Contains file definitions for the trusted computing base.
The /etc/security/sysck.cfg file is a stanza file that contains definitions of file attributes for the trusted computing base. The name of each stanza is the pathname of a file, followed by a : (colon). Attributes are in the form Attribute=Value. Each attribute is ended with a new-line character, and each stanza is ended with an additional new-line character.
Each stanza can have one or more of the following attributes, and must have the type attribute:
Item | Description |
---|---|
acl | Defines the access control list of the file, including the SUID, SGID, and SVTX bits. The value is the Access Control List, in the format described in Access control lists in AIX® Version 7.1 Operating system and device management. |
class | Defines a group of files for checking, deleting, or updating. A file can be in more than one class. The value is the ClassName [ClassName]parameter. |
checksum | Defines the checksum, as computed with the sysck checksum program. This attribute is valid only for regular files. The value is the output of the sum -r command, including spaces. |
group | Defines the group name or numeric group ID, expressed as the GroupName or GroupID parameter. |
links | Defines the absolute paths that have hard links to this object. The value must be an absolute pathname, expressed as the Path, [Path ...] parameter. |
mode | Defines the file mode, expressed as the Flag, Flag ..., PBits parameters. The Flag parameter can contain the SUID, SGID, SVTX, and tcb mode attributes. The Pbits parameter contains the base file permissions, expressed either in octal form, such as 640, or symbolic form, such as rw-,r—, r—. The order of the attributes in the Flag parameter is not important, but base permissions must be the last entry in the list. The symbolic form may include only read (r), write (w), and execute (x) access. If the acl attribute is defined in the stanza, the SUID, SGID, and SVTX mode attributes are ignored. For a typical mode specification, see the Examples section. |
owner | Defines the name or numeric ID of the file owner, expressed as the OwnerName or the OwnerID parameter. |
size | Defines the size of the file in bytes. This attribute is valid only for regular files. The value is a decimal number. A VOLATILE value in the size field indicates that the size of the file will change (so no checksum value can be given). |
type | The type of object. Select one of the following keywords: FILE, DIRECTORY, FIFO, BLK_DEV, CHAR_DEV, or MPX_DE. |
Stanzas in this file can be created and altered with the sysck command. Direct alteration by other means should be avoided, since other accesses may not be supported in future releases.
Attributes that span multiple lines must be enclosed in double quotes and have new line characters entered as \n.
Since device configuration and the sysck.cfg database are independent and are not integrated, there is no automatic addition of syck.cfg entries when a device is added. Hence, given the automatic configuration of devices at boot time, it is the responsibility of the administrator to maintain /etc/security/sysck.cfg. This is also true in the case of mirrored rootvg, since /dev/ipldevice gets relinked dynamically to the other disk when the system is rebooted off the mirrored disk.
Access Control: This file should grant read (r) access to the root user and members of the security group, and write (w) access to the root user only. General users do not need read (r) access.
/etc/passwd:
type = file
owner = root
group = passwd
mode = TCB,640
mode = SUID,TP,TCB,rwxr-x---
mode = SUID,TP,TCB,750
Item | Description |
---|---|
/etc/security/sysck.cfg | Specifies the path to the system configuration data base. |