===== AIX TE (Trust Execution) =====

AIX TE is like SELINUX, check for system and files integrity

TE will prevent you from updating your system, then you have to disable it, and enable at the end of upgrade.

<cli prompt='#'>
[root@aix73]/root# getrunmode
System is currently in OPERATIONAL MODE.
[root@aix73]/root# getsecconf
OPERATIONAL MODE Security Flags
ROOT                      :    ENABLED
TRACEAUTH                 :   DISABLED
</cli>

==== List TE status: ====

<cli prompt='>'>
root@aixsrv1 - /root > for i in TE CHKEXEC CHKSHLIB
CHKSCRIPT CHKKERNEXT STOP_UNTRUSTD STOP_ON_CHKFAIL TEP TLP
TSD_FILES_LOCK TSD_LOCK
do
trustchk -p $i
done
TE=ON
CHKEXEC=ON
CHKSHLIB=ON
CHKSCRIPT=ON
CHKKERNEXT=ON
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=ON
TEP=OFF
TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin:/usr/lib:/usr/lib/security
TLP=OFF
TLP=/usr/lib:/usr/ccs/lib:/lib:/var/lib
TSD_FILES_LOCK=OFF
TSD_LOCK=ON
</cli>

==== Disable CHKEXEC, TE, TEP, TLP to install AIX package: ====

<cli prompt='>'>
root@aixsrv1 - /root > for i in TE CHKEXEC TEP TLP
do
trustchk -p $i=OFF
done
</cli>

<code>
•	trustchk -t ALL reports an error message for
•	/usr/ccs/lib/.recover/libc.a library.
•	
•	# trustchk -t ALL
•	trustchk: Verification of attributes failed: hash
•	Disable access to the file: /usr/ccs/lib/.recover/libc.a?
•	  (y)es,(n)o,(i)gnore all errors : n
•	trustchk: Verification of stanza failed:
•	/usr/ccs/lib/.recover/libc.a
</code>


Secure boot: Signature verification failed for /usr/sbin/xntpd

This issue can be worked around by deleting the erroneous entry from the Trusted Signature Database (TSD) by running:

trustchk -d /usr/sbin/ntp4/ntpd4

If you are already hitting this problem, then you need to reduce your Secure Boot policy to allow boot.  Then, delete the TSD entry, set the Secure Boot policy back to a level of 2 or less, and boot one more time.



https://www.ibm.com/support/pages/aix-security-considerations-enabling-trusted-execution

https://www.ibm.com/support/pages/node/630713



AIX and TE (Trusted Execution): an underestimated security feature? part1\\
https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2024/02/08/aix-and-te-sec-part1

AIX and TE (Trusted Execution): an underestimated security feature? Part 2\\
https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2024/02/22/aix-and-te-trusted-execution-an-underestimated-sec

AIX and TE (Trusted Execution): an underestimated security feature? Part 3\\
https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2024/03/21/aix-and-te-trusted-execution-an-underestimated-sec

AIX and TE (Trusted Execution): an underestimated security feature? Part 4\\
https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2024/04/15/aix-and-te-trusted-execution-an-underestimated-sec