Security Guide

The Trusted Computing Base

The system administrator must determine how much trust can be given to a particular program. This determination includes considering the value of the information resources on the system in deciding how much trust is required for a program to be installed with privilege.

The Trusted Computing Base (TCB) is the part of the system that is responsible for enforcing systemwide information security policies. By installing and using the TCB, you can define user access to the trusted communication path, which allows for secure communication between users and the TCB. TCB features can only be enabled when the operating system is installed. To install TCB on an already installed machine, you will have to perform a Preservation installation. Enabling TCB allows you to access the trusted shell, trusted processes, and the Secure Attention Key (SAK).

This section discusses the following topics:

Installing a System with the Trusted Computing Base

The TCB is the part of the system that is responsible for enforcing the information security policies of the system. All of the computer's hardware is included in the TCB, but a person administering the system should be concerned primarily with the software components of the TCB.

If you install a system with the Trusted Computing Base option, you enable the trusted path, trusted shell, and system-integrity checking (tcbck command). These features can only be enabled during a base operating system (BOS) installation. If the TCB option is not selected during the initial installation, the tcbck command is disabled. The command can be correctly enabled only by reinstalling the system with the TCB option turned on.

To set the TCB option during a BOS installation, select More Options from the Installation and Settings screen. In the Installation Options screen, the default for the Install Trusted Computing Base selection is no. To enable the TCB, type 2 and press Enter.

Because every device is part of the TCB, every file in the /dev directory is monitored by the TCB. In addition, the TCB automatically monitors over 600 additional files, storing critical information about these files in the /etc/security/sysck.cfg file. If you are installing the TCB, immediately after installing, back up this file to removable media, such as tape, CD, or disk, and store the media in a secure place.

Checking the Trusted Computing Base

The tcbck command audits the security state of the Trusted Computing Base. The security of the operating system is jeopardized when the TCB files are not correctly protected or when configuration files have unsafe values. The tcbck command audits this information by reading the /etc/security/sysck.cfg file. This file includes a description of all TCB files, configuration files, and trusted commands.

The /etc/security/sysck.cfg file is not offline and, could therefore be altered by a hacker. Make sure you create an offline read-only copy after each TCB update. Also, copy this file from the archival media to disk before doing any checks.

Installing the TCB and using the tcbck command do not guarantee that a system is operating in a Controlled Access Protection Profile (CAPP) and Evaluation Assurance Level 4+ (EAL4+) compliant mode. For information on the CAPP/EAL4+ option, see Controlled Access Protection Profile and Evaluation Assurance Level 4+.

Structure of the sysck.cfg file

The tcbck command reads the /etc/security/sysck.cfg file to determine which files to check. Each trusted program on the system is described by a stanza in the /etc/security/sysck.cfg file.

Each stanza has the following attributes:

class	Name of a group of files. This attribute allows several files with the same class name to be checked by specifying a single argument to the tcbck command. More than one class can be specified, with each class being separated by a comma.
owner	User ID or name of the file owner. If this does not match the file owner, the tcbck command sets the owner ID of the file to this value.
group	Group ID or name of the file group. If this does not match the file owner, the tcbck command sets the owner ID of the file to this value.
mode	Comma-separated list of values. The allowed values are SUID, SGID, SVTX, and TCB. The file permissions must be the last value and can be specified either as an octal value or as a 9-character string. For example, either 755 or rwxr-xr-x are valid file permissions. If this does not match the actual file mode, the tcbck command applies the correct value.
links	Comma-separated list of path names linked to this file. If any path name in this list is not linked to the file, the tcbck command creates the link. If used without the tree parameter, the tcbck command prints a message that there are extra links but does not determine their names. If used with the tree parameter, the tcbck command also prints any additional path names linked to this file.
symlinks	Comma-separated list of path names symbolically linked to this file. If any path name in this list is not a symbolic link to the file, the tcbck command creates the symbolic link. If used with the tree argument, the tcbck command also prints any additional path names that are symbolic links to this file.
program	Comma-separated list of values. The first value is the path name of a checking program. Additional values are passed as arguments to the program when it is executed. Note: The first argument is always one of -y, -n, -p, or -t, depending on which flag the tcbck command was used with.
acl	Text string representing the access control list for the file. It must be of the same format as the output of the aclget command. If this does not match the actual file ACL, the sysck command applies this value using the aclput command. Note: The SUID, SGID, and SVTX attributes must match those specified for the mode, if present.
source	Name of a file this source file is to be copied from prior to checking. If the value is blank, and this is either a regular file, directory, or a named pipe, a new empty version of this file is created if it does not already exist. For device files, a new special file is created for the same type device.

If a stanza in the /etc/security/sysck.cfg file does not specify an attribute, the corresponding check is not performed.

