How to administer an AIX with Trusted AIX

[Nacer2011]

Hello all
I installed an AIX6.1 box with Trusted AIX option.
I'm suufring ... I've some, euh a lot of problems
I use sa, so and isso users/roles to do some things.

I'd like to know how to install a TL or an SP ?
How to install a tiers software ?
How to install an rpm ?

Any help, experience is welcome(documents, best practices, white paprer ....)
Thanks...

 

[itsp1965]

http://www.redbooks.ibm.com

- AIX guides for practically everything can be found here.

 

[Nacer2011]

Thank you for your advice, but I don't find docs that detail the use of Trusted AIX. I know the redbook "AIX V6 Advanced Security Features: Introduction and Configuration" but it still general.

I've also a problem about installing rpms, a lot of errors.

 

[MoreFeo]

Have you tried looking in the Information Center?

http://publib.boulder.ibm.com/infoc...ibm.aix.security/doc/security/trusted_aix.htm

 

[Nacer2011]

Yes I use the information center, but you know there are general purpose ans idea about the the trusted AIX.
For example, I didn't find howto install a TL ? with which user should I do it ? I was obliged to install TL6 of AIX6.1 in single mode
An other example, I cannot install rpm neither neither with root nor with sa user (I did it in single mode)

What I'm looking for is a sort of best practice or a real experence with Trusted AIX and TCB, thanks.

 

[chgwhat]

You will not find best practice for Trusted AIX, as there is only one supported and secured way to maintain that AIX. The only people with that experience are some IBM employees, US Department of Defense (DoD) TCSEC and European ITSEC criteria for enhanced B1 security. The people that support those systems, are very unlike to share any information, as it would most likely violate their security. So you best option would get more info from IBM. Can I ask why you are trying to learn support for a enhanced security system, or will that violate your security.

This is what I got from the docs "Configuration mode is used to maintain and recover the system. When the system is booted in single-user mode, the system is minimally configured and networking is disabled. Configuration mode is used for administration of critical, security-relevant parts of the system.

Operational mode is the standard system operating mode. The system changes to this mode after all tasks required to enter the default run level have been completed.

The system run mode can be displayed with the getrunmode command and can be modified with the setrunmode command."


Tony ... aka chgwhat

When in doubt,,, Power out...

 

[McleanWJM]

AIX TCB - the TRUSTED COMPUTING base -
This is just an ODM flag that enable the creation of a syschk file where it registers the OS file bit size, chksums etc.
AIX TCB is not like solaris Trusted shell, its just an add on.

AIX TCB will not stop TL/SP installs, it only affects migrations. ( the migration script will check for the ODM TCB flag then stop if present - If you twiddle the ODM and remove this flag you can upgrade/migrate just fine. )

Mostly TCB , creates a /etc/syschk.cfg file that it can run utilties against to verify the OS has not been changed or comprimsed. IF you install a TL or SP you should update this file.

I have run TCB at the bank I used to work at , its not that major of a change in AIX functions.

 

[Nacer2011]

Thanks
Now, I experienced the beast.
My probleme is with Trusted AIX.
I use RBAC, but I have always problems to install software like rpms or bff.
This is an example :
$ rpm -i zlib_1_2_3_4_aix5_2_ppc.rpm
failed to open /opt/freeware/packages/packages.rpm: The file access permissions do not allow the specified action.

error: cannot open /opt/freeware/packages/packages.rpm

I did this command with sa, so and isso.


With root it gives :
# rpm -i zlib_1_2_3_4_aix5_2_ppc.rpm
unpacking of archive failed on file /opt/freeware/64: cpio: chown failed - Operation not permitted.


Best regards