AIX 6.1 introduces multiple security enhancements to provide a variety of options for clients to secure their IT environment. Clients can achieve defense in depth protection for their IT environment by deploying most of these AIX security features. Additionally multiple laws have been enacted in regards to compliance, privacy etc requiring that IT departments implement many security controls. AIX 6.1 provides for multiple security features to help clients in this area of compliance. AIX 6.1 is being evaluated independently to be certified by the Common Criteria body for CAPP/LSPP EAL4+ to ensure that it provides a high level of security for our clients.
AIX 6.1 security enhancements are listed below:
|Trusted Execution||Integrity verification, system security|
|Enhanced Role Based Access Control||Simplified administration, least privilege use hardening|
|Encrypted Filesystem||Data protection, compliance|
|AIX Security Expert/ Secure by Default||System hardening, secure installs|
|Trusted AIX/Multi Level Security (MLS)**||Labeled security, mandatory access controls|
|Long Pass Phrase support||Enhanced long password hashing, supports pass phrases|
These enhancements are described in brief in the following sections.
1.1 Role Based Access Control
Role Based Access Control (RBAC) provides improved security and manageability by allowing administrators to delegate system administrative duties to non-root users. RBAC in AIX has been enhanced to provide very fine granular authorizations which identify the privileged operation that they control by name. These authorizations can be used to create the required roles necessary and assign those roles to the users required to manage the system. Such non-root users will be able to assume the role and perform the allowed privileged operations.
1.2 Trusted AIX
Trusted AIX 6.1 extends the security capabilities of the AIX 6.1 operating system (OS) by supplying integrated multi-level security. Trusted AIX 6.1 is implemented as an installation option that can provide the highest levels of label based security to meet critical government and private industry security requirements. Trusted AIX supports various MLS features such as partitioned directories, trusted networking, and labeled printing.
1.3 Encrypted Filesystem
The IBM Enhanced Journaled Filesystem (JFS2) provides for even greater data security with the addition of a new capability to encrypt the data in a filesystem. Clients can select from a number of different encryption algorithms. The encrypted data can be backed up in encrypted format using the backup and restore AIX commands, reducing the risk of data being compromised if backup media is lost or stolen. The JFS2 encrypted filesystem protects data viewing even to root level users.
1.4 Enhancements to AIX Security Expert
The AIX 5L Security Expert was introduced with Technology Level 5 of AIX V5.3 OS, it provides clients with the capability to manage more than 300 system security settings from a single interface and the ability to export and import those security settings between systems. In AIX V6.1 OS it includes an enhancement to store security templates in a Lightweight Directory Protocol (LDAP) directory for use across a client's enterprise to help centralize its administration.
1.5 Trusted Execution
The Trusted Execution (TE) feature provides for an advanced mechanism for checking and maintaining system integrity. A signature SHA256/RSA) database for the important system files is created automatically as part of regular AIX install. The TE tool is then used to check the integrity of the system against the database. The administrator can define policies so that the loading of files listed in the database are monitored and execution is not allowed if the hashes do not match. Additionally the administrator can lock the signature database or the files in the database from being modified by anyone in the system, including root.
1.6 Secure By Default Install option
The AIX 6.1 OS installation process now offers a new option, Secure by Default - this installs only a limited number of services and packages to enable a higher level of security on installation . The Secure by Default option works particularly well when used in conjunction with the AIX 6.1 Security Expert to only enable the system services required for the systems intended purpose.
1.7 Support for long passwords and Pass Phrases
The AIX 53 TL07 & 6.1 now support greater than eight character passwords for authentication of users. These releases provide for the storing of passwords using encryption algorithms such as SHA/256/52, MD5 etc. System wide control is configured by the administrator by selecting the appropriate algorithm. The size of the password can be up to 255 characters. Enhanced support will also include support for pass phrases (example: "My vacation to Hawaii").
** Is a separate installation of AIX