication
MySQL Group Replication
Ulf Wendel
Best practices for MySQL/MariaDB Server/Percona Server High Availability
Best practices for MySQL/MariaDB Server/Percona Server High Availability
Colin Charles
Backup using rsync
Backup using rsync
Gaurav Mishra
Automate DBA Tasks With Ansible
Automate DBA Tasks With Ansible
Ivica Arsov
DB Monitoring 개념 및 활용 (박명규)
DB Monitoring 개념 및 활용 (박명규)
WhaTap Labs
VMware vSphere 6.0 - Troubleshooting Training - Day 1
VMware vSphere 6.0 - Troubleshooting Training - Day 1
Sanjeev Kumar
Aix student guide system administrations part 2 problem determination
Aix student guide system administrations part 2 problem determination
Yogesh Sharma
Aix overview
Aix overview
Raja Waseem Akhtar
Contenu connexe
Tendances
Deep Dive: a technical insider's view of NetBackup 8.1 and NetBackup Appliances
Deep Dive: a technical insider's view of NetBackup 8.1 and NetBackup Appliances
Veritas Technologies LLC
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Etsuji Nakai
Migration to Oracle Multitenant
Migration to Oracle Multitenant
Jitendra Singh
제3회난공불락 오픈소스 인프라세미나 - Pacemaker
제3회난공불락 오픈소스 인프라세미나 - Pacemaker
Tommy Lee
Oracle Client Failover - Under The Hood
Oracle Client Failover - Under The Hood
Ludovico Caldara
Oracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret Internals
Anil Nair
[OpenStack Days Korea 2016] Track1 - 카카오는 오픈스택 기반으로 어떻게 5000VM을 운영하고 있을까?
[OpenStack Days Korea 2016] Track1 - 카카오는 오픈스택 기반으로 어떻게 5000VM을 운영하고 있을까?
OpenStack Korea Community
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
NHN FORWARD
MySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB Status
Karwin Software Solutions LLC
Exadata master series_asm_2020
Exadata master series_asm_2020
Anil Nair
Ceph and RocksDB
Ceph and RocksDB
Sage Weil
Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLON
Markus Michalewicz
SteelEye 표준 제안서
SteelEye 표준 제안서
Yong-uk Choe
Oracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RAC
Markus Michalewicz
MySQL Group Replication
MySQL Group Replication
Ulf Wendel
Best practices for MySQL/MariaDB Server/Percona Server High Availability
Best practices for MySQL/MariaDB Server/Percona Server High Availability
Colin Charles
Backup using rsync
Backup using rsync
Gaurav Mishra
Automate DBA Tasks With Ansible
Automate DBA Tasks With Ansible
Ivica Arsov
DB Monitoring 개념 및 활용 (박명규)
DB Monitoring 개념 및 활용 (박명규)
WhaTap Labs
VMware vSphere 6.0 - Troubleshooting Training - Day 1
VMware vSphere 6.0 - Troubleshooting Training - Day 1
Sanjeev Kumar
Tendances
(20)
Deep Dive: a technical insider's view of NetBackup 8.1 and NetBackup Appliances
Deep Dive: a technical insider's view of NetBackup 8.1 and NetBackup Appliances
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Migration to Oracle Multitenant
Migration to Oracle Multitenant
제3회난공불락 오픈소스 인프라세미나 - Pacemaker
제3회난공불락 오픈소스 인프라세미나 - Pacemaker
Oracle Client Failover - Under The Hood
Oracle Client Failover - Under The Hood
Oracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret Internals
[OpenStack Days Korea 2016] Track1 - 카카오는 오픈스택 기반으로 어떻게 5000VM을 운영하고 있을까?
[OpenStack Days Korea 2016] Track1 - 카카오는 오픈스택 기반으로 어떻게 5000VM을 운영하고 있을까?
