Is it must to enable TCB on AIX LPARs ?

System_Admin_77 · October 17, 2013, 5:10pm

Hi,

I've verified my AIX 7.1 LPAR , and TCB is disabled by default.

#odmget -q attribute=TCB_STATE PdAt

PdAt:
        uniquetype = ""
        attribute = "TCB_STATE"
        deflt = "tcb_disabled"
        values = ""
        width = ""
        type = ""
        generic = ""
        rep = ""
        nls_index = 0

we do not have any kind of anti-virus software and security scanner on my AIX LPARs. (AIX is new in our environment)
What will happen if i enable TCB on running system? will it affect any applications/system in any way ?

Could you give your ideas on this.

blackrageous · October 17, 2013, 6:30pm

It does not seem clear what you are asking. TCB stands for the trusted computing base (Trusted AIX) and it's designed to aid in the security of your system. It's also called Multi-Level Security (label-based security). In short, it tracks "objects" like files, IPC, etc to insure they aren't changed or compromised. Enabling TCB is a matter of policy for your business. You usually turn trusted aix on when you're doing an installation. Please refer to the documentation for additional information.

bakunin · October 18, 2013, 3:51am

In fact this is the only point in time where you can switch it on. TCB creates checksums for every file and because the status of a file can only be verified to be uncompromised during an original install this is the only place/time to switch it on. Further, switching on TCB will prevent any further update and/or alt_disk_install of the system because of exactly this fact. (You can indeed do updates but these will disable TCB in the process.)

Best practice is to stay clear of TCB because it creates more problems than it solves, but this is common sense - don't argue that way with managers, only with technical persons.

Yes - and i do not have a wheel chair. Not, because i could not get one, but because i do not need one. There are no known viruses for AIX in existence and as long as you follow best practices for administrating AIX systems (for instance, using "root" only for administration, ...) there is no way a virus could affect them. Affording every system to have virus scanners is a plan usually hatched by managers who do not understand the difference between their Windoze-laptop and an AIX-LPAR.

Do not try to educate them (if they could be brought to thinking they wouldn't be in the position they are). The best way to deal with them is to silently ignore them.

I hope this helps.

bakunin

System_Admin_77 · October 18, 2013, 3:11pm

@ blackrageous
Thanks for your response. We did not enable the TCB (Trusted Computing Base) during installation. My question was " is it MUST to enable TCB on AIX LPARs"
Qn) If yes or no, in what case / situation ?

---------- Post updated at 03:11 PM ---------- Previous update was at 03:03 PM ----------

bakunin:

In fact this is the only point in time where you can switch it on. TCB creates checksums for every file and because the status of a file can only be verified to be uncompromised during an original install this is the only place/time to switch it on. Further, switching on TCB will prevent any further update and/or alt_disk_install of the system because of exactly this fact. (You can indeed do updates but these will disable TCB in the process.)

Best practice is to stay clear of TCB because it creates more problems than it solves, but this is common sense - don't argue that way with managers, only with technical persons.

Yes - and i do not have a wheel chair. Not, because i could not get one, but because i do not need one. There are no known viruses for AIX in existence and as long as you follow best practices for administrating AIX systems (for instance, using "root" only for administration, ...) there is no way a virus could affect them. Affording every system to have virus scanners is a plan usually hatched by managers who do not understand the difference between their Windoze-laptop and an AIX-LPAR.

Do not try to educate them (if they could be brought to thinking they wouldn't be in the position they are). The best way to deal with them is to silently ignore them.

I hope this helps.

bakunin

@ bakunin

Thanks much for your explanation. Its sensible and understood. I just want to give some info from my side before i conclude this topic.

We've installed AIX 7.1 (standard edition). and everything seems to be working fine (as we expected). As i said earlier we do not enable accounting/auditing, TCB and no anti-virus.
I just want to confirm , that this is normal and its not must have TCB/anti-virus.
appreciate your help.

Thanks,