This document, which applies to AIX Versions 4.x, describes how to update the /etc/security/sysck.cfg TCB database to match what is currently installed on your system.
The Trusted Computing Base enforces the information security policies of the system.
WARNING: Do not run tcbck -y ALL unless you are sure the files on the system match the contents of the sysck.cfg database. This command will disable the ACLs of any files that do not match.
Please read about the the tcbck command in the AIX product documentation and become familiar with its options and functions.
The AIX and hardware product documentation library is also available:
Following are some examples for using the tcbck command. Please refer to the tcbck man page for a full description of function, flags and attributes.
NOTE: Since device configuration and the sysck.cfg database are independent and are not integrated, there is no automatic addition of new devices to the sysck.cfg database when a device is added to the system. Consequently, given the automatic configuration of devices at boot time, it is the responsibility of the system administrator to maintain the /etc/security/sysck.cfg database.
This is also true in the case of mirrored rootvg, since the /dev/ipldevice is relinked dynamically to the other disk when the system is rebooted off the mirrored disk.
If a device is added to the system, the sysck.cfg database must be updated manually using the procedures outlined in this document.
NOTE: This will overwrite /etc/security/sysck.cfg. Save a copy of this file before starting this script.
#!/bin/ksh for x in $( grep : /etc/security/sysck.cfg | sed 's/://g' | tail +2 ) do echo "working on" $x if [ -d "$x" -o -c "$x" -o -b "$x" ] then # if directory or special file - size and checksum do not apply tcbck -a $x owner group type mode else tcbck -a $x owner group type mode size checksum fi done
tcbck -a /path_name/new_file owner group type mode size checksum
This will create a new stanza in /etc/security/sysck.cfg with these attributes: owner, group, type, mode, size and checksum.
tcbck -a tcb_file_name symlinks=
If there are specific directories you would like tcbck to ignore when using the tree option, add a stanza like the following to the /etc/security/sysck.cfg file:
sysck: treeck_nodir = /dir1,/dir2
dir1 and dir2 are directories that tcbck will ignore.
3001-027 The file /usr/bin/acledit has the wrong TCB attribute value.
This message is not referring to the rwx attributes of the module. It is referring to the Trusted Computing Base attribute. In /etc/security/sysck.cfg, the stanza for a module will have line mode = TCB,555. This means the permissions are r-xr-xr-x and the TCB flag is set.
The following command can be used to modify and query the TCB attribute of the file:
chtcb query /usr/bin/acledit -- will display the attribute chtcb on /usr/bin/acledit -- will set the attribute chtcb off /usr/bin/acledit -- will reset the attribute
tcbck -a /path_name/changed_file size checksum
This command will re-calculate the size and checksum of the changed file and update the sysck database.
[ Doc Ref: 90605224214660 Publish Date: Jan. 30, 2001 4FAX Ref: 1074 ]