Is it must to enable TCB on AIX LPARs ?


Login or Register to Reply

 
Thread Tools Search this Thread
# 1  
Is it must to enable TCB on AIX LPARs ?

Hi,

I've verified my AIX 7.1 LPAR , and TCB is disabled by default.
Code:
#odmget -q attribute=TCB_STATE PdAt

PdAt:
        uniquetype = ""
        attribute = "TCB_STATE"
        deflt = "tcb_disabled"
        values = ""
        width = ""
        type = ""
        generic = ""
        rep = ""
        nls_index = 0

we do not have any kind of anti-virus software and security scanner on my AIX LPARs. (AIX is new in our environment)
What will happen if i enable TCB on running system? will it affect any applications/system in any way ?

Could you give your ideas on this.
# 2  
It does not seem clear what you are asking. TCB stands for the trusted computing base (Trusted AIX) and it's designed to aid in the security of your system. It's also called Multi-Level Security (label-based security). In short, it tracks "objects" like files, IPC, etc to insure they aren't changed or compromised. Enabling TCB is a matter of policy for your business. You usually turn trusted aix on when you're doing an installation. Please refer to the documentation for additional information.
# 3  
Quote:
Originally Posted by blackrageous
You usually turn trusted aix on when you're doing an installation. Please refer to the documentation for additional information.
In fact this is the only point in time where you can switch it on. TCB creates checksums for every file and because the status of a file can only be verified to be uncompromised during an original install this is the only place/time to switch it on. Further, switching on TCB will prevent any further update and/or alt_disk_install of the system because of exactly this fact. (You can indeed do updates but these will disable TCB in the process.)

Best practice is to stay clear of TCB because it creates more problems than it solves, but this is common sense - don't argue that way with managers, only with technical persons.

Quote:
we do not have any kind of anti-virus software and security scanner on my AIX LPARs.
Yes - and i do not have a wheel chair. Not, because i could not get one, but because i do not need one. There are no known viruses for AIX in existence and as long as you follow best practices for administrating AIX systems (for instance, using "root" only for administration, ...) there is no way a virus could affect them. Affording every system to have virus scanners is a plan usually hatched by managers who do not understand the difference between their Windoze-laptop and an AIX-LPAR.

Do not try to educate them (if they could be brought to thinking they wouldn't be in the position they are). The best way to deal with them is to silently ignore them.

I hope this helps.

bakunin
These 3 Users Gave Thanks to bakunin For This Post:
# 4  
Quote:
Originally Posted by blackrageous
It does not seem clear what you are asking. TCB stands for the trusted computing base (Trusted AIX) and it's designed to aid in the security of your system. It's also called Multi-Level Security (label-based security). In short, it tracks "objects" like files, IPC, etc to insure they aren't changed or compromised. Enabling TCB is a matter of policy for your business. You usually turn trusted aix on when you're doing an installation. Please refer to the documentation for additional information.
@ blackrageous
Thanks for your response. We did not enable the TCB (Trusted Computing Base) during installation. My question was " is it MUST to enable TCB on AIX LPARs"
Qn) If yes or no, in what case / situation ?

---------- Post updated at 03:11 PM ---------- Previous update was at 03:03 PM ----------

Quote:
Originally Posted by bakunin
In fact this is the only point in time where you can switch it on. TCB creates checksums for every file and because the status of a file can only be verified to be uncompromised during an original install this is the only place/time to switch it on. Further, switching on TCB will prevent any further update and/or alt_disk_install of the system because of exactly this fact. (You can indeed do updates but these will disable TCB in the process.)

Best practice is to stay clear of TCB because it creates more problems than it solves, but this is common sense - don't argue that way with managers, only with technical persons.



Yes - and i do not have a wheel chair. Not, because i could not get one, but because i do not need one. There are no known viruses for AIX in existence and as long as you follow best practices for administrating AIX systems (for instance, using "root" only for administration, ...) there is no way a virus could affect them. Affording every system to have virus scanners is a plan usually hatched by managers who do not understand the difference between their Windoze-laptop and an AIX-LPAR.

Do not try to educate them (if they could be brought to thinking they wouldn't be in the position they are). The best way to deal with them is to silently ignore them.

I hope this helps.

bakunin

@ bakunin

Thanks much for your explanation. Its sensible and understood. I just want to give some info from my side before i conclude this topic.

We've installed AIX 7.1 (standard edition). and everything seems to be working fine (as we expected). As i said earlier we do not enable accounting/auditing, TCB and no anti-virus.
I just want to confirm , that this is normal and its not must have TCB/anti-virus.
appreciate your help.

Thanks,
Login or Register to Reply

|
Thread Tools Search this Thread
Search this Thread:
Advanced Search

More UNIX and Linux Forum Topics You Might Find Helpful
Changing VLAN on AIX lpars in the same subnet
kaelu26
Hi Guys, Our lpars is currently running on 2 different vlans (20, 30). Now we have a requirement that vlan 30 needs to be change to vlan 31 at the same subnet. I'm not sure on what is the best approach for this or what change is involve on the AIX side. This is our setup. Network switch -...... AIX
5
AIX
Automation of AIX LPARs reboot
System Admin 77
Hello Everyone, Can you please help me with the following questions regarding recycling LPARs. 1) Is it recommended to automate the reboot of AIX LPARs with a script ? i mean we've few App LPARs and Database LPARs. we would like to bring down LPARs on last sunday of every month for about 1...... AIX
4
AIX
Creating LPARS in AIX
sekar52
Hi, I have a p520 with 2 cpus and 10gb of ram.Is it sufficient enough to create 2 lpars.What other things we have to check.... AIX
2
AIX
Implementing a TCB-Environment in AIX
Invisibleye86
Habe folgende Frage an der ich mich schwer tue, Welche Möglichkeiten bietet IBM's Betriebssystem "AIX" hinsichtlich der Ausbildung einer TCB-Umgebung? vielen Dank... AIX
6
AIX
AIX and TCB
kimyo
Hi I have a question with regards to AIX 5.3 & TCB. I have a client that is requesting TCB to be installed in AIX. However it seems that the perception of TCB is that it causes major headaches when it comes to configuring the system in real world environments, such as large scale Oracle...... AIX
15
AIX