There are many changes starting with AIX 6.1. One of these is the additional messages the console displays as AIX boots.
The importance of these messages is that they record which security policy settings were in effect when AIX started (in case you need to compare current values with boot values).
AIX 6.1 and AIX 7.1 can behave very similarly to AIX 5.3 and earlier. The boot messages are the first indication of how the system has been set up and whether new features such as Trusted Execution (TE) have been enabled, or the classic root user has been disabled (e.g. a Trusted AIX installation).
Read further for brief descriptions of Trusted Execution policies and AIX operational modes.
Changes reflected in Boot Settings
The changes that are new starting with AIX 6.1 reflect how files are verified (passive or active), the "operational" mode (is the system in maintenance or normal mode), and whether root is defined as superuser or not (normal or disabled).
Trusted Execution (TE)
Trusted Execution verifies that files are as they should be: owner/mode/permissions/links at a minimum. This may also include file size and a checksum for files that are not to be modified. The new boot messages regarding TE are:
TE=OFF
CHKEXEC=OFF
CHKSHLIB=OFF
CHKSCRIPT=OFF
CHKKERNEXT=OFF
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=OFF
LOCK_KERN_POLICIES=OFF
TSD_FILES_LOCK=OFF
TSD_LOCK=OFF
TEP=OFF
TLP=OFF
These are all settings for Trusted Execution (OFF|ON). If TE is OFF (the default after installation), the other settings have no effect.
How TE differs from TCB
TCB - or Trusted Computing Base - was added to AIX security back in the early 90's with AIX 3.2.4 as an add-on (could be installed later) and as an installation option (could only be installed as part of a fresh install) starting with AIX 4.1 in 1995. Generally, TCB was an IBM-supported substitute for a product similar to Tripwire. The biggest technical difference from Tripwire was the quality of the checksum: TCB's checksum was relatively simple. If TCB was installed, AIX fileset installations using installp updated the TCB database with information to simplify fileset verification.
Example: michael@x054:[/etc/security]grep -p lssrc /etc/security/sysck.cfg
/usr/bin/lssrc:
owner = root
group = system
mode = TCB,SGID,555
type = FILE
class = apply,inventory,bos.rte.SRC
size = 4622
checksum = "12673 5 "
TE - Trusted Execution - is installed by default "in passive mode". In passive mode TE behaves similarly to TCB but has much better checksum validation. The big change compared to AIX 5.3 and earlier (i.e. TCB technology) is the ability to activate real-time checking of file security and to regulate the behavior when a file fails verification. The list of policies (see below) is only effective when TE is in active mode (TE=ON). Again, by default TE (and all policies) are passive (OFF).
In passive mode the behavior is very similar to TCB, but the implementation is more specific.
Example: michael@x054:[/etc/security/tsd]grep -p lssrc /etc/security/tsd/tsd.dat
/usr/bin/lssrc:
owner = root
group = system
mode = TCB,SGID,555
type = FILE
hardlinks =
symlinks =
size = 4622
cert_tag = 00af4b62b878aa47f7
signature = 9b97938a283917c21f42da2e191089961b4d62acfff71d8d52d3b7cc91ca7639cec743e57bf57c5c776ed0041c62102523433f322d4ed1569502e2e22c32ff01ef5907ecab5b33e20d192681f5f48c5218004e151f5d6089569cabdfae2d253386c669372207ecf7860140cf6a5bddf433ae58db2553caa45431a97432b680e0
hash_value = b911ad5748d64ad6724febab1dd807972bf7b90322c0f51d2ecfa5c8cdab6e6d
minslabel = SLSL
maxslabel = SLSL
intlabel = SHTL
accessauths = aix.system.config.src
innateprivs = PV_DAC_GID,PV_TCB,PV_DAC_R,PV_DAC_O,PV_NET_CNTL,PV_NET_PORT,PV_PROC_,PV_FS_
inheritprivs =
authprivs =
secflags = FSF_EPS
t_accessauths =
t_innateprivs = PV_MAC_R,PV_MAC_W,PV_MIC
t_inheritprivs =
t_authprivs =
t_secflags =
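The two stanza listings above were produced with the AIX-only `grep -p`, which prints the whole stanza that matches a pattern. The script below is an added example (not code from the article) that does the same job in portable awk and then goes one step further: it compares a stanza's size and hash_value with the file on disk, which is the passive-mode check TE performs. It assumes hash_value is the SHA-256 digest of the file contents, that attribute lines may or may not be indented (the article's copy lost its indentation), and that `sha256sum`, `openssl` or the AIX `csum -h SHA256` is available. The sample tsd.dat is constructed from the article's lssrc stanza; on AIX you would point the functions at the real /etc/security/tsd/tsd.dat.

```shell
#!/bin/sh
# Added example, not code from the original article: a portable stand-in for
# `grep -p /usr/bin/lssrc /etc/security/tsd/tsd.dat` plus a check of a
# stanza's size and hash_value against the file on disk.
# Assumption: hash_value is the SHA-256 digest of the file contents.

# tsd_stanza DB PATH : print the stanza headed "PATH:" up to the next blank
# line or the next "/...:" stanza header.
tsd_stanza() {
    awk -v p="$2:" '
        $0 == p          { on = 1; print; next }
        on && /^$/       { exit }
        on && /^\/.*:$/  { exit }
        on               { print }' "$1"
}

# tsd_attr DB PATH ATTR : value of the "ATTR = value" line inside PATH's stanza
tsd_attr() {
    tsd_stanza "$1" "$2" | awk -F= -v a="$3" '
        NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == a) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
        }'
}

# file_sha256 FILE : hex SHA-256 of FILE using whichever tool is present
# (csum -h SHA256 is the AIX one).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    elif command -v csum >/dev/null 2>&1; then
        csum -h SHA256 "$1" | awk '{ print $1 }'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# tsd_verify DB PATH : 0 if size and hash_value match the file on disk,
# 1 on a mismatch (reported on stdout), 2 if PATH is not in the TSD.
tsd_verify() {
    want_size=$(tsd_attr "$1" "$2" size)
    want_hash=$(tsd_attr "$1" "$2" hash_value)
    if [ -z "$want_hash" ]; then
        echo "$2: not in the TSD" >&2
        return 2
    fi
    [ -f "$2" ] || { echo "$2: missing on disk"; return 1; }
    have_size=$(wc -c < "$2" | tr -d ' ')
    have_hash=$(file_sha256 "$2") || return 2
    rc=0
    [ "$want_size" = "$have_size" ] || { echo "$2: size $have_size, TSD says $want_size"; rc=1; }
    [ "$want_hash" = "$have_hash" ] || { echo "$2: hash mismatch"; rc=1; }
    return $rc
}

# --- demo on a constructed tsd.dat built from the article's lssrc stanza ---
db=${TMPDIR:-/tmp}/tsd-sample.$$
cat > "$db" <<'EOF'
/usr/bin/lssrc:
    owner = root
    group = system
    mode = TCB,SGID,555
    type = FILE
    size = 4622
    hash_value = b911ad5748d64ad6724febab1dd807972bf7b90322c0f51d2ecfa5c8cdab6e6d
    innateprivs = PV_DAC_GID,PV_TCB,PV_DAC_R,PV_DAC_O

EOF
echo "lssrc owner: $(tsd_attr "$db" /usr/bin/lssrc owner)"
echo "lssrc hash:  $(tsd_attr "$db" /usr/bin/lssrc hash_value)"
# The real binary only exists on AIX, so verify it only when it is present.
[ -f /usr/bin/lssrc ] && tsd_verify "$db" /usr/bin/lssrc
rm -f "$db"
```

On a live system `tsd_verify /etc/security/tsd/tsd.dat /usr/bin/lssrc` reports a size or hash mismatch the same way `trustchk /usr/bin/lssrc` would; the script only checks size and hash, while trustchk also checks owner, group, mode and the signature.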
LABEL - DESCRIPTION

TE - Enable/Disable Trusted Execution functionality. Only when this is enabled are the policies below in effect.
CHKEXEC - Check the hash value of only the trusted executables before loading them in memory for execution.
CHKSHLIB - Check the hash value of only the trusted shared libraries before loading them in memory for execution.
CHKSCRIPT - Check the hash value of only the trusted shell scripts before loading them in memory.
CHKKERNEXT - Check the hash value of only the kernel extensions before loading them in memory.
STOP_UNTRUSTD - Stop loading of files that are not trusted. Only files belonging to the TSD are loaded. This policy only works in combination with any of the CHK* policies mentioned above. For example, if CHKEXEC=ON and STOP_UNTRUSTD=ON, then any executable binary that does not belong to the TSD is blocked from execution.
STOP_ON_CHKFAIL - Stop loading of trusted files that fail the hash value check. This policy also works in combination with the CHK* policies. For example, if CHKSHLIB=ON and STOP_ON_CHKFAIL=ON, then any shared library not belonging to the TSD is blocked from being loaded into memory for use.
LOCK_KERN_POLICIES - Lock the current policies. A reboot of AIX will be required to enable any changes made.
TSD_FILES_LOCK - Lock trusted files. This does not allow opening of trusted files in write mode.
TSD_LOCK - Lock the TSD so it is not available for editing.
TEP - Trusted Execution Path (TEP) defines a list of directories that contain the trusted executables. Once TEP verification is enabled, the system loader allows only binaries in the specified paths to execute.
TLP - Trusted Library Path (TLP) defines a list of directories that contain the trusted libraries of the system. Once TLP is enabled, the system loader allows only the libraries from this path to be linked to the binaries.
Operation Modes
Configuration startup mode
Configuration mode is used to maintain and recover the system. When the system is booted in single-user mode, the system is minimally configured and networking is disabled.
Operational startup mode
Operational mode is used for daily operation. Normally, the system should be booted directly into multiuser mode. If the boot authorization program receives a valid username and password, the system enters operational mode, a console login authentication screen is displayed, and valid users can then log in.
Root modes
Traditionally, the UID value of 0 (named root in /etc/passwd) has been treated as a privileged ID by the operating system and is allowed to bypass enforced security checks. Disabling the root user effectively removes the checks in the operating system that only test for a UID or EUID of 0 (zero). Instead, a process is required to have privileges to satisfy the security checks. System administration must be performed by users who have been assigned privileged roles when the boot console messages say ROOT : DISABLED.
The root powers can be disabled with the /usr/sbin/setsecconf command. Run the following command and then reboot the system to disable the powers of the root user: setsecconf -o root=disable
Example AIX Boot Console messages
Saving Base Customize Data to boot disk
Starting the sync daemon
Starting the error daemon
System initialization completed.
TE=OFF
CHKEXEC=OFF
CHKSHLIB=OFF
CHKSCRIPT=OFF
CHKKERNEXT=OFF
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=OFF
LOCK_KERN_POLICIES=OFF
TSD_FILES_LOCK=OFF
TSD_LOCK=OFF
TEP=OFF
TLP=OFF
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
OPERATIONAL MODE Security Flags
ROOT : ENABLED
System runtime mode is now OPERATIONAL MODE.
Setting tunable parameters...complete
Starting Multi-user Initialization
Performing auto-varyon of Volume Groups
Activating all paging spaces
swapon: Paging device /dev/hd6 is already active.
The current volume is: /dev/hd1
Primary superblock is valid.
The current volume is: /dev/hd10opt
Primary superblock is valid.
Performing all automatic mounts
Multi-user initialization completed
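The article's point is that these console lines are the record of the security flags at boot, to be compared with the current values. The script below is an added example (not code from the article) that reads a boot console capture like the one above, extracts the ROOT flag, and compares each Trusted Execution policy with a second capture of the current values. It assumes that on a live AIX system the boot capture comes from `alog -o -t console` and the current values from `trustchk -p`, which prints the same KEY=VALUE lines; both inputs here are constructed samples so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the original article: compare the Trusted
# Execution policy values printed on the console at boot with the values
# reported now, and report the ROOT flag from the boot messages.
# Assumptions: the boot capture is `alog -o -t console` output and the
# current capture is `trustchk -p` output (same KEY=VALUE format).

TE_KEYS="TE CHKEXEC CHKSHLIB CHKSCRIPT CHKKERNEXT STOP_UNTRUSTD STOP_ON_CHKFAIL LOCK_KERN_POLICIES TSD_FILES_LOCK TSD_LOCK TEP TLP"

# te_policy_value FILE KEY : the ON|OFF value of KEY in FILE. The last
# occurrence wins because a console log accumulates the block from every boot.
te_policy_value() {
    awk -F= -v k="$2" '
        $1 == k && ($2 == "ON" || $2 == "OFF") { v = $2 }
        END { if (v != "") print v }' "$1"
}

# boot_root_mode FILE : the "ROOT : ENABLED|DISABLED" flag from the last boot
boot_root_mode() {
    awk '/^ROOT : (ENABLED|DISABLED)$/ { v = $3 } END { if (v != "") print v }' "$1"
}

# te_policy_drift BOOT_LOG CURRENT : one line per policy whose value differs;
# returns 0 when nothing changed since boot, 1 otherwise.
te_policy_drift() {
    drift=0
    for key in $TE_KEYS; do
        b=$(te_policy_value "$1" "$key")
        n=$(te_policy_value "$2" "$key")
        if [ "$b" != "$n" ]; then
            printf '%s boot=%s now=%s\n' "$key" "${b:-missing}" "${n:-missing}"
            drift=1
        fi
    done
    return $drift
}

# --- demo on constructed captures ---
tmp=${TMPDIR:-/tmp}/tedrift.$$
mkdir -p "$tmp"
# Constructed sample: the console block from the article (TE passive, root enabled)
cat > "$tmp/boot.log" <<'EOF'
System initialization completed.
TE=OFF
CHKEXEC=OFF
CHKSHLIB=OFF
CHKSCRIPT=OFF
CHKKERNEXT=OFF
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=OFF
LOCK_KERN_POLICIES=OFF
TSD_FILES_LOCK=OFF
TSD_LOCK=OFF
TEP=OFF
TLP=OFF
OPERATIONAL MODE Security Flags
ROOT : ENABLED
System runtime mode is now OPERATIONAL MODE.
EOF
# Constructed sample of a trustchk -p report after TE was switched on at runtime
cat > "$tmp/now.txt" <<'EOF'
TE=ON
CHKEXEC=ON
CHKSHLIB=ON
CHKSCRIPT=OFF
CHKKERNEXT=OFF
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=ON
LOCK_KERN_POLICIES=OFF
TSD_FILES_LOCK=OFF
TSD_LOCK=OFF
TEP=OFF
TLP=OFF
EOF
echo "root at boot: $(boot_root_mode "$tmp/boot.log")"
te_policy_drift "$tmp/boot.log" "$tmp/now.txt" || echo "TE policy changed since boot"
rm -rf "$tmp"
```

A non-zero exit from te_policy_drift is the signal to look at who ran trustchk -p to change a policy after boot; with LOCK_KERN_POLICIES=ON the two captures can only differ after a reboot, which is exactly why that policy exists.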