trustchk Command

Purpose

Administration of Trusted Signature Database (TSD) and Trusted Execution function.

Syntax

Add Files to TSD

trustchk [ -R module name ] -s <private key file> -v <certificate file> [ -P ] -a [tree] { filename [ size=VOLATILE ] [ hardlinks=value ] [ symlinks=value ]...| -f filename }

Delete Files from TSD

trustchk -d { filename...| ALL | -f filename }

Query TSD

trustchk -q { filename...| ALL |-f filename }

Switch to New Hashing Algorithm

trustchk -g [ SHA1 | SHA256 | SHA512 ]

System Scan

trustchk [-i] [ -x ] { -n | -t | -y } tree [dirpath…….]

Configure Policies

trustchk [ -@ { WparName | ALL } ] -p { [ TE [ = ON | OFF ] ] [ CHKEXEC [ = ON | OFF ] ] [ CHKSHLIB [ = ON | OFF ] ] [ CHKSCRIPT [ = ON | OFF ] ] [ CHKKERNEXT [ = ON | OFF ] ] [ STOP_UNTRUSTD [ = ON | OFF | TROJAN ] ] [ STOP_ON_CHKFAIL [ = ON | OFF ] ] [ LOCK KERN POLICIES [ = ON | OFF ] ] [ TEP [ = ON | OFF | PathList ] ] [ TLP [ = ON | OFF | PathList [ TSD_FILES_LOCK [ = ON | OFF | EXVOL] ] [ TSD_LOCK [ = ON | OFF ] ] }

System Audit

trustchk [ -l ] [ -r ] { -n | -t | -y } { filename... | ALL } }

Using Alternate TSD File

trustchk -F TSDFile { -a | -d | -g | -q | -y | -n | -t }

Update TSD trustchk

trustchk -u <filename>[<attr>=value]

trustchk -k -s <private key file> -v certificate file [ -N ] { [ -D ] "OU = distinguished name"}

Description

Managing the Trusted Signature Database

Privileged users use the trustchk command to add, delete, or list entries to the Trusted Signature Database (TSD). The TSD is a database of security attributes of the trusted files that are present on the system. The TSD is in the /etc/security/tsd/tsd.dat file. This database gets populated at installation time. It stores the security attributes of the trusted files that are present on the system. The following attribute list forms a part of a file definition (stanza):
Attributes Usage
Owner Name of the owner of the file. The owner ID cannot be used.
Group Name of the group of the file. The group ID cannot be used.
Type Type of the definition. Specifies if the definition belongs to a file, directory, first-in-first-out special files (FIFO), character device, block device, or a multiplexed device .
Mode Permission bits, along with additional parameters specifying whether SETUID, SETGID, TCB, or SVTX bits are set in the file.
hardlink Colon-separated list of hard links pointing to the file.
symlink Colon-separated list of symbolic links pointing to the file.
size Size of the file in bytes.
cert_tag ID of the digital certificate that was used to calculate the signature of this file.
signature Digital signature of the file calculated using RSA algorithm.
hash_value Cryptographic hash value of the file. By default, the SHA256 value is used to calculate the hash value.
accessauths Access authorization on the object.
innateprivs Innate privileges for the file.
inheritprivs Inheritable privileges for the file.
authprivs Privileges that will be assigned to users if they have the given authorizations.
secflags File security flags associated with the object.
minslabel Minimum sensitivity label for the object. This is valid only on a Trusted AIX® system. If no value is specified, the system low sensitivity label (SLSL) is assumed.
maxslabel Maximum sensitivity label for the object. This is valid only on a Trusted AIX system. This attribute is not applicable to regular files and FIFO. If no value is specified, the system low sensitivity label (SLSL) is assumed.
intlabel Integrity label for the object. This is valid only on a Trusted AIX system. If no value is specified, the system high integrity label (SHTL) is assumed.

Audit the security state of the system

To audit the security state of the system, you must check the security parameters stored in the TSD against the parameters of the actual files present on the system. Use the trustchk command to do so. Any discrepancy in the values is pointed to the user based on the input flags specified. To check all of the files that are listed in the TSD, use the ALL parameter in place of filename. You can specify a list of files separated by spaces on the command line.

Enabling the Trusted Execution function

To enable or disable the runtime integrity-verification function that is responsible for verifying of a file's cryptographic hash before being started, use the trustchk command. To turn the Trusted Execution function on or off, use the TE -p flag.

Configure different policies for Trusted Execution

To enable or disable different security policies that are used with the Trusted Execution mechanism, use the trustchk command. You can specify the following different policies:
Item Description
CHKEXEC Checks the integrity of executable file that belongs to the TSD before starting it.
CHKKERNEXT Checks the integrity of the kernel extensions that belong to the TSD before loading them.
CHKSHLIB Checks the integrity of shared libraries that belong to the TSD before loading them.
CHKSCRIPT Checks the integrity of shell scripts that belong to the TSD before starting them.
LOCK_KERN_POLICIES If this policy is disabled, then any policies can be enabled or disabled at any time. If this policy is enabled, then all of the other policies will be locked. To enable or disable a policy in such condition, disable the LOCK_KERN_POLICIES policy and then restart the system.
STOP_ON_CHKFAIL Stops the loading of files whose integrity check fails.
STOP_UNTRUSTD Stops the loading of files that do not belong to the TSD.

