Linux Managing security compliance
Note: Before using this information and the product it supports, read the information in Notices on page 7.

First Edition (December 2013)

Copyright IBM Corporation 2013.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Managing security compliance ..... 1
  Security compliance on PowerLinux ..... 1
  Security compliance command requirements ..... 1
  Security compliance command supported distributions ..... 1
  Security compliance process overview ..... 1
  Installing the comply command package ..... 2
  comply command ..... 3
  Additional information about Linux on Power security ..... 5
Notices ..... 7
  Privacy policy considerations ..... 8
  Trademarks ..... 8
  Code license and disclaimer information ..... 9
Managing security compliance

You can manage security compliance for your Power Systems server running Linux.

Security compliance on PowerLinux

The Linux security compliance (comply) command allows you to manage security compliance on Power Systems servers running Linux. It also provides the information that is needed for security or compliance audit reports for your server.

The Linux security compliance (comply) command is a security hardening and auditing command. comply supports compliance with portions of the Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA) standards. These standards can be implemented through automated operating system configuration.

In many fields, companies must configure their systems according to government and industry compliance rules in order to do business. These companies need to be able to ensure that their systems have the appropriate compliance settings. In addition, they must be able to generate reports concerning system compliance in order to satisfy audit requirements.

The comply command package is included with the following products:
- IBM PowerSC Express Edition 1.1.3 or later
- IBM PowerSC Standard Edition 1.1.3 or later

Security compliance command requirements

The Linux security compliance (comply) command has the following software prerequisites:
- Audit-libs libraries for the audit framework
- Bash command processor
- Gettext internationalization and localization system
  For Red Hat Enterprise Linux: gettext
  For SUSE Linux Enterprise Server: gettext-runtime
- Libpthread.so library
- Linux Standard Base (LSB)
  For Red Hat Enterprise Linux: redhat-lsb-core
  For SUSE Linux Enterprise Server: lsb-release
- Java SE

Security compliance command supported distributions

This information lists the Linux distributions that are supported by the Linux security compliance (comply) command.

The comply command is supported on the following Linux distributions:
- SUSE Linux Enterprise Server 11 SP3, and any subsequent service packs
- Red Hat Enterprise Linux 6.4, and any subsequent updates

Security compliance process overview

This topic provides an overview of the process for Linux security compliance using the comply command. In addition, it describes the compliance profiles used by, and the reports produced by, the comply command.
The following is an overview of the process for Linux security compliance:
1. Use a provided configuration profile, or create a configuration profile that contains the security settings.
2. Run the comply command with the -f option.
3. The security settings are applied.
   - The applied settings are recorded in the applied rules file.
   - A log file is created.
4. When needed, check the security settings by running the comply command with the -c option.
5. When an audit is requested, create a report in CSV format by running the comply command with the -r or -R option. Optionally, use the -t option to produce the report in text format instead.

Profiles for PCI-DSS and HIPAA compliance are provided in the comply command package. After you install the package, you can find the profiles in the /etc/security/comply/core/language_code directory, where language_code is the two-character ISO 639 language code, for example, en. The provided profiles are the following:
- Linux_PCI.xml, for compliance with the PCI-DSS standard.
- Linux_Hipaa.xml, for compliance with the HIPAA standard.

You can also create your own compliance profile, either based on these profiles or based on your own unique requirements.

Reports can be output in CSV (comma-separated values) format to enable easy importing by spreadsheet applications, or in text format. Reports are stored in the /etc/security/comply/log directory, with the time stamp reflected in the file name.

Installing the comply command package

The comply command package is encapsulated in a shell archive for distribution with PowerSC. This topic provides instructions for installing the package. When updates or fixes are available, you can also use these instructions to upgrade.

Before you begin

Ensure that you have installed all the packages listed in Security compliance command requirements on page 1.

About this task

To unpack and install or upgrade the package, complete the following steps:

Procedure
1. Ensure that you are logged in as the root user.
2. Mount the PowerSC media read-only. On a terminal command line, enter the following command:
   mount -t iso9660 -o ro /dev/cdrom /media
3. Enter the following command:
   bash /media/comply-version-distro.ppc64.sh
   In this command:
   - version is the version of the comply command package.
   - distro is the distribution.
   For example:
   bash /media/comply-1.0-rhel6.ppc64.sh
   The license text is displayed.
4. Accept the license agreement to install the RPM.
Results

The installed RPM can be managed just like other RPMs. This means that it can be uninstalled with rpm -e comply, run with root privileges.

comply command

Name

The comply command aids the system administrator in setting the security configuration on systems running Linux.

Synopsis

comply -f filename [ -p ]
comply -c [ -p ]
comply -c -R [ -t ]
comply -c -r [ -t ]
comply -d

Description

The comply command sets various system configuration settings to enable the wanted security profile. After major system changes, such as installing or updating software, run the comply command again.

Options

-c
  Checks the security settings against the previously applied set of rules. If the check against a rule fails, the previous versions of the rule are also checked. This process continues until the check passes, or until all of the instances of the failed rule in the /etc/security/comply/core/appliedrules.xml file have been checked.
-d
  Displays the document type definition (DTD).
-f
  Applies the security settings that are provided in the specified filename configuration file. Specifying the -f option allows security settings to be consistently applied from system to system when the same profile XML is transferred to each system. The successfully applied rules are written to the /etc/security/comply/core/appliedrules.xml file.
-p
  Specifies that the output of the security rules is displayed by using verbose output. The -p option also logs the rules that are processed into the audit subsystem if the system is configured for auditing.
-r
  Reports the existing settings of the system. The output is intended to be used in security or compliance audit reports. The report describes each setting, how it might relate to a regulatory compliance requirement, and whether the check passed or failed. The check fails if the operating system configuration does not match the rules of the last XML profile that was successfully applied to the system. The output also includes the command or script name and the arguments used. By default, the output of the report is in CSV (comma-separated values) format to enable easy importing by spreadsheet applications. The CSV output file is created in the /etc/security/comply/log directory with a file name in the format report.yyyymmmdd.hhmmss.csv, where:
  - yyyymmmdd represents the year in digits, the month as a three-character abbreviation, and the day of the month in digits.
  - hhmmss represents the hour, minutes, and seconds in digits.
-R
  Produces the same output as the -r option, but also appends a description of each script or program that was used to implement the configuration setting. Compliance or security audits might require this level of detailed reporting.
-t
  Changes the default reporting output of the -r and -R options from CSV (comma-separated values) format to text format. The text output file is created in the /etc/security/comply/log directory with a file name in the format report.yyyymmmdd.hhmmss.txt, where:
  - yyyymmmdd represents the year in digits, the month as a three-character abbreviation, and the day of the month in digits.
  - hhmmss represents the hour, minutes, and seconds in digits.

Parameters

filename
  The configuration file, in XML format, that contains the security settings. Root permission is required to access this file.

Security

The comply command is executable only by root.

Examples

1. To apply the security settings from a configuration file, use the following command:
   comply -f /etc/security/comply/core/mypreferredsettings.xml
2. To check the security settings that were applied to the system, and to log the rules that failed to the audit subsystem, use the following command:
   comply -c -p

Location

/usr/sbin/comply
  Contains the comply command.

Files

/etc/security/comply/core/language_code/linux_hipaa.xml
  Profile that is provided with the comply command package for compliance with the HIPAA standard.
/etc/security/comply/core/language_code/linux_pci.xml
  Profile that is provided with the comply command package for compliance with the PCI-DSS standard.
/etc/security/comply/core/appliedrules.xml
  Contains an XML listing of the applied security settings.
/etc/security/comply/log/comply.log
  Contains a trace log of applied security settings. The logging method does not use syslog; the comply command writes directly to the file. The file has read/write permissions and requires root privileges to access.
/etc/security/comply/log/report.yyyymmmdd.hhmmss.csv
  Contains the report output from the comply command in CSV format.
/etc/security/comply/log/report.yyyymmmdd.hhmmss.txt
  Contains the report output from the comply command in text format.

Additional information about Linux on Power security

Additional security information is provided by each Linux distribution. Refer to the following links to stay up to date with additional information about security for Linux on Power systems.

Security information for Red Hat Enterprise Linux
  If you are an entitled Red Hat Enterprise Linux user, you can subscribe to Red Hat security advisories. If you are not an entitled user, you can monitor the Red Hat Security Advisory list archive. To download security updates and check that they are applied to particular machines, you can subscribe to the Red Hat Network (RHN).
Security information for SUSE Linux Enterprise Server
  Security alerts, patches, and announcements for SUSE Linux Enterprise Server are available from the SUSE Linux Enterprise Server Security page.
Security information for Ubuntu
  Security notices for Ubuntu are available from the Ubuntu security notices page.
IBM Product Security Incident Response Team (PSIRT)
  The IBM PSIRT website contains important information regarding security vulnerabilities that may affect IBM products and solutions.
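The report file names documented above (report.yyyymmmdd.hhmmss.csv or .txt under /etc/security/comply/log) do not sort chronologically as plain strings because the month is a three-letter abbreviation, so choosing the report to hand to an auditor means parsing the time stamp out of the name. The POSIX shell helpers below are an added example, not part of the IBM manual or the comply package; the function names and the COMPLY_LOG_DIR override are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM manual or the comply package: find the newest
# comply report by the time stamp in its name. Assumes the documented format
# report.yyyymmmdd.hhmmss.csv|txt in /etc/security/comply/log (COMPLY_LOG_DIR).

COMPLY_LOG_DIR="${COMPLY_LOG_DIR:-/etc/security/comply/log}"

# Convert report.2013dec15.143000.csv into the sortable key 20131215143000.
# The month abbreviation is accepted in any case. Returns 1 for any name that
# does not follow the documented pattern (comply.log, stray files).
report_sort_key() {
    name=$(basename "$1")
    case "$name" in
        report.[0-9][0-9][0-9][0-9][A-Za-z][A-Za-z][A-Za-z][0-9][0-9].[0-9][0-9][0-9][0-9][0-9][0-9].csv) ;;
        report.[0-9][0-9][0-9][0-9][A-Za-z][A-Za-z][A-Za-z][0-9][0-9].[0-9][0-9][0-9][0-9][0-9][0-9].txt) ;;
        *) return 1 ;;
    esac
    stamp=${name#report.}              # 2013dec15.143000.csv
    ymd=${stamp%%.*}                   # 2013dec15
    hms=${stamp#*.}; hms=${hms%%.*}    # 143000
    year=${ymd%?????}                  # 2013
    monday=${ymd#????}                 # dec15
    day=${monday#???}                  # 15
    mon=$(printf '%s' "${monday%??}" | tr 'A-Z' 'a-z')   # dec
    case "$mon" in
        jan) mm=01 ;; feb) mm=02 ;; mar) mm=03 ;; apr) mm=04 ;;
        may) mm=05 ;; jun) mm=06 ;; jul) mm=07 ;; aug) mm=08 ;;
        sep) mm=09 ;; oct) mm=10 ;; nov) mm=11 ;; dec) mm=12 ;;
        *) return 1 ;;
    esac
    printf '%s%s%s%s\n' "$year" "$mm" "$day" "$hms"
}

# Print the newest report in a directory (default: the comply log directory).
# Ordering uses the embedded time stamp, not file mtime, so a report copied
# back from an archive cannot pass for the current one.
latest_report() {
    dir=${1:-$COMPLY_LOG_DIR}; best=""; best_key=0
    for f in "$dir"/report.*.csv "$dir"/report.*.txt; do
        [ -e "$f" ] || continue
        key=$(report_sort_key "$f") || continue
        if [ "$key" -gt "$best_key" ]; then
            best=$f; best_key=$key
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Documented audit step (check, then text report) followed by the path of the
# report it wrote. Not run below; needs root on a host with comply installed.
audit_report() {
    comply -c -r -t && latest_report
}

# Demonstration on constructed file names; no comply installation is needed.
demo=$(mktemp -d)
for n in report.2013nov30.235959.csv report.2013DEC01.000100.csv comply.log; do : > "$demo/$n"; done
echo "Newest report: $(latest_report "$demo")"   # the DEC01 report
rm -rf "$demo"
```

Because the report directory is writable only by root, run the script as root on the managed host and copy the selected report out for the audit package.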
Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Dept. LRAS/Bldg. 903
11501 Burnet Road
Austin, TX 78758-3400
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Privacy policy considerations

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as the customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at http://www.ibm.com/privacy/details, the section entitled "Cookies, Web Beacons and Other Technologies", and the IBM Software Products and Software-as-a-Service Privacy Statement at http://www.ibm.com/software/info/product-privacy.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® and ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Code license and disclaimer information

IBM grants you a nonexclusive copyright license to use all programming code examples from which you can generate similar function tailored to your own specific needs.

SUBJECT TO ANY STATUTORY WARRANTIES WHICH CANNOT BE EXCLUDED, IBM, ITS PROGRAM DEVELOPERS AND SUPPLIERS MAKE NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, REGARDING THE PROGRAM OR TECHNICAL SUPPORT, IF ANY.

UNDER NO CIRCUMSTANCES IS IBM, ITS PROGRAM DEVELOPERS OR SUPPLIERS LIABLE FOR ANY OF THE FOLLOWING, EVEN IF INFORMED OF THEIR POSSIBILITY:
1. LOSS OF, OR DAMAGE TO, DATA;
2. DIRECT, SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES, OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES; OR
3. LOST PROFITS, BUSINESS, REVENUE, GOODWILL, OR ANTICIPATED SAVINGS.

SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF DIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, SO SOME OR ALL OF THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU.
Printed in USA