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
MySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB Status
Exadata master series_asm_2020
Exadata master series_asm_2020
Ceph and RocksDB
Ceph and RocksDB
Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLON
SteelEye 표준 제안서
SteelEye 표준 제안서
Oracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RAC
MySQL Group Replication
MySQL Group Replication
Best practices for MySQL/MariaDB Server/Percona Server High Availability
Best practices for MySQL/MariaDB Server/Percona Server High Availability
Backup using rsync
Backup using rsync
Automate DBA Tasks With Ansible
Automate DBA Tasks With Ansible
DB Monitoring 개념 및 활용 (박명규)
DB Monitoring 개념 및 활용 (박명규)
VMware vSphere 6.0 - Troubleshooting Training - Day 1
VMware vSphere 6.0 - Troubleshooting Training - Day 1
En vedette
Aix student guide system administrations part 2 problem determination
Aix student guide system administrations part 2 problem determination
Yogesh Sharma
Aix overview
Aix overview
Raja Waseem Akhtar
Aix install via nim
Aix install via nim
muhammad adeel
Informatica servicios utmach individual
Informatica servicios utmach individual
Katiuska Avila
PONTE EN FORMA
PONTE EN FORMA
ponteenforma
Manejo de materiales
Manejo de materiales
VANESSA MORENO
Semana Gastronómica Benissa (del 1 al 10 de marzo)
Semana Gastronómica Benissa (del 1 al 10 de marzo)
Ayuntamiento Benissa
Enano newsletter issue22
Enano newsletter issue22
Phantoms Foundation
PoolParty SKOS and Linked Data
PoolParty SKOS and Linked Data
Andreas Blumauer
Een Joomla-webshop bouwen zonder webshop-extensie, met formulieren
Een Joomla-webshop bouwen zonder webshop-extensie, met formulieren
Anja de Crom
SMS CLOUD
SMS CLOUD
NUBECORP
HRSeminar F&O Ulrich Penzkofer NRB
HRSeminar F&O Ulrich Penzkofer NRB
HRmagazine
Pengolahan air-limbah-domestik-dengan-metode-biology-irigation-memanfaatkan-e...
Pengolahan air-limbah-domestik-dengan-metode-biology-irigation-memanfaatkan-e...
Andien Ingin Sukses
JMCC
JMCC
海增 李
Intro al tema Instalaciones Digitales 2.0
Intro al tema Instalaciones Digitales 2.0
Daniel I. Krichman
Baseh rt 1 rw 1
Baseh rt 1 rw 1
Mola Key's
Ppt folleto
Ppt folleto
Evelyn Sepulveda
Hulu vs google
Hulu vs google
Carmen RSandianes-G
La influencia de los modelos de política de familia en las desigualdades de g...
La influencia de los modelos de política de familia en las desigualdades de g...
Agència de Salut Pública de Barcelona - ASPB
Influence of time and length size feature selections for human activity seque...
Influence of time and length size feature selections for human activity seque...
ISA Interchange
En vedette
(20)
Aix student guide system administrations part 2 problem determination
Aix student guide system administrations part 2 problem determination
Aix overview
Aix overview
Aix install via nim
Aix install via nim
Informatica servicios utmach individual
Informatica servicios utmach individual
PONTE EN FORMA
PONTE EN FORMA
Manejo de materiales
Manejo de materiales
Semana Gastronómica Benissa (del 1 al 10 de marzo)
Semana Gastronómica Benissa (del 1 al 10 de marzo)
Enano newsletter issue22
Enano newsletter issue22
PoolParty SKOS and Linked Data
PoolParty SKOS and Linked Data
Een Joomla-webshop bouwen zonder webshop-extensie, met formulieren
Een Joomla-webshop bouwen zonder webshop-extensie, met formulieren
SMS CLOUD
SMS CLOUD
HRSeminar F&O Ulrich Penzkofer NRB
HRSeminar F&O Ulrich Penzkofer NRB
Pengolahan air-limbah-domestik-dengan-metode-biology-irigation-memanfaatkan-e...
Pengolahan air-limbah-domestik-dengan-metode-biology-irigation-memanfaatkan-e...
JMCC
JMCC
Intro al tema Instalaciones Digitales 2.0
Intro al tema Instalaciones Digitales 2.0
Baseh rt 1 rw 1
Baseh rt 1 rw 1
Ppt folleto
Ppt folleto
Hulu vs google
Hulu vs google
La influencia de los modelos de política de familia en las desigualdades de g...
