4.8.1 TE - implementation

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The recommendation is to implement TE to protect the system from Trojan horse style attacks. TE provides a robust system integrity checking process.

Rationale:

One of the common ways a hacker infiltrates a system is through file tampering or the use of a Trojan horse. The implementation of TE can provide a number of integrity checks prior to loading a program into memory, any deviations can also be highlighted when programs and files are validated offline. This ensures that the programs executed are those which are intended to be and not malicious code masquerading as a true program.

When a discrepancy is identified it is classified as either minor or major. A minor discrepancy is automatically reset to the value defined in the TSD. In the event of a major discrepancy the file access permissions are changed to make the file inaccessible.

There is a pre-requisite requirement to install CLiC and SSL software.

Solution

It is recommended that TE is configured in online mode. This provides real time protection against Trojan horse attacks.
The tsd.dat file contains the important security attributes relating to all of the managed files:

cat /etc/security/tsd/tsd.dat

NOTE: The trustchk command is used to manage the entries in this file.
To enable TE, firstly enable online checking of executables and shell scripts:

trustchk -p CHKEXEC=ON
trustchk -p CHKSCRIPT=ON

Stop the execution or loading of binaries and files into memory when the integrity checks fail:

trustchk -p STOP_ON_CHKFAIL=ON

Enable online TE based on the policy selections above:

trustchk -p TE=ON

To set a Trusted Execution Path or TEP:

trustchk -p TEP=<PATH variable>

Enable the TEP:

trustchk -p TEP=ON

NOTE: Commands will not be executed if they reside outside of the TEP.
Further details regarding planning and implementation of TE can be found within the IBM AIX 7.1 Infocentre:
https://www.ibm.com/docs/en/aix/7.1?topic=configuration-trusted-execution
NOTE: The configuration of TE is dependant on the unique requirements of a given environment.

Default Value:

Not enabled

See Also

https://workbench.cisecurity.org/benchmarks/13069