Using the tcbck Command

The tcbck command is normally used to do the following:

Ensure the proper installation of security-relevant files
Ensure that the file system tree contains no files that clearly violate system security
Update, add, or delete trusted files

The tcbck command can be used in the following ways:

Normal use
- Noninteractive at system initialization
- With the cron command
Interactive use
- Useful for checking out individual files and classes of files
Paranoid use
- Store the sysck.cfg file offline and restore it periodically to check out the machine

Although not cryptographically secure, the TCB uses the UNIX sum command for checksums. The TCB database can be set up manually with a different checksum command, for example, the md5sum command (shipped in the textutils RPM package with AIX Toolbox for Linux Applications CD).

Checking Trusted Files

To check all the files in the tcbck database, and fix and report all errors, type:

tcbck -y ALL

This causes the tcbck command to check the installation of each file in the tcbck database described by the /etc/security/sysck.cfg file.

To perform this automatically during system initialization, and produce a log of what was in error, add the previous command string to the /etc/rc file.

Checking the File System Tree

Whenever you suspect the integrity of the system might have been compromised, run the tcbck command to check the file system tree any time. This is done by running the following command:

tcbck -t tree

When the tcbck command is used with the tree value, all files on the system are checked for correct installation (this could take a long time). If the tcbck command discovers any files that are potential threats to system security, you can alter the suspected file to remove the offending attributes. In addition, the following checks are performed on all other files in the file system:

If the file owner is root and the file has the SetUID bit set, the SetUID bit is cleared.
If the file group is an administrative group, the file is executable, and the file has the SetGID bit set, the SetGID bit is cleared.
If the file has the tcb attribute set, this attribute is cleared.
If the file is a device (character or block special file), it is removed.
If the file is an additional link to a path name described in /etc/security/sysck.cfg file, the link is removed.
If the file is an additional symbolic link to a path name described in /etc/security/sysck.cfg file, the symbolic link is removed.

Note: All device entries must have been added to the /etc/security/sysck.cfg file prior to execution of the tcbck command or the system is rendered unusable. To add trusted devices to the /etc/security/sysck.cfg file, use the -l flag.

Attention: Do not run the tcbck -y tree command option. This option deletes and disables devices that are not properly listed in the TCB, and might disable your system.

Adding a Trusted Program

To add a specific program to the /etc/security/sysck.cfg file, type:

tcbck -a PathName [attribute=value]

Only attributes whose values are not deduced from the current state of the file need be specified on the command line. All attribute names are contained in the /etc/security/sysck.cfg file.

For example, the following command registers a new SetUID root program named /usr/bin/setgroups, which has a link named /usr/bin/getgroups:

tcbck -a /usr/bin/setgroups links=/usr/bin/getgroups

To add jfh and jsl as administrative users and developers as an administrative group to be verified during a security audit of the file /usr/bin/abc, type:

tcbck -a /usr/bin/abc setuids=jfh,jsl setgids=developers

After installing a program, you might not know which new files are registered in the /etc/security/sysck.cfg file. These can be found and added with the following command:

tcbck -t tree

This command string displays the name of any file that is to be registered in the /etc/security/sysck.cfg file.

Deleting a Trusted Program

If you remove a file from the system that is described in the /etc/security/sysck.cfg file, you need to also remove the description of this file from the /etc/security/sysck.cfg file. For example, if you have deleted the /etc/cvid program, the following command string will cause an error message to be shown:

tcbck -t ALL

The error message shown is:

3001-020 The file /etc/cvid was not found.

The description for this program is still in the /etc/security/sysck.cfg file. To remove the description of this program type the following command:

tcbck -d /etc/cvid

Configuring Additional Trusted Options

The following sections provide information about how to configure additional options for the TCB.

Restricting Access to a Terminal

The getty and shell commands change the owner and mode of a terminal to prevent untrusted programs from accessing the terminal. The operating system provides a way to configure exclusive terminal access.

Using the Secure Attention Key

A trusted communication path is established by pressing the Secure Attention Key (SAK) reserved key sequence (Ctrl-X, and then Ctrl-R). A trusted communication path is established under the following conditions:

When logging in to the system
After you press the SAK:
- If a new login screen displays, you have a secure path.
- If the trusted shell prompt displays, the initial login screen was an unauthorized program that might have been trying to steal your password. Determine who is currently using this terminal by using the who command and then log off.
When you want the command you enter to result in a trusted program running. Some examples of this include:
- Running as root user. Run as root user only after establishing a trusted communication path. This ensures that no untrusted programs are run with root user authority.
- Running the su -, passwd, and newgrp commands. Run these commands only after establishing a trusted communication path.

Attention: Use caution when using SAK because it kills all processes that attempt to access the terminal and any links to it (for example, /dev/console can be linked to /dev/tty0).

Configuring the Secure Attention Key

Each terminal can be independently configured so that pressing SAK at that terminal creates a trusted communication path. This is specified by the sak_enabled attribute in /etc/security/login.cfg file. If the value of this attribute is True, the SAK is enabled.

If a port is to be used for communications, (for example, by the uucp command), the specific port used has the following line in its stanza of the /etc/security/login.cfg file:

sak_enabled = false

This line (or no entry in that stanza) disables the SAK for that terminal.

To enable SAK on a terminal, add the following line to the stanza for that terminal:

sak_enabled = true