Is it a must to enable TCB on AIX LPARs?

Tags
aix

 
# 1  
Old 10-17-2013

Hi,

I've verified my AIX 7.1 LPAR, and TCB is disabled by default.
Code:
#odmget -q attribute=TCB_STATE PdAt

PdAt:
        uniquetype = ""
        attribute = "TCB_STATE"
        deflt = "tcb_disabled"
        values = ""
        width = ""
        type = ""
        generic = ""
        rep = ""
        nls_index = 0

We do not have any kind of anti-virus software or security scanner on my AIX LPARs. (AIX is new in our environment.)
What will happen if I enable TCB on a running system? Will it affect any applications/system in any way?

Could you give your ideas on this.
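The check in the post above, turned into a reusable classifier (an added example, not part of the original post): it reads `odmget` stanza output on stdin and reports the TCB state. The function name and the sample stanzas are constructed for illustration; `tcb_enabled` is assumed to be the value AIX reports when TCB is on.

```shell
#!/bin/sh
# Added example. On AIX, feed it the real command output:
#   odmget -q attribute=TCB_STATE PdAt | tcb_state_from_odm

# Prints: enabled | disabled | unknown:<value> | missing
tcb_state_from_odm() {
    awk '
        # An unindented "ClassName:" line starts a new ODM stanza.
        /^[A-Za-z_][A-Za-z0-9_]*:[ \t]*$/ { in_tcb = 0; next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/^"|"$/, "", val)
            # In PdAt stanzas "attribute" is listed before "deflt".
            if (key == "attribute") in_tcb = (val == "TCB_STATE")
            if (key == "deflt" && in_tcb) { state = val; found = 1 }
        }
        END {
            if (!found) print "missing"
            else if (state == "tcb_enabled") print "enabled"
            else if (state == "tcb_disabled") print "disabled"
            else print "unknown:" state
        }'
}

# Constructed sample stanzas (shortened); only deflt differs.
sample_stanza() {
    printf 'PdAt:\n'
    printf '        uniquetype = ""\n'
    printf '        attribute = "TCB_STATE"\n'
    printf '        deflt = "%s"\n' "$1"
    printf '        nls_index = 0\n'
}

for v in tcb_disabled tcb_enabled; do
    printf '%s -> %s\n' "$v" "$(sample_stanza "$v" | tcb_state_from_odm)"
done
```

An empty result from `odmget` (no TCB_STATE stanza) is reported as `missing` rather than being treated as disabled.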
# 2  
Old 10-17-2013
It does not seem clear what you are asking. TCB stands for the trusted computing base (Trusted AIX) and it's designed to aid in the security of your system. It's also called Multi-Level Security (label-based security). In short, it tracks "objects" like files, IPC, etc. to ensure they aren't changed or compromised. Enabling TCB is a matter of policy for your business. You usually turn Trusted AIX on when you're doing an installation. Please refer to the documentation for additional information.
# 3  
Old 10-18-2013
Quote:
Originally Posted by blackrageous
You usually turn Trusted AIX on when you're doing an installation. Please refer to the documentation for additional information.
In fact this is the only point in time where you can switch it on. TCB creates checksums for every file and because the status of a file can only be verified to be uncompromised during an original install this is the only place/time to switch it on. Further, switching on TCB will prevent any further update and/or alt_disk_install of the system because of exactly this fact. (You can indeed do updates but these will disable TCB in the process.)

Best practice is to stay clear of TCB because it creates more problems than it solves, but this is common sense - don't argue that way with managers, only with technical persons.

Quote:
we do not have any kind of anti-virus software and security scanner on my AIX LPARs.
Yes - and I do not have a wheelchair. Not because I could not get one, but because I do not need one. There are no known viruses for AIX in existence and as long as you follow best practices for administrating AIX systems (for instance, using "root" only for administration, ...) there is no way a virus could affect them. Affording every system to have virus scanners is a plan usually hatched by managers who do not understand the difference between their Windoze-laptop and an AIX-LPAR.

Do not try to educate them (if they could be brought to thinking they wouldn't be in the position they are). The best way to deal with them is to silently ignore them.

I hope this helps.

bakunin
# 4  
Old 10-18-2013
Quote:
Originally Posted by blackrageous
It does not seem clear what you are asking. TCB stands for the trusted computing base (Trusted AIX) and it's designed to aid in the security of your system. It's also called Multi-Level Security (label-based security). In short, it tracks "objects" like files, IPC, etc. to ensure they aren't changed or compromised. Enabling TCB is a matter of policy for your business. You usually turn Trusted AIX on when you're doing an installation. Please refer to the documentation for additional information.
@ blackrageous
Thanks for your response. We did not enable the TCB (Trusted Computing Base) during installation. My question was "Is it a MUST to enable TCB on AIX LPARs?"
Qn) If yes or no, in what case/situation?

---------- Post updated at 03:11 PM ---------- Previous update was at 03:03 PM ----------

Quote:
Originally Posted by bakunin
In fact this is the only point in time where you can switch it on. TCB creates checksums for every file and because the status of a file can only be verified to be uncompromised during an original install this is the only place/time to switch it on. Further, switching on TCB will prevent any further update and/or alt_disk_install of the system because of exactly this fact. (You can indeed do updates but these will disable TCB in the process.)

Best practice is to stay clear of TCB because it creates more problems than it solves, but this is common sense - don't argue that way with managers, only with technical persons.



Yes - and I do not have a wheelchair. Not because I could not get one, but because I do not need one. There are no known viruses for AIX in existence and as long as you follow best practices for administrating AIX systems (for instance, using "root" only for administration, ...) there is no way a virus could affect them. Affording every system to have virus scanners is a plan usually hatched by managers who do not understand the difference between their Windoze-laptop and an AIX-LPAR.

Do not try to educate them (if they could be brought to thinking they wouldn't be in the position they are). The best way to deal with them is to silently ignore them.

I hope this helps.

bakunin

@ bakunin

Thanks much for your explanation. It's sensible and understood. I just want to give some info from my side before I conclude this topic.

We've installed AIX 7.1 (standard edition), and everything seems to be working fine (as we expected). As I said earlier, we do not enable accounting/auditing, TCB and no anti-virus.
I just want to confirm that this is normal and it's not a must to have TCB/anti-virus.
Appreciate your help.

Thanks,