La influencia de los modelos de política de familia en las desigualdades de g...
Influence of time and length size feature selections for human activity seque...
Influence of time and length size feature selections for human activity seque...
Similaire à AIXpert - AIX Security expert
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
Martin Holovský
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
David Sweigert
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
Security Session
UKOUG Tech17 - Stay Secure With Oracle Solaris
UKOUG Tech17 - Stay Secure With Oracle Solaris
JomaSoft
Platform Security Presentation
Platform Security Presentation
Tyson Key
Introduction to Linux
Introduction to Linux
Anil Kumar Pugalia
Unix Security
Unix Security
replay21
Cisco ios (1)
Cisco ios (1)
kashi4583
Nim
Nim
muhammad adeel
Hardening solaris
Hardening solaris
Femi Adeyemi
Ch11
Ch11
Raja Waseem Akhtar
Ch11 system administration
Ch11 system administration
Raja Waseem Akhtar
How to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata Environments
Sandesh Rao
How to build an admin guy
How to build an admin guy
Mohamed Aboul-Fotouh
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
David Sweigert
dokumen.tips_aix-presentation.ppt
dokumen.tips_aix-presentation.ppt
AhmedFawzy916524
Introduction to Linux
Introduction to Linux
Anil Kumar Pugalia
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
James Morris
Linux Security
Linux Security
nayakslideshare
SFS (Secure File System)
SFS (Secure File System)
Ahmed EL-KOSAIRY
Similaire à AIXpert - AIX Security expert
(20)
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
UKOUG Tech17 - Stay Secure With Oracle Solaris
UKOUG Tech17 - Stay Secure With Oracle Solaris
Platform Security Presentation
Platform Security Presentation
Introduction to Linux
Introduction to Linux
Unix Security
Unix Security
Cisco ios (1)
Cisco ios (1)
Nim
Nim
Hardening solaris
Hardening solaris
Ch11
Ch11
Ch11 system administration
Ch11 system administration
How to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata Environments
How to build an admin guy
How to build an admin guy
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
dokumen.tips_aix-presentation.ppt
dokumen.tips_aix-presentation.ppt
Introduction to Linux
Introduction to Linux
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
Linux Security
Linux Security
SFS (Secure File System)
SFS (Secure File System)
Dernier
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
Sujit Pal
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
Scott Keck-Warren
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Allon Mureinik
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
HostedbyConfluent
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
HampshireHUG
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Ridwan Fadjar
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
Dernier
(20)
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
AIXpert - AIX Security expert
1.
AIX 6.1 Security
Expert May 2011 AIXpert
2.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-2 AIX V6.1 Security Expert A new capability of AIX V6.1 that allows privileged administration tasks to be delegated to non-privileged users Access to system resources are associated with roles that are assigned to non-privileged users Many roles are predefined which can reduce the effort of implementing RBAC Roles can also be associated with programs
3.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-3 Authorizations – Mechanism to grant access to commands or certain functionality. – Context aware. Roles – A container for authorizations that can be assigned to a user. Privileges – Process attribute that allows a process to bypass a security restriction. – Not context aware. Authorizations vs. Privileges – Auths exist only outside of kernel, Privs only inside – Auths enable access to commands, Privs enable execution of single functions – e.g. "run mkuser" vs. "PV_DAC_W" Role Based Access Control (RBAC)
4.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-4 Role Based Access Control (RBAC) Separation of duties through roles: Main pre-defined AIX Roles: – ISSO Information Systems Security Officer • Establishes and maintains security policy – SA System Administrator • Creates user accounts, groups, etc. • Installs software packages – SO System Operator • Archives file system • Manages line printer • Shuts down system – Additional pre-defined AIX Roles: • AccountAdmin, BackupRestore, DomainAdmin, FSAdmin, SecPolicy, SysBoot, SysConfig.
5.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-5 A centralized security management tool that can control over 300 security settings from a single console. Administrators can start from a “Low”, “Medium”, “High” or “Sarbanes-Oxley” security template and customize settings to meet business requirements. Security settings can be exported and imported as a security profile to multiple systems. On AIX V6.1, security profiles can be stored in an LDAP directory for ease of distribution. AIX Security Expert was first included in AIX V5.3 TL5. AIX V6.1 Security Expert: How it can help?
