Topic
  • 4 replies
  • Latest Post - ‏2008-02-04T11:56:35Z by SystemAdmin
jnmalledo@telefonica.net
1 Post

Pinned topic TCB or not TCB?

‏2007-11-21T15:54:32Z |
Hello,

Does anybody have an opinion about Trusted Computing Base (TCB) in AIX systems? Somebody told me a couple of years ago (while I was installing my first AIX), that choosing this option during system installation would slow down the system (with no further explanation), and I believed him. Why is this option disabled by default? Is there a compatibility issue with third party applications? Any experience?

Thank you
Updated on 2008-02-04T11:56:35Z at 2008-02-04T11:56:35Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: TCB or not TCB?

    ‏2007-11-22T13:29:10Z  
    I suppose TCB is disabled by default because IBM assumes (rightly in my view) that most users don't need it. I'm one of those "most users" so I don't have experience to share. I suppose there must be a bit of extra overhead checking that whatever a process wants to do doesn't violate TCB requirements but I can't imagine that would add up to a lot. It's possible that there could be compatibility problems with TCB. If an application was written assuming it will be able to do something that TCB forbids then it will break. Any such application is probably rather suspect.

    Regards,
    Jim Lane
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: TCB or not TCB?

    ‏2007-12-03T15:50:45Z  
    I suppose TCB is disabled by default because IBM assumes (rightly in my view) that most users don't need it. I'm one of those "most users" so I don't have experience to share. I suppose there must be a bit of extra overhead checking that whatever a process wants to do doesn't violate TCB requirements but I can't imagine that would add up to a lot. It's possible that there could be compatibility problems with TCB. If an application was written assuming it will be able to do something that TCB forbids then it will break. Any such application is probably rather suspect.

    Regards,
    Jim Lane
    The Trusted Computing Base (TCB), with the tcbck command, provides very useful tools for both security and system integrity. The TCB facilities can help detect or prevent accidental system changes and help protect you from playful users. TCB must be enabed during the initial install. If it is not, then you must reinstall to enable TCB. This can be disabled anytime so No harm in enabling TCB .
    The TCB is the set of programs and files that must be correct “trusted” if the rest of the system is to have security and integrity. This includes programs such as the AIX Kernel, the login programs, and the passwd programs. There are many commands to help ensure these are trusted. The most useful function of the TCB is the checking processes (syschk.cfg, tcbck, pwdchk, etc) associated with it.

    The syschk.cfg file and the tcbck command can work together to verify that attributes in various files are correct. The syschk.cfg file maintains a list of these attributes (permissions, owner, checksum, links, etc) of certain files. Then the tcbck command checks that these same files still have the same attributes. Meaning that the attributes that make up the TCB were not changed since they were created. You should run the tcbck command periodically to verify the integrity of these attributes.

    I have enabled TCB on all my systems but never encountered any performance issues till now , But this has helped me to identify the important files which have been modified ( checksum) .
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: TCB or not TCB?

    ‏2007-12-17T13:06:49Z  
    The Trusted Computing Base (TCB), with the tcbck command, provides very useful tools for both security and system integrity. The TCB facilities can help detect or prevent accidental system changes and help protect you from playful users. TCB must be enabed during the initial install. If it is not, then you must reinstall to enable TCB. This can be disabled anytime so No harm in enabling TCB .
    The TCB is the set of programs and files that must be correct “trusted” if the rest of the system is to have security and integrity. This includes programs such as the AIX Kernel, the login programs, and the passwd programs. There are many commands to help ensure these are trusted. The most useful function of the TCB is the checking processes (syschk.cfg, tcbck, pwdchk, etc) associated with it.

    The syschk.cfg file and the tcbck command can work together to verify that attributes in various files are correct. The syschk.cfg file maintains a list of these attributes (permissions, owner, checksum, links, etc) of certain files. Then the tcbck command checks that these same files still have the same attributes. Meaning that the attributes that make up the TCB were not changed since they were created. You should run the tcbck command periodically to verify the integrity of these attributes.

    I have enabled TCB on all my systems but never encountered any performance issues till now , But this has helped me to identify the important files which have been modified ( checksum) .
    Yes TCB is usefull and not at all performances issues generator !
    With this option, you have the secure shell and path installed on top of the system check (system integrity control).

    laurent.agarini@fr.ibm.com
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: TCB or not TCB?

    ‏2008-02-04T11:56:35Z  
    Yes TCB is usefull and not at all performances issues generator !
    With this option, you have the secure shell and path installed on top of the system check (system integrity control).

    laurent.agarini@fr.ibm.com
    Something which i have just learnt, which is something you need to consider.

    AIX 6.1 System WPARS cannot be used on TCB enabled systems.