You are currently on IBM Systems Media’s archival website. Click here to view our new website.

AIX > Administrator > Security

Verify System Integrity

AIX 6.1 and Trusted Execution help ensure secure systems



 Improving the Trusted Computing Base

AIX has supported integrity monitoring previously through Trusted Computing Base (TCB). One TCB components is tcbck program, which mainly supported integrity verification. To use tcbck program, a customer chose the TCB install option during installation. This resulted in computing of checksums for various AIX files and they were captured as part of the database related to TCB (called sysck.cfg). Integrity measurements were done using checksums, which don’t provide a high level of protection against modifications. TE doesn’t require a separate install option. TE’s related database, TSD, is created during installation of various packages and doesn’t add any significant overheads to the install. Additionally, TE is based on SHA256 hashes and the related signatures. Also TE provides for many more active-monitoring features. trustchk will be much more convenient to use for system administrators and will replace tcbck as part of the overall TCB features. Table 5 captures some of the key differences between the tcbck and trustchk.

Table 5: TE compared to TCB

TCB TE
Supports offline only integrity verification. - Supports offline and runtime integrity verification
- Trusted Paths
- Lock down mode and other policies
Verifies checksums Verifies the digital signatures and SHA256 hashes
tcbck trustchk (supports most of features of tcbck)
/etc/security/sysck.cfg /etc/security/tsd/tsd.dat

TE Database and Policies on an LDAP

TE supports hosting the TSD database and policies on a centralized lightweight directory-access protocol (LDAP) server. This feature will be supported in AIX 6 TL4. An LDAP server will host the TSD database and policy files for multiple clients, which helps central management. These central policies could be used as a master copy during offline verifications There will be two versions of TSD and TE policy files, one for local (/etc/security/tsd/) and one for LDAP (/etc/security/tsd/ldap). /etc/nscontrol.conf file can be used to specify the LDAP version has to be referred by trustchk command during various operations such as add/modify/verify attributes. This will enable the system administrators to enforce the TE policies on various clients by just changing policy file on LDAP.

TE Makes Security Simpler

As you can see, TE meets all of the requirements for a good system-security tool; it provides for integrity measurement, lockdown, and monitoring and protecting. In a secure environment TE provides great deal of flexibility for system administrators to configure the system for specific application environments.

References

IBM Redbooks publication: “AIX 6.1 Security

 

George M Koikara is a senior programmer in AIX development and has worked across multiple technologies in AIX. He is an expert on security and in particular trusted computing and multilevel-based security. He led and developed many of the security features of AIX 6.1.

Pruthvi Panyam Nataraj is a senior programmer in AIX development and has worked across multiple components of the AIX OS. He is an expert on trusted platform architecture and was instrumental in the implementation of the Trusted Execution function in AIX 6,1. He also is an expert in IPSecurity and IKE2 protocols.

Ravi Shankar is an architect for AIX and PowerHA. He joined IBM 14 years ago and has specialized in wide set of technologies from reliability, availability and serviceability, to AIX security to business resiliency. With more than 19 years of experience in IT, he’s an expert in real-time systems, OS internals and overall system architecture.

Saurabh Desai is an architect for AIX. He has more than 20 years of experience in the IT industry, mostly with IBM. Saurabh has in-depth knowledge of OS internals and has worked across AIX and Linux. He is an expert in process management and security. He led and implemented many of the security features in AIX 6.1.



Advertisement

Advertisement

2019 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.

Hardening the Cloud

Security considerations to protect your organization

Verify System Integrity

AIX 6.1 and Trusted Execution help ensure secure systems

A Bankable Solution

AIX Cryptographic Services improves security while simplifying administration

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
IBMi News Sign Up Today! Past News Letters