Friday, 22 June 2012

TCB

The Trusted Computing Base (TCB), together with the tcbck command, provides very useful tools for both security and system integrity. The TCB facilities can help detect or prevent accidental system changes and help protect you from playful users. TCB must be enabled during the initial install; if it is not, you must reinstall to enable it. It can be disabled at any time, so there is no harm in enabling TCB.
The TCB is the set of programs and files that must be correct (“trusted”) if the rest of the system is to have security and integrity. This includes programs such as the AIX kernel, the login programs, and the passwd programs. There are many commands to help ensure these are trusted. The most useful function of the TCB is the checking processes (sysck.cfg, tcbck, pwdck, etc.) associated with it.

The sysck.cfg file and the tcbck command work together to verify that the attributes of various files are correct. The sysck.cfg file maintains a list of attributes (permissions, owner, checksum, links, etc.) for certain files; the tcbck command then checks that those files still have the same attributes, meaning that the attributes making up the TCB have not changed since they were recorded. You should run the tcbck command periodically to verify the integrity of these attributes.
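To make the sysck.cfg/tcbck idea concrete, here is an added example (not code from the post or from AIX): a minimal tcbck-style check in POSIX sh. It records owner, mode string and CRC (from cksum) for a list of files into a flat database and later reports any drift, which is the same attribute-comparison loop that tcbck runs over /etc/security/sysck.cfg. The database format (path|owner|mode|cksum) and the function names are this example's own, and the files it checks are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: a tcbck-style attribute baseline/verify in POSIX sh.
# The path|owner|mode|cksum record format is our own, not sysck.cfg syntax.

# Print one record for a file: path|owner|mode|cksum
tcb_record() {
    f=$1
    owner=$(ls -ld "$f" | awk '{print $3}')   # field 3 of ls -ld is the owner
    mode=$(ls -ld "$f" | awk '{print $1}')    # field 1 is the mode string
    sum=$(cksum "$f" | awk '{print $1}')      # POSIX CRC of the contents
    printf '%s|%s|%s|%s\n' "$f" "$owner" "$mode" "$sum"
}

# Build the baseline database for the given files (in spirit, tcbck -a
# adding entries to sysck.cfg). Paths containing '|' are not supported.
tcb_baseline() {
    for f in "$@"; do tcb_record "$f"; done
}

# Compare every record in database $1 with the live file. Prints one line per
# mismatch (path, attribute, expected -> actual) and returns 1 if anything
# drifted, 0 if all attributes still match (compare tcbck -n ALL).
tcb_verify() {
    db=$1
    drift=0
    while IFS='|' read -r f owner mode sum; do
        if [ ! -e "$f" ]; then
            printf '%s: missing\n' "$f"; drift=1; continue
        fi
        now=$(tcb_record "$f")
        now_owner=$(printf '%s' "$now" | cut -d'|' -f2)
        now_mode=$(printf '%s' "$now" | cut -d'|' -f3)
        now_sum=$(printf '%s' "$now" | cut -d'|' -f4)
        [ "$owner" = "$now_owner" ] || { printf '%s: owner %s -> %s\n' "$f" "$owner" "$now_owner"; drift=1; }
        [ "$mode" = "$now_mode" ] || { printf '%s: mode %s -> %s\n' "$f" "$mode" "$now_mode"; drift=1; }
        [ "$sum" = "$now_sum" ] || { printf '%s: checksum %s -> %s\n' "$f" "$sum" "$now_sum"; drift=1; }
    done < "$db"
    return $drift
}

# Self-contained demo on constructed files: baseline two files, append a line
# to one of them (contents change, owner and mode do not), verify, and print
# the number of mismatch lines reported (1: the checksum of the edited file).
tcb_demo() {
    dir=$(mktemp -d)
    printf 'root:!:0:0::/:/usr/bin/ksh\n' > "$dir/passwd"   # constructed sample
    printf 'all good\n' > "$dir/login"                        # constructed sample
    tcb_baseline "$dir/passwd" "$dir/login" > "$dir/sysck.db"
    printf 'evil:!:0:0::/:/usr/bin/ksh\n' >> "$dir/passwd"   # simulated tampering
    n=$(tcb_verify "$dir/sysck.db" | wc -l | tr -d ' ')
    rm -rf "$dir"
    echo "$n"
}

echo "drift lines reported by demo: $(tcb_demo)"
```

On a real system the same two functions would be run with a root-owned database stored somewhere the checked files cannot influence, and a non-zero return from tcb_verify is the signal to either update the record (the tcbck -a direction) or restore the file (the reverse direction the post describes below).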

I have enabled TCB on all my systems but never encountered any performance issues till now, but this has helped me to identify the important files which have been modified (checksum).

AIX 6.1 System WPARs cannot be used on TCB-enabled systems.

AIX TCB details

  1. TCB must remain part of rootvg (so make sure rootvg is on an optimal disk for high I/O)
  2. Will only monitor static flat files, no database integration (although it seems AIX 6.1 has a feature that might provide some type of database monitoring?)
  3. Monitors the files/devices/etc. listed in /etc/security/sysck.cfg
  4. Can possibly be switched off and on with ODM commands?
  5. Performance overhead relates directly to how many alerts/checks are configured in /etc/security/sysck.cfg and how frequently they are monitored
TCB Enabled?

# tcbck
(or)
The right command to type is $ tcbck -n ALL
There are 3 types of response:
1) No answer, just getting the prompt back, means that TCB is installed and everything is right (no integrity errors): Great! Nothing to do at all!
2) An error message saying that TCB is not installed or something like this. If you want the TCB to be part of the system, you need to reinstall AIX, choosing "yes" for the TCB enabled install option.
3) Other messages about, e.g., file checksum errors or permission errors. In that case, your TCB is correctly installed but there are differences between the attribute information stored in /etc/security/sysck.cfg (the TCB database) and the reality of your system, e.g. for a listed file, the permissions stored in the TCB don't reflect the permissions of that file on your system.
The way to recover is either to change the TCB attributes, saying that the new permissions of that file have to be updated in the TCB. You can do that using
$ tcbck -a ......... (depending on the type of error you get). Or the reverse scenario: saying that the right permissions for that file are those stored in the TCB, and the permissions of that file residing on your system have to be changed to reflect the permissions stored in the TCB.
Remember that it is possible to edit the TCB database (/etc/security/sysck.cfg). Editing is possible just to look at the structure. I would not recommend performing any changes directly with vi or any other editor, because the results could be unpredictable....
To update /etc/security/sysck.cfg, absolutely use the commands designed for that purpose, i.e. tcbck, chtcb, ...
Hope this helps.

How to disable TCB on a running AIX server

Many AIX admins have believed that the Trusted Computing Base, if enabled, can't be disabled on a running system; you need to reinstall the OS to deactivate it. What a joke!!! Everything is becoming dynamic and we are still standing at the same level. Let's step forward:

MYTH: TCB can't be disabled once enabled. How to disable TCB on the fly

If TCB is enabled in AIX, it can be disabled without rebooting, let alone reinstalling the OS. Here is the process:

No application downtime is needed.

* Playing with ODM is dangerous, so keep your hands safe ;)))

1) Take an ODM backup

Back up /usr/lib/objrepos, /usr/share/lib/objrepos and /etc/objrepos recursively.

2) Check the TCB state in the ODM

# odmget -q attribute=TCB_STATE PdAt

PdAt:
        uniquetype = ""
        attribute = "TCB_STATE"
        deflt = "tcb_enabled"
        values = ""
        width = ""
        type = ""
        generic = ""
        rep = ""
        nls_index = 0
#

3) Disable TCB
odmget -q attribute=TCB_STATE PdAt | sed 's/tcb_enabled/tcb_disabled/' | odmchange -o PdAt -q attribute=TCB_STATE

4) Now TCB is disabled

# odmget -q attribute=TCB_STATE PdAt

PdAt:
        uniquetype = ""
        attribute = "TCB_STATE"
        deflt = "tcb_disabled"
        values = ""
        width = ""
        type = ""
        generic = ""
        rep = ""
        nls_index = 0
#

5) If you want to enable TCB again

odmget -q attribute=TCB_STATE PdAt | sed 's/tcb_disabled/tcb_enabled/' | odmchange -o PdAt -q attribute=TCB_STATE
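Steps 1 to 5 above, as an added example script that is not from the post: it backs up the three ODM directories first, parses the TCB_STATE stanza exactly as odmget prints it, refuses to rewrite the stanza unless the current value is the one it expects, and only then hands the modified stanza to odmchange. The parsing and rewriting work on plain text, so they can be exercised on a host without ODM using a constructed copy of the stanza shown above; odmget and odmchange are only invoked from tcb_disable_live, which is never called automatically. The function names and the backup location are this example's own choices.

```shell
#!/bin/sh
# Added example: the ODM TCB_STATE toggle with a backup and a pre-check.

# The three ODM directories the post says to back up
ODM_DIRS="/usr/lib/objrepos /usr/share/lib/objrepos /etc/objrepos"

# Step 1: tar the ODM directories into a timestamped archive under $1.
# Prints the archive path; fails if any directory is missing.
odm_backup() {
    dest=$1
    stamp=$(date +%Y%m%d%H%M%S)
    tar -cf "$dest/odm-backup-$stamp.tar" $ODM_DIRS || return 1   # unquoted on purpose: word-split
    echo "$dest/odm-backup-$stamp.tar"
}

# Extract the deflt value (tcb_enabled / tcb_disabled) from a PdAt stanza
# on stdin, i.e. the text printed by: odmget -q attribute=TCB_STATE PdAt
tcb_state_of() {
    sed -n 's/^[[:space:]]*deflt = "\(.*\)"$/\1/p'
}

# Rewrite the stanza on stdin so deflt becomes $1, but only if it currently
# holds $2. Otherwise print nothing and return 1, so nothing reaches odmchange
# when the ODM is not in the state the operator assumed.
tcb_set_state() {
    want=$1; expect=$2
    stanza=$(cat)
    cur=$(printf '%s\n' "$stanza" | tcb_state_of)
    if [ "$cur" != "$expect" ]; then
        echo "TCB_STATE is '$cur', expected '$expect'; not changing" >&2
        return 1
    fi
    printf '%s\n' "$stanza" | sed "s/deflt = \"$expect\"/deflt = \"$want\"/"
}

# Constructed copy of the stanza shown in the post (not read from any host)
SAMPLE_STANZA='PdAt:
        uniquetype = ""
        attribute = "TCB_STATE"
        deflt = "tcb_enabled"
        values = ""
        width = ""
        type = ""
        generic = ""
        rep = ""
        nls_index = 0'

# Steps 1-4 on a real AIX host (only ever run by explicit operator choice):
# back up, read, flip tcb_enabled -> tcb_disabled, write back, re-read.
# Pass the backup directory as $1 (defaults to /tmp, an assumption).
tcb_disable_live() {
    odm_backup "${1:-/tmp}" >/dev/null || return 1
    new=$(odmget -q attribute=TCB_STATE PdAt | tcb_set_state tcb_disabled tcb_enabled) || return 1
    printf '%s\n' "$new" | odmchange -o PdAt -q attribute=TCB_STATE
    odmget -q attribute=TCB_STATE PdAt | tcb_state_of
}

# Dry run on the constructed stanza: prints tcb_disabled
printf '%s\n' "$SAMPLE_STANZA" | tcb_set_state tcb_disabled tcb_enabled | tcb_state_of
```

Re-enabling (step 5) is the same call with the arguments swapped: tcb_set_state tcb_enabled tcb_disabled. The pre-check matters because the post's bare sed pipeline silently feeds an unchanged stanza to odmchange if the value is not what you expected, whereas this version stops and says so.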

* Source article from: Internet