Security policies configuration
The Trusted Execution (TE) feature provides a run-time file integrity verification mechanism. Using this mechanism, the system can be configured to check the integrity of trusted files before every request to access those files, so that only trusted files that pass the integrity check can be accessed on the system.
When a file is marked as trusted (by adding its definition to the Trusted Signature Database), the TE feature can be made to monitor its integrity on every access. TE can continuously monitor the system and is capable of detecting tampering of any trusted file (by a malicious user or application) present on the system at run time (for example, at load time). If the file is found to have been tampered with, TE can take corrective actions based on pre-configured policies, such as disallowing execution of or access to the file, or logging an error. If a file that is being opened or executed has an entry in the Trusted Signature Database (TSD), TE proceeds as follows:
- Before loading the binary, the component responsible for loading the file (the system loader) invokes the Trusted Execution subsystem, and the hash value of the file is calculated by using the SHA-256 algorithm (configurable) to verify its integrity. If the SIG_VER policy is set to ON, a signature is used to verify the integrity of files instead of the run-time calculated hash value.
- The run-time calculated hash value or the signature is compared with the one stored in the TSD.
- If the hash value or the signature matches, opening or executing the file is permitted.
- If the hash value or the signature does not match, the binary has either been tampered with or otherwise compromised. It is up to the user to decide the action to be taken: the TE mechanism lets users configure their own policies for the actions to be taken when the hash values or the signatures do not match.
- Based on these configured policies, the relevant action is taken.
The following policies can be configured:
- CHKEXEC: Checks the hash value or the signature of trusted executables only, before loading them in memory for execution.
- CHKSHLIBS: Checks the hash value or the signature of trusted shared libraries only, before loading them in memory for execution.
- CHKSCRIPTS: Checks the hash value or the signature of trusted shell scripts only, before loading them in memory.
- CHKKERNEXT: Checks the hash value or the signature of trusted kernel extensions only, before loading them in memory.
- SIG_VER: Enables or disables the Runtime Signature Verification policy. When both the Runtime Signature Verification policy and the TE policy are enabled, the signature is used to verify the integrity of files instead of the hash value. Note: The SIG_VER policy is only applicable to files that belong to AIX system software.
- STOP_UNTRUSTD: Stops loading of files that are not trusted. Only files belonging to the TSD are loaded. This policy only works in combination with one of the CHK* policies listed above. For example, if CHKEXEC=ON and STOP_UNTRUSTD=ON, then any executable binary that does not belong to the TSD is blocked from execution.
- STOP_ON_CHKFAIL: Stops loading of trusted files that fail the hash value check or the signature check. This policy also works only in combination with the CHK* policies. For example, if CHKSHLIBS=ON and STOP_ON_CHKFAIL=ON, then any trusted shared library whose hash value or signature does not match its TSD entry is blocked from being loaded into memory for use.
- TSD_LOCK: Locks the TSD so that it is not available for editing.
- TSD_FILES_LOCK: Locks trusted files. Trusted files can no longer be opened in write mode.
- TE: Enables or disables the Trusted Execution functionality. The configuration policies above are in effect only when this functionality is enabled.
The following table gives the interaction between the different CHK* policies and STOP* policies when enabled:

| Policy | STOP_UNTRUSTD | STOP_ON_CHKFAIL |
|---|---|---|
| CHKEXEC | Stops loading of executables that do not belong to the TSD. | Stops loading of executables whose hash values or signatures do not match the TSD values. |
| CHKSHLIBS | Stops loading of shared libraries that do not belong to the TSD. | Stops loading of shared libraries whose hash values or signatures do not match the TSD values. |
| CHKSCRIPTS | Stops loading of shell scripts that do not belong to the TSD. | Stops loading of shell scripts whose hash values or signatures do not match the TSD values. |
| CHKKERNEXT | Stops loading of kernel extensions that do not belong to the TSD. | Stops loading of kernel extensions whose hash values or signatures do not match the TSD values. |
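The decision flow above and the CHK*/STOP* interaction table, modelled as an added Python example (not IBM's code and not how the AIX loader is implemented): a constructed TSD of SHA-256 digests, a policy dictionary, and a `check_load` function that returns `allow` or `block` and records the messages that would go to syslog. SIG_VER (signature verification) is not modelled; all file paths, file contents and policy values are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Which CHK* policy governs each class of file (from the policy list above).
CHK_POLICY_FOR_TYPE = {"executable": "CHKEXEC", "shlib": "CHKSHLIBS",
                       "script": "CHKSCRIPTS", "kernext": "CHKKERNEXT"}

@dataclass
class TrustedExecution:
    policies: dict                # policy name -> "ON" / "OFF"
    tsd: dict                     # constructed TSD: path -> expected SHA-256 hex digest
    log: list = field(default_factory=list)   # stands in for the syslog messages

    def on(self, name):
        return self.policies.get(name, "OFF") == "ON"

    def check_load(self, path, ftype, content):
        """Return 'allow' or 'block' for a load request, following the decision flow above."""
        if not self.on("TE") or not self.on(CHK_POLICY_FOR_TYPE[ftype]):
            return "allow"        # nothing is enforced until TE and the matching CHK* policy are ON
        expected = self.tsd.get(path)
        if expected is None:      # untrusted file: only STOP_UNTRUSTD can block it
            if self.on("STOP_UNTRUSTD"):
                self.log.append(f"{path}: not in TSD, load blocked")
                return "block"
            return "allow"
        if hashlib.sha256(content).hexdigest() == expected:
            return "allow"        # trusted and intact
        self.log.append(f"{path}: hash mismatch")   # logged always, blocked only with STOP_ON_CHKFAIL
        return "block" if self.on("STOP_ON_CHKFAIL") else "allow"

# Constructed sample data: two trusted files and the policy set being evaluated.
GOOD_EXEC = b"\x7fELF-constructed-executable-bytes"
GOOD_SCRIPT = b"#!/bin/sh\necho ok\n"
TSD = {"/usr/bin/example": hashlib.sha256(GOOD_EXEC).hexdigest(),
       "/usr/local/bin/example.sh": hashlib.sha256(GOOD_SCRIPT).hexdigest()}
POLICIES = {"TE": "ON", "CHKEXEC": "ON", "CHKSCRIPTS": "ON",
            "STOP_UNTRUSTD": "ON", "STOP_ON_CHKFAIL": "ON"}   # CHKSHLIBS left OFF

def demo(policies=POLICIES):
    te = TrustedExecution(policies, TSD)
    results = {
        "intact exec": te.check_load("/usr/bin/example", "executable", GOOD_EXEC),
        "tampered script": te.check_load("/usr/local/bin/example.sh", "script", GOOD_SCRIPT + b"echo injected\n"),
        "unlisted exec": te.check_load("/tmp/unknown", "executable", b"not in the TSD"),
        "unchecked shlib": te.check_load("/tmp/unknown.so", "shlib", b"CHKSHLIBS is OFF"),
    }
    return results, te.log
```

Running `demo()` with the default policy set blocks the tampered script and the unlisted executable, while the shared library passes untouched because CHKSHLIBS is OFF.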
Note: A policy can be enabled or disabled at any time before TE is turned on, which is when the policies come into effect. Once a policy is in effect, disabling it becomes effective only on the next boot cycle. All informational messages are logged to syslog.