6.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-6 AIX 6 introduces three new security installation options – Trusted AIX (MLS) – Multi-Level Security – LSPP/EAL4+ – Labeled Security Protection Profile and Evaluation Assurance Level 4+ – SbD - Secure by Default SbD is new default security option – Installs a minimal set of software – Deletes components that use weak authorization (bos.net.tcp.client|server) and runs AIX Security Expert to apply hardening for level "high" – Additional software installed on as-needed basis Secure by Default (SbD)
7.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-7 "Bottom Up" Approach – Reverses traditional "Top Down" approach of full install followed by hardening Thorough planning strongly suggested – Can all applications' requisites be fulfilled by this install template? Secure by Default (SbD) (Continued)
8.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-8 Based on OpenSSL – needed to setup and handle keys and certificates ftp and ftpd are secured using TLS protocol – Command channel and data channel are encrypted Nice add-on to OpenSSH's 'scp' and 'sftp' – e.g. data exchange with legacy systems not offering SSH Client usage is 'ftp -s …' – TLS stuff is configured in user’s ~/.ftpcnt file Server usage is implicit – TLS stuff is configured in /etc/ftpd.cnf Secure FTP
9.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-9 Automatically encrypt data in a JFS2 filesystem Data can be protected from access by privileged users Backup in encrypted or clear formats Automated key management – key store open on login, integrated into AIX security authentication Each file encrypted with a unique key No keys stored in clear in kernel memory A variety of AES, and RSA cryptography keys supported AIX V6.1 Encrypting Filesystem
10.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-10 Embedded in JFS2, not stacked, for performance and reliability – all JFS2 operations can be performed with an EFS • mounting and unmounting, increasing and decreasing size, defragmenting, removing, … • but no NFS or GPFS support – In stacked FSs, data may be lost through strong encryption when crypto meta data write and data write are out of sync Each file is encrypted with a separate key (stored in its Eas) AIX V6.1 Encrypting Filesystem
11.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-11 Encryption/Decryption happens in memory, not on storage – hence no DIO/CIO User keystore gets opened by login password or separate pw – login pw is distinct from keystore pw – holds user's private and public key (asymmetric encryption, RSA) – public key is used to access shared secret for file en/decryption (symmetric encryption, AES) – hybrid approach for the sake of performance (e.g. like TLS) AIX V6.1 Encrypting Filesystem (Continued)
12.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-12 Prereqs – CryptoLite in C (CLiC) library and kernel extension must be installed and loaded – Enhanced RBAC must be enabled (default in AIX6) – EFS must be explicity enabled (can be done at any time using 'efsenable') New and existing FShttp://www.tecmint.com/linux-server-hardening- security-tips/s can be encrypted – smitty crfs -> "Enable EFS? [yes]" – 'crfs' or 'chfs' along with "-a efs=yes" – not to be applied on "/", /usr, /var and /opt since keystore can't be opened during boot – but that's OK, since EFS' main focus is on protectinguser/application data – encrypted files can be identified by 'ls -U' Encrypted File System (EFS)
13.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-13 # ls -U file* -rw-r--r--- 1 root system 0 May 14 13:22 file1 -rw-r--r--e 1 root system 0 May 14 13:22 file2 User key management is provided with 'efskeymgr' command Performance penalty is said to be low*) – best practice: use it selectively where needed, not everywhere e.g. on sensitive filesystems only, selected DB columns, etc. Encrypted File System (EFS)
14.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-14 Two keystore protection modes – Root Admin Mode • Pro: Root can reset user and group key store access passwords • Con: Root might be able to gain access to a user's key store and encrypted files – Root Guard Mode • Pro: Root cannot reset user and group key store access passwords • Con: Root cannot gain access to a user's key store and encrypted files, even when necessary! EFS backup Best Practices – Backup raw encrypted form – Backup the file owner's keystore – The file owner's keystore password must also be "saved" or files must be re-encrypted in a timely manner when keystore pw changes Encrypted File System (EFS)
