AIX


implementing TE

  • 1.  implementing TE

    Posted Tue February 13, 2024 03:21 PM

    hi guys,

    I am trying to enable TE but having a harder time than I expected. Has anyone successfully implemented AIX TE? My environment is based on sudo usage and I can't even get this one command working.



    ------------------------------
    aixuser
    ------------------------------


  • 2.  RE: implementing TE

    Posted Tue February 13, 2024 04:57 PM
    I have not personally.
    But this seems to be a good starting point for reading:
    using the trustchk command to build/maintain the TSD.

    The TEP (execution path) and TLP (library path): I don't readily see where those are defined, but someone else may be able to answer.

    What "errors" are you seeing that indicate to you it's not working?

    And what do you mean your system is based on sudo rules?






  • 3.  RE: implementing TE

    IBM Champion
    Posted Wed February 14, 2024 02:11 AM

    Hello, AIX user,

    Currently I am writing a blog series about TE and posted part 1 last week.

    I will post part 2 at the end of this month, but if you can tell me your problems, I am glad to help you with this.

    I have used TE from the beginning, and am happy to share.

    Please read part 1 and explain what your problems are.

    AIX and TE (Trusted Execution): an underestimated security feature? part1 (ibm.com)

    The above article is an introduction; part 2 will most likely give you the answers you need :)

    Greetings Christian.



    ------------------------------
    Christian Sonnemans
    Tactical Unix system engineer
    ------------------------------



  • 4.  RE: implementing TE

    Posted Wed February 14, 2024 08:57 AM

    Thanks Guys,

    So I have been trying to implement TE for several days now without any success. I am trying to add sudo first, and this is what I have done thus far.

    1. sudo is /opt/freeware/bin/sudo which is a link to /opt/freeware/bin/sudo_32
    2. Sudo version 1.9.5p2
    3. I have added /opt/freeware/bin/sudo_32 and the symlink /opt/freeware/bin/sudo to the tsd
    4. I also had to add /opt/freeware/libexec/sudo/libsudo_util.so.0.0.0 and 2 symlinks /opt/freeware/libexec/sudo/libsudo_util.so,/opt/freeware/libexec/sudo/libsudo_util.so.0
    5. Also added /etc/sudoers to tsd
    6. added /opt/freeware/bin:/opt/freeware/sbin to TEPPATH
    7. added /opt/freeware/libexec:/opt/freewrae/libexec64:/opt/freeware/lib:/opt/freeware/lib64:/usr/opt/rpm/lib to TLPPATH

    Then I run sudo trustchk -p TE=OFF TEP=OFF TLP=OFF, then sudo trustchk -p TE=ON TEP=ON TLP=ON, and when I try to execute the sudo command I get the following error:

    exec(): 0509-036 Cannot load program sudo because of the following errors:

            0509-150   Dependent module /opt/freeware/libexec/sudo/libsudo_util.so could not be loaded.

            0509-022 Cannot load module /opt/freeware/libexec/sudo/libsudo_util.so.

            0509-026 System error: Cannot run the specified program in a trusted environment.

    I look at the /opt/freeware/libexec/sudo/libsudo_util.so.0.0.0 file in tsd and it looks fine:

      sudo trustchk -q /opt/freeware/libexec/sudo/libsudo_util.so.0.0.0
    /opt/freeware/libexec/sudo/libsudo_util.so.0.0.0:
            type = FILE
            owner = root
            group = system
            mode = 755
            symlinks = /opt/freeware/libexec/sudo/libsudo_util.so,/opt/freeware/libexec/sudo/libsudo_util.so.0

    I'm not sure why I am still getting those two errors and IBM support has not been able to solve the issue thus far.



    ------------------------------
    AIX USER
    ------------------------------
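    Added example (POSIX shell, not from this thread or from IBM): two checks a practitioner would run before switching TLP=ON after a loader error like the one above. missing_dirs lists entries of a colon-separated TEP/TLP value that are not directories (a typo such as /opt/freewrae would show up here), and check_lib walks a library's symlink chain with readlink(1) and reports every name whose directory is not an entry of the TLP list. The paths in the usage line are only sample values; the check assumes a TLP entry must match the library's directory exactly, since the thread does not say whether entries also cover subdirectories, so adjust that if IBM's documentation says otherwise.

    ```shell
    #!/bin/sh
    # Added example, not code from the thread. Entries are split on ':' and on
    # whitespace, so path lists containing spaces are not supported.

    # Print each entry of a colon-separated list on its own line.
    split_list() {
        printf '%s\n' "$1" | tr ':' '\n'
    }

    # Print the entries of a TEP/TLP list that are not directories.
    # Returns 1 if any entry is missing (catches typos before trustchk -p).
    missing_dirs() {
        _list=$1; _rc=0
        for _d in $(split_list "$_list"); do
            [ -d "$_d" ] || { printf '%s\n' "$_d"; _rc=1; }
        done
        return $_rc
    }

    # Return 0 if the directory of file $1 is exactly one entry of list $2.
    dir_in_list() {
        _dir=$(dirname "$1")
        for _d in $(split_list "$2"); do
            [ "$_d" = "$_dir" ] && return 0
        done
        return 1
    }

    # Follow the symlink chain starting at library $1 (link names first, the
    # real file last) and flag every name whose directory is outside list $2.
    check_lib() {
        _path=$1; _tlp=$2; _rc=0
        while :; do
            if dir_in_list "$_path" "$_tlp"; then
                printf 'covered:   %s\n' "$_path"
            else
                printf 'UNCOVERED: %s\n' "$_path"; _rc=1
            fi
            [ -L "$_path" ] || break
            _target=$(readlink "$_path")
            case $_target in
                /*) _path=$_target ;;                      # absolute link target
                *)  _path=$(dirname "$_path")/$_target ;;  # relative link target
            esac
        done
        # If trustchk is available, also show what the TSD knows about the real file.
        if command -v trustchk >/dev/null 2>&1; then
            trustchk -q "$_path" || _rc=1
        fi
        return $_rc
    }

    # Usage: ./tlpcheck.sh <library> <TLP list>   (sample values below are assumptions)
    #   ./tlpcheck.sh /opt/freeware/libexec/sudo/libsudo_util.so \
    #                 /opt/freeware/libexec:/opt/freeware/lib:/opt/freeware/lib64
    if [ $# -eq 2 ]; then
        missing_dirs "$2" && echo "all TLP entries exist"
        check_lib "$1" "$2"
    fi
    ```

    Run it as root on the AIX host with TE still off; an UNCOVERED line for a symlink name is worth fixing before TLP=ON, because the loader opens the library under the name the program requested, not under the real file's name.
    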



  • 5.  RE: implementing TE

    Posted Wed February 14, 2024 09:11 AM
    While it may be just a typo while entering this email, please check your spelling:

    added /opt/freeware/libexec:/opt/freewrae/libexec64:/opt/freeware/lib:/opt/freeware/lib64:/usr/opt/rpm/lib to TLPPATH

    If you cut/pasted from your config files, then you have a typo in your pathname.

    Tom





  • 6.  RE: implementing TE

    Posted Wed February 14, 2024 09:49 AM

    It was a typo when I was typing here, thanks :-).



    ------------------------------
    AIX USER
    ------------------------------



  • 7.  RE: implementing TE

    Posted Wed February 14, 2024 09:26 AM

    I have the feeling that you have a total misunderstanding of sudo and TE.

    Both are totally independent solutions with different aims.

    Sudo can be used without TE, and TE does not require sudo.

    You can have both on the same system or just one of them.

     

    Sudo gives root-like rights to users, groups or programs.

    TE checks whether the program you want to execute is the original one. If it has been changed, execution is denied by the AIX kernel.

     






  • 8.  RE: implementing TE

    Posted Wed February 14, 2024 09:53 AM

    hi Bernhard,

    Well, I want to protect all the commands in /opt/freeware/bin, and I picked sudo to start the config/testing of TE.



    ------------------------------
    AIX USER
    ------------------------------



  • 9.  RE: implementing TE

    Posted Wed February 14, 2024 12:04 PM

    Wow ...
    This means a lot of work.

     

    I do not know if or how much of the AIX toolbox components got signed by IBM.

     

    TE can only check signed files. There is a way to manually sign files. I would need to check the IBM documents; I only remember that the command trustchk can be used. There are some requirements you have to meet before doing so.

    When you got all the new signed files added to the TSD, you can then start configuring your TE behaviour. At the end you can then turn on TE.

    To check if a file is in the TSD you can use the trustchk command.
    Here an example: trustchk -q /usr/bin/ksh






  • 10.  RE: implementing TE

    Posted Wed February 14, 2024 02:56 AM

    I'm using TE,

     

    If you use trustchk -p you get a list of the TE-related options and their status (on or off).

    By using trustchk -p TE=ON you are activating TE. However, only doing this does not give you any benefit. You must also turn ON some of the other options.

     

    Before playing with TE you should get more insight first. Using the link Tom sent is a good starting point.

     






  • 11.  RE: implementing TE

    Posted Wed February 14, 2024 04:50 PM

    hi Bernhard,

    I would love to hear how you have implemented TE in your environment.



    ------------------------------
    AIX USER
    ------------------------------



  • 12.  RE: implementing TE

    Posted Wed February 14, 2024 10:39 AM
    As I recall, wasn't TE removed in 7.3 TL1?

    https://www.ibm.com/docs/en/aix/7.3?topic=notes-aix-731-release

    """"
    Security model updates in AIX 7.3.1

    Starting with AIX 7.3, the following security models are not
    available. The following security options are removed from the
    Operating System Install menus and from the bosinst.data templates:

    Trusted AIX
    Trusted AIX LAS/EAL4+ Configuration Install
    BAS and EAL4+ Configuration Install
    """"




    On Tue, Feb 13, 2024 at 08:21:15PM +0000, john chang via IBM TechXchange Community wrote:
    > hi guys,
    >
    >
    > I am trying to enable TE but having a harder time than I expected. Has anyone successfully implemented AIX TE? My environment is based on sudo usage and I can't even get this one command working.
    >
    >
    > ------------------------------
    > aixuser
    > ------------------------------
    >
    >


    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 13.  RE: implementing TE

    Posted Wed February 14, 2024 11:43 AM

    Hello Russell,

     

    TE and Extended RBAC are still there. (At least on our AIX 7.3.2.1 systems).

     

    Yes, as far as I noticed, Trusted AIX got removed from AIX 7.3. This affected the MLS components only.
    That's what I figured out. No guarantee that this was really all.






  • 14.  RE: implementing TE

    IBM Champion
    Posted Thu February 15, 2024 06:05 AM
    Edited by Christian Sonnemans Thu February 15, 2024 06:20 AM

    Hello,

    I'd just like to respond again, because at this moment I am preparing my second and third blogs about this subject, but for the impatient: Bernhard is right, before you can add your own stuff to the tsd.dat you must have a valid certificate. See below a part of my upcoming blog(s).

    Steps to add your own signed set of executables, scripts or config files to the tsd.dat

    Before you can add and sign your set to the tsd.dat you have to create a valid certificate, either self-signed or officially signed. For now I explain how to create a self-signed one.

    Also, on AIX you need the fileset CryptoLite for C library (CLiC), and the kernel extension needs to be loaded (check whether this is still needed on AIX 7.2 and 7.3):

    lslpp -l |grep clic

      clic.rte.kernext           4.7.0.0  COMMITTED  CryptoLite for C Kernel

      clic.rte.lib               4.7.0.0  COMMITTED  CryptoLite for C Library

      clic.rte.kernext           4.7.0.0  COMMITTED  CryptoLite for C Kernel

    This can be checked with:

    # /usr/lib/methods/loadkclic -q

    /usr/lib/drivers/crypto/clickext is loaded, ID = 1346473984

    Version number is 4.7

    If the kernel extension is not loaded, run:

    /usr/lib/methods/loadkclic -l

    The next step is to create a certificate; in this example I create a self-signed cert.

    Please follow the following steps:

    1. openssl genrsa -out privkey.pem 2048
    2. openssl req -new -x509 -key privkey.pem -outform DER -out cert.der -days 3650
    3. openssl pkcs8 -inform PEM -in privkey.pem -topk8 -nocrypt -outform DER -out privkey.der
    4. copy cert.der and privkey.der to a safe directory
    5. copy the cert.der to /etc/security/certificates

    Now that you have a valid certificate you can add your own set to the /etc/security/tsd/tsd.dat

    Please make a copy of the current tsd.dat database before you start.

    Go to the directory where you saved both the cert.der and the private key privkey.der.

    From there you can run:

    trustchk -s privkey.der -v cert.der -a /user/local/example/test.ksh93

    After this command you will notice that the /etc/security/tsd.dat is changed.

    You can have a look with view /etc/security/tsd/tsd.dat and look up the stanza you just added.

    Also, if everything went well, you can verify your action with:

    trustchk -n /path/to/file/just/added/test.ksh93 

    After this, before you enable the runtime TE, I recommend:

    trustchk -n ALL

    This checks the complete tsd.dat for errors.

    To enable and set the policies: I will explain in more detail in my blog what the function of each policy is.

    To enable the runtime, run trustchk -p te=on

    and set at least policies such as:

    CHKEXEC, CHKSCRIPTS /  STOP_ON_CHKFAIL /  TSD_FILES_LOCK

    Please be careful with the policy stop_on_chkfail: the script or executable will not be executed when the check fails.

    Also the policy TSD_FILES_LOCK will prevent modification of configuration files.

    Greetings Christian Sonnemans

     



    ------------------------------
    Christian Sonnemans
    Tactical Unix system engineer
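    The procedure above (CLiC check, self-signed certificate, tsd.dat backup, signing and adding files, then trustchk -n) as one script, added here as an example; it is not code from the blog or from IBM. It uses only the commands and flags quoted in the post. Assumptions: KEYDIR (where the key and cert are kept, root-only), the -subj value passed to openssl req so the cert is created non-interactively, and the "is loaded" string from the loadkclic -q output shown above as the loaded/not-loaded test. Policies (trustchk -p) are deliberately left for a separate, manual step.

    ```shell
    #!/bin/sh
    # Added example, not the blog author's code. Run as root on the AIX host.
    set -u

    KEYDIR=${KEYDIR:-/root/te-signing}          # assumption: signing key/cert location
    TSD=/etc/security/tsd/tsd.dat
    CERTDIR=/etc/security/certificates

    # 1. The CLiC kernel extension must be loaded; load it if -q does not say so.
    need_clic() {
        /usr/lib/methods/loadkclic -q 2>/dev/null | grep -q 'is loaded' ||
            /usr/lib/methods/loadkclic -l
    }

    # 2. Self-signed cert (DER) and unencrypted PKCS#8 private key (DER),
    #    the same three openssl steps as in the post; the key never leaves $1.
    make_cert() {
        mkdir -p "$1" && chmod 700 "$1" || return 1
        ( cd "$1" &&
          openssl genrsa -out privkey.pem 2048 &&
          openssl req -new -x509 -key privkey.pem -outform DER -out cert.der \
                  -days 3650 -subj "/CN=te-signing" &&
          openssl pkcs8 -inform PEM -in privkey.pem -topk8 -nocrypt \
                  -outform DER -out privkey.der )
    }

    # 3. Timestamped, permission-preserving copy of a file; prints the backup name.
    backup_file() {
        _bak="$1.$(date +%Y%m%d%H%M%S)"
        cp -p "$1" "$_bak" && printf '%s\n' "$_bak"
    }

    # 4. Sign and add every file to the TSD, verifying each stanza right away.
    #    $1 = private key (DER), $2 = certificate (DER), rest = files to add.
    add_signed() {
        _key=$1; _cert=$2; shift 2
        for _f in "$@"; do
            trustchk -s "$_key" -v "$_cert" -a "$_f" || return 1
            trustchk -n "$_f" || return 1
        done
    }

    main() {
        need_clic || { echo "CLiC kernel extension not loaded" >&2; exit 1; }
        [ -f "$KEYDIR/privkey.der" ] || make_cert "$KEYDIR" || exit 1
        cp "$KEYDIR/cert.der" "$CERTDIR/" || exit 1
        backup_file "$TSD" || exit 1
        add_signed "$KEYDIR/privkey.der" "$KEYDIR/cert.der" "$@" || exit 1
        # Whole-database check before any policy is switched on with trustchk -p.
        trustchk -n ALL
    }

    # Usage: ./te-add.sh /opt/freeware/bin/sudo_32 /opt/freeware/bin/sudo ...
    if [ $# -gt 0 ]; then
        main "$@"
    fi
    ```

    Keep KEYDIR off the TSD-protected system if you can: whoever holds privkey.der can sign arbitrary files into the database, which is exactly the trust TE is meant to enforce.
    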