Monitoring System Security

This chapter describes the System Security Monitoring feature.

Finding Feature Information

Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information" chapter or the Feature History table in this chapter.

Overview of System Security Monitoring

The security features in Cisco NX-OS provide resilience against attacks. From Cisco NX-OS Release 8.0(1), the system security monitoring functionality reports the status of the following security features:

  • XSPACE — An operating system capability that enforces mutual exclusivity between execute and write permissions on memory. Removing execute permission from program data areas, such as the heap and the stack, prevents an attacker from running code that has been written there.

  • Address Space Layout Randomization (ASLR) — Randomizes the memory segments of a program each time it is loaded to run. Randomization makes it statistically impossible for an attacker to predict a target address to jump to by using the Return Oriented Programming (ROP) technique.

  • Object Size Checking (OSC) — A compiler technique that protects against buffer overflows. At run time, a buffer overflow may be detected and logged as a DATACORRUPTION-DATAINCONSISTENCY error.

  • SafeC — Enhances the security of new software. SafeC provides enhanced boundary checking through alternatives to certain C library functions. SafeC constraint violations are reported as DATACORRUPTION-DATAINCONSISTENCY errors.

For more information about how to check the status of security features, see Displaying System Security Status.
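The XSPACE and ASLR fields summarise kernel properties that can also be audited on an ordinary Linux host. The following C program is an added example and is not Cisco code or part of this chapter: it parses /proc/<pid>/maps entries and counts mappings that are both writable and executable (the condition XSPACE forbids), first over a constructed sample and then for the running process, and reads /proc/sys/kernel/randomize_va_space, the Linux setting behind the notion of "ASLR enabled". The sample addresses and paths are constructed.

```c
/* Added example (not Cisco code): a W^X audit of a Linux process's memory map,
 * the property that XSPACE's "Non-Executable stack/heap" and "Non-Writable
 * text" fields summarise, plus a read of the kernel's ASLR policy setting. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One entry of /proc/<pid>/maps: "start-end perms offset dev inode [path]". */
struct mapping {
    unsigned long start, end;
    char perms[5];      /* e.g. "rwxp": read, write, execute, private/shared */
    char path[256];
};

/* Parses a single maps line; returns 1 on success. The path is optional, so
 * three converted fields are enough. */
static int parse_maps_line(const char *line, struct mapping *m)
{
    m->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %*x %*s %*u %255s",
                   &m->start, &m->end, m->perms, m->path);
    return n >= 3;
}

/* A mapping that is both writable and executable defeats W^X: code could be
 * written there and then run, which is exactly what XSPACE exists to forbid. */
static int is_wx(const struct mapping *m)
{
    return strchr(m->perms, 'w') != NULL && strchr(m->perms, 'x') != NULL;
}

/* Counts W^X violations in maps-formatted text (offline audit or tests). */
int count_wx_regions(const char *maps_text)
{
    int violations = 0;
    const char *p = maps_text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct mapping m;
        if (parse_maps_line(line, &m) && is_wx(&m)) {
            violations++;
            fprintf(stderr, "W^X violation: %lx-%lx %s %s\n",
                    m.start, m.end, m.perms, m.path);
        }
        p = nl ? nl + 1 : p + len;
    }
    return violations;
}

/* Audits the calling process itself. Returns -1 where /proc is unavailable. */
int count_wx_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return -1;
    char line[512];
    int violations = 0;
    struct mapping m;
    while (fgets(line, sizeof line, f) != NULL)
        if (parse_maps_line(line, &m) && is_wx(&m))
            violations++;
    fclose(f);
    return violations;
}

/* Kernel ASLR policy: 0 = off, 1 = stack/mmap/vdso randomised, 2 = brk too.
 * Returns -1 where the file cannot be read (non-Linux or restricted /proc). */
int read_randomize_va_space(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL)
        return -1;
    int value = -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

/* Constructed maps sample: a normal text/data split plus two rwx regions. */
const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/demo\n"
    "7f3c1e000000-7f3c1e021000 rwxp 00000000 00:00 0 [heap]\n"
    "7ffd4a2e0000-7ffd4a301000 rw-p 00000000 00:00 0 [stack]\n"
    "7f3c1f200000-7f3c1f201000 rwxs 00000000 00:05 3 /dev/zero (deleted)\n";

int main(void)
{
    printf("sample: %d W^X violations\n", count_wx_regions(SAMPLE_MAPS));
    printf("self:   %d W^X violations\n", count_wx_self());
    printf("randomize_va_space = %d\n", read_randomize_va_space());
    return 0;
}
```

On a host that enforces W^X, the self audit reports zero violations; the constructed sample deliberately contains an rwx heap and an rwx shared mapping so that the detection path is exercised. A randomize_va_space value below 2 is the Linux-side counterpart of the "ASLR enabled: No" condition the switch output would flag.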

Additionally, the system configuration and the capability of these security features are monitored continuously. If an unexpected negative change occurs (a protection becoming weaker or disabled), a critical syslog message is issued.

Displaying Information About System Security Monitoring

Use the following commands to display runtime integrity information:

  • show security system state – Displays the status of system-related security features.

  • show data-corruption – Displays the DATACORRUPTION-DATAINCONSISTENCY errors collected from all running processes by the OSC and SafeC techniques at runtime.

Displaying System Security Status

The following example displays the status of system-related security features.

switch# show security system state
  XSPACE:
        Non-Executable stack:   Yes
        Non-Executable heap:    Yes
        Non-Writable text:      Yes
  ASLR:
        ASLR enabled:           Yes
        CVE-offset2lib Patch:   Present
        Randomization entropy:  Good
  OSC:
        Version:                1.0.0
  SafeC:
        Version:                3.0.1

This output displays information about the following fields:

  • Non-Executable stack – Indicates whether the system prevents execution from the stack.

  • Non-Executable heap – Indicates whether the system prevents execution from the heap.

  • Non-Writable text – Indicates whether the system prevents the text (code) section from being writable.

  • ASLR enabled – Indicates whether ASLR is enabled in the Linux kernel and the system is able to randomize all memory sections of binaries compiled with the PIC/PIE flags.

  • CVE-offset2lib Patch – Indicates whether the offset2lib patch is present in the kernel, so that the randomized text and data segments are not placed adjacent to the shared libraries.

  • Randomization entropy – Indicates whether the entropy of the randomization is sufficient.

  • OSC version – Indicates the version of the OSC library used by applications.

  • SafeC version – Indicates the version of the SafeC library used by applications.

Displaying OSC and SafeC Events

The following example displays the DATACORRUPTION-DATAINCONSISTENCY errors collected from all running processes by the OSC and SafeC techniques at runtime.

switch# show data-corruption
DATACORRUPTION-DATAINCONSISTENCY: -Traceback= vmtracker libhmm_dll.so+0x1b4d0 libhmm.so+0x2cf0 libhmm_dll.so +0x1ba0a libhmm_dll.so+0x1c9e7 libhmm.so+0x2f49 +0x209d0 libvmtracker.so+0x4d586 libvmtracker.so+0x9b0c1 libvmtracker.so+0x43154 libvmtracker.so+0x42c happened 20 times since Mon Feb 15 09:05:20 2016
DATACORRUPTION-DATAINCONSISTENCY: -Traceback= hmm +0x40faf +0xbf870 +0xc0b4c +0x40292 +0xa37fa +0xa9f29 +0xc05aa +0xc060e +0xc0765 +0x42c35 +0x2c339 librsw.so+0xacc33 libpthread.so.0+0x6b75 libc.so.6+0xee02e happened 1 time since Fri Feb 12 00:01:16 2016
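Each traceback above records a place where an OSC or SafeC check refused an out-of-bounds operation instead of letting it corrupt memory. The following C program is an added example, not Cisco's SafeC or OSC library: it shows a SafeC-style bounded copy in the shape of C11 Annex K's memcpy_s (explicit destination capacity, zeroed destination and an error code on violation) and uses the GCC/Clang __builtin_object_size builtin, the mechanism behind object size checking, to supply that capacity when the compiler knows it. The record layout, canary value and status codes are constructed for the illustration.

```c
/* Added example (not Cisco code): a SafeC-style bounded copy next to an
 * OSC-style compile-time size query. Status codes and layout are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes modelled on the C11 Annex K "constraint violation" idea. */
enum safec_status { SAFEC_OK = 0, SAFEC_NULL_PTR = 400, SAFEC_OVERFLOW = 404 };

/* SafeC-style bounded copy: the destination capacity is an explicit argument,
 * so a request that would spill past the buffer is refused and reported
 * instead of silently overwriting whatever sits next to it. */
static enum safec_status safe_memcpy(void *dest, size_t destsz,
                                     const void *src, size_t n)
{
    if (dest == NULL || src == NULL)
        return SAFEC_NULL_PTR;
    if (n > destsz) {
        /* Annex K semantics: zero the destination so no partial data leaks
         * to the caller, then report the violation. The log line mirrors the
         * error class that show data-corruption collects. */
        memset(dest, 0, destsz);
        fprintf(stderr, "DATACORRUPTION-DATAINCONSISTENCY: refused copy of %zu "
                        "bytes into %zu-byte buffer\n", n, destsz);
        return SAFEC_OVERFLOW;
    }
    memcpy(dest, src, n);
    return SAFEC_OK;
}

/* OSC-style size discovery: __builtin_object_size (GCC/Clang) returns what the
 * compiler knows about the object behind a pointer; type 1 gives the size of
 * the exact sub-object (the field, not the enclosing struct). It returns
 * (size_t)-1 when the size is unknown, in which case the caller's explicit
 * size is used instead. */
static size_t osc_pick(size_t compiler_size, size_t explicit_size)
{
    return compiler_size == (size_t)-1 ? explicit_size : compiler_size;
}
#define OSC_MEMCPY(dest, destsz, src, n) \
    safe_memcpy((dest), osc_pick(__builtin_object_size((dest), 1), (destsz)), \
                (src), (n))

/* Constructed layout: an 8-byte name field followed by a canary that an
 * unchecked overflow would clobber. */
struct record {
    char name[8];
    uint32_t canary;
};

#define CANARY 0xA5A5A5A5u

/* A copy that fits: 4 bytes into an 8-byte field. Returns SAFEC_OK (0). */
int demo_copy_ok(void)
{
    struct record r = { "", CANARY };
    return OSC_MEMCPY(r.name, sizeof r.name, "abcd", 4);
}

/* An oversized copy: 12 bytes into the 8-byte field. Returns SAFEC_OVERFLOW. */
int demo_overflow_refused(void)
{
    struct record r = { "", CANARY };
    return OSC_MEMCPY(r.name, sizeof r.name, "0123456789AB", 12);
}

/* Returns 1 if the neighbouring field survived the refused overflow. */
int demo_canary_intact(void)
{
    struct record r = { "", CANARY };
    (void)OSC_MEMCPY(r.name, sizeof r.name, "0123456789AB", 12);
    return r.canary == CANARY;
}

int main(void)
{
    printf("fit: %d, overflow: %d, canary intact: %d\n",
           demo_copy_ok(), demo_overflow_refused(), demo_canary_intact());
    return 0;
}
```

The unchecked equivalent, memcpy(r.name, src, 12), would overwrite the canary with the last four bytes of the source; the bounded version turns the same mistake into a logged constraint violation and an error code the caller can act on, which is the behaviour the tracebacks in the output above record.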

Additional References for Monitoring System Security

This section includes additional information related to monitoring system security.

Related Documents

Related Topic            Document Title
Cisco NX-OS Licensing    Cisco NX-OS Licensing Guide
Command reference        Cisco Nexus 7000 Series NX-OS Security Command Reference

Feature History for Monitoring System Security

This table lists the release history for this feature.

Table 1. Feature History for Monitoring System Security

Feature Name                  Release   Feature Information
Monitoring System Security    8.0(1)    This feature was introduced. The following commands were introduced:
                                          • show security system state
                                          • show data-corruption