AIX

Excellent info guys. Thanx

This limitation only exists when performing nimadm operations on TCB enabled systems over NFS. That's right, NFS.

If you use the caching feature of nimadm, instead of NFS, then you can use nimadm to migrate TCB enabled systems. That's right, no need to disable TCB. No need to tempt fate and try enabling TCB after the migration.

Ensure you have TL6 installed and APAR IY87344.

I have tested this in both a lab and customer environment. It worked great.

Cheers.

Excellent feedback, thanx Gibbo.
I will defiantly check this out.
Sounds like you have some practical experience working with TCB. Do you have any info with regards to the daily CPU and MEM overhead of TCB?

thanx

No problem. At the time the Redbook was written, the fix for nimadm+cache & TCB was not available to customers. It was released some time after the Redbook was published, so the book missed out on this new information.

Indeed I do have some experience with TCB.

I have 150 AIX LPARs, all with TCB enabled. We run a TCB script to check system integrity once a day. From what I've seen, there is no performance (resource usage) impact at all.

Cheers.

Good to know that you have it working and see no performance degradation. That was a big concern I had.
Sorry to throw all these questions your way, but it's tough to find somebody who uses TCB. I have 1 more question, if your rootvg is on internal mirrored SCSI and your data/config files to be monitored are on SAN, would this cause an I/O lag? As TCB would be SCSI based.

thanx

Generally speaking I don't think you'll see any I/O issues. Of course, it can depend on things like your I/O config in terms of number of disks and adapters and your file system and LV layout. But as far as TCB is concerned it shouldn't matter at all.

Just curious. What are planning on doing with TCB? What are you trying to achieve?

Yes, I have TCB on my systems but apart from the occassional interesting report we get, it's not much use to us. Even our security team are disinterested in the information and integrity checking it can provide.

Cheers.

Once again great info , thanx

Well I have a client that is interested in TCB. They have fraud issues on their servers and need to secure them. They have done the standard stuff like stop ftp/tn, etc enable ssh, tcp wrappers, check umask, permissions, etc. However we have explained that TCB will not show what is happening in the database, only flat files, user details, etc. So I am just trying to confirm what I have "heard" about TCB and find out as much info as I can (very little at this stage). It is always tough to explain to none technical management that 9 out of 10 times there is no "quick-fix" for security issues. Especially on systems that have been running for ages and have multiple child dependencies!

Anyway thank you again for the excellent feedback. If I could just ask, what would your personal opinion be of TCB in AIX? worth installing and leaving dormant, it does provide some use, not worth the effort & complicates systems.

regards