AIX 6.1 security: defense in depth

AIX 6.1 introduces multiple security enhancements to provide a variety of options for clients to secure their IT environment. Clients can achieve defense in depth protection for their IT environment by deploying most of these AIX security features. Additionally multiple laws have been enacted in regards to compliance, privacy etc requiring that IT departments implement many security controls. AIX 6.1 provides for multiple security features to help clients in this area of compliance. AIX 6.1 is being evaluated independently to be certified by the Common Criteria body for CAPP/LSPP EAL4+ to ensure that it provides a high level of security for our clients.

AIX 6.1 security enhancements are listed below:

Feature Security enhancement
Trusted Execution Integrity verification, system security
Enhanced Role Based Access Control Simplified administration, least privilege use hardening
Encrypted Filesystem Data protection, compliance
AIX Security Expert/ Secure by Default System hardening, secure installs
Trusted AIX/Multi Level Security (MLS)** Labeled security, mandatory access controls
Long Pass Phrase support Enhanced long password hashing, supports pass phrases

These enhancements are described in brief in the following sections.


1.1 Role Based Access Control

Role Based Access Control (RBAC) provides improved security and manageability by allowing administrators to delegate system administrative duties to non-root users. RBAC in AIX has been enhanced to provide very fine granular authorizations which identify the privileged operation that they control by name. These authorizations can be used to create the required roles necessary and assign those roles to the users required to manage the system. Such non-root users will be able to assume the role and perform the allowed privileged operations.

1.2 Trusted AIX

Trusted AIX 6.1 extends the security capabilities of the AIX 6.1 operating system (OS) by supplying integrated multi-level security. Trusted AIX 6.1 is implemented as an installation option that can provide the highest levels of label based security to meet critical government and private industry security requirements. Trusted AIX supports various MLS features such as partitioned directories, trusted networking, and labeled printing.

1.3 Encrypted Filesystem

The IBM Enhanced Journaled Filesystem (JFS2) provides for even greater data security with the addition of a new capability to encrypt the data in a filesystem. Clients can select from a number of different encryption algorithms. The encrypted data can be backed up in encrypted format using the backup and restore AIX commands, reducing the risk of data being compromised if backup media is lost or stolen. The JFS2 encrypted filesystem protects data viewing even to root level users.

1.4 Enhancements to AIX Security Expert

The AIX 5L Security Expert was introduced with Technology Level 5 of AIX V5.3 OS, it provides clients with the capability to manage more than 300 system security settings from a single interface and the ability to export and import those security settings between systems. In AIX V6.1 OS it includes an enhancement to store security templates in a Lightweight Directory Protocol (LDAP) directory for use across a client's enterprise to help centralize its administration.

1.5 Trusted Execution

The Trusted Execution (TE) feature provides for an advanced mechanism for checking and maintaining system integrity. A signature SHA256/RSA) database for the important system files is created automatically as part of regular AIX install. The TE tool is then used to check the integrity of the system against the database. The administrator can define policies so that the loading of files listed in the database are monitored and execution is not allowed if the hashes do not match. Additionally the administrator can lock the signature database or the files in the database from being modified by anyone in the system, including root.

1.6 Secure By Default Install option

The AIX 6.1 OS installation process now offers a new option, Secure by Default - this installs only a limited number of services and packages to enable a higher level of security on installation . The Secure by Default option works particularly well when used in conjunction with the AIX 6.1 Security Expert to only enable the system services required for the systems intended purpose.

1.7 Support for long passwords and Pass Phrases

The AIX 53 TL07 & 6.1 now support greater than eight character passwords for authentication of users. These releases provide for the storing of passwords using encryption algorithms such as SHA/256/52, MD5 etc. System wide control is configured by the administrator by selecting the appropriate algorithm. The size of the password can be up to 255 characters. Enhanced support will also include support for pass phrases (example: "My vacation to Hawaii").

1.8 References

1. AIX 6.1 Security Guide
2. AIX 6.1 Security Redbook

Contact IBM

Browse Power Systems

Next generation applications for big data and analytics and cognitive computing are providing unprecedented insights into opportunities, threats and efficiencies. IBM Power Systems is at the forefront of delivering solutions to gain faster insights from analyzing both structured information and unstructured big data. With the secure, flexible and open platform of IBM Power Systems plus solutions and software, organizations can outpace their competitors by delivering faster services, providing differentiated offerings and turning operational cost into investment opportunity.

To draw insights and make better decisions, businesses rely on the secure, flexible and open platform of IBM Power Systems. Built with the first processor designed for big data workloads, the design of Power Systems combines the computing power, memory bandwidth and I/O in ways that are easier to consume and manage, building on strong resiliency, availability and security.

IBM Power Systems deliver flexibility and choice of operating systems to enable your business to support the next generation applications for big data and analytics and cognitive computing that are transforming how organizations work today. Whether running 1, 2, or all 3 - coupled with PowerVM, they maximize the benefit of Power Systems in your business.

Transform your business with Systems Software that enables virtualization, high availability, flexibility, security and compliance on Power Systems™. IBM’s integrated approach to developing Systems and Systems Software together delivers optimized results with Power Systems.

As an open innovation platform, Power Systems is optimized for big data and analytics performance and to deliver scale-out economics and security for the cloud. IBM and IBM Business Partner solutions exploit key capabilities in IBM Power Systems.

Over the last five years thousands of clients have migrated to IBM Power Systems. Learn how Power Systems has helped them support next generation applications for big data and analytics and cognitive computing on an open platform for choice while improving business performance, reducing risk, and establishing a platform for growth.