This document, which applies to AIX Versions 3.2 through 4.x, describes how to update the /etc/security/sysck.cfg TCB database to match what is currently installed on your system.
The Trusted Computing Base enforces the information security policies of the system.
WARNING: Do not run tcbck -y ALL unless you are sure the files on the system match the contents of the sysck.cfg database. This command will disable the ACLs of any files that do not match.
Please read about the tcbck command in the AIX product documentation and become familiar with its options and functions.
Following are some examples for using the tcbck command. Please refer to the man page for the tcbck command for a full description of function, flags and attributes.
NOTE: Since device configuration and the sysck.cfg database are independent and are not integrated, there is no automatic addition of new devices to the sysck.cfg database when a device is added to the system. Hence, given the automatic configuration of devices at boot time, it is the responsibility of the system administrator to maintain the /etc/security/sysck.cfg database.
This is also true in the case of mirrored rootvg, since the /dev/ipldevice is relinked dynamically to the other disk when the system is rebooted off the mirrored disk.
If a device is added to the system, the sysck.cfg database must be updated manually using the procedures outlined in this document.
NOTE: This will overwrite /etc/security/sysck.cfg. Save a copy of this file before starting this script.
#!/bin/ksh
for x in $( grep : /etc/security/sysck.cfg | sed 's/://g' | tail +2 )
do
    echo "working on" $x
    if [ -d "$x" -o -c "$x" -o -b "$x" ]
    then
        # if directory or special file - size and checksum do not apply
        tcbck -a $x owner group type mode
    else
        tcbck -a $x owner group type mode size checksum
    fi
done
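The script above rewrites the database from whatever is currently on disk, so comparing the saved copy with the rebuilt file shows which stanzas were added, removed, or given a new size or checksum. The following is an added example, not part of the original document. The names sysck_changed and demo, the file names, and the sample stanzas are hypothetical, and it assumes the stanza layout shown in this document (a name ending in a colon, followed by indented attribute = value lines).

```sh
# Added example, not from the original document. Sample stanzas are constructed.
# sysck_changed SAVED REBUILT: list stanzas whose size or checksum differ.
sysck_changed() {
    awk '
        function save() {   # store the finished stanza under the file it came from
            if (name == "") return
            if (cur == ARGV[1]) before[name] = size "\t" sum
            else                after[name]  = size "\t" sum
            name = ""
        }
        FNR == 1 { save(); cur = FILENAME }
        /^[^ \t*].*:[ \t]*$/ {   # stanza header: column 1, ends with a colon
            save(); name = $0; sub(/:[ \t]*$/, "", name); size = sum = ""; next
        }
        /^[ \t]+size[ \t]*=/     { size = $0; sub(/^[^=]*=[ \t]*/, "", size) }
        /^[ \t]+checksum[ \t]*=/ { sum = $0;  sub(/^[^=]*=[ \t]*/, "", sum) }
        END {
            save()
            for (n in after) {
                if (!(n in before))             print "ADDED " n
                else if (after[n] != before[n]) print "CHANGED " n
            }
            for (n in before) if (!(n in after)) print "REMOVED " n
        }
    ' "$1" "$2" | sort
}

demo() {   # constructed sample: saved copy vs. database after the rebuild
    d=$(mktemp -d) || return 1
    cat > "$d/saved" <<'EOF'
/usr/bin/acledit:
        size = 5010
        checksum = "11111     5 "
/usr/bin/example_tool:
        size = 2048
        checksum = "22222     2 "
EOF
    cat > "$d/rebuilt" <<'EOF'
/usr/bin/acledit:
        size = 5010
        checksum = "11111     5 "
/usr/bin/example_tool:
        size = 4096
        checksum = "33333     4 "
/dev/example_disk:
        mode = 660
EOF
    sysck_changed "$d/saved" "$d/rebuilt"; rm -rf "$d"
}
demo
```

Each CHANGED line is a file whose new size and checksum were accepted as trusted by the rebuild, so it should be traceable to a known update before the new database is relied on.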
tcbck -a /path_name/new_file owner group type mode size checksum
This will create a new stanza in /etc/security/sysck.cfg with these attributes: owner, group, type, mode, size and checksum.
tcbck -a tcb_file_name symlinks=
tcbck -n tree checks all files in the file system to ensure that all relevant files are defined in the sysck database. Files defined in the database are checked against their definitions. Files that are not in the database and have the following attributes will be reported:
If there are specific directories you would like tcbck to ignore when using the tree option, add a stanza like the following to the /etc/security/sysck.cfg file:
sysck:
        treeck_nodir = /dir1,/dir2
dir1 and dir2 are directories that tcbck will ignore.
3001-027 The file /usr/bin/acledit has the wrong TCB attribute value.
This message is not referring to the rwx attributes of the module. It is referring to the Trusted Computing Base attribute. In /etc/security/sysck.cfg, the stanza for a module will have the line mode = TCB,555. This means the permissions are r-xr-xr-x and the TCB flag is set.
The following command can be used to modify and query the TCB attribute of the file:
chtcb query /usr/bin/acledit -- will display the attribute
chtcb on /usr/bin/acledit -- will set the attribute
chtcb off /usr/bin/acledit -- will reset the attribute
tcbck -a /path_name/changed_file size checksum
This command will re-calculate the size and checksum of the changed file and update the sysck database.