White Papers
Abstract
An overview of support and testing considerations for Trusted Execution
Content
Security configuration for AIX Trusted Execution (TE) and other security features requires advanced, comprehensive review and planning by administrators who are familiar with all system requirements. Customers are encouraged to explore security products such as IBM Power SC to ease the task of security and compliance.
AIX Support cannot make predictions about the application impact of Trusted Execution enablement. We can point to the overview of the feature:
IBM Documentation:
- Trusted Execution
- Trusted Execution commands
Trusted Execution policies (as described in the IBM Documentation):
- CHKEXEC: Checks the integrity of executable files that belong to the TSD before starting them.
- CHKKERNEXT: Checks the integrity of kernel extensions that belong to the TSD before loading them.
- CHKSHLIB: Checks the integrity of shared libraries that belong to the TSD before loading them.
- CHKSCRIPT: Checks the integrity of shell scripts that belong to the TSD before starting them.
- LOCK_KERN_POLICIES: If this policy is disabled, any policy can be enabled or disabled at any time. If this policy is enabled, all of the other policies are locked. To enable or disable a policy in that state, disable the LOCK_KERN_POLICIES policy and then restart the system.
- SIG_VER: Enables or disables the Runtime Signature Verification policy. When both the Runtime Signature Verification policy and the TE policy are enabled, the signature is used to verify the integrity of files instead of the hash value. Note: The SIG_VER policy applies only to files that belong to AIX system software.
- STOP_ON_CHKFAIL: Stops the loading of files whose integrity check fails.
- STOP_UNTRUSTD: Stops the loading of files that do not belong to the TSD.
- TROJAN: Stops the loading of files that do not belong to the TSD and have one of the following security settings:
  - The suid/sgid bit is set
  - Linked to a file in the TSD
  - Has an entry in the privcmds database
  - Linked to a file in the privcmds database
- TE: Enables or disables Trusted Execution. Policies can only be activated when the TE option is set to ON.
- TEP: Sets the value of the Trusted Execution Path, and enables or disables it. The Trusted Execution Path consists of a list of colon-separated absolute paths, for example /usr/bin:/usr/sbin. When this policy is enabled, only files in these directory paths are allowed to be started. If an executable program that does not belong to the TEP is to be loaded, the program is blocked.
- TLP: Sets the value of the Trusted Library Path, and enables or disables it. The Trusted Library Path consists of a list of colon-separated absolute paths, for example /usr/lib:/usr/ccs/lib. When this policy is enabled, only libraries in these directory paths can be loaded. If a program tries to load a library that does not belong to the TLP, the program is blocked.
- TSD_FILES_LOCK: Disables opening of files belonging to the TSD in write mode.
- EXVOL: Disables opening of only the nonvolatile files that belong to the TSD in write mode; the volatile files can still be changed.
- TSD_LOCK: Disallows opening of the TSD file (/etc/security/tsd/tsd.dat) in write mode, to prevent editing of the TSD. NOTE: If the Trusted Execution (TE) policy is turned on along with the TSD_LOCK policy or the TSD_FILES_LOCK policy, the installp and emgr commands fail. To continue with the installation, manually turn off the TSD_LOCK policy or the TSD_FILES_LOCK policy. The emgr and installp commands run successfully with TE policies if the TSD_LOCK policy or the TSD_FILES_LOCK policy is not turned on.
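Several of the policy descriptions above interact (policies are inert while TE=OFF, TE=ON with either TSD lock breaks installp and emgr, STOP_UNTRUSTD blocks everything outside the TSD). The following script is an added example, not IBM's code or part of the trustchk command: it reads a policy listing in the NAME=VALUE form that trustchk -p prints and reports those combinations. The two listings embedded in it are constructed; on a live system you would pass "$(trustchk -p)" instead.

```shell
#!/bin/sh
# Added example (not IBM's code): audit a "trustchk -p" style policy listing
# for the combinations the policy descriptions warn about.
# Both listings below are constructed sample data.

# Constructed listing: integrity checks on, nothing blocked (initial audit state).
CHECK_ONLY_POLICIES='TE=ON SIG_VER=OFF CHKEXEC=ON CHKSHLIB=ON CHKSCRIPT=ON CHKKERNEXT=ON
STOP_UNTRUSTD=OFF STOP_ON_CHKFAIL=OFF LOCK_KERN_POLICIES=OFF TSD_FILES_LOCK=OFF TSD_LOCK=OFF TEP=OFF TLP=OFF'

# Constructed listing: blocking and locking policies turned on, one check left off.
LOCKED_POLICIES='TE=ON SIG_VER=OFF CHKEXEC=ON CHKSHLIB=OFF CHKSCRIPT=ON CHKKERNEXT=ON
STOP_UNTRUSTD=ON STOP_ON_CHKFAIL=ON LOCK_KERN_POLICIES=ON TSD_FILES_LOCK=OFF TSD_LOCK=ON TEP=OFF TLP=OFF'

# policy_value LISTING NAME: print the value of NAME, or UNSET if it is absent.
# Tokens may be separated by spaces or newlines, so either layout is accepted.
policy_value() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | awk -F= -v name="$2" \
        '$1 == name { print $2; found = 1 } END { if (!found) print "UNSET" }'
}

# audit_policies LISTING: print one finding per line; empty output means no finding.
audit_policies() {
    listing=$1
    if [ "$(policy_value "$listing" TE)" != "ON" ]; then
        # Policies can only be activated when TE is ON, so anything else set is inert.
        for p in CHKEXEC CHKSHLIB CHKSCRIPT CHKKERNEXT STOP_UNTRUSTD STOP_ON_CHKFAIL; do
            [ "$(policy_value "$listing" "$p")" = "ON" ] && echo "INFO: $p=ON has no effect while TE is OFF"
        done
        return 0
    fi
    # TE=ON together with either TSD lock makes installp and emgr fail.
    if [ "$(policy_value "$listing" TSD_LOCK)" = "ON" ] || [ "$(policy_value "$listing" TSD_FILES_LOCK)" = "ON" ]; then
        echo "WARN: TSD_LOCK or TSD_FILES_LOCK is ON with TE=ON: installp and emgr fail until the lock policy is turned off"
    fi
    # STOP_UNTRUSTD blocks every file outside the TSD, so the untrusted-file audit must come first.
    if [ "$(policy_value "$listing" STOP_UNTRUSTD)" = "ON" ]; then
        echo "WARN: STOP_UNTRUSTD=ON blocks all files outside the TSD; confirm the syslog list of untrusted files was reviewed"
    fi
    # STOP_ON_CHKFAIL acts only on files whose check ran; a disabled CHK policy leaves that file class unchecked.
    if [ "$(policy_value "$listing" STOP_ON_CHKFAIL)" = "ON" ]; then
        for p in CHKEXEC CHKSHLIB CHKSCRIPT CHKKERNEXT; do
            [ "$(policy_value "$listing" "$p")" = "ON" ] || echo "WARN: STOP_ON_CHKFAIL=ON but $p=OFF, so that file class is never checked"
        done
    fi
    # LOCK_KERN_POLICIES freezes the other policies until it is disabled and the system restarted.
    if [ "$(policy_value "$listing" LOCK_KERN_POLICIES)" = "ON" ]; then
        echo "INFO: LOCK_KERN_POLICIES=ON: changing any other policy requires disabling it and restarting"
    fi
    return 0
}

echo "== check-only listing =="
audit_policies "$CHECK_ONLY_POLICIES"
echo "== locked listing =="
audit_policies "$LOCKED_POLICIES"
```

The check-only listing (the state used while collecting untrusted files) produces no findings; the locked listing reports the installp/emgr conflict, the blocking policy, the unchecked shared-library class and the kernel lock.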
IBM recommends performing a security assessment of your systems prior to implementing security tools such as Trusted Execution. System administrators must determine which executables are allowed to run and which libraries and kernel extensions are permitted to load.
The system administrators must determine the policies to:
- Manage (and secure) the Trusted Signature Database
- Configure the security policies
- Define the trusted execution and library paths
Some points to consider as you plan to enable TE:
- Trusted Execution does have some overhead, since every time you run a command its integrity is checked. You should always test such configurations in a test environment to determine if this has any noticeable impact on performance.
- You should determine which actions you want to occur if trustchk encounters an anomaly.
- You should plan how you will establish and secure the base line database (tsd.dat).
- While AIX binaries are signed, third-party products might require customization, such as adding commands and libraries to the database.
- See Signing new binaries entries in AIX Trusted Signature Database
***IMPORTANT*** The practical approach is to establish a test system (in a realistic test environment) similar to the production environment in which TE will be deployed.
Additional AIX Trusted Execution resources
- IBM Documentation: Trusted Execution
- Integrity Monitoring and Server Hardening through AIX 6.1 Trusted Execution (White Paper)
- IBM Redbook: AIX V6 Advanced Security Features, Introduction, and Configuration: Trusted Execution (Chapter 4)
An AIX Power Systems member has written a great series of blogs about TE that might be helpful:
- AIX and TE (Trusted Execution): an underestimated security feature? part1
- AIX and TE (Trusted Execution): an underestimated security feature? Part 2
- AIX and TE (Trusted Execution): an underestimated security feature? Part 3
- AIX and TE (Trusted Execution): an underestimated security feature? Part 4
Tips and Examples:
How to find the files that might be blocked by Trusted Execution

TE treats all files that are not present in the Trusted Signature Database (TSD) as untrusted. If the STOP_UNTRUSTD policy is enabled, execution of such files is blocked. To configure Trusted Execution effectively, administrators need a list of the untrusted files that might be loaded or executed on the system. Additionally, administrators will want to know about any files that have mismatched signatures, file sizes, or modes.
These files can be identified with the following steps:
1) Enable Trusted Execution with the "Check" policies:
# trustchk -p TE=ON CHKEXEC=ON CHKSHLIB=ON CHKSCRIPT=ON CHKKERNEXT=ON
- CHKEXEC: Checks the integrity of executable files that belong to the TSD before starting them.
- CHKKERNEXT: Checks the integrity of kernel extensions that belong to the TSD before loading them.
- CHKSHLIB: Checks the integrity of shared libraries that belong to the TSD before loading them.
- CHKSCRIPT: Checks the integrity of shell scripts that belong to the TSD before starting them.
This configuration enables verification of all loaded files.
2) Check the policies:
# trustchk -p
TE=ON
SIG_VER=OFF
CHKEXEC=ON
CHKSHLIB=ON
CHKSCRIPT=ON
CHKKERNEXT=ON
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=OFF
LOCK_KERN_POLICIES=OFF
TSD_FILES_LOCK=OFF
TSD_LOCK=OFF
TEP=OFF
TLP=OFF
At this point, the blocking policies are not enabled yet, so files are not stopped from executing. However, Trusted Execution logs a message to syslog whenever an untrusted file is loaded on the system.
3) Check the syslog for messages carrying the "Trusted Execution: " tag to find out which files are untrusted. Note that syslog must be enabled for the kern facility at info priority or higher.
3.1) For example, add the following to syslog.conf (the rotation settings are provided as an example; set up rotation per your own system requirements):
kern.info /tmp/kern.info rotate size 500k time 1w files 10 compress archive /syslogfiles
or, for more verbose output, enable debug (this is unlikely to produce additional Trusted Execution messages, but might add other debug logging):
kern.debug /tmp/kern.debug rotate size 500k time 1w files 10 compress archive /syslogArchive
3.2) Create the log file and the archive directory (consider creating the archive directory on a different file system):
# mkdir /syslogArchive
# touch /tmp/kern.info (or /tmp/kern.debug)
3.3) Refresh the syslogd daemon:
# refresh -s syslogd
3.4) Monitor /tmp/kern.info or /tmp/kern.debug for TE-related messages, for example:
Dec 19 11:15:55 tcp63 kern:info unix: Trusted Execution: pid=11403676, euid=0, ruid=0: Allowing to execute non trusted file: /opt/freeware/lib64/libcurl.a
4) Once you have a list of reported files, you can decide whether to add those files to the Trusted Signature Database or block them from execution.
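Step 3.4 leaves you with raw syslog lines, one per load event, and step 4 needs a de-duplicated list of files. The script below is an added example, not IBM's code or part of the trustchk tooling: it reads the kern log on standard input and summarizes the "Trusted Execution:" messages per reason and file path. The first sample line is the one shown above; the remaining lines are constructed, and the message layout "pid=N, euid=N, ruid=N: REASON: PATH" is assumed from that single example.

```shell
#!/bin/sh
# Added example (not IBM's code): summarize "Trusted Execution:" syslog
# messages into a per-file list. Reads the log on stdin, e.g.
#   te_report < /tmp/kern.info
# The sample log below is constructed; only the first line comes from the page.

SAMPLE_LOG='Dec 19 11:15:55 tcp63 kern:info unix: Trusted Execution: pid=11403676, euid=0, ruid=0: Allowing to execute non trusted file: /opt/freeware/lib64/libcurl.a
Dec 19 11:16:02 tcp63 kern:info unix: Trusted Execution: pid=11403680, euid=0, ruid=0: Allowing to execute non trusted file: /opt/freeware/lib64/libcurl.a
Dec 19 11:16:10 tcp63 kern:info unix: Trusted Execution: pid=11403702, euid=205, ruid=205: Allowing to execute non trusted file: /opt/app/bin/report.sh
Dec 19 11:16:11 tcp63 kern:info unix: some other kernel message that must be ignored'

# te_report: print "COUNT<TAB>REASON<TAB>PATH" for each distinct reason/path pair,
# most frequent first. Assumes the layout "... Trusted Execution: pid=N, euid=N,
# ruid=N: REASON: PATH"; lines without the tag or in another layout are skipped.
te_report() {
    awk '
        index($0, "Trusted Execution: ") == 0 { next }
        {
            tag = "Trusted Execution: "
            msg = substr($0, index($0, tag) + length(tag))
            n = split(msg, part, ": ")
            if (n < 3) next              # unexpected layout: do not guess
            reason = part[n - 1]
            path = part[n]
            count[reason "\t" path]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# te_paths: only the distinct file paths, sorted, ready for the step 4 decision
# (add to the TSD, or leave them to be blocked once STOP_UNTRUSTD is enabled).
te_paths() {
    te_report | cut -f3 | sort -u
}

echo "== per-file summary =="
printf '%s\n' "$SAMPLE_LOG" | te_report
echo "== distinct paths =="
printf '%s\n' "$SAMPLE_LOG" | te_paths
```

Splitting on the last two ": " separators rather than on fixed column positions keeps the parser independent of the timestamp, hostname and pid, and the layout guard drops any kernel line that does not match, so unrelated kern.debug output cannot produce a bogus path.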
SUPPORT

AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.
If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist. If you require consulting services, fee-based services are available; read about IBM Systems Lab Services.
If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract:
1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.
2. Capture any logs or data relevant to the situation.
3. Contact IBM to open a case:
   - For electronic support, see the IBM Support Community: https://www.ibm.com/mysupport
   - If you require telephone support, visit the IBM Directory of worldwide contacts (https://www.ibm.com/contact/global). Click your country and use the Software phone number listed in the Contact information section.
4. Provide a clear, concise description of the issue.
   - For guidance, see: Working with IBM AIX Support: Describing the problem
5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.
   - For guidance, see: Working with IBM AIX Support: Collecting snap data
Document Information
Modified date: 19 December 2024
UID: ibm17178676