15.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-15 A new web based management tool that provides easy access to common system administration tasks Administrators can access Systems Management Interface Tool (SMIT) menus from a browser Graphical user interface is fast and consistent with IBM Systems Director look and feel All necessary components for the Console are included in AIX The Distributed Command Execution Manager (DCEM) feature of the Console allows an administrative task to run on multiple systems at once AIX V6.1 Systems Director Console for AIX
16.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-16 Remote AIX management from a web browser – Verify Fileset installation # lslpp -h sysmgt.pconsole.rte Use SRC to control the director console # lssrc -s pconsole Subsystem Group PID Status pconsole pconsole 319644 active Stop and start with startsrc and stopsrc Access from your browser – http://HostName:5335/ibm/console View and save commands like smit Config file – /pconsole/lwi/conf/overrides/config.properties IBM Systems Director Console
17.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-17 From global LPAR use the -@ flag to designate WPAR # ps -ef -@ ec08 WPAR UID PID PPID C STIME TTY TIME CMD ec08 root 217128 389182 0 15:00:58 - 0:00 /usr/sbin/rsct/b ec08 root 266398 389182 0 15:00:21 - 0:00 /usr/sbin/rsct/b ec08 root 278634 389182 0 15:00:20 - 0:00 /usr/sbin/rpc.lo ec08 root 290942 389182 0 15:00:18 - 0:00 /usr/sbin/biod 6 WPAR command support
18.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-18 From WPAR use normal commands # ps -ef UID PID PPID C STIME TTY TIME CMD root 217128 389182 0 15:00:58 - 0:00 /usr/sbin/rsct/bin/IBM.Sensor root 266398 389182 0 15:00:21 - 0:00 /usr/sbin/rsct/bin/rmcd -a IB root 278634 389182 0 15:00:20 - 0:00 /usr/sbin/rpc.lockd -d 0 root 290942 389182 0 15:00:18 - 0:00 /usr/sbin/biod 6 root 1 0 0 15:00:04 - 0:00 /etc/init WPAR command support
19.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-19 Some commands are not supported from WPAR # netstat -rn Routing tables Destination Gateway Flags Refs Use If Exp Groups netstat : Permission error, unable to continue. WPAR command support
20.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-20 Network adapters are alias on global partition # ifconfig en0 en0: flags=1e080863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLE X,... inet 9.19.51.153 netmask 0xffffff00 broadcast 9.19.51.255 inet 9.19.51.154 netmask 0xffffff00 broadcast 9.19.51.255 tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1 WPAR command support
21.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-21 AIX Security Expert – AIX 5.3 TL5 Secure By Default – AIX 6.1 File Permission Manager – AIX 5.2, 5.3, 6.1 Role-base Access Cntl – AIX 6.1 Encrypted File System – AIX 6.1 Trusted Execution – AIX 6.1 Trusted AIX – AIX 6.1 AIX Security Feature Release Schedule
22.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-22 Long Passphrase – AIX 5.2, 5.3, 6.1 Configurable Password Algorithms – AIX 5.3, 6.1 Enhancements for LDAP R2 Support – AIX 5.3, TL 6 AIX Security Feature Release Schedule
23.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-23 Support for extended base DN format Support for multiple base DN definitions AIX LDAP Client support against Microsoft Active Directory LDAP
24.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-24 Enable AIX client to use Active Directory (AD) LDAP – Support AD similar to any RFC 2307 compliant LDAP server. AD users must be UNIX enabled AD must have UNIX schema support installed Users can be managed from the AIX LDAP client, but the system administrator should create users in AD. Transparent to administrators and users – Hide all implementation details – Use 'mksecldap'to configure AIX client to operate with AD AIX LDAP Client support against Microsoft Active Directory
25.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-25 Fileset: bos.net.ipsec Firewall – Packet filtering – Stateful inspection filtering NAT Support Virtual Private Network – FTP – IKE/ISAKMP Port Scan Protection – SSH Pattern Matching – Supports ClamAV virus DB* AIX is IPv6 Certified AES support IPSEC Suite
26.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-26 IP Filter is also known as IPF. Open source internet protocol filtering tool Acts as a firewall Allows for consistent firewall rules tables in a heterogeneous environment (AIX, HP, Solaris, Linux) Provides NAT support IP Filter
27.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-27 OpenSSH – http://sourceforge.net/projects/openssh-aix – Client and server connectivity encryption tool. – Supports Triple DES & Blowfish encryption protocols. – Eliminates clear text passwords and traffic over the network. – NLS Enablement – Kerberos v5 as an optional authentication method. – New version to ship in November, SSH 4.6 TCP Wrapper – Open source tool that protects access to network services such as telnet, ftp, r-commands, etc. – It can be configured to explicitly deny or permit remote hosts attempting to access these services. – Monitors access to services and reports via a log file and/or can be integrated into the AIX audit utility. OpenSSH & TCP Wrapper
