tncconsole Command
Purpose
Reports and manages the trusted network connect (TNC) server, the TNC client, the TNC IP Referrer (IPRef), and Service Update Management Assistant (SUMA). It manages fileset and patch management policies regarding endpoint (server and client) integrity at or after network connection to protect the network from threats and attacks.
Syntax
TNC server operations:
tncconsole mkserver [ tncport=<port> ] pmserver=<host:port> [ tsserver=<host> ] [ recheck_interval=<time_in_minutes> | <d>d:<h>h:<m>m ] [ dbpath=<user-defined directory> ]
tncconsole { rmserver | status }
tncconsole { start | stop | restart } server
tncconsole chserver attribute = value
tncconsole add -F <FSPolicyname> -r <buildinfo> [apargrp= [±]<apargrp1, apargrp2.. >] [ifixgrp=[+|-]<ifixgrp1,ifixgrp2...>]
tncconsole add { -G <ipgroupname> ip=[±]<host1,host2...> | -A <apargrp> [ aparlist=[±]<apar1,apar2...> ] | -V <ifixgrp> [ ifixlist=[±]<ifix1,ifix2...> ] }
tncconsole add -P <policyname> { fspolicy=[±]<f1,f2...> | ipgroup=[±]<g1,g2...> }
tncconsole add -e emailid [-E FAIL | COMPLIANT | ALL ] [ipgroup= [± ]<g1,g2...>]
tncconsole add -I ip= [±]<host1, host2...>
tncconsole delete { -F <FSPolicyname> | -G <ipgroupname> | -P <policyname> | -A <apargrp> | -V <ifixgrp>}
tncconsole delete -H -i <host | ALL> -D <yyyy-mm-dd>
tncconsole certadd -i <host> -t <TRUSTED | UNTRUSTED>
tncconsole certdel -i <host>
tncconsole verify -i <host> | -G <ipgroup>
tncconsole update [-p] { -i <host> | -G <ipgroup> } [ -r <buildinfo> | -a <apar1,apar2...> | [-u] -v <ifix1,ifix2...> ]
tncconsole log loglevel=<info | error | none>
tncconsole import -C -i <host> -f <filename> | -d <import database filename>
tncconsole { import -k <key_filename> | export} -S -f <filename>
tncconsole list { -S | -G < ipgroupname | ALL > | -F < FSPolicyname | ALL > | -P < policyname | ALL > | -r < buildinfo | ALL > | -I -i < ip | ALL > | -A < apargrp | ALL > | -V <ifixgrp>} [-c] [-q]
tncconsole list { -H | -s <COMPLIANT | IGNORE | FAILED | ALL> } -i <host | ALL> [-c] [-q]
tncconsole export -d <path to export directory>
tncconsole report -v <CVEid|ALL> -o <TEXT|CSV>
tncconsole report -A <advisoryname>
tncconsole report -P <policyname|ALL> -o <TEXT|CSV>
tncconsole report -i <ip|ALL> -o <TEXT|CSV>
tncconsole report -B <buildinfo|ALL> -o <TEXT|CSV>
TNC client operations:
tncconsole mkclient [ tncport=<port> ] tncserver=<host:port>
tncconsole mkclient tncport=<port> -T
tncconsole { rmclient | status }
tncconsole {start | stop | restart } client
tncconsole chclient attribute = value
tncconsole export { -C | -S } -f <filename>
tncconsole import { -S | -C -k <key_filename> } -f <filename>
TNC IPRef operations:
tncconsole mkipref [ tncport=<port> ] tncserver=<host:port>
tncconsole { rmipref | status}
tncconsole { start | stop | restart} ipref
tncconsole chipref attribute = value
tncconsole { import -k <key_filename> | export } -R -f <filename>
tncconsole list -R
Description
The TNC technology is an open, standards-based architecture for endpoint authentication, platform integrity measurement, and the integration of security systems. The TNC architecture inspects endpoints (network clients and servers) for compliance with security policies before allowing them on the protected network. The TNC IPRef notifies the TNC server about any new IPs that are detected on the Virtual I/O Server (VIOS).
SUMA helps move system administrators away from the task of manually retrieving maintenance updates from the web. It offers flexible options that enable the system administrator to set up an automated interface to download fixes from a fix distribution website to their systems.
The tncconsole command manages the network server and clients by adding or deleting security policies, validating clients as trusted or untrusted, generating reports, and updating the server and the client.
Item | Description |
---|---|
add | Adds a policy, a client, or the email information on the TNC server. |
apargrp | Specifies the APAR group names as part of the fileset policy that are used for verification of TNC clients. |
aparlist | Specifies the list of APARs that are part of the APAR group. |
certadd | Marks the certificate as trusted or untrusted. |
certdel | Deletes the client information. |
chclient | Changes the attributes in the tnccs.conf file. An explicit start command is required for the changes to take effect in the TNC client. The syntax of attribute=value is the same as that of mkclient. |
chipref | Changes the attributes in the tnccs.conf file. An explicit start command is required for the changes to take effect in IPRef. The syntax of attribute=value is the same as that of mkipref. |
chserver | Changes the attributes in the tnccs.conf file. An explicit start command is required for the changes to take effect in the TNC server. The syntax of attribute=value is the same as that of mkserver. Note: The dbpath attribute cannot be changed by using the chserver command. It can be set only while running mkserver. |
dbpath | Specifies the TNC database location. The default value is /var/tnc. |
delete | Deletes a policy or the client information. |
export | Exports the client or server certificate, or the database on the TNC server. |
fspolicy | Specifies the fileset policy of the release, technology level and service pack that are used for verification of TNC Clients. |
import | Imports a certificate on client or server, or database on TNC server. |
ipgroup | Specifies the Internet Protocol (IP) group that contains multiple client IP addresses or host names. |
list | Displays information about the TNC server, the TNC client, or the SUMA. |
log | Sets the log level for the TNC components. |
mkclient | Configures the TNC client. |
mkipref | Configures the TNC IPRef. |
mkserver | Configures the TNC server. |
pmport | Specifies the port number on which the pmserver listens to. The default value is 38240. |
pmserver | Specifies the host name or IP address (and port) of the patch management server, that is, the host on which the suma command downloads the latest service packs and security fixes available from the IBM® ECC website and the IBM Fix Central website. |
recheck_interval | Specifies the interval, in minutes or in d (days) : h (hours) : m (minutes) format, at which the TNC server verifies the TNC clients. Note: A value of recheck_interval=0 means that the scheduler does not initiate verification of the clients at regular intervals; the registered clients are verified automatically only during startup. In such cases, the clients can be verified manually with the verify subcommand. |
report | Generates a report that has .txt or .csv file extension. |
restart | Restarts the TNC client, the TNC server, or the TNC IPRef. |
rmclient | Unconfigures the TNC client. |
rmipref | Unconfigures the TNC IPRef. |
rmserver | Unconfigures the TNC server. |
start | Starts the TNC client, the TNC server, or the TNC IPRef. |
status | Shows the status of the TNC configuration. |
stop | Stops the TNC client, the TNC server, or the TNC IPRef. |
tncport | Specifies the port number on which the TNC server listens to. The default value is 42830. |
tncserver | Specifies the TNC server that verifies or updates the TNC clients. |
tsserver | Specifies the IP address or host name of the TS server. |
update | Installs patches on the client. |
verify | Initiates a manual verification of the client. |
Flags
Item | Description |
---|---|
-A <advisoryName> | Specifies the advisory name for the report. |
-B <buildinfo> | Specifies the build information to prepare a patch report. |
-i host | Specifies the IP address or host name. |
-f filename | Specifies the file from which the certificate must be read in case of an import operation, or specifies the location to which the certificate must be written in case of an export operation. |
-F fspolicy -r buildinfo | Specifies the fileset policy name, followed by the build information. The build information identifies the release, technology level and service pack in the form used in the examples (for example, 7100-04-02). |
-G ipgroupname ip=[±]ip1, ip2... | Specifies the IP group name followed by a comma-separated IP list. |
-P policyname fspolicy=[±]fspolicy1, fspolicy2... ipgroup=[±]g1, g2... | Specifies the policy name followed by a comma-separated fileset policy name list and an IP group name list. Fileset policies and IP groups are added to or removed from the policy by prefixing the list with the + or - symbol, respectively. |
-I ip=[±]ip1, ip2... or [±]host1, host2... | Specifies the IP addresses or host names that must be ignored during verification. |
-e emailid ipgroup=[±]g1, g2... | Specifies the email ID followed by a comma separated IP group name list. |
-E FAIL, COMPLIANT or ALL | Specifies the event for which emails are sent to the configured email ID. FAIL: mails are sent when the verification status of the client is FAILED. COMPLIANT: mails are sent when the verification status of the client is COMPLIANT. ALL: mails are sent for all client verification statuses. |
-d path | Specifies the file path of the database to import, or the directory path into which the database is exported. |
-t TRUSTED or UNTRUSTED | Marks the specified client as trusted or untrusted. Note: Only system administrators can mark the server or client as trusted or untrusted. |
-c | Displays the output in colon-separated records. |
-p | Previews the TNC client update. |
-q | Suppresses the header information. |
-s COMPLIANT, IGNORE, FAILED or ALL | Displays the clients that have the specified verification status. |
-u | Uninstalls an interim fix that is installed on a TNC client. |
-r buildinfo | Specifies the build information (release, technology level and service pack, in the form used in the examples, for example 7100-04-02) for a fileset policy, an update, or a report. |
-H | Lists the history log. |
-C | Specifies that the operation is for client component. |
-S | Specifies that the operation is for server component. |
-T | Specifies that the client can accept requests from any TS server that has a valid certificate. |
-v | Specifies a comma-separated interim fix list. |
-V | Specifies the interim fix group name. |
-R | Specifies that the operation is for IPRef component. |
-k filename | Specifies the file from which the certificate key must be read in case of an import operation. |
-D yyyy-mm-dd | Specifies the date for a particular client entry in the log history, where yyyy is the year, mm is the month, and dd is the day. |
-P <policyName> | Specifies the policy name to prepare a client policy report. |
-S <host> | Specifies the host name to prepare a client security fix report. |
Exit Status
This command returns the following exit values:
Item | Description |
---|---|
0 | The command ran successfully, and all the requested changes are made. |
>0 | An error occurred. The printed error message includes more details about the type of failure. |
Examples
- To start the TNC server, enter the following command:
tncconsole start server
- To add a fileset policy named 71D_latest for the build 7100-04-02, enter the following command:
tncconsole add -F 71D_latest -r 7100-04-02
- To delete a fileset policy named 71D_old, enter the following command:
tncconsole delete -F 71D_old
- To mark the client that has the IP address 11.11.11.11 as trusted, enter the following command:
tncconsole certadd -i 11.11.11.11 -t TRUSTED
- To delete the client that has the IP address 11.11.11.11 from the server, enter the following command:
tncconsole certdel -i 11.11.11.11
- To verify the client that has the IP address 11.11.11.11, enter the following command:
tncconsole verify -i 11.11.11.11
- To display the information of the client that has the IP address 11.11.11.11, enter the following command:
tncconsole list -i 11.11.11.11
- To list the clients that are in COMPLIANT status, enter the following command:
tncconsole list -s COMPLIANT -i ALL
- To list the information for the build 7100-04-02, enter the following command:
tncconsole list -r 7100-04-02
- To display the connection history of the client that has the IP address 11.11.11.11, enter the following command:
tncconsole list -H -i 11.11.11.11
- To delete the log history entries of the client that has the IP address 11.11.11.11 that are dated on or before 1 February 2009, enter the following command:
tncconsole delete -H -i 11.11.11.11 -D 2009-02-01
- To import, on the server, the certificate of the client that has the IP address 11.11.11.11, enter the following command:
tncconsole import -C -i 11.11.11.11 -f /tmp/client.txt
- To export the server certificate so that it can be imported on a client, enter the following command on the server:
tncconsole export -S -f /tmp/server.txt
- To update the client that has the IP address 11.11.11.11 to the appropriate level from the server, enter the following command:
tncconsole update -i 11.11.11.11
- To display the client statuses, enter the following command:
tncconsole status
- To display the client certificate, enter the following command:
tncconsole list -C
- To start the client, enter the following command:
tncconsole start client
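The certificate exchange and trust decision described above are spread across several subcommands: the server exports its certificate (export -S), the client imports it (import -S) and exports its own (export -C), the server imports the client certificate (import -C), marks it trusted (certadd -t TRUSTED) and verifies the client (verify). The following script is an added example, not part of the tncconsole command or IBM's documentation, that drives the server-side half of that procedure and a manual verification pass for servers created with recheck_interval=0. It assumes tncconsole is on PATH on the TNC server, that the certificate files are moved between the two hosts by the operator (for example with scp), that the client administrator reports the SHA-256 of the exported client certificate out of band so it can be compared before the client is trusted, that openssl is available for that comparison, and that `list -s FAILED -i ALL -q` prints one line per failed client and nothing otherwise. The DRY_RUN variable and the function names are the example's own.

```shell
#!/bin/sh
# Added example: server-side TNC client enrollment and manual verification.
# Not part of tncconsole. Assumptions (see lead-in): tncconsole on PATH,
# certificate files copied between hosts by the operator, openssl present,
# `list -s FAILED -i ALL -q` is empty when no client has failed.

TNC="${TNC:-tncconsole}"     # command to run; override for testing
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1: print the commands on stderr, do not run them

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY: %s\n' "$*" >&2
    return 0
  fi
  "$@"
}

# SHA-256 of a certificate file, compared against the value the client
# administrator reported out of band (assumption) before the client is trusted.
cert_fingerprint() {
  openssl dgst -sha256 "$1" | awk '{ print $NF }'
}

# Step 1 (on the server): export the server certificate for the client.
# The client administrator then runs, on the client:
#   tncconsole import -S -f <file>   (trust the server certificate)
#   tncconsole export -C -f <file>   (export the client certificate)
# and returns the client certificate file to the server.
export_server_cert() {
  run "$TNC" export -S -f "$1"
}

# Step 2 (on the server): import the client certificate, optionally check its
# fingerprint, mark the client TRUSTED and trigger an immediate verification.
# Returns 2 if the certificate file is unreadable, 3 on fingerprint mismatch.
enroll_client() {
  host="$1"; certfile="$2"; expected="${3:-}"
  [ -r "$certfile" ] || { echo "enroll_client: cannot read $certfile" >&2; return 2; }
  if [ -n "$expected" ] && [ "$(cert_fingerprint "$certfile")" != "$expected" ]; then
    echo "enroll_client: fingerprint mismatch for $host, not trusting it" >&2
    return 3
  fi
  run "$TNC" import -C -i "$host" -f "$certfile" || return 1
  run "$TNC" certadd -i "$host" -t TRUSTED || return 1
  run "$TNC" verify -i "$host" || return 1
}

# Manual verification of an IP group, needed when the server was created with
# recheck_interval=0 (no scheduled rechecks). Returns 1 if any client is FAILED.
verify_group() {
  run "$TNC" verify -G "$1" || return 1
  failed=$(run "$TNC" list -s FAILED -i ALL -q) || return 1
  if [ -n "$failed" ]; then
    printf 'clients failing policy:\n%s\n' "$failed" >&2
    return 1
  fi
  return 0
}

# Usage: tnc_enroll.sh export <file> | enroll <host> <certfile> [sha256] | check <ipgroup>
if [ "$#" -gt 0 ]; then
  case "$1" in
    export) export_server_cert "$2" ;;
    enroll) enroll_client "$2" "$3" "${4:-}" ;;
    check)  verify_group "$2" ;;
    *) echo "usage: $0 {export <file>|enroll <host> <certfile> [sha256]|check <ipgroup>}" >&2; exit 64 ;;
  esac
fi
```

Run `tnc_enroll.sh export /tmp/server.txt` on the server, complete the client-side import and export, copy the client certificate back, then `tnc_enroll.sh enroll 11.11.11.11 /tmp/client.txt <sha256>`; a non-zero exit from `check <ipgroup>` is what a cron job should alert on when scheduled rechecks are disabled. The script trusts a client only after the fingerprint comparison passes, so a certificate substituted in transit is rejected before certadd runs.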
Security
Attention RBAC users and Trusted AIX® users:
This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.