I have a question with regards to AIX 5.3 & TCB. I have a client that is requesting TCB to be installed in AIX. However it seems that the perception of TCB is that it causes major headaches when it comes to configuring the system in real world environments, such as large scale Oracle databases with multiple legacy clients using various interfaces. I have surfed to the end of the web and back, as well as exhausting all other avenues to find info about TCB. I understand how it works and how to install it, etc. However I cannot find any views or reviews on expected performance overhead, or even comments on whether it is a good tool or not worth all the effort.
Does anybody have personal experience working with TCB in AIX or know of a secret cave out there on the web with info that I have missed?
System to be configured:
migrating P5-570 AIX 5.3 Oracle 9i to P6-595 (I am aware that I will have to re-install or do a preservation install to enable TCB)
AIX NIM client
All LPARs AIX 5.3 (app limitation, no AIX 6.1)
No VIO
Boot from internal SCSI (customer request; YES, I know that is already an issue with TCB being part of rootvg and will affect I/O performance)
All other VGs SAN
I am looking specifically for info with regards to CPU & MEM overhead. I know I have not provided much info into this forum, but I would appreciate any feedback.
Thanx for the feedback, really appreciate it. I have done some checking on your recommended AIXpert. It looks good and is part of AIX from what I can see. It's also continued in AIX 6.1, so that's great, although AIX 6.1 now has a revised upgraded version of TCB. Now I just need to convince the client that AIXpert is a better way to go and find out how to use/config it.
As for TCB on AIX 5.3, the best info I could find was actually in the AIX 4.3 Elements of Security red book http://www.redbooks.ibm.com/redbooks/pdfs/sg245962.pdf
And from speaking to IBM it seems like there is not much support/knowledge of/for TCB. This is understandable as not many systems like to be limited to a feature that would require a re-install to disable. However if security is your top concern then there will be sacrifices.
AIX TCB details
TCB must remain part of rootvg (thus make sure rootvg is on optimal disk for high I/O)
Will only monitor static flat files, no database integration (although it seems AIX 6.1 has a feature that might provide some type of database monitoring?)
Monitors files/devices/etc. listed in /etc/security/sysck.cfg
Can possibly be switched off and on with odm commands?
Performance overhead would relate directly to how many alerts/checks are configured in /etc/security/sysck.cfg and how frequently they are monitored
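To make the monitoring model in the list above concrete, here is an added Python illustration (not AIX's tcbck and not code from the thread) of a baseline check over static flat files: it parses a stanza file whose layout ("path:" followed by indented "key = value" lines) is an assumption loosely modelled on /etc/security/sysck.cfg, and reports each file whose owner, mode or checksum no longer matches. The demo builds a constructed sample file, baselines it, then edits and chmods it to show what a daily run would flag.

```python
"""Toy integrity check of static flat files against a baseline stanza file.
Added illustration only; the stanza layout is an assumption modelled loosely
on /etc/security/sysck.cfg and the owner is recorded as a numeric uid."""
import hashlib, os, stat, tempfile

def parse_stanzas(text):
    """Parse 'path:' headers followed by indented 'key = value' lines."""
    baseline, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            current = line[:-1]
            baseline[current] = {}
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            baseline[current][key] = value
    return baseline

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def check_file(path, expected):
    """Return the attribute names that deviate from the baseline stanza."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if "owner" in expected and str(st.st_uid) != expected["owner"]:
        problems.append("owner")
    if "mode" in expected and format(stat.S_IMODE(st.st_mode), "o") != expected["mode"]:
        problems.append("mode")
    if "checksum" in expected and sha256_of(path) != expected["checksum"]:
        problems.append("checksum")
    return problems

def check_baseline(baseline):
    """Check every stanza; cost scales with the number of entries, as the thread notes."""
    return {p: check_file(p, e) for p, e in baseline.items()}

def demo():
    """Constructed run: baseline one sample file, tamper with it, re-check."""
    path = os.path.join(tempfile.mkdtemp(), "sample.conf")   # constructed file
    with open(path, "w") as fh:
        fh.write("setting = original\n")
    os.chmod(path, 0o644)
    stanza = (f"{path}:\n    owner = {os.stat(path).st_uid}\n"
              f"    mode = 644\n    checksum = {sha256_of(path)}\n")
    baseline = parse_stanzas(stanza)
    clean = check_baseline(baseline)[path]
    with open(path, "a") as fh:                 # simulate an unauthorised edit
        fh.write("setting = changed\n")
    os.chmod(path, 0o666)
    return clean, check_baseline(baseline)[path]
```

The first result is empty (file matches its baseline); the second lists the attributes that drifted, which is the kind of daily report the thread describes.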
Starting with AIX v5.3 TL6, with APAR IY87344 installed, you can perform migrations of TCB enabled systems if the caching option to nimadm is used. For those that aren't aware, nimadm stands for Network Installation Manager Alternate Disk Migration.
The following redbook has some information on using this tool:
I am a bit confused with regards to this NIM alternate disk install. In the AIX 5L NIM redbook it says:
"Some limitations apply when using the nimadm utility:
If the client's rootvg has TCB turned on, you will need to either disable it (permanently) or perform a conventional migration (for example, using CD or NIM. Refer to 4.4, "Using NIM to perform AIX migrations of the NIM master and clients" on page 153). This limitation exists because TCB needs to access file metadata which is not visible over NFS"
They then go through an example that shows TCB being switched off with odmget, migrated and then enabled again. They specifically state, showing an example, that "If you try to enable TCB again after the migration you may run into some trouble with files being deactivated which may cause havoc to your running system."
So I think yes you can do an alternate disk install, BUT your alternate install will not have TCB active?
Yes. This is what I meant above: when you go through all the trouble to have TCB enabled during installation you presumably want to retain that feature after the update. But you can only do either a NIM alt-disk-install update and disable TCB permanently or do a conventional update with CDs and retain TCB - these options are, to my knowledge - gibbo's information is news to me - mutually exclusive.
This limitation only exists when performing nimadm operations on TCB enabled systems over NFS. That's right, NFS.
If you use the caching feature of nimadm, instead of NFS, then you can use nimadm to migrate TCB enabled systems. That's right, no need to disable TCB. No need to tempt fate and try enabling TCB after the migration.
Ensure you have TL6 installed and APAR IY87344.
I have tested this in both a lab and customer environment. It worked great.
Excellent feedback, thanx Gibbo.
I will definitely check this out.
Sounds like you have some practical experience working with TCB. Do you have any info with regards to the daily CPU and MEM overhead of TCB?
No problem. At the time the Redbook was written, the fix for nimadm+cache & TCB was not available to customers. It was released some time after the Redbook was published, so the book missed out on this new information.
Indeed I do have some experience with TCB.
I have 150 AIX LPARs, all with TCB enabled. We run a TCB script to check system integrity once a day. From what I've seen, there is no performance (resource usage) impact at all.
Good to know that you have it working and see no performance degradation. That was a big concern I had.
Sorry to throw all these questions your way, but it's tough to find somebody who uses TCB. I have 1 more question, if your rootvg is on internal mirrored SCSI and your data/config files to be monitored are on SAN, would this cause an I/O lag? As TCB would be SCSI based.
Generally speaking I don't think you'll see any I/O issues. Of course, it can depend on things like your I/O config in terms of number of disks and adapters and your file system and LV layout. But as far as TCB is concerned it shouldn't matter at all.
Just curious. What are you planning on doing with TCB? What are you trying to achieve?
Yes, I have TCB on my systems but apart from the occasional interesting report we get, it's not much use to us. Even our security team are disinterested in the information and integrity checking it can provide.
Well I have a client that is interested in TCB. They have fraud issues on their servers and need to secure them. They have done the standard stuff like stop ftp/tn, etc., enable ssh, tcp wrappers, check umask, permissions, etc. However we have explained that TCB will not show what is happening in the database, only flat files, user details, etc. So I am just trying to confirm what I have "heard" about TCB and find out as much info as I can (very little at this stage). It is always tough to explain to non-technical management that 9 out of 10 times there is no "quick-fix" for security issues. Especially on systems that have been running for ages and have multiple child dependencies!
Anyway thank you again for the excellent feedback. If I could just ask, what would your personal opinion be of TCB in AIX? Worth installing and leaving dormant, it does provide some use, or not worth the effort & complicates systems?
My personal experience with TCB has been that it provides little benefit. If you must install it, then I wouldn't bother configuring it unless you know what you want to do with it.