2.2 Scan for TROJAN aka Untrusted/Unauthorized Applications (Implement Allowlist)

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This recommendation is to find and report (audit) software on the system that has not been included in the TE (Trusted Execution) TSD (Trusted Signature Database).

Rationale:

These entries establish a so-called AllowList. Software not included on this AllowList should be generating a syslog and/or audit record whenever it is executed.

Trusted Execution (TE) is an AIX security component that can be used to monitor unauthorized software in real time.

Unauthorized seems a clear definition, but how TE determines unauthorized may not be as clear. Simply put, the goal is that all software is on the AllowList; software that is not on it is unauthorized. AIX uses the term TROJAN (see below) to determine that an application is unauthorized. Software that does not require any special kernel privileges to run is also treated as authorized.

What is a Trojan?

For this benchmark we adopt the AIX concept of TROJAN as the definition of unauthorized. AIX defines as a Trojan any executable not in the TSD that has one or more of the following characteristics:

uses either SUID or SGID

is linked to a command in the TSD (AllowList)

is in the privcmds database (the RBAC definition, i.e., it may run with kernel privileges).

is linked to a command in the privcmds database.

Summary: On AIX the AllowList construct is implemented by the TSD. The clear advantage of an AllowList monitored by a system security component is that the system can enforce and/or report violations of the AllowList in real time.

This recommendation focuses on reporting violations of the AllowList. A later recommendation (in an update or new version of the benchmark) will add a Level 2 recommendation that includes enforcing against violations.

Solution

This is a manual process. The remediation is to find and remove the offending file. Note that the reported file may also be the artifact of another error; the most common case is a symbolic link that points at a non-existent object.
The starting point is running the same command from the AUDIT section:

trustchk -i -n tree / 2>&1 >/dev/null | grep untrusted

Line by line, verify the root cause and act (one of):

remove the offending object

remove SUID/SGID settings

remove privcmds setting

add to TSD aka AllowList
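The following triage helper is an added example, not part of the benchmark or of AIX: it labels each reported path by the root cause most likely behind the trustchk report (dangling symbolic link, SUID/SGID bit, privcmds entry, extra hard link, or needs manual review), so each line can be matched to one of the actions above. It assumes lssecattr -c returns non-zero for a path with no privcmds entry, and that the path is the last field of each trustchk output line.

```shell
# Triage of untrusted files reported by trustchk (added example, not from
# the CIS benchmark). classify_untrusted prints one label per path:
# dangling-symlink, symlink, suid-sgid, privcmd, hardlink or review.
# Assumption: lssecattr -c (AIX RBAC) fails for a path that has no
# privcmds entry; it is only consulted when the command exists.

classify_untrusted() {
    p=$1
    if [ -L "$p" ]; then
        # A symlink to a missing target is the most common false alarm.
        if [ ! -e "$p" ]; then
            echo dangling-symlink
        else
            echo symlink          # review the target: is it in the TSD?
        fi
    elif [ -u "$p" ] || [ -g "$p" ]; then
        echo suid-sgid            # remove the bit or add the file to the TSD
    elif command -v lssecattr >/dev/null 2>&1 &&
         lssecattr -c "$p" >/dev/null 2>&1; then
        echo privcmd              # remove the privcmds entry or add to the TSD
    elif [ -n "$(find "$p" -prune -links +1 2>/dev/null)" ]; then
        echo hardlink             # extra link to a TSD or privcmds command
    else
        echo review               # no automatic cause: inspect by hand
    fi
}

# Read paths one per line on stdin and print "<label> <path>".
triage_untrusted() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s %s\n' "$(classify_untrusted "$p")" "$p"
    done
}

# Stand-alone use on AIX: feed the benchmark's trustchk command through the
# triage. Assumption: the reported path is the last field of each line.
if command -v trustchk >/dev/null 2>&1; then
    trustchk -i -n tree / 2>&1 >/dev/null | grep untrusted |
        awk '{print $NF}' | triage_untrusted
fi
```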

See Also

https://workbench.cisecurity.org/benchmarks/7851