Re: OS binaries integrity check

From: Green, Simon (Simon.Green@EU.ALTRIA.COM)
Date: Tue Feb 17 2004 - 05:59:38 EST


TCB does a few different things.

The simplest - and most useful, IMO - is to keep a record of file checksums
and permissions, which can be checked periodically to ensure nothing's been
tampered with. It starts off with a default database and you can add your
own files to it if you wish.

The bit which I don't like is the Trusted Shell. This verifies that every
executable you call is running from the right place, i.e. nobody has
slipped their own copy into your path. This is of limited use; I think it
only works on terminals, not over a network. Unless you're working for the
military or something like that it seems far too much trouble. I don't
think it checks the actual executable each time, though, so if someone
manages to replace the actual /usr/bin/xxxx you're stuffed.

Given that you have to re-install your system - and you CAN'T simply restore
from a mksysb: preservation install is the best you can manage - even just
using TCB for the first part looks like it's more trouble than it's worth,
to me.

Of course, that does depend on how much you want it and how many systems are
affected.

There's a good basic introduction to the TCB in the AIX Admin Guide, or the
Elements of Security RedBook.

--
Simon Green
Altria ITSC Europe Ltd
AIX-L Archive at https://new-lists.princeton.edu/listserv/aix-l.html
New to AIX? http://publib-b.boulder.ibm.com/redbooks.nsf/portals/UNIX
N.B. Unsolicited email from vendors will not be appreciated.
Please post all follow-ups to the list.
> -----Original Message-----
> From: jeff barratt-mccartney [mailto:jbarratt@COMPSAT.COM]
> Sent: 14 February 2004 03:14
> To: aix-l@Princeton.EDU
> Subject: Re: OS binaries integrity check
>
>
> gustavo,
> if your goal is to check (for trojan horses/etc) every binary every time it
> is launched, it is my understanding that you HAVE to use TCB. I may be wrong
> here. Can anyone correct me? TCB (Trusted Computing Base?) is very stringent
> and works every time. It is also not an 'upgradable feature': you need to
> select it at install time. To move to TCB I believe you can just backup your
> existing environment, reinstall selecting TCB at install time, and lay down
> your applications/etc. My understanding is that TCB is foolproof; I know
> from the one time I used it that it was also a PITA. Maybe this observation
> was my inexperience at the time.
> Tripwire is 1. not free (open source) and 2. not foolproof.
> I have to ask the question... what problem or perceived problem are you
> trying to solve? If your concern is trojan horses set up by other root
> users, then you need to severely limit root access; if your concern is
> trojan horses created by nonroot users, then I suggest you investigate some
> simple security precautions (sudo) that are not addressed by default AIX
> installs. A good primer on the subject is quickly found on google if you
> search for "bastion aix". If you are simply interested in making sure the
> binaries jive, lppcheck will do the job, assuming lppcheck hasn't been
> compromised.
>
> IMHO the AIX community has turned a blind eye to security. There are a
> considerable number of holes in AIX, and I am surprised by the lack of
> communication on this listserv on this subject.
> I am not playing the high and mighty here, nor am I preaching
> to the choir,
> certainly some of the posters and lurkers here have some opinions.
>
>
>
> -----Original Message-----
> From: IBM AIX Discussion List [mailto:aix-l@Princeton.EDU]On Behalf Of
> Fette, Gustavo
> Sent: Friday, February 13, 2004 3:10 PM
> To: aix-l@Princeton.EDU
> Subject: Re: OS binaries integrity check
>
>
> Well, I didn't find TCB either on my server or on the web.
>
> But I found the tripwire installation tutorial at IBM, though I got
> compilation errors, so I don't know if any of you guys have it compiled for
> 4.3 and 5.1?
>
> I've found fcheck and some more software, but I still have to compile or
> configure them...
>
> Regards,
> Gustavo.-
>
>
> -----Original Message-----
> From: IBM AIX Discussion List [mailto:aix-l@Princeton.EDU] On
> Behalf Of Bill
> Verzal
> Sent: Friday, February 13, 2004 4:24 PM
> To: aix-l@Princeton.EDU
> Subject: Re: OS binaries integrity check
>
> You install it with the OS.  If it is not there now, you can't use it.
>
> BV
> --------------------------------------------------------
>
> "If everything is coming your way, then you are in the wrong lane"
>
> Bill Verzal
> AIX Administrator, Komatsu America
> (847) 970-3726 - direct
> (847) 970-4184 - fax
>
>
>
> From: "Fette, Gustavo" <gustavo.fette@EDS.COM>
> Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
> To: aix-l@Princeton.EDU
> Subject: Re: OS binaries integrity check
> Date: 02/13/2004 12:59 PM
> Reply-To: IBM AIX Discussion List <aix-l@Princeton.EDU>
>
> And where can I get it?
>
>
> -----Original Message-----
> From: IBM AIX Discussion List [mailto:aix-l@Princeton.EDU] On
> Behalf Of Bill
> Verzal
> Sent: Friday, February 13, 2004 3:51 PM
> To: aix-l@Princeton.EDU
> Subject: Re: OS binaries integrity check
>
> TCB
> --------------------------------------------------------
>
> "If everything is coming your way, then you are in the wrong lane"
>
> Bill Verzal
> AIX Administrator, Komatsu America
> (847) 970-3726 - direct
> (847) 970-4184 - fax
>
>
>
> From: "Fette, Gustavo" <gustavo.fette@EDS.COM>
> Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
> To: aix-l@Princeton.EDU
> Subject: OS binaries integrity check
> Date: 02/13/2004 12:38 PM
> Reply-To: IBM AIX Discussion List <aix-l@Princeton.EDU>
>
> Hello:
>                 Does anyone know about a free tool to check the integrity of
> the binaries of my system?
>
> I mean, some kind of tool that runs against e.g. ls, shutdown, etc. and gives
> me a hash that I can keep to compare with a new hash, e.g. every month...
>
> Thanks in advance.
>
> Regards,
>
> Gustavo Fette
> MMH - GOSD
> EDS Argentina
> Arias 1851 - Buenos Aires
> Phone: +54 11 4704-3403
> Mobile: +54 9 11 5110-2325
>


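Editor's added example (not code from the thread, and not IBM's TCB, tcbck or lppchk, which are the stock AIX tools for this): the "record of file checksums and permissions, checked periodically" that Simon describes, plus the path-shadowing check the Trusted Shell is meant to cover, written as a few POSIX sh functions. Assumed: sha256sum or openssl is available (it falls back to POSIX cksum, which is a CRC an attacker can forge at will), mktemp -d exists, and no monitored path contains a '|' character. The fim_* function names, the record format and the two fake "binaries" in fim_demo are constructed for this example.

```shell
#!/bin/sh
# Added example: a minimal "checksums and permissions" baseline in POSIX sh.
# Not IBM TCB and not code from the thread. Assumptions: sha256sum or openssl
# is on PATH (falls back to POSIX cksum, a CRC that an attacker can forge),
# mktemp -d exists, and no monitored path contains '|'. Keep the baseline file
# and the hashing tools off the box being checked: a root-level intruder who
# can replace /usr/bin/ls can also rewrite this database and sha256sum itself.

# fim_digest FILE -> hex digest on stdout
fim_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        cksum "$1" | awk '{print $1}'   # last resort, not tamper-resistant
    fi
}

# fim_meta FILE -> "mode owner group" taken from ls -ld (works on AIX and Linux)
fim_meta() {
    ls -ld "$1" | awk '{print $1, $3, $4}'
}

# fim_baseline DB FILE... -> one record per file: path|digest|mode owner group
fim_baseline() {
    db=$1; shift
    : > "$db"
    for f in "$@"; do
        printf '%s|%s|%s\n' "$f" "$(fim_digest "$f")" "$(fim_meta "$f")" >> "$db"
    done
}

# fim_check DB -> prints MISSING/CHANGED/META findings, returns 1 if any
fim_check() {
    rc=0
    while IFS='|' read -r path digest meta; do
        if [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$path"; rc=1; continue
        fi
        if [ "$(fim_digest "$path")" != "$digest" ]; then
            printf 'CHANGED %s\n' "$path"; rc=1
        fi
        nowmeta=$(fim_meta "$path")
        if [ "$nowmeta" != "$meta" ]; then
            printf 'META %s (%s -> %s)\n' "$path" "$meta" "$nowmeta"; rc=1
        fi
    done < "$1"
    return $rc
}

# fim_path_shadow NAME EXPECTED [SEARCHPATH] -> 0 if the first NAME found on
# the search path is EXPECTED, 1 if something earlier in the path shadows it.
# Every match is printed in search order so the interloper is visible.
fim_path_shadow() {
    name=$1; expected=$2; searchpath=${3:-$PATH}; first=""
    oldifs=$IFS; IFS=:
    for d in $searchpath; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            printf 'found %s\n' "$d/$name"
            [ -n "$first" ] || first="$d/$name"
        fi
    done
    IFS=$oldifs
    [ "$first" = "$expected" ]
}

# fim_demo -> baselines two constructed fake binaries, tampers with them and
# returns fim_check's verdict (1 means the tampering was detected).
fim_demo() {
    tmp=$(mktemp -d) || return 2
    printf '#!/bin/sh\necho real ls\n' > "$tmp/ls"
    printf '#!/bin/sh\necho real shutdown\n' > "$tmp/shutdown"
    chmod 755 "$tmp/ls" "$tmp/shutdown"
    fim_baseline "$tmp/baseline.db" "$tmp/ls" "$tmp/shutdown"
    printf '#!/bin/sh\necho trojan\n' > "$tmp/ls"     # replaced binary
    chmod 777 "$tmp/shutdown"                          # loosened permissions
    fim_check "$tmp/baseline.db"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

fim_demo || echo "tampering detected (expected in this demo)"
```

In use you would run fim_baseline once over the binaries you care about (ls, shutdown, the contents of /usr/bin) right after a clean install, copy the database somewhere the host cannot write, and run fim_check from cron against that read-only copy; fim_path_shadow is the cheap cross-check for the case Simon raises, where the real binary is untouched but a copy earlier in PATH gets called instead.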
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:36 EDT