AIX TE (Trust Execution)

AIX TE is comparable to SELinux: it checks the integrity of the system and of its files.

TE will prevent you from updating your system, so you have to disable it before the upgrade and enable it again at the end.

[root@aix73]/root# getrunmode
System is currently in OPERATIONAL MODE.
[root@aix73]/root# getsecconf
OPERATIONAL MODE Security Flags
ROOT                      :    ENABLED
TRACEAUTH                 :   DISABLED

List TE status:

root@aixsrv1 - /root > for i in TE CHKEXEC CHKSHLIB
CHKSCRIPT CHKKERNEXT STOP_UNTRUSTD STOP_ON_CHKFAIL TEP TLP
TSD_FILES_LOCK TSD_LOCK
do
trustchk -p $i
done
TE=ON
CHKEXEC=ON
CHKSHLIB=ON
CHKSCRIPT=ON
CHKKERNEXT=ON
STOP_UNTRUSTD=OFF
STOP_ON_CHKFAIL=ON
TEP=OFF
TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin:/usr/lib:/usr/lib/security
TLP=OFF
TLP=/usr/lib:/usr/ccs/lib:/lib:/var/lib
TSD_FILES_LOCK=OFF
TSD_LOCK=ON

Disable CHKEXEC, TE, TEP and TLP before installing an AIX package:

root@aixsrv1 - /root > for i in TE CHKEXEC TEP TLP
do
trustchk -p $i=OFF
done
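The disable/re-enable sequence above is easy to get wrong by hand (a flag that was already OFF gets switched ON afterwards, or a failed install leaves TE off). The script below is an added example, not part of this wiki page: it records the current value of each flag, switches the four flags off, runs the install command, and restores the recorded values even if the command fails. It assumes that `trustchk -p FLAG` prints `FLAG=ON` or `FLAG=OFF` on its first line (TEP and TLP print their path list on a second line, as in the output above) and that `trustchk -p FLAG=VALUE` sets the flag. The `fake_trustchk` simulator, `FAKE_STATE` and `te_demo` are constructed so the script runs on a machine without AIX; on a real system leave `TRUSTCHK` at its default.

```shell
#!/bin/sh
# Added example (not from the wiki page): snapshot the TE flags, turn the four flags
# the page names off for the package install, and restore every flag afterwards.
# Assumption: `trustchk -p FLAG` prints "FLAG=ON|OFF" first; `trustchk -p FLAG=VALUE` sets it.

TRUSTCHK="${TRUSTCHK:-trustchk}"
TE_FLAGS="TE CHKEXEC TEP TLP"      # the flags the page says must be OFF to install packages

# te_flag_value FLAG: print ON or OFF for one flag, ignoring the TEP/TLP path line.
te_flag_value() {
  "$TRUSTCHK" -p "$1" | awk -F= -v n="$1" '$1 == n && ($2 == "ON" || $2 == "OFF") { print $2; exit }'
}

# te_snapshot FILE: write FLAG=VALUE for each flag so the exact state can be restored.
te_snapshot() {
  : > "$1"
  for f in $TE_FLAGS; do
    printf '%s=%s\n' "$f" "$(te_flag_value "$f")" >> "$1"
  done
}

# te_set_all VALUE: set every flag in TE_FLAGS to ON or OFF.
te_set_all() {
  for f in $TE_FLAGS; do "$TRUSTCHK" -p "$f=$1"; done
}

# te_restore FILE: re-apply the recorded values (flags that were already OFF stay OFF).
te_restore() {
  while IFS='=' read -r f v; do
    if [ -n "$f" ]; then "$TRUSTCHK" -p "$f=$v"; fi
  done < "$1"
}

# te_upgrade_ready: succeed only when all flags in TE_FLAGS are OFF.
te_upgrade_ready() {
  for f in $TE_FLAGS; do
    [ "$(te_flag_value "$f")" = "OFF" ] || return 1
  done
  return 0
}

# te_run_with_te_off SNAPFILE CMD...: snapshot, disable, run CMD, restore even if CMD
# fails, and return CMD's exit status so a failed installp is not silently hidden.
te_run_with_te_off() {
  snap="$1"; shift
  te_snapshot "$snap"
  te_set_all OFF
  if "$@"; then rc=0; else rc=$?; fi
  te_restore "$snap"
  return "$rc"
}

# ---- constructed simulator so the example runs without AIX (not real trustchk) ----
FAKE_STATE="${TMPDIR:-/tmp}/te_fake_state.$$"

# fake_trustchk -p FLAG | -p FLAG=VALUE: keeps FLAG=VALUE lines in FAKE_STATE.
fake_trustchk() {
  case "$2" in
    *=*)
      awk -F= -v f="${2%%=*}" -v v="${2#*=}" 'BEGIN { OFS = "=" } $1 == f { $2 = v } { print }' \
        "$FAKE_STATE" > "$FAKE_STATE.tmp" && mv "$FAKE_STATE.tmp" "$FAKE_STATE"
      ;;
    *)
      awk -F= -v f="$2" '$1 == f' "$FAKE_STATE"
      if [ "$2" = TEP ]; then echo 'TEP=/usr/bin:/usr/sbin:/etc'; fi   # mimic the extra path line
      ;;
  esac
}

# te_demo: run the whole sequence against the simulator with a constructed starting state.
te_demo() {
  TRUSTCHK=fake_trustchk
  printf 'TE=ON\nCHKEXEC=ON\nTEP=OFF\nTLP=ON\n' > "$FAKE_STATE"
  te_run_with_te_off "${TMPDIR:-/tmp}/te_snapshot.$$" sh -c 'echo "installp would run here"'
  echo "after upgrade: TE=$(te_flag_value TE) TEP=$(te_flag_value TEP)"   # ON and OFF, as before
}

te_demo
```

On a real system the call would be `te_run_with_te_off /var/tmp/te_snapshot "installp ..."` with `TRUSTCHK` unset; the snapshot file is worth keeping until the next `trustchk -p` review so you can show what the flags were before the change.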
trustchk -t ALL reports an error message for the /usr/ccs/lib/.recover/libc.a library:

# trustchk -t ALL
trustchk: Verification of attributes failed: hash
Disable access to the file: /usr/ccs/lib/.recover/libc.a?
  (y)es,(n)o,(i)gnore all errors : n
trustchk: Verification of stanza failed:
/usr/ccs/lib/.recover/libc.a
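When TE verification runs from cron or a monitoring job, the interactive prompt above is useless; what you want is a list of failing files with the attribute that failed, and a way to tell a known case such as /usr/ccs/lib/.recover/libc.a apart from something new. The script below is an added example, not part of this wiki page. It assumes the report comes from a non-interactive run such as `trustchk -n ALL` (`-n` reports without prompting or correcting); the sample report, the `/usr/sbin/example_daemon` entry and the expected-paths list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the wiki page): turn a trustchk verification report into
# "<path> <failed-attribute>" lines and flag entries that are not on a known list.
# Assumption: the report is produced non-interactively (e.g. `trustchk -n ALL`).

# Constructed sample report, modelled on the output shown on the page.
TE_SAMPLE_REPORT='trustchk: Verification of attributes failed: hash
trustchk: Verification of stanza failed: /usr/ccs/lib/.recover/libc.a
trustchk: Verification of attributes failed: size
trustchk: Verification of stanza failed: /usr/sbin/example_daemon'

# Constructed list of paths whose failure is already documented, one per line.
TE_EXPECTED='/usr/ccs/lib/.recover/libc.a'

# te_parse_report: read a report on stdin, print "<path> <attribute>" per failed stanza.
# The attribute line precedes the stanza line; the path may wrap onto its own line.
te_parse_report() {
  awk '
    function emit(p) { print p, (attr == "" ? "unknown" : attr); attr = "" }
    /Verification of attributes failed:/ { attr = $NF; next }
    /Verification of stanza failed:/ {
      if ($NF == "failed:") { pending = 1; next }   # path wrapped to the next line
      emit($NF); next
    }
    pending { emit($1); pending = 0 }
  '
}

# te_classify EXPECTED_LIST: read a report on stdin, prefix each failure with
# EXPECTED (path is on the list) or UNEXPECTED (anything else).
te_classify() {
  te_parse_report | while read -r path attr; do
    if printf '%s\n' "$1" | grep -qxF -- "$path"; then
      printf 'EXPECTED %s %s\n' "$path" "$attr"
    else
      printf 'UNEXPECTED %s %s\n' "$path" "$attr"
    fi
  done
}

# te_unexpected_count: number of UNEXPECTED entries in the sample report; a job can
# treat a non-zero count as an alert condition.
te_unexpected_count() {
  printf '%s\n' "$TE_SAMPLE_REPORT" | te_classify "$TE_EXPECTED" | grep -c '^UNEXPECTED' || true
}

printf '%s\n' "$TE_SAMPLE_REPORT" | te_classify "$TE_EXPECTED"
echo "unexpected: $(te_unexpected_count)"
```

On a real system the pipeline is `trustchk -n ALL 2>&1 | te_classify "$(cat /etc/te_expected.list)"` (the list file name is an assumption); keep the expected list short and review it whenever a documented exception stops applying.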

Secure boot: Signature verification failed for /usr/sbin/xntpd

This issue can be worked around by deleting the erroneous entry from the Trusted Signature Database (TSD):

trustchk -d /usr/sbin/ntp4/ntpd4

If you are already hitting this problem, you first need to lower your Secure Boot policy so that the system can boot. Then delete the TSD entry, set the Secure Boot policy back to level 2 or lower, and boot one more time.

https://www.ibm.com/support/pages/aix-security-considerations-enabling-trusted-execution

https://www.ibm.com/support/pages/node/630713

AIX and TE (Trusted Execution): an underestimated security feature? Part 1
https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2024/02/08/aix-and-te-sec-part1

AIX and TE (Trusted Execution): an underestimated security feature? Part 2
https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2024/02/22/aix-and-te-trusted-execution-an-underestimated-sec

AIX and TE (Trusted Execution): an underestimated security feature? Part 3
https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2024/03/21/aix-and-te-trusted-execution-an-underestimated-sec

AIX and TE (Trusted Execution): an underestimated security feature? Part 4
https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2024/04/15/aix-and-te-trusted-execution-an-underestimated-sec

aix/aix_trustexec.txt · Last modified: 2025/01/16 16:41 by manu