Trusted Signature Database
The Trusted Signature Database (TSD) stores the critical security parameters of the trusted files present on the system. The database resides in the /etc/security/tsd/tsd.dat file. Each trusted file is described by a stanza whose header is the file path; the following is a sample stanza for the ps command:
/usr/bin/ps:
    owner = bin
    group = system
    mode = 555
    type = FILE
    hardlinks = /usr/sbin/ps
    symlinks =
    size = 1024
    cert_tag = bbe21b795c550ab243
    signature = f7167eb9ba3b63478793c635fc991c7e9663365b2c238411d24c2a8a
    hash_value = c550ab2436792256b4846a8d0dc448fc45
    maxslabel = SLSL
    intlabel = SHTL
    accessauths = aix.mls.pdir, aix.mls.config
    innateprivs = PV_LEF
    proxyprivs = PV_DAC
    authprivs = aix.security.cmds:PV_DAC,aix.ras.audit:PV_AU_ADMIN
    secflags = FSF_EPS
The attributes have the following meaning:
- owner: Owner of the file. This value is computed by the trustchk command when the file is added to the TSD.
- group: Group of the file. This value is computed by the trustchk command.
- mode: Comma-separated list of values. The permissible values are SUID (SUID set bit), SGID (SGID set bit), SVTX (SVTX set bit), and TCB (Trusted Computing Base). The file permissions must be the last value and can be specified as an octal value. For example, for a file that has the set-uid bit set and has the permission bits rwxr-xr-x, the value of mode is SUID, 755. This value is computed by the trustchk command.
- type: Type of the file. This value is computed by the trustchk command. The possible values are FILE, DIRECTORY, MPX_DEV, CHAR_DEV, BLK_DEV, and FIFO.
- hardlinks: List of hard links to the file. This value cannot be computed by the trustchk command; it must be supplied by the user when adding a file to the database.
- symlinks: List of symbolic links to the file. This value cannot be computed by the trustchk command; it must be supplied by the user when adding a file to the database.
- size: Size of the file. The VOLATILE value means that the file changes frequently and the size is not checked.
- cert_tag: Maps the digital signature of the file to the certificate that can be used to verify the signature. This field stores the certificate ID and is computed by the trustchk command when the file is added to the TSD. The certificates are stored in the /etc/security/certificates directory.
- signature: Digital signature of the file. The VOLATILE value means that the file changes frequently and the signature is not checked. This field is computed by the trustchk command.
- hash_value: Cryptographic hash of the file. The VOLATILE value means that the file changes frequently and the hash is not checked. This field is computed by the trustchk command.
- innateprivs: Defines the innate privileges for the file.
- proxyprivs: Defines the proxy privileges for the file.
- authprivs: Defines the privileges that are assigned to the user when the user holds the given authorizations, written as authorization:privilege pairs (for example, aix.security.cmds:PV_DAC).
- secflags: Defines the file security flags associated with the object.
When you add a new entry to the TSD, if the trusted file has symbolic or hard links pointing to it, these links can be recorded in the TSD by passing the symlinks and hardlinks attributes on the trustchk command line. If the file being added is expected to change frequently, use the VOLATILE keyword on the command line. The trustchk command then does not calculate the hash_value and signature fields when it generates the file definition for addition to the TSD, and those two fields are ignored during integrity verification of the file.
When adding regular file definitions to the TSD, you must provide a private key (ASN.1/DER format) with the -s flag and a digital certificate containing the corresponding public key with the -v flag. The private key is used to generate the signature of the file and is then discarded; it is up to the user to store this key securely. The certificate is stored in the certificate store under /etc/security/certificates so that the signature can be verified whenever you request integrity verification. Because signature calculation is not possible for non-regular files such as directories and device files, supplying the private key and certificate is not mandatory when adding such files to the TSD.
You can also supply a pre-computed file definition through a file with the -f option. In this case the trustchk command does not compute any of the values and stores the definition in the TSD without any verification; the user is responsible for the correctness of the file definition.
Supporting library verification
To support library verification, a separate tsd.dat file is added in the /etc/security/tsd/lib/ directory. The name of the database is /etc/security/tsd/lib/lib.tsd.dat. This database is specifically for libraries and holds the stanzas for the .o files of each trusted library. The stanza for every .o file of a library is in the format shown in the following example. For libc.a, if strcmp.o is one of its .o files, the stanza for strcmp.o in /etc/security/tsd/lib/lib.tsd.dat is similar to the following:
/usr/lib/libc.a/strcmp.o:
    Type = OBJ
    Size = 2345
    Hash value =
    Signature =
    Cert_tag =
This database has entries for the type, size, hash, cert tag, and signature of each .o file. The hash of the library itself is updated in the corresponding stanza of the /etc/security/tsd/tsd.dat file. These attribute values are generated dynamically during the build, and the values are moved into the /etc/security/tsd/lib/lib.tsd.dat database during installation.
In the /etc/security/tsd/tsd.dat file, the stanzas for the libraries are modified to set the type attribute to LIB, and the size and signature attributes are empty. Currently the values for the dynamic attributes size, hash, and signature are maintained as VOLATILE; therefore, library verification is skipped during system boot. Beginning with the release of AIX 6.1.0, the size, hash, and signature of the trusted library stanzas are computed from the .o files of a library. During installation, the tsd.dat database is populated to reflect the computed values, and the corresponding .o file stanzas for a trusted library are stored in the /etc/security/tsd/lib/lib.tsd.dat database.
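The following added example (not IBM code and not the trustchk utility) parses stanzas in the layout used by both tsd.dat and lib.tsd.dat above and checks a file's recorded owner, group, mode, type, size and hash against observed values, skipping size and hash when they are VOLATILE as the text describes. SHA-256 as the hash algorithm, numeric owner and group ids, and the sample stanza contents are assumptions of the example.

```python
# Parse AIX-style TSD (tsd.dat) stanzas and check a file's recorded attributes against
# observed ones. Constructed example, not IBM's trustchk. SHA-256 is an assumption:
# the page only says "cryptographic hash". Signature checking (needs the cert) is omitted.
import hashlib, os, stat

VOLATILE = "VOLATILE"
SPECIAL_BITS = {"SUID": stat.S_ISUID, "SGID": stat.S_ISGID, "SVTX": stat.S_ISVTX}
TYPE_OF_MODE = [(stat.S_ISREG, "FILE"), (stat.S_ISDIR, "DIRECTORY"), (stat.S_ISCHR, "CHAR_DEV"),
                (stat.S_ISBLK, "BLK_DEV"), (stat.S_ISFIFO, "FIFO")]

def parse_tsd(text):
    """Return {path: {attr: value}} from stanza text: 'path:' then 'attr = value' lines."""
    db, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and "=" not in line:
            cur = db[line[:-1]] = {}          # new stanza header
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()    # empty value (e.g. 'symlinks =') stays ""
    return db

def expected_mode(mode_field):
    """'SUID, 555' -> 0o4555: flag words precede the octal permission, which is last."""
    parts = [p.strip() for p in mode_field.split(",")]
    bits = int(parts[-1], 8)
    for flag in parts[:-1]:
        bits |= SPECIAL_BITS.get(flag, 0)     # TCB is an attribute, not a mode bit
    return bits

def observe(path):
    """Attributes of a real file; owner/group as numeric ids (name lookup omitted)."""
    st = os.lstat(path)
    digest = VOLATILE                          # no hash for non-regular files
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
    ftype = next((name for test, name in TYPE_OF_MODE if test(st.st_mode)), "UNKNOWN")
    return {"owner": str(st.st_uid), "group": str(st.st_gid), "mode": stat.S_IMODE(st.st_mode),
            "type": ftype, "size": st.st_size, "hash_value": digest}

def verify(entry, observed):
    """Attributes that disagree; VOLATILE size/hash are skipped, as the TSD text describes."""
    bad = [a for a in ("owner", "group", "type") if entry.get(a) != observed[a]]
    if "mode" in entry and expected_mode(entry["mode"]) != observed["mode"]:
        bad.append("mode")
    for attr in ("size", "hash_value"):
        if entry.get(attr, VOLATILE) != VOLATILE and str(entry[attr]) != str(observed[attr]):
            bad.append(attr)
    return bad
```

On a real system you would call verify(db[path], observe(path)) for each stanza; a non-empty result is an integrity mismatch worth alerting on.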