Administration of Trusted Signature Database (TSD) and Trusted Execution function.
Add Files to TSD
trustchk [ -R module_name ] -s <private key file> -v <certificate file> [ -P ] -a [ tree ] { filename [ size=VOLATILE ] [ hardlinks=value ] [ symlinks=value ] ... | -f filename }
Delete Files from TSD
trustchk -d { filename...| ALL | -f filename }
Query TSD
trustchk -q { filename...| ALL |-f filename }
Switch to New Hashing Algorithm
trustchk -g [ SHA1 | SHA256 | SHA512 ]
System Scan
trustchk [ -i ] [ -x ] { -n | -t | -y } tree [ dirpath ... ]
Configure Policies
trustchk [ -@ { WparName | ALL } ] -p { [ TE [ = ON | OFF ] ] [ CHKEXEC [ = ON | OFF ] ] [ CHKSHLIB [ = ON | OFF ] ] [ CHKSCRIPT [ = ON | OFF ] ] [ CHKKERNEXT [ = ON | OFF ] ] [ STOP_UNTRUSTD [ = ON | OFF | TROJAN ] ] [ STOP_ON_CHKFAIL [ = ON | OFF ] ] [ LOCK_KERN_POLICIES [ = ON | OFF ] ] [ TEP [ = ON | OFF | PathList ] ] [ TLP [ = ON | OFF | PathList ] ] [ TSD_FILES_LOCK [ = ON | OFF | EXVOL ] ] [ TSD_LOCK [ = ON | OFF ] ] }
System Audit
trustchk [ -l ] [ -r ] { -n | -t | -y } { filename ... | ALL }
Using Alternate TSD File
trustchk -F TSDFile { -a | -d | -g | -q | -y | -n | -t }
Update TSD
trustchk -u <filename> [ <attr>=value ]
Generate Key and Certificate
trustchk -k -s <private key file> -v <certificate file> [ -N ] { [ -D ] "OU = distinguished name" }
Managing the Trusted Signature Database
Attributes | Usage |
---|---|
Owner | Name of the owner of the file. The owner ID cannot be used. |
Group | Name of the group of the file. The group ID cannot be used. |
Type | Type of the definition. Specifies whether the definition belongs to a file, directory, first-in-first-out special file (FIFO), character device, block device, or multiplexed device. |
Mode | Permission bits, along with additional parameters specifying whether SETUID, SETGID, TCB, or SVTX bits are set in the file. |
hardlink | Colon-separated list of hard links pointing to the file. |
symlink | Colon-separated list of symbolic links pointing to the file. |
size | Size of the file in bytes. |
cert_tag | ID of the digital certificate that was used to calculate the signature of this file. |
signature | Digital signature of the file calculated using RSA algorithm. |
hash_value | Cryptographic hash value of the file. By default, the SHA256 value is used to calculate the hash value. |
accessauths | Access authorization on the object. |
innateprivs | Innate privileges for the file. |
inheritprivs | Inheritable privileges for the file. |
authprivs | Privileges that will be assigned to users if they have the given authorizations. |
secflags | File security flags associated with the object. |
minslabel | Minimum sensitivity label for the object. This is valid only on a Trusted AIX® system. If no value is specified, the system low sensitivity label (SLSL) is assumed. |
maxslabel | Maximum sensitivity label for the object. This is valid only on a Trusted AIX system. This attribute is not applicable to regular files and FIFO. If no value is specified, the system low sensitivity label (SLSL) is assumed. |
intlabel | Integrity label for the object. This is valid only on a Trusted AIX system. If no value is specified, the system high integrity label (SHTL) is assumed. |
Audit the security state of the system
To audit the security state of the system, you must check the security parameters stored in the TSD against the parameters of the actual files present on the system. Use the trustchk command to do so. Any discrepancy between the two sets of values is reported to the user, and handled, according to the input flags specified. To check all of the files that are listed in the TSD, use the ALL parameter in place of filename. Alternatively, you can specify a list of file names separated by spaces on the command line.
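The audit described above, as an added example (this is not IBM's trustchk code): a small Python auditor that parses a TSD-style stanza file, compares the recorded owner, group, mode, type, size and hash_value with the live file, and reports each mismatch the way reporting-only mode would. The stanza layout (a file name ending in a colon followed by "attribute = value" lines), the octal mode string, the type names, and the interpretation of size=VOLATILE as "size and hash are not checked" are assumptions of this example; the audited file is constructed in a temporary directory. It also recomputes hash values for a different algorithm, the operation the -g flag performs on the whole TSD.

```python
"""TSD-style file audit (added example; not IBM's trustchk source).
Assumed: a stanza file is a file name ending in a colon, then "attr = value" lines;
mode is an octal string such as 755; size=VOLATILE skips the size and hash checks."""
import grp
import hashlib
import os
import pwd
import stat
import tempfile

HASH_ALGOS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}  # algorithms listed for -g
CHECKS = ("owner", "group", "mode", "type", "size", "hash_value")
TYPES = ((stat.S_ISREG, "FILE"), (stat.S_ISDIR, "DIRECTORY"), (stat.S_ISFIFO, "FIFO"),
         (stat.S_ISCHR, "CHAR"), (stat.S_ISBLK, "BLOCK"))           # type names are assumed

def parse_tsd(text):
    """Parse stanza text into {file_name: {attribute: value}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):        # blank or comment line
            continue
        if line.endswith(":"):                       # stanza header, e.g. "/usr/bin/ls:"
            current = line[:-1]
            entries[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            entries[current][key.strip()] = value.strip()
    return entries

def file_hash(path, algo="SHA256"):
    """Hex digest of the file content using one of the supported algorithms."""
    h = hashlib.new(HASH_ALGOS[algo])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def name_of(lookup, ident):
    """User or group name; falls back to the numeric id when there is no entry."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit_entry(path, attrs, algo="SHA256"):
    """Return (attribute, expected, actual) tuples for every mismatch on one file."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [("exists", "yes", "no")]
    volatile = attrs.get("size") == "VOLATILE"
    actual = {
        "owner": name_of(pwd.getpwuid, st.st_uid),
        "group": name_of(grp.getgrgid, st.st_gid),
        "mode": format(stat.S_IMODE(st.st_mode), "o"),   # e.g. "755" or "4755"
        "type": next((n for test, n in TYPES if test(st.st_mode)), "OTHER"),
        "size": None if volatile else str(st.st_size),
        "hash_value": (None if volatile or not stat.S_ISREG(st.st_mode)
                       else file_hash(path, algo)),
    }
    problems = []
    for name in CHECKS:
        expected = attrs.get(name)                   # None: attribute not recorded
        if expected is not None and actual[name] is not None and expected != actual[name]:
            problems.append((name, expected, actual[name]))
    return problems

def migrate_hashes(entries, algo):
    """Recompute hash_value of each regular file with a new algorithm (what -g does)."""
    for path, attrs in entries.items():
        if "hash_value" in attrs and os.path.isfile(path):
            attrs["hash_value"] = file_hash(path, algo)
    return entries

def demo():
    """Constructed scenario: record a file, audit it clean, tamper with it, audit again."""
    path = os.path.join(tempfile.mkdtemp(), "tool")
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\necho hello\n")
    os.chmod(path, 0o755)
    st = os.lstat(path)
    entries = parse_tsd(
        f"{path}:\n    owner = {name_of(pwd.getpwuid, st.st_uid)}\n"
        f"    group = {name_of(grp.getgrgid, st.st_gid)}\n    mode = 755\n"
        f"    type = FILE\n    size = {st.st_size}\n    hash_value = {file_hash(path)}\n")
    clean = audit_entry(path, entries[path])
    with open(path, "ab") as f:                      # tamper: append content, set the setuid bit
        f.write(b"echo extra\n")
    os.chmod(path, 0o4755)
    tampered = [p[0] for p in audit_entry(path, entries[path])]
    entries[path]["size"] = "VOLATILE"               # volatile file: only the mode is still flagged
    volatile = [p[0] for p in audit_entry(path, entries[path])]
    sha1_len = len(migrate_hashes(entries, "SHA1")[path]["hash_value"])
    return {"clean": clean, "tampered": tampered, "volatile": volatile, "sha1_len": sha1_len}
```

demo() returns an empty list for the untouched file, then ["mode", "size", "hash_value"] after the content and permission change, and only ["mode"] once the entry is marked VOLATILE, which is why volatile entries should be kept to the files that genuinely change at runtime: every attribute you mark as volatile is one the audit can no longer vouch for.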
Enabling the Trusted Execution function
To enable or disable the runtime integrity-verification function, which verifies a file's cryptographic hash before the file is started, use the trustchk command. To turn the Trusted Execution function on or off, set the TE policy with the -p flag (for example, trustchk -p TE=ON or trustchk -p TE=OFF).
Configure different policies for Trusted Execution
Item | Description |
---|---|
CHKEXEC | Checks the integrity of executable files that belong to the TSD before starting them. |
CHKKERNEXT | Checks the integrity of the kernel extensions that belong to the TSD before loading them. |
CHKSHLIB | Checks the integrity of shared libraries that belong to the TSD before loading them. |
CHKSCRIPT | Checks the integrity of shell scripts that belong to the TSD before starting them. |
LOCK_KERN_POLICIES | If this policy is disabled, then any policies can be enabled or disabled at any time. If this policy is enabled, then all of the other policies will be locked. To enable or disable a policy in such condition, disable the LOCK_KERN_POLICIES policy and then restart the system. |
STOP_ON_CHKFAIL | Stops the loading of files whose integrity check fails. |
STOP_UNTRUSTD | Stops the loading of files that do not belong to the TSD. The TROJAN value stops the loading of files that do not belong to the TSD and have one of the following security settings: |
TE | Enables or disables Trusted Execution. Policies can only be activated when the TE option is set to ON. |
TEP | Sets the value of the Trusted Execution path, and enables or disables it. The Trusted Execution path is a list of colon-separated absolute paths, for example, /usr/bin:/usr/sbin. When this policy is enabled, only files located in these directory paths are allowed to be started. If an executable program that does not belong to the TEP is to be loaded, the program is blocked. |
TLP | Sets the value of the Trusted Library path, and enables or disables it. The Trusted Library path is a list of colon-separated absolute paths, for example, /usr/lib:/usr/ccs/lib. When this policy is enabled, only libraries located in these directory paths can be loaded. If a program tries to load a library that does not belong to the TLP, the program is blocked. |
TSD_FILES_LOCK | Disables opening of files that belong to the TSD in write mode. The EXVOL value disables opening in write mode of only the nonvolatile files that belong to the TSD; the volatile files can still be changed. |
TSD_LOCK | Disallows opening of a TSD file (/etc/security/tsd/tsd.dat) in write mode to disable editing of the TSD. |
By default, the TSD defines all the files and programs that are part of the trusted computing base, but the privileged user or a member of the security group can choose to define only those files considered to be security-relevant.
The TE policies are stored in the /etc/security/tsd/tepolicies.dat file.
This command writes messages to standard error (stderr).
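The TEP and TLP policies in the table above both reduce to one decision: given a colon-separated list of absolute directories, may a file at a given path be started (TEP) or loaded (TLP)? The following Python is an added example of that decision, not the AIX kernel's own implementation. It assumes that a file belongs to a list entry when its normalised path lies below that directory, and it normalises ".." and repeated slashes before comparing so that a path such as /usr/bin/../../tmp/tool is not mistaken for a /usr/bin file; the path list and file names in demo() are constructed.

```python
"""Trusted Execution Path / Trusted Library Path decision (added example).
Models the rule stated in the TEP and TLP descriptions; not AIX code.
Assumed: a file belongs to a list entry when its normalised path lies below
that directory (child or deeper)."""
import os

def parse_path_list(value):
    """Split a colon-separated list of absolute directories, e.g. /usr/bin:/usr/sbin."""
    dirs = []
    for entry in value.split(":"):
        if not entry:                                 # tolerate "a::b" or a trailing colon
            continue
        if not os.path.isabs(entry):
            raise ValueError(f"path list entries must be absolute: {entry!r}")
        dirs.append(os.path.normpath(entry))          # strips trailing "/" and "//"
    return dirs

def belongs_to(file_path, directory):
    """True if file_path, after normalising '..' and '//', lies under directory."""
    target = os.path.normpath(file_path)
    if directory == "/":                              # root covers every absolute path
        return os.path.isabs(target)
    # The trailing "/" prevents /usr/binx/tool from matching the entry /usr/bin.
    return target.startswith(directory + "/")

def allowed_by_path_policy(file_path, policy_value, enabled=True):
    """Decide whether starting/loading file_path is permitted by a TEP/TLP value.
    With the policy OFF everything is allowed; with it ON, only files that belong
    to one of the listed directories are."""
    if not enabled:
        return True
    return any(belongs_to(file_path, d) for d in parse_path_list(policy_value))

def demo():
    """Constructed cases evaluated against TEP=/usr/bin:/usr/sbin."""
    tep = "/usr/bin:/usr/sbin"
    cases = ["/usr/bin/ls", "/usr/sbin/tool", "/usr/bin//ls", "/usr/binx/tool",
             "/usr/bin/../../tmp/tool", "/tmp/tool", "/usr/bin"]
    return {p: allowed_by_path_policy(p, tep) for p in cases}
```

Two of the cases show why the normalisation step matters: /usr/binx/tool must not match the /usr/bin entry by string prefix alone, and /usr/bin/../../tmp/tool resolves outside the trusted directories even though it starts with /usr/bin. The example compares paths without resolving symbolic links; a link inside /usr/bin therefore counts as belonging to it, which is this example's choice rather than a rule stated on the page.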
Scanning the system for TROJAN detection
Item | Description |
---|---|
-a filename | Adds file definitions to the TSD. The definitions are read from a file (the -f option) or are calculated by the command if you specify the absolute file name. The parameters shown in the synopsis (size=VOLATILE, hardlinks=value, symlinks=value) can be specified by the user together with the file name. To add a regular file to the TSD, you must specify the signing key with the -s flag; the key is an RSA private key in ASN.1/DER, PKCS#8 format, without pass phrase (that is, password) protection. You must also specify the associated certificate with the -v flag in ASN.1/DER format. The associated certificate contains the public key that is used to verify the signature of the file. The digital certificate that you specify is copied to a certificate store in the /etc/security/certificates file so that it can be used during system audits to verify the signature of the file. To add non-regular files, such as devices, directories, and FIFOs (first-in-first-out files), the private key and certificate are not required. |
-d | Deletes file definitions from the TSD. The name of the file whose stanza needs to be deleted from the TSD is specified at command line, or is placed in a file that can be specified with the -f flag. |
-D | This flag is used along with the -k flag when you want to enter the issuer DN and the subject DN from the command-line interface. |
-f filename | Specifies that file definitions are to be read from the file specified with the filename parameter. The file (or stanza) name must end with a colon. |
-F | Specifies that a different TSD file is to be used as the reference. This flag can be used with the -a, -d, -g, -q, -n, -t, or -y flags. |
-g [ SHA1 | SHA256 | SHA512 ] | Migrates the TSD to a new hashing algorithm. All of the hash_value fields in the file definitions are recomputed and updated in the TSD. The following algorithms are supported: SHA1, SHA256, and SHA512. To see the currently active algorithm, specify the -g flag without an algorithm name. |
-i | Used only with the -n, -t, or -y options together with the tree parameter. Skips the scanning of NFS-mounted file systems. |
-l | Specifies that only the Trusted AIX label attributes are to be verified. The -l option is valid only on a Trusted AIX system. |
-k | Generates the certificate and the private-key files by using the trustchk command. The key file name and the certificate file name must be specified with the -s and -v flags; the generated key and certificate are saved in those files. |
-n | Specifies the auditing mode, and indicates that errors are to be reported. Any discrepancy between the attributes in the TSD and the actual file parameters is printed to stderr. To check all of the entries in the TSD, use the ALL parameter. To scan the entire system or selected directories for TROJAN detection, use this flag with the tree parameter. |
-p | Configures Trusted Execution policies. You can turn on a policy from the command line, for example, policyA=ON. Specify a policy name alone to retrieve its current state (for example, trustchk -p CHKEXEC). The TE=ON option enables the policies except the TEP and TLP policies, which are not related to TE. The TEP and TLP policies can be automatically turned ON or OFF. The TEP=ON option enables the TEP function, and the TLP=ON option enables the TLP function. |
-P | Prompts you to enter the password that is used to encrypt or decrypt the private-key file. This option can be used along with the -a flag; when it is, the trustchk -a command prompts you for the password that is used to decrypt the private-key file. |
-q | Queries the TSD for a file name and prints its entire list of security attributes, that is, the stanza for the specified file name. To retrieve all of the entries of the TSD, use the ALL parameter instead of listing file path names. |
-r | Specifies that only the authorizations and privileges are to be checked. This flag is valid only on Enhanced RBAC and Trusted AIX systems. To check all of the entries in the TSD, use the ALL parameter. |
-R module_name | Specifies that the values for the TSD policy and the TE policy are to be taken from the specified module instead of the local copy. |
-s | Specifies the signing key used for signature calculation of a file while adding it to the TSD. The signing key is an RSA private key in ASN.1/DER in PKCS#8 format without pass phrase (that is, password) protection. |
-t | Specifies the auditing mode and indicates that errors are to be reported with a prompt asking whether each error should be fixed. To check all of the entries in the TSD, use the ALL parameter. To scan the entire system or selected directories for TROJAN detection, use this flag with the tree parameter. |
-u | Updates the value of the specified attribute in the TSD. If any of the RBAC attributes are changed using the trustchk -u command, you must run the setkst command explicitly to update the kernel table. Note: This flag supports the following attributes: owner, group, mode, hardlinks, symlinks, accessauths, innateprivs, inheritprivs, authprivs, secflags, t_innateprivs, t_inheritprivs, t_secflags, t_authprivs, t_accessauths, and type. |
-v | Specifies the verification certificate that is associated with the signing key (using the -s flag). This certificate is copied into a certificate store in the /etc/security/certificate file, and is used to verify the file signature during auditing. If a certificate with the same certificate ID already exists in the store, then it is overwritten with a new certificate. The verification certificate is in ASN.1/DER format. |
-x | Used only with the -n, -t, or -y options together with the tree parameter. Does not follow symbolic links. |
-y | Specifies the auditing mode, and indicates that errors are to be fixed and reported. To check all of the entries in the TSD, use the ALL parameter. To scan the entire system or selected directories for TROJAN detection, use this flag with the tree parameter. Attention: Use the -y option with care. It might make a file unusable if the trustchk command encounters a discrepancy. |
-@ WparName | Lists the TE policies of a system WPAR. |
This command returns the following exit values:
Item | Description |
---|---|
0 | Successful completion. |
>0 | An error has occurred. |
Examples
trustchk -s /home/guest/privkey.der -v /home/guest/certificate.der -a /usr/bin/ls
trustchk -s /home/guest/privkey.der -v /home/guest/certificate.der -a /usr/bin/passwd size=VOLATILE
trustchk -s /home/guest/privkey.der -v /home/guest/certificate.der -a /usr/bin/ls hardlinks=/usr/local/bin/ls
trustchk -d /usr/bin/logname
trustchk -s /home/guest/privkey.der -v /home/guest/certificate.der -a -f /home/guest/filedef.in
trustchk -p CHKEXEC=ON
trustchk -p TE=ON
trustchk -n ALL
trustchk -g
trustchk -@ <wpar> -p
trustchk -@ ALL -p
trustchk -n tree
trustchk -y /usr
trustchk -i -t tree
trustchk -R LDAP -p