Does anybody have an opinion about Trusted Computing Base (TCB) in AIX systems? Somebody told me a couple of years ago (while I was installing my first AIX), that choosing this option during system installation would slow down the system (with no further explanation), and I believed him. Why is this option disabled by default? Is there a compatibility issue with third party applications? Any experience?
This topic has been locked.
4 replies Latest Post - 2008-02-04T11:56:35Z by SystemAdmin
Pinned topic TCB or not TCB?
Re: TCB or not TCB? 2007-11-22T13:29:10Z in response to firstname.lastname@example.org
I suppose TCB is disabled by default because IBM assumes (rightly in my view) that most users don't need it. I'm one of those "most users" so I don't have experience to share. I suppose there must be a bit of extra overhead checking that whatever a process wants to do doesn't violate TCB requirements but I can't imagine that would add up to a lot. It's possible that there could be compatibility problems with TCB. If an application was written assuming it will be able to do something that TCB forbids then it will break. Any such application is probably rather suspect.
Re: TCB or not TCB? 2007-12-03T15:50:45Z in response to SystemAdmin
The Trusted Computing Base (TCB), with the tcbck command, provides very useful tools for both security and system integrity. The TCB facilities can help detect or prevent accidental system changes and help protect you from playful users. TCB must be enabled during the initial install. If it is not, then you must reinstall to enable TCB. This can be disabled anytime, so no harm in enabling TCB.
The TCB is the set of programs and files that must be correct “trusted” if the rest of the system is to have security and integrity. This includes programs such as the AIX Kernel, the login programs, and the passwd programs. There are many commands to help ensure these are trusted. The most useful function of the TCB is the checking processes (syschk.cfg, tcbck, pwdchk, etc) associated with it.
The syschk.cfg file and the tcbck command can work together to verify that attributes in various files are correct. The syschk.cfg file maintains a list of these attributes (permissions, owner, checksum, links, etc) of certain files. Then the tcbck command checks that these same files still have the same attributes, meaning that the attributes that make up the TCB were not changed since they were created. You should run the tcbck command periodically to verify the integrity of these attributes.
I have enabled TCB on all my systems but never encountered any performance issues till now, but this has helped me to identify the important files which have been modified (checksum).
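The baseline-and-recheck idea described in the post above, as an added example that is not part of the original thread and is not AIX's tcbck: the stanza layout, the SHA-256 checksum and all names are assumptions of this sketch, and it handles regular files only.

```python
import hashlib, os, stat, tempfile

def parse_stanzas(text):
    """Parse 'path:' headers followed by 'attr = value' lines (assumed layout)."""
    db, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and "=" not in line:
            current = db.setdefault(line[:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return db

def snapshot(path):
    """Current attributes of a file, in the same form as the baseline."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()  # SHA-256 is this sketch's choice
    return {"mode": format(stat.S_IMODE(st.st_mode) & 0o777, "o"),
            "size": str(st.st_size), "checksum": digest}

def check(db):
    """Return (path, attr, expected, actual) for every deviation from the baseline."""
    findings = []
    for path, expected in db.items():
        try:
            actual = snapshot(path)
        except OSError:
            findings.append((path, "file", "present", "missing"))
            continue
        for attr, want in expected.items():
            if attr == "mode":  # keep only the octal part of e.g. "TCB,644"
                want = format(int(want.split(",")[-1], 8), "o")
            if attr in actual and actual[attr] != want:
                findings.append((path, attr, want, actual[attr]))
    return findings

if __name__ == "__main__":
    # Constructed demo: baseline a scratch file, then change it without changing its size.
    path = os.path.join(tempfile.mkdtemp(), "demo_file")
    with open(path, "wb") as fh:
        fh.write(b"original\n")
    os.chmod(path, 0o644)
    snap = snapshot(path)
    db = parse_stanzas(f"{path}:\n\tmode = TCB,644\n\tsize = {snap['size']}\n"
                       f"\tchecksum = {snap['checksum']}\n")
    print("clean:", check(db))
    with open(path, "wb") as fh:
        fh.write(b"tampered\n")
    for finding in check(db):
        print("changed:", finding)
```

The demo rewrites the file with content of the same length, so the size attribute still matches and only the checksum exposes the change.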
Re: TCB or not TCB? 2007-12-17T13:06:49Z in response to SystemAdmin
Yes, TCB is useful and not at all a performance issue generator!
With this option, you have the secure shell and path installed on top of the system check (system integrity control).