Topic
4 replies Latest Post - ‏2008-02-04T11:56:35Z by SystemAdmin
jnmalledo@telefonica.net
1 Post
ACCEPTED ANSWER

Pinned topic TCB or not TCB?

‏2007-11-21T15:54:32Z |
Hello,

Does anybody have an opinion about Trusted Computing Base (TCB) in AIX systems? Somebody told me a couple of years ago (while I was installing my first AIX), that choosing this option during system installation would slow down the system (with no further explanation), and I believed him. Why is this option disabled by default? Is there a compatibility issue with third party applications? Any experience?

Thank you
Updated on 2008-02-04T11:56:35Z at 2008-02-04T11:56:35Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    6907 Posts
    ACCEPTED ANSWER

    Re: TCB or not TCB?

    ‏2007-11-22T13:29:10Z  in response to jnmalledo@telefonica.net
    I suppose TCB is disabled by default because IBM assumes (rightly in my view) that most users don't need it. I'm one of those "most users" so I don't have experience to share. I suppose there must be a bit of extra overhead checking that whatever a process wants to do doesn't violate TCB requirements but I can't imagine that would add up to a lot. It's possible that there could be compatibility problems with TCB. If an application was written assuming it will be able to do something that TCB forbids then it will break. Any such application is probably rather suspect.

    Regards,
    Jim Lane
    • SystemAdmin
      SystemAdmin
      6907 Posts
      ACCEPTED ANSWER

      Re: TCB or not TCB?

      ‏2007-12-03T15:50:45Z  in response to SystemAdmin
      The Trusted Computing Base (TCB), with the tcbck command, provides very useful tools for both security and system integrity. The TCB facilities can help detect or prevent accidental system changes and help protect you from playful users. TCB must be enabed during the initial install. If it is not, then you must reinstall to enable TCB. This can be disabled anytime so No harm in enabling TCB .
      The TCB is the set of programs and files that must be correct “trusted” if the rest of the system is to have security and integrity. This includes programs such as the AIX Kernel, the login programs, and the passwd programs. There are many commands to help ensure these are trusted. The most useful function of the TCB is the checking processes (syschk.cfg, tcbck, pwdchk, etc) associated with it.

      The syschk.cfg file and the tcbck command can work together to verify that attributes in various files are correct. The syschk.cfg file maintains a list of these attributes (permissions, owner, checksum, links, etc) of certain files. Then the tcbck command checks that these same files still have the same attributes. Meaning that the attributes that make up the TCB were not changed since they were created. You should run the tcbck command periodically to verify the integrity of these attributes.

      I have enabled TCB on all my systems but never encountered any performance issues till now , But this has helped me to identify the important files which have been modified ( checksum) .
      • SystemAdmin
        SystemAdmin
        6907 Posts
        ACCEPTED ANSWER

        Re: TCB or not TCB?

        ‏2007-12-17T13:06:49Z  in response to SystemAdmin
        Yes TCB is usefull and not at all performances issues generator !
        With this option, you have the secure shell and path installed on top of the system check (system integrity control).

        laurent.agarini@fr.ibm.com
        • SystemAdmin
          SystemAdmin
          6907 Posts
          ACCEPTED ANSWER

          Re: TCB or not TCB?

          ‏2008-02-04T11:56:35Z  in response to SystemAdmin
          Something which i have just learnt, which is something you need to consider.

          AIX 6.1 System WPARS cannot be used on TCB enabled systems.