TROJAN

Stops the loading of files that do not belong to the TSD and have one of the following security settings:
  • Have suid/sgid bit set
  • Linked to a file in the TSD
  • Have entry in the privcmds Database
  • Be linked to a file in the privcmds database
TE Enables or disables Trusted Execution. Policies can only be activated when the TE option is set to ON.
TEP Sets the value of Trusted Execution path, and enables or disables it. The Trusted Execution path consists of a list of colon-separated absolute paths, for example, the /usr/bin:/usr/sbin. When this policy is enabled, the files belonging to only these directory paths are allowed to be started. If an executable program that does not belong to the TEP is to be loaded, the program is blocked.
TLP Sets the value of Trusted Library path, and enables or disables it. The Trusted Library Path consists of a list of colon-separated absolute paths, for example, the /usr/lib:/usr/ccs/lib. When this policy is enabled, the libraries belonging to only these directory paths can be loaded. If a program tries to load a library that does not belong to the TLP, the program is blocked.
TSD_FILES_LOCK Disables opening of files belonging to the TSD in write mode.

EXVOL

Disables the opening of only the nonvolatile files that belong to the TSD in write mode. The volatile files can be changed.
TSD_LOCK Disallows opening of a TSD file (/etc/security/tsd/tsd.dat) in write mode to disable editing of the TSD.

By default, the TSD defines all the files and programs that are part of the trusted computing base, but the privileged user or a member of the security group can choose to define only those files considered to be security-relevant.

The TE policies are stored in the /etc/security/tsd/tepolicies.dat file.

This command writes messages to the standard error log (stderr).

Scanning the system for TROJAN detection

Trustchk has the capability to detect the system for TROJAN, if any executable is present on the system and you do not have the entry in TSD and have one of the following security settings:
  • have suid/sgid bit set
  • linked to a file in the TSD
  • have entry in the privcmds database
  • be linked to a file in the privcmds database

Flags

Item Description
-a filename Adds file definitions in the TSD. The definitions are read from a file (the -f option) or are calculated by the command if you specify the absolute file name. The following parameters can be specified by the user with the file name:
size=VOLATILE
Specifies the size of a file. This attribute can only use the VOLATILE value. The VOLATILE value indicates that the file that this definition belongs to is volatile in nature. The contents of the file change frequently, so during audits, the size, hash value and the signature of this file should not be checked.
hardlinks=value
Supplies the hard links to a file that cannot be computed independently by the trustchk command.
symlinks=value
Supplies the symbolic links to a file.
-tree
This tree parameter is used along with the –a flag. It supports adding of stanzas to the trustchk database recursively when the directory name is provided along with the –a flag. If the file name is mentioned, the stanza for the file name is added.

To add a regular file to the TSD, you must specify the private key, or specify the signing key with the -s flag in ASN.1/DER in PKCS#8 format without pass phrase (that is, password) protection. You must also specify the associated certificate with the -v flag in ASN.1/DER. The associated certificate contains the public key that will be used to verify the signature of the file. The digital certificate that you specified is copied to a certificate store in the /etc/security/certificates file so that it can be used during system audits to verify the signatures of the file. To add non-regular files, such as devices, directories and FIFO (that is, the first-in-first-out file), the private key and certificate is not required.

-d Deletes file definitions from the TSD. The name of the file whose stanza needs to be deleted from the TSD is specified at command line, or is placed in a file that can be specified with the -f flag.
-D This flag is used along with the –k flag when you want to enter the issuer DN and the Subject DN from the command-line interface.
-f filename Specifies that file definitions are to be read from the file specified with the filename parameter. The file (or stanza) name must end with a colon.
-F Specifies that a different the TSD file be used as a reference. This flag can be used with the -a, -d, -g, -q, -n, -t, or -y flags.
-g [ SHA1 | SHA256 | SHA512 ] Migrates the TSD to a new hashing algorithm. All of the hash_value fields in the file definitions are recomputed and updated in the TSD. The following algorithms are supported: SHA1, SHA256 and SHA512.

To see the currently active algorithm, specify the -g flag without any algorithm names.

-i

Only used with –n,-t,-y options and long with tree parameter. It will ignore the scanning of NFS mounted filesystem.

-l Specifies that only the Trusted AIX label attributes are to be verified. The -l option is valid only on a Trusted AIX system.
-k Generates the certificate and the private key files by using the trustchk command. The key file name and certificate file names must be specified by -s and -v flag. The generated keys are saved in the files that are specified files by the -s and -v flags.
-n Specifies the auditing mode, and indicates that the errors are to be reported. Any discrepancy between the attributes in the TSD and the actual file parameters are printed to the stderr. error file. To check all of the entries in the TSD, use the ALL parameter. To scan the entire system or directories for TROJAN detection, use with tree parameter.
-p Configures Trusted Execution policies. You can turn on the policy configuration from command line, for example, policyA=ON. Specify a policy name to retrieve its current state (for example, trustchk -p CHKEXEC).

