Introduction to Trusted AIX

Trusted AIX® enhances the security of the standard AIX operating system by providing label-based security capabilities within the operating system.

The Trusted AIX label-based environment is installed by choosing the corresponding option at install time. If you install Trusted AIX, you cannot return to a regular AIX environment without performing an overwrite install of regular AIX. Once installed, the Trusted AIX environment applies to the entire AIX system, including any WPARs created within it. While label-based security (also termed Multi Level Security, or MLS) is most often used in the defence and intelligence industries, it can also be used in commercial industries by customizing the labels available on Trusted AIX. A fresh install of Trusted AIX provides labels that adhere to standard MLS implementations.

The Trusted AIX environment consists of regular AIX with some additional packages and filesets. Additionally, kernel switches force the kernel to operate in Trusted AIX mode. When booted from a CD or DVD, the system boots in the regular AIX environment. When the install menus are displayed, the installer can choose the Trusted AIX option and start installing the MLS-related files. When installation is complete, the installer must initiate the first boot sequence. During the first boot sequence, Config Assistant provides menus through which the ISSO, SA, and SO users are set up; the system then completes the boot operation and MLS is established.

Trusted AIX enhances system security through four primary elements of information security:
  • Confidentiality
  • Integrity
  • Availability
  • Accountability

In addition to the security features provided by AIX, Trusted AIX adds the following capabilities:

Sensitivity labels (SLs)
All processes and files are labeled according to their security level. Processes can only access objects that are within the process's security range.
Integrity labels (TLs)
All processes and files are labeled according to their integrity level. Files cannot be written by processes that have a lower integrity level label than the file. Processes cannot read from files that have a lower integrity level label than the process.
File security flags
Individual files can have additional flags to control security related operations.
Kernel security flags
The entire system can have different security features enabled or disabled.
Privileges
Many commands and system calls are only available to processes with specific privileges.
Authorizations
Each user can be granted a unique set of authorizations. Each authorization allows the user to perform specific security-related functions. Authorizations are assigned to users through roles.
Roles
Role Based Access Control function, as part of Trusted AIX, provides for selective delegation of administrative duties to non-root users. This delegation is achieved by collecting the relevant authorizations into a Role and then assigning the role to a non-root user.
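The SL and TL rules above can be read as a small decision procedure: the object's sensitivity label must lie within the process's security range (dominance on level and compartments), and integrity forbids writing to a higher-TL file and reading from a lower-TL file. The following Python model is an added example, not code from Trusted AIX; the label names, the tiny encoding table and the compartment sets are constructed for illustration, not taken from the real Label Encodings file.

```python
"""Toy model of the Trusted AIX label rules: SL dominance within a process's
security range, plus no-write-up / no-read-down on integrity labels (TLs).
The label names and encoding table below are constructed for this example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int                  # hierarchical classification level
    compartments: frozenset     # non-hierarchical categories

    def dominates(self, other):
        # a dominates b when its level is at least b's and it holds
        # every compartment b holds
        return (self.level >= other.level
                and self.compartments >= other.compartments)

# Constructed stand-in for a label encodings table (name -> binary form)
SL = {
    "UNCLASSIFIED": Label(0, frozenset()),
    "SECRET": Label(2, frozenset()),
    "SECRET A": Label(2, frozenset({"A"})),
    "TOP SECRET A B": Label(3, frozenset({"A", "B"})),
}
TL = {"TLLO": 0, "TLMED": 1, "TLHI": 2}  # integrity modeled as hierarchical only

@dataclass(frozen=True)
class Process:
    min_sl: Label   # lower bound of the process's security range
    max_sl: Label   # upper bound (clearance) of the range
    tl: int         # process integrity label

@dataclass(frozen=True)
class File:
    sl: Label
    tl: int

def check_access(proc, f, op):
    """Return (allowed, reason) for op in {"read", "write"}."""
    # SL rule: the object must lie within the process's security range.
    if not (proc.max_sl.dominates(f.sl) and f.sl.dominates(proc.min_sl)):
        return False, "object SL outside process security range"
    # TL rules: no write to a higher-integrity file, no read of a lower one.
    if op == "write" and proc.tl < f.tl:
        return False, "process TL lower than file TL (write denied)"
    if op == "read" and f.tl < proc.tl:
        return False, "file TL lower than process TL (read denied)"
    return True, "allowed"
```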

Confidentiality

Threats centered around disclosure of information to unauthorized parties are a confidentiality issue.

Trusted AIX provides object reuse and access control mechanisms for protecting all data resources. The operating system ensures that protected data resources can only be accessed by specifically authorized users and that those users cannot make the protected resources available to unauthorized users either deliberately or accidentally.

Administrators can prevent sensitive files from being written to floppy disks or other removable media, from being printed on unprotected printers, or from being transferred over a network to unauthorized remote systems. This security protection is enforced by the operating system and cannot be bypassed by malicious users or rogue processes.

Integrity

Threats centered around modification of information by unauthorized parties are an integrity issue.

Trusted AIX offers numerous security mechanisms which ensure the integrity of the trusted computing base and protected data, whether the data is generated on the system or imported via network resources. Various access control security mechanisms ensure that only authorized individuals can modify information. To prevent malicious users or rogue processes from seizing or disabling system resources, Trusted AIX eliminates the root privilege. Special administrative authorizations and roles allow the separation of administration duties, rather than giving a user root privileges.

Availability

Threats centered around accessibility of services on a host machine are an availability issue. For example, if a malicious program fills up file space so that a new file cannot be created, there is still access, but no availability.

Trusted AIX protects the system from attacks by unauthorized users and processes that can create a denial of service. Unprivileged processes are not allowed to read or write protected files and directories.

Accountability

Threats centered around not knowing which processes performed which actions on a system are an accountability issue. For example, if the user or process that altered a system file cannot be traced, you cannot determine how to stop such actions in the future.

This enhanced security feature ensures identification and authentication of all users prior to allowing user access to the system. The audit services provide the administrator a set of auditable events and an audit trail of all security-related system events.

Properties of Trusted AIX

  • Trusted AIX is installed through the AIX install menus. Additional options can be chosen during installation of Trusted AIX.
  • The Trusted AIX environment cannot revert to the regular AIX environment without performing an overwrite install of regular AIX.
  • Root is disabled from logging in to a Trusted AIX environment.
  • In a Trusted AIX environment, any WPARs created will also operate in the Labeled Security environment.
  • Trusted AIX supports both MAC (Mandatory Access Control) and MIC (Mandatory Integrity Control). Customers can define separate sets of labels for MAC and MIC.
  • The Label Encodings file is located in the /etc/security/enc directory and captures the label-to-binary translation information. The default Label Encodings file adheres to the Compartmented Mode Workstations (CMW) label-naming requirements.
  • NIM installs are supported when initiated from Client. NIM install push from Server is not possible because root is disabled for logins on MLS systems.
  • The JFS2 (J2) file system (using Extended Attributes version 2) has been enabled for storing Labels in AIX. Other file systems (such as J1 or NFS) can only be mounted in a Trusted AIX environment as single-level file systems (label assigned to the mount point).
  • X environment is disabled for Trusted AIX.
  • Trusted AIX supports the CIPSO and RIPSO protocols for network-based labeled communication. These protocols are supported for both IPv4 and IPv6.
  • Some AIX security mechanisms are common between regular AIX and Trusted AIX. Two of these common security mechanisms are Role Based Access Control (RBAC) and Trusted Execution for integrity verification.
  • Since root is disabled when Trusted AIX is installed, the installer must set up passwords for ISSO, SA, and SO users during the first boot after install. The system remains unusable until these passwords are created.
  • The AIX 6 security features Redbooks® publication contains use cases and examples for Trusted AIX.