IBM Support

AIX Security: Virus and Malware Protection Options for AIX

Question & Answer


Question

What are some virus and malware protection options for AIX?

Answer

Consider AIX Trusted Execution for virus and malware protection:
For UNIX systems, the most common ways for a malicious user to attack the system are to install Trojans or rootkits, or to tamper with security-critical files, leaving the system vulnerable or exploitable. The AIX Trusted Execution feature can be used to prevent virus or malware execution and to detect when files critical to system security integrity have been compromised. At the center of Trusted Execution is the Trusted Signature Database (TSD), which stores system integrity baselines, including the digital signature and other security parameters (for example, ownership and permission) of the security-critical files (trusted files) on the system.
Trusted files are typically the kernel, device drivers, shared libraries, any programs that must be run by root or the system administrator, all setuid and setgid root programs, and the configuration files that control system operation. Trusted Execution provides two modes of integrity checking:
  • Runtime integrity check:
    • The system can be configured to check the integrity of the trusted files before every request to access those files and detect tampering of any trusted file (by a malicious user or application).
    • If a trusted file is found to be compromised, Trusted Execution can take corrective actions based on pre-configured policies, such as disallowing execution, denying access to the file, or logging an error.
  • System integrity check:
    • An administrator runs the trustchk command to compare the digital signatures and other security parameters of the current system against the TSD.
    • If the trustchk command identifies an anomaly, it can be made to correct it automatically or to prompt the user before attempting correction.
    • For anomalies such as a signature, cert_tag, hash_value, or size mismatch, correction is not possible. In such cases, the trustchk command makes the file inaccessible, rendering it useless and containing any damage.
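The system integrity check described above, as an added illustration that is not IBM's trustchk: it parses a constructed baseline written in the stanza style of the TSD, compares each entry with attributes observed on the system, and classifies a mismatch as correctable from the baseline (ownership, permission) or as one that trustchk cannot correct (signature, cert_tag, hash_value, size), in which case the file is made inaccessible. The file paths, sizes and hash values are constructed samples.

```python
"""Simplified model of the AIX Trusted Execution system integrity check.

Added illustration only; it is not trustchk and does not read the real
/etc/security/tsd/tsd.dat.  The stanza layout is modeled on the TSD, the
values below are constructed.
"""

# Attributes that can be restored from the baseline versus those whose
# mismatch means the file content itself changed (not correctable).
CORRECTABLE = {"owner", "group", "mode"}
UNCORRECTABLE = {"signature", "cert_tag", "hash_value", "size"}


def parse_tsd(text):
    """Parse 'path:' stanzas with indented 'key = value' lines into a dict."""
    db, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            db[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            db[current][key.strip()] = value.strip()
    return db


def check_file(baseline, observed):
    """Return (verdict, mismatched_keys) for one trusted file."""
    bad = sorted(k for k in baseline
                 if k in observed and baseline[k] != observed[k])
    if not bad:
        return "ok", bad
    if any(k in UNCORRECTABLE for k in bad):
        return "make_inaccessible", bad    # content changed: quarantine
    return "correct_from_tsd", bad         # metadata drift: restore


def system_integrity_check(tsd_text, observed_by_path):
    """Run check_file over every stanza in the baseline."""
    return {path: check_file(stanza, observed_by_path.get(path, {}))
            for path, stanza in parse_tsd(tsd_text).items()}


# Constructed baseline for two hypothetical trusted files.
SAMPLE_TSD = """\
/usr/bin/example_setuid:
        owner = root
        group = system
        mode = TCB,4555
        type = FILE
        size = 40616
        hash_value = 3a7bd3e2360a3d29eea436fcfb7e44c7

/usr/lib/libexample.a:
        owner = bin
        group = bin
        mode = TCB,555
        type = FILE
        size = 1234
        hash_value = 0cbc6611f5540bd0809a388dc95a615b
"""

# Constructed observations: the first file only had its mode changed,
# the second was replaced (size and hash differ).
OBSERVED = {
    "/usr/bin/example_setuid": {"owner": "root", "group": "system",
                                "mode": "TCB,4777", "size": "40616",
                                "hash_value": "3a7bd3e2360a3d29eea436fcfb7e44c7"},
    "/usr/lib/libexample.a": {"owner": "bin", "group": "bin", "mode": "TCB,555",
                              "size": "1301",
                              "hash_value": "ffffffffffffffffffffffffffffffff"},
}
```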
At system configuration time, users can adjust (add/delete/modify entries) the TSD with the trustchk command. When finalized, it is critical to secure the Trusted Signature Database by one of the following options:
  • Store the TSD on write-once media such as CD-R or DVD-R.
  • Use the lockdown policy, which disallows subsequent writes to the Trusted Signature Database.
Additionally, Trusted Execution Path (TEP) defines a list of directories that contain the trusted executable files. After TEP verification is enabled, the system loader allows only binary files in the specified paths to execute. Trusted Library Path (TLP) has the same functionality, except that it is used to define the directories that contain trusted libraries of the system.
Learn more about AIX Trusted Execution:
Additional options:
SUPPORT
**AIX Support does not make specific recommendations to harden your system. Security configuration (for example, RBAC, Trusted AIX, AIX Security Expert, ACLs, auditing) involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements.**
 
Security consultation and customizations are out of the scope of AIX Support. However, if you have specific questions about the documented usage, we are happy to assist. If you require consulting services, there are fee-based services available.
See how technical questions (Q&A) are handled by IBM Support:
https://www.ibm.com/support/pages/node/796206
Read more about IBM Technology Services (formerly Systems Lab Services):
 - See more details about AIX, Linux, and Red Hat OpenShift Security Services:
   https://www.ibm.com/support/pages/node/6584155
Or, if you prefer, an AIX Duty Manager can assist in arranging these services.
If you require more assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.
 
1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.
2. Capture any logs or data relevant to the situation.
3. Contact IBM to open a case:
   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/
4. Provide a clear, concise description of the issue.
5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.


Document Information

Modified date:
01 February 2023

UID

ibm16223934