tcbck Command

Purpose

Audits the security state of the system.

Syntax

Check Mode

tcbck { -n | -p | -t| -y } [ -i ] [-o] { ALL | tree | { Name ... Class ... } }

Update Mode

tcbck -a -f File | PathName Attribute = Value ...

OR

tcbck -d -fFile | { PathName ... | Class ... }

OR

tcbck -l /dev/filename /dev/filename

Exit Status

This command returns the following exit values:
0
User definition files are appropriate.
>0
An error occurred or there is an error in one or more user definition files.
The following error codes are returned:
EINVAL (22)
Invalid command line arguments
ENOENT (2)
One or more user definition files do not exist
ENTRUST (114)
Errors in user definitions in the database files

Description

The tcbck command audits the security state of the system by checking the installation of the files defined in the /etc/security/sysck.cfg file (the sysck database). Each file definition in the /etc/security/sysck.cfg file can include one or more attributes that describe proper installation. When invoked with no flags and with no parameters, the tcbck command prints a synopsis of its syntax.

The tcbck database usually defines all the files and programs that are part of the trusted computing base, but the root user or a member of the security group can choose to define only those files considered to be security-relevant.

Note: This command writes its messages to stderr.

Flags

Item Description
-a Adds or updates file definitions in the sysck database.
-d Deletes file definitions from the sysck database.
-f File Specifies that file definitions be read from File.
-i Excludes filesystems under directories listed in the treeck_nodir attribute when the tree option is specified.
-l (Lowercase L) Adds entries to the sysck.cfg file for /dev/ files that the administrator would like registered with the Trusted Computing Base.
-n Specifies the checking mode and indicates that errors are to be reported, but not fixed.
-o Writes output to syslog.
-p Specifies the checking mode and indicates that errors are to be fixed, but not reported.
-t Specifies the checking mode and indicates that errors are to be reported with a prompt asking whether the error should be fixed.
-y Specifies the checking mode and indicates that errors are to be fixed and reported.

Modes of Operation

The tcbck command has two modes of operation: check mode and update mode. A description of each mode follows.

Check Mode

In check mode, the tcbck command checks file definitions against the installed files. You can check all the file definitions in the sysck database (the /etc/security/sysck.cfg file) by specifying the ALL value, or all the files in the file system tree by specifying the tree value. If you prefer to check specific files, you can use the Name parameter to give the path names of individual files or the Class parameter to group several files into a logical group that is defined by a class name, such as audit. You must select one of the following: the ALL or tree values, or one or more files identified by the Class or Name parameter.

If the tree value is the selection criterion, all the files in the file system tree are checked to ensure that all the relevant files are defined in the sysck database. Files defined in the tcbck database are checked against their definitions. Files not in the tcbck database must not:

If the tcbck command is running in check mode with both the tree value and the -t flag and an error occurs, the command provides an error message and prompts you for a decision on how or whether the error should be corrected. If you decide not to delete the file or turn off illegal permissions, you are prompted for a decision on updating the database. If you request an update, the system supplies missing information, such as the name of the file, the link, or the unregistered device name.

A flag ( -n, -p, -t, -y ) also must be included to specify check mode and identify the method of error handling. If there is a duplicate stanza in the /etc/security/sysck.cfg file, an error is reported, but not fixed.

Updating the Vital Product Database (VPD) involves defining the type, checksum, and size attributes of each file to the VPD manager. This information is used to verify a correct installation. If these attributes are not defined in -f File, they are computed when the program is installed or updated. The checksum attribute is computed with a method specifically defined for the VPD manager. Refer to Fixing Errors for more information on file attributes.

The only file definitions modified during an update are the new definitions that indicate a file is part of the trusted computing base (TCB). The File parameter is the stanza file that contains the file definitions in tcbck format, and is defined in the /etc/security/sysck.cfg file. When the update is complete, the files are checked against their file definitions in the stanza file and errors are fixed and reported.

Programs that require setuid or setgid privilege must be in the tcbck database, or these privileges will be cleared when the tcbck command runs in Check mode.

