How to Update sysck.cfg in the TCB Database


Contents

About this document
    Related documentation
Procedure

About this document

This document, which applies to AIX Versions 4.x, describes how to update the /etc/security/sysck.cfg TCB database to match what is currently installed on your system.

The Trusted Computing Base enforces the information security policies of the system.

WARNING: Do not run tcbck -y ALL unless you are sure the files on the system match the contents of the sysck.cfg database. This command will disable the ACLs of any files that do not match.

Please read about the tcbck command in the AIX product documentation and become familiar with its options and functions.

Related documentation

The AIX and hardware product documentation library is also available:
http://www.rs6000.ibm.com/resource/aix_resource/Pubs/index.html


Procedure

Following are some examples for using the tcbck command. Please refer to the tcbck man page for a full description of function, flags and attributes.

NOTE: Since device configuration and the sysck.cfg database are independent and are not integrated, there is no automatic addition of new devices to the sysck.cfg database when a device is added to the system. Consequently, given the automatic configuration of devices at boot time, it is the responsibility of the system administrator to maintain the /etc/security/sysck.cfg database.

This is also true in the case of mirrored rootvg, since the /dev/ipldevice is relinked dynamically to the other disk when the system is rebooted off the mirrored disk.

If a device is added to the system, the sysck.cfg database must be updated manually using the procedures outlined in this document.

  1. Log in as root.

  2. Run the following script:

    NOTE: This will overwrite /etc/security/sysck.cfg. Save a copy of this file before starting this script.

    #!/bin/ksh
    # Re-register every stanza named in sysck.cfg with the attributes
    # currently found on the installed file.
    for x in $( grep : /etc/security/sysck.cfg | sed 's/://g' | tail +2 )
    do
        echo "working on $x"
        if [ -d "$x" -o -c "$x" -o -b "$x" ]
        then
            # directory or special file: size and checksum do not apply
            tcbck -a "$x" owner group type mode
        else
            tcbck -a "$x" owner group type mode size checksum
        fi
    done
    
  3. If you want to add a new file to the TCB database, enter:
    tcbck -a /path_name/new_file  owner group type mode size checksum 
    

    This will create a new stanza in /etc/security/sysck.cfg with these attributes: owner, group, type, mode, size and checksum.

  4. To remove an attribute like a symbolic link, enter:
       tcbck -a tcb_file_name symlinks= 
    
  5. Periodically you can enter tcbck -n ALL to check the integrity of your system.

  6. The tcbck -n tree command checks all files in the file system to ensure that all relevant files are defined in the sysck database. Files defined in the database are checked against their definitions. Files that are not in the database and have the following attributes will be reported:

    If there are specific directories you would like tcbck to ignore when using the tree option, add a stanza like the following to the /etc/security/sysck.cfg file:

      sysck: 
         treeck_nodir = /dir1,/dir2 
    

    dir1 and dir2 are directories that tcbck will ignore.

  7. If the TCB attribute is defined in the sysck.cfg database for a specific file but is not set on the file on your system, you will receive the following error:
    3001-027 The file /usr/bin/acledit has the wrong TCB attribute value. 
    

    This message is not referring to the rwx attributes of the module. It is referring to the Trusted Computing Base attribute. In /etc/security/sysck.cfg, the stanza for a module will have the line mode = TCB,555. This means the permissions are r-xr-xr-x and the TCB flag is set.

    The following command can be used to modify and query the TCB attribute of the file:

       chtcb query /usr/bin/acledit    -- will display the attribute 
       chtcb on    /usr/bin/acledit    -- will set the attribute 
       chtcb off   /usr/bin/acledit    -- will reset the attribute 
    
  8. After applying PTFs (fixes) to your system, tcbck -n ALL may report errors for the newly installed files such as the size and checksum. To correct the size and checksum in the database to match your system, execute:
       tcbck -a /path_name/changed_file size checksum 
    

    This command will re-calculate the size and checksum of the changed file and update the sysck database.




[ Doc Ref: 90605224214660     Publish Date: Jan. 30, 2001     4FAX Ref: 1074 ]