28.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-28 FIPS 140-2 Level 4 certified Common Cryptographic Architecture (CCA) and PKCS11 APIs PCI-X Cryptographic Coprocessor (4764)
29.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-29 On board API functionality: – DES and 3DES encryption and message authentication – RSA digital signatures (up to 2048 bits) – DES, 3DES and RSA key management Secure Electronic Transaction (electronic commerce functions) ATM and POS PIN processing. Key diversification for smart card applications 4764 CCA API Functionality
30.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-30 Banking and finance Electronic commerce Certificate Authorities General purpose encryption services Custom applications – Limited basis under custom contracts. CCA Applications
31.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-31 SED protects against the most common and exploited vulnerability: A stack buffer overflow, usually causes application and/or operating system termination. More sophisticated attackers will use it to escalate their privileges in order to gain control of the system. Stack Execution Disable (SED)
32.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-32 Stops buffer overflow based vulnerabilities – Disables execution on the stack and heap • Uses process page level protection • Processor interrupts the OS on exceptions Control granularity – Off/On (all) – Select – setuid and setgid files Two modes of operation – Monitor & Operational Logging – Logged events are sent to the AIX error log Stack Execution Disable: Administration
33.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-33 Offers system-wide protection of all files when ON – Drawback is Java and GCC, which may legitimately execute on the stack Select file protections – Network services – Mission critical applications and services setuid/getuid permission – Protection against escalation of privileges Stack Execution Disable: Administration cont.
34.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-34 Virtual IO Server v1.3 Security Enhanced – Common Criteria certified EAL4+ under CAPP & LSPP – Implements AIX Security Expert – Fully customizable set of security policies – Built in firewall – 'viosecure' command enables and alters the state of the firewall • Default rule is, deny • Limited set of network services permitted Other System p AIX Offerings
35.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-35 Network and OS hardening tool Result of hardening and security research Brings 300+ security settings to a central point of control Simplifies complex security configuration Extensible to enterprise specific settings and software Single system configuration applied to the whole enterprise AIX Security Expert: Overview
36.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-36 Network and OS Security Hardening Tool Knowledge of multitude of Unix hardening papers Brings 300+ Security Settings to Central Control Simplifies Complex Security configuration Extensible to Enterprise specific settings and software Configure one system, and apply template throughout the enterprise. AIX Security Expert: Bringing the Security Pieces Together
37.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-37 Security Expertise in the Tool Simple Configuration Settings – High, Medium, Low Advanced settings Each settings offers system admin selectable detail of settings. Undo option – Recursive undo of settings Consistent Security Option for Enterprise AIX Security Expert
38.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-38 AIX Security Hardening Groupings – Password Administration – Login Policy – Audit – /etc/inittab – /etc/rc.tcpip – /etc/inetd.conf – remove SUID (remove bit from r-cmds) – Network Tunning (‘no’ security options) – IP Security (firewall) port scans – Misc AIX Security Expert
39.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-39 Simple Solid Design Core engine never changes Engine has no knowledge of High, Med, Low, Advanced, Undo All security setting described in xml rules Undo xml built dynamically AIX Security Expert
40.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-40 Xml fomat /etc/security/aixpert/core/aixpertall.xml <AIXPertEntry name="minagehls"> <AIXPertRuleType> 1 </AIXPertRuleType> <AIXPertRuleState>Desired</AIXPertRuleState> <AIXPertDescription> Specifies the minimum number of weeks to 1 week, before a password can be changed </AIXPertDescription> <AIXPertPrereqList> bos.rte.date, bos.rte.commands, bos.rte.security, bos.rte.shell, bos.rte.ILS </AIXPertPrereqList> <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCo mmand> <AIXPertArgs>minage= 1 ALL minagehls</AIXPertArgs> </AIXPertEntry> AIX Security Expert