Update Mode

In update mode, the tcbck command adds (-a), deletes (-d), or modifies file definitions in the /etc/security/sysck.cfg file for the file specified by the File parameter, the PathName parameter, or the Class parameter. The Class parameter permits you to group several files into a logical group that is defined by a class name, such as audit. The tcbck command also deletes the specified stanzas from the /etc/security/sysck.cfg file.

In update mode, the tcbck command (-l) adds or modifies /dev/ entry definitions in the /etc/security/sysck.cfg file for the specified /dev entry. This flag should be run by the administrator to add newly created devices that are trusted to the sysck.cfg file. If new devices are not added to the sysck.cfg file, the tree option produces warnings of unregistered devices.

The -l flag creates a stanza for each /dev/ entry listed on the command line. The information for the stanza is taken from the current status of the /dev entry. The stanza includes:

Device name /dev/ entry name
File type Either FILE, DIRECTORY, FIFO, SYMLINK, BLK_DEV, CHAR_DEV, or MPX_DEV
Owner ID Owner name
Group ID Group name
Permissions Read/write/execute permissions for owner, group and other. SUID, SGID, SVTX and TCB attribute bits
Target If the file is a symbolic link, the target file will be listed.

File definitions to be added or modified with the -a flag can be specified on the command line or in a file as Attribute=Value statements. The following attributes can be used:

Item Description
acl The access control list for the file. If the value is blank, the acl attribute is removed. If no value is specified, the command computes a value, according to the format described in Access Control Lists.
class The logical group of the file. A value must be specified, because it cannot be computed. If the value is blank, the class attribute is removed from the specified file stanza. The value is ClassName [ClassName].
checksum The checksum of the file. If the value is blank, the checksum attribute is removed. If no value is specified, the command computes a value, according to the format given in the sum command. The value is the output of the sum -r command, including spaces.
group The file group. If the value is blank, the group attribute is removed. If no value is specified, the command computes a value, which can be a group ID or a group name.
links The hard links to this file. If the value is blank, the links attribute is removed. A value must be specified, because it cannot be computed. The value must be an absolute path name, expressed as Path [,Path ...].
mode The File mode. If the value is blank, the mode attribute is removed. If no value is specified, the command computes a value, which can be an octal number or string (rwx), and have the tcb, SUID, SGID, and SVTX attributes.
owner The file owner. If the value is blank, the owner attribute is removed. If no value is specified, the command computes a value, which can be a user ID or a user name.
program The associated checking program for the file. If the value is blank, the program attribute is removed. A value must be specified, because it cannot be computed. The value must be an absolute path name. If flags are specified, the value should be expressed as Path, Flag.
symlinks The symbolic links to the file. If the value is blank, the symlinks attribute is removed. A value must be specified, because it cannot be computed. The value must be an absolute path name, expressed as Path [,Path..].
size The size of the file in bytes. If the value is blank, the size attribute is removed. If no value is specified, the command computes a value. The value is a decimal number.
source The source for the file. If the value is blank, the source attribute is removed. If no value is specified, an empty file of the appropriate type is created. The value must be an absolute path name.
type The type of file. This value cannot be blank. If no value is specified, the command computes a value, which can be the FILE, DIRECTORY, FIFO, BLK_DEV, CHAR_DEV, or MPX_DEV keywords.

You can add, delete, or modify the attributes of the tcbck command by creating or modifying a sysck stanza in the /etc/security/sysck.cfg file. The following attributes can be used:

Item Description
checksum An alternate checksum command to compute the checksum value of files. The system appends the name of each file to the command. If the value is blank, this alternate checksum attribute is removed. The value is the command string to be run on each file. The default string is /usr/bin/sum -r <.
setgids An additional list of administrative groups to be checked for setgid programs that are not valid (groups with ID numbers greater than 200). If the value is blank, the setgids attribute is removed. The value is a comma separated list of group names.
setuids An additional list of administrative users to be checked for setuid programs that are not valid (users with ID numbers greater than 200). If the value is blank, the setuids attribute is removed. The value is a comma separated list of user names.
treeck_nodir A list of directories to be excluded from verification by the tcbck command. If the value is blank, the treeck_nodir attribute is removed. The value is a comma separated list of directories. File systems that exist under directories contained in this attribute are not excluded. Use the -i flag to exclude these file systems.