The TE=ON option enables policies except the TEP and TLP policies that are not related to TE

The TEP and TLP policies can be automatically turned ON or turn OFF. The TEP=ON option enables the TEP, and the TLP=ON option enables the TLP function.
-P Prompts you to enter the password. This password is used to encrypt or decrypt the private-key file. This option can be used along with –a flag.

When this flag is used with thetrustchk –a command, it prompts you to enter the password which is used to decrypt the private-key file.

-q Queries the TSD for a file name. Prints the entire list of security attributes, for example, stanza for the specified file name. To retrieve all of the entries of the TSD, use the ALL parameter instead of listing file path names.
-r Specifies check that only the authorizations and privileges are to be checked. This flag is valid only on Enhanced RBAC and a Trusted AIX system. To check all of the entries in the TSD, use the ALL flag.
-R module_name Specifies that the values for the TSD policy and TE policy to be taken from the module specified instead of the local copy.
-s Specifies the signing key used for signature calculation of a file while adding it to the TSD. The signing key is an RSA private key in ASN.1/DER in PKCS#8 format without pass phrase (that is, password) protection.
-t Specifies the auditing mode and indicates that errors are to be reported with a prompt asking whether the error should be fixed. To check all of the entries in TSD, use the ALL option. To scan the entire system or directories for TROJAN detection, use with tree parameter.
-u Updates the value of the specified attribute in TSD. If any of the rbac attributes are changed using the trustchk –u command, you must run the setkst explicitly. This updates the kernel table.
Note: This flag supports the following attributes: Owner, group, mode, Hardlinks, symlinks, accessauths, innateprivs, inheritprivs, authprivs, secflags, t_innateprivs, t_inheritprivs, t_secflags, t_authprivs, t_accessauths, and type.
-v Specifies the verification certificate that is associated with the signing key (using the -s flag). This certificate is copied into a certificate store in the /etc/security/certificate file, and is used to verify the file signature during auditing. If a certificate with the same certificate ID already exists in the store, then it is overwritten with a new certificate. The verification certificate is in ASN.1/DER format.
-x Only used with -n, -t, -y options and long with tree parameter. Do not follow the symbolic link.
-y Specifies the auditing mode, and indicates that errors are to be fixed and reported. To check all of the entries in the TSD, use the ALL parameter. To scan the entire system or directories for TROJAN detection, use with tree parameter.
Attention: Use the -y option with care. It might make a file unusable if the trustchk command encounters a discrepancy.
-@ WparName Lists the TE polices of a system WPAR.

Exit Status

This command returns the following exit values:

Item Description
0 Successful completion.
>0 An error has occurred.

Examples

  1. To add a new file definition for /usr/bin/ls using private key located at /home/guest/privkey.der and an associated certificate at /home/guest/certificate.der , enter the following command:
    trustchk –s /home/guest/privkey.der –v /home/guest/certificate.der 
    –a  /usr/bin/ls
  2. To add a file as a volatile file to the TSD using same pair of private key and certificate in the previous example, enter the following command:
    trustchk –s /home/guest/privkey.der –v /home/guest/certificate.der 
     –a  /usr/bin/passwd size=VOLATILE
  3. To add a file /usr/bin/ls with a /usr/local/bin/ls hardlink to TSD using same pair of private key and certificate in the first example, enter the following command:
     trustchk–s /home/guest/privkey.der –v /home/guest/certificate.der 
    –a  /usr/bin/ls hardlinks=/usr/local/bin/ls 
  4. To delete a file /usr/bin/logname, enter the following command:
     trustchk –d  /usr/bin/logname
  5. To add file definitions stored in a file /home/guest/filedef.in, enter the following command:
    trustchk –s /home/guest/privkey.der 
    –v /home/guest/certificate.der 
    –a  -f /home/guest/filedef.in
  6. To enable policy for checking executable file listed in the TSD on every load, follow these steps:
    1. Configure the policy by entering the following command:
      trustchk –p CHKEXEC=ON
    2. Activate the policy by entering the following command:
      trustchk –p TE=ON
  7. To check the integrity of all of the files belonging to the TSD, enter the following command:
    trustchk –n ALL
  8. To print the value of the currently active hash algorithm for TSD, enter the following command:
    trustchk -g
  9. To list all the policies of a WPAR, enter the following command:
    trustchk -@ <wpar> -p
  10. To list all the policies of all WPARs, enter the following command:
    trustchk -@ ALL -p
  11. To scan the whole system for a TROJAN detection report only, enter the following command:
    trustchk –n tree
  12. To scan only dir /usr for TROJAN detection and automatically fix them, enter the following command:
    trustchk  -y /usr
  13. To scan the entire system for TROJAN detection, except NFS mounts filesystem, and fixes them interactively, enter the following command:
    trustchk –i –t tree
  14. To take the values from the LDAP server instead of the local copy, enter the following command:
    trustchk –R LDAP -p