41.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-41 Security Configuration Saved in – /etc/security/aixpert/core/appliedaixpert.xml Configure one system, stamp appliedaixpert.xml on rest of enterprise, for uniform security settings – After configuring one system, the settingsimplemented on that system are saved in appliedaixpert.xml file – Via a secure out of band method, copy this file to other systems – Run a single command to implement these exact settings on other systems – /usr/sbin/aixpert –f appliedaixpert.xml AIX Security Expert
42.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-42 Check Security compares current system configuration with – /etc/security/aixpert/core/appliedaixpert.xml Check Security; has anything changed? AIX Security Expert
43.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-43 Security Hardening at install time with Config Assist AIX Security Expert can be accessed at install time via Config Assist AIX security settings unchanged unless user selects the Configure Security from the Config Assist menu – Default Config Assist Security Level is Low Level Security NIM Post Install script to automatically configure Security – /etc/security/aixpert/core/appliedaixpert.xml AIX Security Expert
44.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-44 More on High, Medium, and Low Level Security High – Security is paramount – On an unsafe network Medium – Safe network – Clear text passwords over network is OK Low – Common non-disruptive security settings Standard AIX AIX Security Expert
45.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-45 Enhanced AIX Security Expert Multilevel Security (MLS) Role-based Access Control Trusted Execution Encrypted File System AIX 5L 6.1 Security Features
46.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-46 appliedaixpert.xml distributed through LDAP – No need for sneaker-net or secure copy Performance boost – XML parsing via C library routines "Secure by Default" – Initial installation is a minimal install – High security level is applied during install File Permission Manager SOX/Cobit Compliance Assistant – Wizard for setting up system to comply with SOX requirements Enhanced AIX Security Expert
47.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-47 #name program arguments ftp /usr/sbin/ftpd ftpd telnet /usr/sbin/telnetd telnetd -a shell /usr/sbin/rshd rshd login /usr/sbin/rlogind rlogind exec /usr/sbin/rexecd rexecd comsat /usr/sbin/comsat comsat uucp /usr/sbin/uucpd uucpd bootps /usr/sbin/bootpd bootpd /etc/bootp finger /usr/sbin/fingerd fingerd systat /usr/bin/ps ps -ef netstat /usr/bin/netstat netsta -f inet tftp /usr/sbin/tftpd tftpd -n Secure by Default
48.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-48 #name program arguments talk /usr/sbin/talkd talkd ntalk /usr/sbin/talkd talkd rquotad /usr/sbin/rpc.rquotad rquotad 100011 1 rexd /usr/sbin/rpc.rexd rexd 100017 1 rstatd /usr/sbin/rpc.rstatd rstatd 100001 1-3 rusersd /usr/lib/netsvc/rusers/rpc.rusersd rusersd 100002 1-2 rwalld /usr/lib/netsvc/rwall/rpc.rwalld rwalld 100008 1 sprayd /usr/lib/netsvc/spray/rpc.sprayd sprayd 100012 1 pcnfsd /usr/sbin/rpc.pcnfsd pcnfsd 150001 1-2 instsrv /u/netinst/bin/instsrv instsrv -r /tmp/netinstalllog /u/netinst/scripts Secure by Default (Continued)
49.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-49 STOP giving out root users password Distribute administration of the system to disparate and unconnected users. – i.e. Human resources creates the user, finance changes the users salary, operations defines authorizations and managements creates roles The goal of RBAC is to reduce or eliminate the use of "root" RBAC is installed and active by default – Integrated into the kernel and installed commands Role-Based Access Control
50.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-50 RBAC was previously provided by PitBull (AIX v5.3) Limited set of roles Authorizations are hard-coded into the command code User “root” cannot be completely removed Third party applications are required to code authorizations into their commands Role-Based Access Control: Background v5.3
51.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-51 Distribution of root roles to system users – Gives user “cingram” the authority to create users, but not give them access to set passwords More levels of granularity than previously offered – Users can assume a very specific role – System-defined roles and user-defined roles Integration into LDAP – Authorization tables do not have to be stored locally Option to eliminate the root user – Removes the "golden egg" from the system Reduces collaborative attacks from insiders – Least privilege security model reduces exposure and increases effort Role-based Access Control
