What is TE (Trusted Execution)?
TE is one of the ways to protect AIX against intruders and hackers.
Last year I had some discussions with audit people who said we should use a malware and intrusion detection system on our AIX LPARs. My answer to their arguments was that it is already in place: we use TE on AIX for this.
My goal for this blog series is to share knowledge about this very powerful, easy-to-use feature. And in my humble opinion it should be used on every mission-critical system with AIX, especially in a secure environment.
What are the arguments to use it and what are the benefits?
That's what I would like to explain in this first part of the blog series.
Securing an operating system is getting more and more attention, and, speaking for myself, it has always had my special attention, working for a Dutch bank.
Well, speaking of benefits, TE fulfills perfectly the needs of a system administrator, see the list below:
When the right TE policies are enabled:
- You can prove the integrity of the system.
- Reliable proof that executables, libraries, scripts and files that belong to AIX have not been tampered with or modified, and when they are tampered with they can no longer be executed.
- Since AIX 7.2 TL 05 the same holds for AIX shared libraries, with lib.tsd.dat stored on LDAP.
- Critical configuration files are locked and cannot be modified.
- Add and sign your own executables and scripts to the database(s).
- The TE database for ALL AIX commands is signed and approved by IBM, for every TL and SP.
- Runtime TE is part of the AIX kernel, and therefore abnormalities are immediately logged via syslog.
- Manual checks can be done with one single command, which can be used for auditing and to prove the security state and sanity of the system; it identifies files that have changed.
- Even if configuration files are under the control of automation tools such as Ansible, TE locks all important configuration files, so they cannot be modified without the intervention of TE and/or RBAC commands.
- For Ansible a default RBAC role can be put in place so that only Ansible is allowed to make configuration changes.
- Increases the trust level of the system: when the right policies are enabled, a malicious user cannot harm the system, because files are locked (read-only).
- In case a script, executable or library is tampered with, execution is prohibited and the attempt to execute is logged (runtime TE).
And there are probably more arguments to give.
See also this link:
https://www.ibm.com/support/pages/node/6223934
A brief history:
TE is the successor of TCB (Trusted Computing Base) and was first introduced in AIX 6.1.
Even now, in AIX 7.3, TCB is still available, but IBM recommends using TE instead of TCB.
TE is installed by default on AIX 6.1 and higher, has much more flexibility than TCB, and has much better verification methods. See this note from IBM (security_7.3):
TE is a more powerful and enhanced mechanism that overlaps some of the TCB functionality and provides advance security policies to better control the integrity of the system. While the Trusted Computing Base is still available, Trusted Execution introduces a new and more advanced concept of verifying and guarding the system integrity.
Basic knowledge:
How does it work, and why is it fast and reliable?
TE is integrated into the AIX kernel and has its own database files: tsd.dat, tepolicies.dat and lib.tsd.dat. Because it is integrated into the kernel, it is fast.
Reliable, because every item that belongs to AIX has an entry in tsd.dat or lib.tsd.dat that is signed by IBM.
The database files themselves are also locked (read-only) if configured properly.
By default those databases live in the directory /etc/security/tsd, and the last one mentioned (lib.tsd.dat) in /etc/security/tsd/lib.
The database files that are actually used are determined by the configuration file /etc/nscontrol.conf.
The last one is only important if you decide to store the database files on a secure LDAP server (I will cover this setup in one of my next blogs).
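The "one single command" for the manual check mentioned in the list above is trustchk, which compares the files on disk against the entries in tsd.dat. As an added example (not code from the original post), here is a small POSIX shell helper that turns the output of a read-only check (trustchk -n ALL) into an audit summary; it assumes trustchk reports each mismatch as "trustchk: Verification of attributes failed: <path> : <attribute>", which is the format I am assuming here.

```shell
#!/bin/sh
# Summarise a manual TE integrity check for auditing.
# Assumed input format (one line per mismatch, as produced by trustchk -n ALL):
#   trustchk: Verification of attributes failed: <path> : <attribute>
# where <attribute> is hash, size, mode, owner, ... ; other lines are counted as unparsed.
# Usage on an AIX LPAR:   trustchk -n ALL 2>&1 | te_summarize
# Exit status: 0 when nothing was reported, 1 when at least one mismatch was found.
te_summarize() {
    awk '
    /^trustchk: Verification of attributes failed: / {
        # Strip the fixed prefix, then split "<path> : <attribute>".
        sub(/^trustchk: Verification of attributes failed: /, "")
        n = split($0, f, / : /)
        path = f[1]; attr = f[n]
        if (!(path in files)) nfiles++
        files[path] = files[path] (files[path] == "" ? "" : ",") attr
        # A hash mismatch means the content itself changed, not just metadata.
        if (attr == "hash" && !(path in tampered)) { tampered[path] = 1; nhash++ }
        total++
        next
    }
    NF { other++ }
    END {
        printf "files with mismatches : %d\n", nfiles + 0
        printf "attribute mismatches  : %d\n", total + 0
        printf "content changes (hash): %d\n", nhash + 0
        printf "unparsed lines        : %d\n", other + 0
        for (p in files) printf "  %s (%s)\n", p, files[p]
        exit ((total + 0) > 0 ? 1 : 0)
    }'
}
```

A non-zero exit status makes the helper usable directly from a cron job or a monitoring check, so that a changed file is noticed even when runtime TE is running in passive mode.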
So far this first blog about the AIX feature TE; my goal is to get your attention and interest with this first part of the blog.
In the next blog I will explain in more depth the difference between passive and active mode and why they are both useful.
Further, I will explain the database files in more depth. And if this blog series is liked I can also share how the TE database files can be shared via LDAP server(s), and give some practical examples of how to maintain TE after an SP or TL update.