Use this option only when the tree option is specified.

treeck_novfs A list of file systems to be excluded from verification by the tcbck command during a check of an installed file system tree. If the value is blank, the treeck_novfs attribute is removed. The value is a comma separated list of file systems.

Use this option only when the tree option is specified.

Refer to the /etc/security/sysck.cfg file for more information about these attributes and Examples for information about a typical stanza.

If Attributes are included without values, the command tries to compute the value from the file to be changed. The type attribute is mandatory, but the others do not need to be specified.

Fixing Errors

To fix errors, the tcbck command usually resets the attribute to the defined value. For the following attributes, the command modifies its actions as described:

Item Description
checksum Disables the file by clearing its access control list, but does not stop any further checks.
links Creates any missing hard links. If a link exists to another file, the link is deleted.
program Invokes the program, which must exist and have an absolute path name. A message is printed if an error occurs, but no additional action is taken.
size Disables the file by clearing its access control list, but does not stop any further checks.
source Copies the source file to the file identified by the File parameter. If the source is null, any existing file is deleted and a file of the correct type is created.
symlinks Creates any missing symbolic links. If a link exists to another file, the link is deleted.
type Disables the file by clearing its access control list, and stops any further checks.

If you used the -t flag with the tcbck command, you are prompted for a decision on fixing errors. If you answer yes, errors are fixed. If you give any other response, errors are not fixed.

Security

Access Control: This command grants execute (x) access only to the root user and members of the security group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed:

Mode File
r /etc/passwd
r /etc/group
r /etc/security/user
rw /etc/security/sysck.cfg
x /usr/bin/aclget
x /usr/bin/aclput
x /usr/bin/sum

Auditing Events:

Event Information
TCBCK_Check file, error, status
TCBCK_Update file, function

Examples

  1. To add the /bin/boo file with acl, checksum, class, group, owner, and program attributes to the tcbck database, type:
    tcbck -a /bin/boo acl checksum class=audit group owner\
    program=/bin/boock
    The resulting stanza will contain the attributes given previously, with computed values inserted for those attributes you do not define. The database will contain a stanza like the following:
    /bin/boo:
           acl = 
           checksum = 48235
           class = audit
           group = system
           owner = root
           program = /bin/boock
           type = FILE          
    The attribute values are added to the installation definition but are not checked for correctness. The program attribute value comes from the command line, the checksum attribute value is computed with the checksum program, and all the others, except acl, are computed from the file i-node.
  2. To indicate that the size of a file should be checked but not added to the database, because it can expand during installation, use the VOLATILE keyword, as in the following example for the /etc/passwd file:
    /etc/passwd:
            type =  FILE
            owner = root
            group = system
            size  = 1234,VOLATILE
  3. To delete the /bin/boo file definition from the tcbck database, type:
    tcbck -d /bin/boo 
  4. To delete all definitions with a class of audit from the tcbck database, type:
    tcbck -d audit
  5. To check all the files in the tcbck database, and fix and report all errors, type:
    tcbck -y ALL
  6. To exclude the /calvin and the /hobbes file systems from verification during a security audit of an installed file system tree, type:
    tcbck -a sysck treeck_novfs=/calvin,/hobbes 
  7. To exclude a directory from verification during a security audit, type:
    tcbck -a sysck treeck_nodir=/home/john
  8. To add jfh and jsl as administrative users and developers as an administrative group to be verified during a security audit of an installed file, type:
    tcbck -a sysck setuids=jfh,jsl setgids=developers
  9. To create/modify sysck.cfg stanza entries for the newly created /dev entries foo and bar, type:
    tcbck -l /dev/foo /dev/bar
    Note: By adding these entries you are registering them as part of the Trusted computing base.
Attention: Although the special characters "$" and "?" are allowed in this routine, using them in filenames may result in potential problems such as ambiguous files.

Files

Item Description
/usr/bin/tcbck Specifies the path to the tcbck command.
/etc/security/sysck.cfg Specifies the path to the system configuration database.