52.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-52 Suited to roles where there are many users managing a single system Government organizations Datacenter operations Database management RBAC Environments
53.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-53 What is it? – Security through classifications and labels (EAL4+ Labeled Security Protection Profile) – Separate product and will NOT be included with the base distribution MLS via PitBull in AIX v5.3 MLS via AIX in v6.1 Expands on RBAC infrastructure Multi-Level Security (MLS)
54.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-54 MLS details – Add on security enhancement for AIX based on the Trusted OS model – Protects servers from internal and external attackers – Compartmentalizes and secures applications – Prevents malicious code from damaging systems – Removes administrative (superuser/root) privileges – Meets and exceeds government standards for maximum security Multilevel Security (MLS)
55.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-55 Federal government networks and databases (datacenters) Banks and financial institutions Healthcare (HIPAA requirements) Public utilities Service providers (application, eCommerce) Large corporate datacenters Any environment containing sensitive information Value proposition: – Provides maximum security for an organizations assets – Provides lower overall costs for IT – Permits for a simpler security architecture – Maintains 100% compatibility with AIX applications MLS Environments
56.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-56 Extension of current Trusted Computing Base Provides both install time and run time integrity check Loader verifies signature on files before they are executed Trusted Execution
57.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-57 Scenario: Hacker replaces the existing /usr/bin/ls with his own: – How do you scan the system to detect this change? – How do you stop execution of the invalid executable? – How do you prevent future modification of trusted applications? Scenario: Hacker places a trojan horse "ls" command on system. – How do you enforce where executables / libraries come from? The Need for Trusted Execution
58.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-58 Provides Signature Based System Verification – Two modes of integrity checking: • System: Comparison of current system with stored database. • Run-time: Validation of binary at execution time. Cryptographic Hash Mechanism – Supports SHA-1, SHA-256 and SHA-512 – Allows for signed hash signatures. Configurable Policies – Monitor all executions and loads of files in signature database. – Monitor only loads of kernel extensions. – Monitor only loads of shared libraries. – Lock the signature database. Even root cannot write to database. – Disable trusted file opens for write. Trusted Execution
59.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-59 Integrity Checking – TE - System and Run-time checking. – TCB - System checking only. System Enablement – TE - Enabled at any time. – TCB - Install time option. Security Database – TE - /etc/security/tsd/tsd.dat – TCB - /etc/security/sysck.cfg Management Commands – TE – trustchk – TCB - tcbck Trusted Execution(TE) Comparison to TCB
60.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-60 Transparent to users and system administrators File level encryption granularity Centralization of key-store – User key store allocated after successful login Employs AES symmetric encryption algorithm Integrated into the user administration – Automatic generation of key-stores for every user – Wraps users private key-store with the users password Encrypted File System
61.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-61 AIX EFS offers file level encryption – HP EVFS only offers logical volume level encryption AIX EFS offers unique keying and crypto metadata per file – HP EVFS only offers one key and crypto metadata per logical volume AIX EFS has the key-store connected to the users login – HP EVFS requires a separate command Competitive Analysis: AIX EFS vs. HP EVFS
62.
© Copyright 2010
by Mt Xia Inc, All rights reserved. mxase-62 AIX EFS is integrated into FS commands (i.e.: chmod) – HP EVFS has a separate ‘evfs’ command and then it only operates on the logical volume AIX EFS backups are encrypted by default – HP EVFS backups must be re-encrypted AIX EFS volume groups can be resized as it is done today – HP EVFS volume groups cannot be resized (-F (force) option results in corrupted data Competitive Analysis cont.
Télécharger maintenant