Verify System Integrity
AIX 6.1 and Trusted Execution help ensure secure systems
System security is a multifaceted issue and requires different tools and frameworks to thwart threats. Some security mechanisms protect against attacks; others actively monitor for attacks that have succeeded and deny the attacker powers, privileges and data access.
System administrators must be able to verify, at any point in time, that the system hasn’t been compromised. Additionally, a system-integrity mechanism is required to spoil attacker attempts to compromise the baseline system-integrity information itself. It’s also necessary for security policies to be easily applied across various systems.
Guaranteeing System Integrity
System integrity involves capturing the good state of the system in a non-modifiable form and using it as a reference to check the state of the system periodically. The requirements of a good system-integrity tool can be listed as follows:
- Integrity Measurement: Provide administrator tools to detect changes to the system. Changes are identified by comparing the current state to a well-known previous state (also called the baseline).
- Lockdown: Provide an administrator a means to lock down the information established as the baseline. This lockdown prevents an intruder from modifying the state of the system and then recreating the baseline so that the administrator can no longer detect the modifications.
- Monitor and Protect: Provide a means to monitor the execution of executables, libraries, kernel extensions and so on.
One of the key security features introduced in AIX 6.1 is Trusted Execution (TE). TE meets all the above requirements and provides offline and runtime control mechanisms to keep the system secure.
TE Architecture Establishes Baseline
AIX 6.1 ships IBM-signed signatures for the important system files in the AIX OS. These signatures are populated into a database called the Trusted Signature Database (TSD). This TSD forms one component of the baseline. On a fully installed AIX system, the TSD is populated for most AIX files and is ready to be used for integrity checking. Administrators, while building their production system, can add entries to the TSD for their custom tools as well as for any commercial middleware or application they plan to deploy. Once the production-level TSD is established, it can be used as a reference baseline for all similar systems in the environment. See Figure 1.
TE functions and policies on AIX are supported through a single command interface called trustchk. This command manages TE policies and the TSD database. It can also do offline system-integrity verification and generate a report. For example, to get a report of system integrity that lists discrepancies without correcting them, run: trustchk -n ALL.
For any integrity verification to be successful, it’s necessary to establish a clear baseline for the system. It’s important that a baseline is established for a production-level server and that any changes to the baseline are carefully controlled thereafter. By default, AIX stores the baseline-related information in the TSD database file, /etc/security/tsd/tsd.dat.
TE provides extensive support for establishing and managing the baseline information for the server:
- AIX ships SHA-256 hashes and signatures for the system files that are critical to system operation and hence need to be monitored. These hashes and signatures (and other file-security attributes) are automatically recorded in the TSD during package installation, along with the digital certificates required to verify the signatures.
- trustchk can be used to add, modify and delete TSD entries. For example, if administrators need to monitor a few files related to an application or middleware product, they can insert entries for them into the TSD. While doing so, administrators can provide their own private key/certificate pair to sign the hashes of the application or middleware files.
- The administrator can choose to lock down the baseline file on a production system (the TSD_LOCK policy). No modifications to the baseline are then allowed on that system, even by root.
- The TSD does not hold an entry for every file on the system; entries are added based on the security attributes of each file. For example, a file with the SUID bit set will have a TSD entry. Administrators must decide on the exact set of entries they want in the TSD. For example, the TSD can be configured so that only a small set of DB2 applications is allowed to run on the system.
- AIX provides a framework that ISVs can use to ship integrity information as part of their software packages. Properly formatted integrity information is recognized by the installp command on AIX and automatically populated into the baseline database.
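The three requirements listed under Guaranteeing System Integrity (measure, lock down, detect tampering with the baseline itself) and the TSD management steps above can be seen end to end in a small stand-alone model. The following Python is an added example written for this page; it is not IBM code and not how trustchk is implemented. It records owner, group, mode, size and a SHA-256 hash per file in a stanza-style text database modelled loosely on tsd.dat (the attribute names are an assumption; real TE entries also carry hardlinks, symlinks, a cert_tag and an RSA signature), seals each entry with an HMAC under an operator key as a stand-in for the per-entry signature and certificate, verifies the live file system against the baseline, and refuses to modify the baseline once the lock flag (modelling TSD_LOCK=ON) is set. Unlike TE, the lock here is enforced only by this code, not by the kernel.

```python
"""Toy integrity baseline in the spirit of the AIX Trusted Signature Database.

Added example, not IBM code. Attribute names mimic tsd.dat stanzas (assumption);
the HMAC 'seal' stands in for TE's RSA signature + certificate per entry.
"""
import hashlib
import hmac
import os
import stat
from pathlib import Path

# Attributes recorded per file, in the order they are written and sealed.
FIELDS = ("owner", "group", "mode", "type", "size", "hash_value")


def measure(path: Path) -> dict:
    """Collect the live attributes of one file the way a TSD entry would."""
    st = path.lstat()
    is_reg = stat.S_ISREG(st.st_mode)
    return {
        "owner": str(st.st_uid),
        "group": str(st.st_gid),
        "mode": format(stat.S_IMODE(st.st_mode), "o"),
        "type": "FILE" if is_reg else "OTHER",
        "size": str(st.st_size),
        "hash_value": hashlib.sha256(path.read_bytes()).hexdigest() if is_reg else "",
    }


class Baseline:
    """A TSD-like database: sealed per-file entries plus a lock policy."""

    def __init__(self, key: bytes):
        self.key = key        # operator secret standing in for the signing key
        self.entries = {}     # path -> attribute dict (including 'seal')
        self.locked = False   # models the TE policy TSD_LOCK=ON

    def _seal(self, path: str, attrs: dict) -> str:
        # Seal covers the path and every recorded attribute, so editing any
        # baseline field (e.g. mode or hash_value) without the key is detected.
        canon = path + "\n" + "\n".join(f"{k}={attrs.get(k, '')}" for k in FIELDS)
        return hmac.new(self.key, canon.encode(), "sha256").hexdigest()

    def add(self, path: Path) -> None:
        """Add or replace an entry; refused once the baseline is locked."""
        if self.locked:
            raise PermissionError("baseline is locked (TSD_LOCK=ON); refusing to modify")
        attrs = measure(path)
        attrs["seal"] = self._seal(str(path), attrs)
        self.entries[str(path)] = attrs

    def lock(self) -> None:
        self.locked = True

    def dumps(self) -> str:
        """Serialise as stanzas: 'name:' followed by tab-indented 'attr = value'."""
        out = [f"policy:\n\ttsd_lock = {'ON' if self.locked else 'OFF'}\n"]
        for path, attrs in sorted(self.entries.items()):
            body = "".join(f"\t{k} = {attrs[k]}\n" for k in FIELDS + ("seal",))
            out.append(f"{path}:\n{body}")
        return "\n".join(out)

    @classmethod
    def loads(cls, text: str, key: bytes) -> "Baseline":
        bl = cls(key)
        current = None
        for line in text.splitlines():
            if not line.strip():
                continue
            if not line.startswith("\t") and line.endswith(":"):
                current = line[:-1]
                if current != "policy":
                    bl.entries[current] = {}
                continue
            k, _, v = line.strip().partition("=")
            k, v = k.strip(), v.strip()
            if current == "policy":
                if k == "tsd_lock":
                    bl.locked = (v == "ON")
            elif current is not None:
                bl.entries[current][k] = v
        return bl

    def verify(self) -> list:
        """Compare the live system with the baseline; return (path, problem) pairs.

        A broken seal is reported first and the entry is not trusted further:
        the baseline itself was altered, which is what lockdown guards against.
        """
        findings = []
        for path, attrs in sorted(self.entries.items()):
            if not hmac.compare_digest(self._seal(path, attrs), attrs.get("seal", "")):
                findings.append((path, "seal"))
                continue
            if not os.path.lexists(path):
                findings.append((path, "missing"))
                continue
            live = measure(Path(path))
            findings.extend((path, k) for k in FIELDS if live[k] != attrs[k])
        return findings
```

Usage mirrors the TE workflow: build the baseline on a clean install with `add()`, call `lock()` and persist it with `dumps()`, then on each check load it with `loads()` and inspect the `(path, attribute)` pairs from `verify()`, which correspond to the attribute mismatches trustchk reports.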