trustchk Command

Purpose

Administers Trusted Signature Database (TSD) and trusted execution (TE) function.

Syntax

To add files to the TSD
trustchk [ -R module name ] -s <private key file> -v <certificate file> [ -P ] -a [tree] { filename [ size=VOLATILE ] [ hardlinks=value ] [ symlinks=value ]...| -f filename }
To delete files from the TSD
trustchk -d { filename...| ALL | -f filename }
To query the TSD
trustchk -q { filename...| ALL |-f filename }
To switch to a new hashing algorithm
trustchk -g [ SHA1 | SHA256 | SHA512 ]
To scan the system
trustchk [ -i ] [ -x ] { -n | -t | -y } tree [ dirpath... ]
To configure the policies
trustchk [ -@ { WparName | ALL } ] -p { [ TE [ = ON | OFF ] ] [ CHKEXEC [ = ON | OFF ] ] [ CHKSHLIB [ = ON | OFF ] ] [ CHKSHOBJS [ = ON | OFF ] ] [ CHKSCRIPT [ = ON | OFF ] ] [ CHKKERNEXT [ = ON | OFF ] ] [ SIG_VER [ = ON | OFF ] ] [ STOP_UNTRUSTD [ = ON | OFF | TROJAN ] ] [ STOP_ON_CHKFAIL [ = ON | OFF ] ] [ LOCK_KERN_POLICIES [ = ON | OFF ] ] [ TEP [ = ON | OFF | PathList ] ] [ TLP [ = ON | OFF | PathList ] ] [ TSD_FILES_LOCK [ = ON | OFF | EXVOL ] ] [ TSD_LOCK [ = ON | OFF ] ] }
To audit the system
trustchk [ -r ] { -n | -t | -y } { filename... | ALL }
To use alternative TSD file
trustchk -F TSDFile { -a | -d | -g | -q | -y | -n  | -t }
To update an attribute in the TSD
trustchk -u <filename> [ <attr>=value ]
To generate a signing key and verification certificate
trustchk -k -s <private key file> -v <certificate file> [ -N ] { [ -D ] "OU = distinguished name" }
Note: The plus sign (+) is a special character that can be used only within a distinguished name given with the -D option.
The following example shows how to use the plus sign (+) as a special character in a distinguished name:
trustchk -k -s sign-key -v verify-key -N -D "OU=IT + OU=jj, OU=zlab037.austin.ibm.com"
You cannot use the plus sign (+) in any other format.

Description

Managing the Trusted Signature Database

Privileged users use the trustchk command to add, delete, or list entries in the TSD. The TSD is a database of the security attributes of the trusted files that are present on the system. It is stored in the /etc/security/tsd/tsd.dat file and is populated at installation time.

The following attributes are part of a file definition (stanza):
Table 1. Attributes and their usage
Attributes Usage
Owner Specifies the name of the owner of the file. You cannot use the owner ID.
Group Specifies the name of the group of the file. You cannot use the group ID.
Type Specifies the type of the definition. Specifies whether the definition belongs to a file, directory, first-in-first-out special files (FIFO), character device, block device, or a multiplexed device.
Mode Specifies the permission bits and additional parameters that specify whether the SETUID, SETGID, TCB, or SVTX bits are set in the file.
hardlink Specifies the colon-separated list of hard links that point to the file.
symlink Specifies the colon-separated list of symbolic links that point to the file.
size Specifies the size of the file in bytes.
cert_tag Specifies the ID of the digital certificate that is used to calculate the signature of this file.
signature Specifies the digital signature of the file, which is calculated by using the RSA algorithm.
hash_value Specifies the cryptographic hash value of the file. By default, the hash value is calculated with SHA256.
accessauths Specifies the access authorization on the object.
innateprivs Specifies the innate privileges for the file.
inheritprivs Specifies the inheritable privileges for the file.
authprivs Specifies the privileges that are assigned to users with authorizations.
secflags Specifies the file security flags that are associated with the object.
Note: Insert a blank line between the stanzas when you specify multiple stanzas in an external file with the -f flag.

Auditing the security state of the system

To audit the security state of the system, use the trustchk command to check the security parameters that are stored in the TSD against the parameters of the actual files present on the system. Discrepancies are reported to the user, or fixed, according to the input flags that you specify. To check every file that is listed in the TSD, use the ALL parameter instead of the filename variable; alternatively, specify a list of files that are separated by spaces on the command line.
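As an added illustration of the audit described above (example code, not IBM's trustchk implementation): a Python check that parses a stanza file in the layout used with the -f flag (assumed here to be a "path:" header followed by indented "attr = value" lines, with a blank line between stanzas), compares the Table 1 attributes with the live files, and, as the -a flag description specifies, skips the size and hash comparison for size=VOLATILE entries.

```python
import grp, hashlib, os, pathlib, pwd, stat, tempfile
def parse_stanzas(text):
    # 'path:' line, then 'attr = value' lines; a blank line ends the stanza
    db, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            cur = None
        elif line.endswith(":") and cur is None:
            cur = db.setdefault(line[:-1], {})
        elif "=" in line and cur is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            cur[k] = v
    return db
def sha256_of(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()
def names_of(st):
    # owner and group names as written in a stanza; ids if not in passwd/group
    try:
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_uid), str(st.st_gid)
def audit(db):
    # (path, attr, recorded, actual) mismatches, as 'trustchk -n' reports them;
    # size and hash_value are not compared for size=VOLATILE entries
    findings = []
    for path, attrs in db.items():
        if not os.path.lexists(path):
            findings.append((path, "missing", None, None)); continue
        st = os.lstat(path)
        owner, group = names_of(st)
        actual = {"owner": owner, "group": group,
                  "mode": format(stat.S_IMODE(st.st_mode), "o")}
        if attrs.get("size") != "VOLATILE":
            actual["size"] = str(st.st_size)
            if stat.S_ISREG(st.st_mode):
                actual["hash_value"] = sha256_of(path)
        findings += [(path, k, v, actual[k]) for k, v in attrs.items()
                     if k in actual and actual[k] != v]
    return findings
def demo():
    # constructed sample: intact file; VOLATILE file that grew (allowed); mode drift (reported)
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("ls", "passwd", "login")]
    for p in paths:
        pathlib.Path(p).write_text("original\n")            # 9 bytes
        os.chmod(p, 0o755)
    owner, group = names_of(os.lstat(paths[0]))
    stanzas = "\n\n".join(
        f"{p}:\n\towner = {owner}\n\tgroup = {group}\n\tmode = 755\n"
        f"\tsize = {sz}\n\thash_value = {sha256_of(p)}"
        for p, sz in zip(paths, ("9", "VOLATILE", "9")))
    with open(paths[1], "a") as f: f.write("new entry\n")
    os.chmod(paths[2], 0o555)
    return audit(parse_stanzas(stanzas))
```

Running demo() reports only the mode change on the constructed "login" file; the grown "passwd" file passes because its stanza is marked VOLATILE.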

Enabling the TE function

Use the trustchk command to enable or disable the runtime integrity-verification function, which verifies the cryptographic hash or the signature of a file before the file is used. Use the TE policy with the -p flag to turn the TE function on or off.

Configuring policies for Trusted Execution

To enable or disable different security policies that are used with the TE mechanism, use the trustchk command. You can specify the following different policies:
Table 2. Policies
Item Description
CHKEXEC Checks the integrity of the executable file that belongs to the TSD before you run the file.
CHKKERNEXT Checks the integrity of the kernel extensions that belong to the TSD before you load them.
CHKSHLIB Checks the integrity of the shared libraries that belong to the TSD before you load them.
CHKSHOBJS Checks the integrity of the shared object (.o) files that belong to the lib.tsd.dat file before the corresponding shared library (lib<>.a) is loaded. Set this policy to ON along with CHKSHLIB=ON for it to take effect.
CHKSCRIPT Checks the integrity of the shell scripts that belong to the TSD before you start them.
LOCK_KERN_POLICIES Locks the other policies. While the LOCK_KERN_POLICIES policy is disabled, the other policies can be enabled or disabled; while it is enabled, the other policies are locked. To enable or disable a policy in that condition, disable the LOCK_KERN_POLICIES policy and restart the system.
SIG_VER Enables or disables the Runtime Signature Verification policy. When the Runtime Signature Verification policy and the TE policy are enabled, the signature verifies the integrity of the files instead of the hash value.
Note: The SIG_VER policy is applicable only to AIX® system software files.
STOP_ON_CHKFAIL Stops the loading of files whose integrity check fails.
STOP_UNTRUSTD Stops the loading of files that do not belong to the TSD. With the TROJAN value, stops the loading only of files that do not belong to the TSD and have one of the following security settings:
  • suid/sgid bit set
  • Linked to a file in the TSD
  • Entry in the privcmds database
  • Linked to a file in the privcmds database
TE Enables or disables the TE. The TE option must be set to ON to activate the policies.
TEP Sets the value of the Trusted Execution Path and enables or disables it. The Trusted Execution Path consists of a list of colon-separated absolute paths, for example, /usr/bin:/usr/sbin. When the TEP policy is enabled, only the files in these directory paths can be started; an executable program that is loaded from outside the TEP is blocked.
TLP Sets the value of the Trusted Library Path and enables or disables it. The Trusted Library Path consists of a list of colon-separated absolute paths, for example, /usr/lib:/usr/ccs/lib. When the TLP policy is enabled, only the libraries in these directory paths can be loaded; a program that tries to load a library from outside the TLP is blocked.
TSD_FILES_LOCK Disables the opening of TSD files in write mode. With the EXVOL value, disables the opening of only the nonvolatile TSD files in write mode; the volatile files can still be changed.
TSD_LOCK Disallows opening the TSD file (/etc/security/tsd/tsd.dat) in write mode, which prevents editing of the TSD file.

By default, the TSD file defines the files and programs that are part of the trusted computing base. The privileged user or a member of the security group can choose to define only those files that are considered to be security-relevant.

The TE policies are stored in the /etc/security/tsd/tepolicies.dat file.

The trustchk command writes messages to standard error (stderr).

Scanning the system for TROJAN detection

If an executable file is present on the system, has no entry in the TSD, and has one of the following security settings, the trustchk command reports the file as a TROJAN:
  • suid/sgid bit set
  • Linked to a file in the TSD
  • Entry in the privcmds database
  • Linked to a file in the privcmds database
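An added example (not IBM's trustchk code) of the TROJAN criteria listed above, applied by a Python scan over a constructed directory tree: executables with no TSD entry are reported when they carry the suid/sgid bit, share an inode with or resolve through a symbolic link to a TSD file, or are (or link to) a privcmds entry. The TSD and privcmds contents are passed in as sets rather than read from the system, and the follow_symlinks switch mirrors the -x flag.

```python
import os, pathlib, stat, tempfile

def ids_of(paths):
    # (device, inode) -> path for every existing file in a path set
    ids = {}
    for p in paths:
        try:
            st = os.stat(p)
            ids[(st.st_dev, st.st_ino)] = p
        except OSError:
            pass
    return ids

def trojan_scan(tree, tsd_paths, privcmds=(), follow_symlinks=True):
    # returns [(path, [reasons])] for executables outside the TSD that
    # match one of the page's TROJAN settings
    tsd_ids, priv_ids = ids_of(tsd_paths), ids_of(privcmds)
    hits = []
    for root, _, files in os.walk(tree):
        for name in files:
            path = os.path.join(root, name)
            if path in tsd_paths:
                continue                      # recorded in the TSD: not a candidate
            if os.path.islink(path) and not follow_symlinks:
                continue                      # like -x: do not follow the symlink
            try:
                st = os.stat(path)            # follows links, so a symlink inherits
            except OSError:                   # the target's inode and mode
                continue                      # dangling link
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue                      # not an executable file
            key, reasons = (st.st_dev, st.st_ino), []
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("suid/sgid bit set")
            if key in tsd_ids:
                reasons.append(f"linked to TSD file {tsd_ids[key]}")
            if path in privcmds:
                reasons.append("entry in privcmds")
            elif key in priv_ids:
                reasons.append(f"linked to privcmds file {priv_ids[key]}")
            if reasons:
                hits.append((path, reasons))
    return hits

def demo():
    # constructed tree: 'ls' and 'su' are recorded in the TSD, 'su' is also a
    # privcmds entry; everything else is outside the TSD
    d = tempfile.mkdtemp()
    def mk(name, mode):
        p = os.path.join(d, name); pathlib.Path(p).write_text("#!/bin/sh\n")
        os.chmod(p, mode); return p
    ls, su = mk("ls", 0o755), mk("su", 0o4755)
    mk("tool", 0o755); mk("notes.txt", 0o644)      # ordinary files: not reported
    mk("unknown_suid", 0o4755)                     # suid, not in the TSD
    os.link(ls, os.path.join(d, "ls2"))            # hard link to a TSD file
    os.symlink(su, os.path.join(d, "su_alias"))    # symlink to a privcmds file
    return trojan_scan(d, {ls, su}, privcmds={su})
```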

Installing the software or interim fixes with TE policies

If the TE policy is turned on along with the TSD_LOCK policy or the TSD_FILES_LOCK policy, the installp and emgr commands fail. To continue with the installation, manually turn off the TSD_LOCK policy or the TSD_FILES_LOCK policy. The emgr and installp commands run successfully with TE policies as long as neither the TSD_LOCK policy nor the TSD_FILES_LOCK policy is turned on.

Flags

Table 3. Flags
Item Description
-a filename Adds file definitions to the TSD. The definitions are either read from a file (the -f option) or calculated by the command when you specify the absolute file name.

You can specify the following parameters with the file name:

size=VOLATILE
Specifies the size of a file. This attribute uses the VOLATILE value. The VOLATILE value indicates that the file that this definition belongs to is volatile in nature. The contents of the file change frequently. Therefore, during audits, the size, hash value, and the signature of this file must not be checked.
hardlinks=value
Supplies the hard links to a file that the trustchk command cannot compute independently.
symlinks=value
Supplies the symbolic links to a file.
tree
Adds stanzas to the TSD recursively when you provide a directory name along with the -a flag. If you specify a file name, only the stanza for that file is added. Use this parameter along with the -a flag.

To add a regular file to the TSD, you must specify the private key (the signing key) with the -s flag as an ASN.1/DER file in PKCS#8 format without pass phrase or password protection, and the associated certificate with the -v flag as an ASN.1/DER file. The associated certificate contains the public key that is used to verify the signature of the file. The digital certificate that you specify is copied to the certificate store in /etc/security/certificates, and is used during system audits to verify the signatures of the file. You do not need the private key and certificate to add non-regular files such as devices, directories, and FIFOs.

-d Deletes file definitions from the TSD. Specify the name of the file whose stanza is to be deleted from the TSD on the command line, or place it in a file that you specify with the -f flag.
-D Use the -D flag along with the -k flag to enter the issuer DN and the subject DN from the command line.
-f filename Specifies that the file definitions must be read from the file that is specified with the filename parameter. Each file or stanza name must end with a colon. Insert a blank line between the file name entries in the external file.
-F Specifies that a different TSD file is used as the reference. You can use the -F flag with the -a, -d, -g, -q, -n, -t, or -y flags.
-g [ SHA1 | SHA256 | SHA512 ] Migrates the TSD to a new hashing algorithm. The hash_value fields in the file definitions are recomputed and updated in the TSD. The -g flag supports the SHA1, SHA256, and SHA512 algorithms.

To view the active algorithm, you must specify the -g flag without any algorithm names.

-i Skips the scanning of NFS-mounted file systems. Use the -i flag only with the -n, -t, or -y flags along with the tree parameter.
-k Generates the certificate and the private key files. The -s and -v flags must specify the key file name and the certificate file name; the generated key and certificate are saved in the files that these flags specify.
-n Specifies the auditing mode, and indicates that errors must be reported. Any discrepancy between the attributes in the TSD and the actual file parameters is printed to stderr. Use the ALL parameter to check all entries in the TSD. Use the tree parameter to scan the entire system or selected directories for TROJAN detection.
-p Configures Trusted Execution policies. You can turn on the policy configuration from command line, for example policyA=ON. Specify a policy name to retrieve its current state, for example, trustchk -p CHKEXEC.

The TE=ON option activates the configured policies except the TEP and TLP policies, which are independent of the TE policy.

You turn the TEP and TLP policies on or off separately: the TEP=ON option enables the TEP function, and the TLP=ON option enables the TLP function.
-P Prompts you to enter the password that is used to encrypt or decrypt the private-key file. You can specify the -P flag along with -a flag.

When you specify the -P flag with the trustchk -a command, it prompts you to enter the password that is used to decrypt the private-key file.

-q Queries the TSD for a file name and prints the entire list of its security attributes, that is, the stanza for the specified file name. Use the ALL parameter instead of listing file path names to retrieve all entries of the TSD.
-r Specifies that only the authorizations and privileges are checked. This flag is valid only on an enhanced RBAC system. Use the ALL parameter to check all entries in the TSD.
-R module_name Specifies that the values for the TSD policy and the TE policy must be taken from the module that is specified instead of the local copy.
-s Specifies the signing key that is used for a signature calculation of a file while you add it to the TSD. The signing key is an RSA private key in ASN.1/DER file in PKCS#8 format without pass phrase or password protection.
-t Specifies the auditing mode and indicates that errors must be reported with a prompt that asks whether each error must be fixed. Use the ALL parameter to check all entries in the TSD. Use the tree parameter to scan the entire system or selected directories for TROJAN detection.
-u Updates the value of the specified attribute in the TSD. If RBAC attributes are changed by using the trustchk -u command, you must run the setkst command explicitly to update the kernel tables.
Note: The -u flag supports the following attributes: owner, group, mode, hardlinks, symlinks, accessauths, innateprivs, inheritprivs, authprivs, secflags, t_innateprivs, t_inheritprivs, t_secflags, t_authprivs, t_accessauths, and type.
-v Specifies the verification certificate that is associated with the signing key given by the -s flag. The verification certificate is copied into the certificate store in /etc/security/certificate and is used to verify the file signature during auditing. A new certificate overwrites an existing certificate with the same certificate ID in the store. The verification certificate is in ASN.1/DER format.
-x Does not follow symbolic links. Use the -x flag only with the -n, -t, or -y flags along with the tree parameter.
-y Specifies the auditing mode, and indicates that errors must be fixed and reported. Use the ALL parameter to check all entries in the TSD. Use the -y flag with the tree parameter to scan the entire system or selected directories for TROJAN detection.
Attention: Misuse of the -y option might make a file unusable if the trustchk command encounters a discrepancy.
-@ WparName Lists the TE policies of a system WPAR.

Exit Status

The trustchk command returns the following exit values:

Table 4. Exit values
Item Description
0 Successful completion.
>0 An error occurred.

Examples

  1. To add a new file definition for the /usr/bin/ls file by using a private key that is in the /home/guest/privkey.der file and an associated certificate in the /home/guest/certificate.der file, enter the following command:
    trustchk -s /home/guest/privkey.der -v /home/guest/certificate.der -a /usr/bin/ls
  2. To add a file as a volatile file to the TSD by using the same pair of private key and certificate as in the previous example, enter the following command:
    trustchk -s /home/guest/privkey.der -v /home/guest/certificate.der -a /usr/bin/passwd size=VOLATILE
  3. To add the file /usr/bin/ls with a /usr/local/bin/ls hard link to the TSD by using the same pair of private key and certificate as in the first example, enter the following command:
    trustchk -s /home/guest/privkey.der -v /home/guest/certificate.der -a /usr/bin/ls hardlinks=/usr/local/bin/ls
  4. To delete the file /usr/bin/logname, enter the following command:
    trustchk -d /usr/bin/logname
  5. To add file definitions that are stored in the file /home/guest/filedef.in, enter the following command:
    trustchk -s /home/guest/privkey.der -v /home/guest/certificate.der -a -f /home/guest/filedef.in
  6. To enable a policy for checking the executable file listed in the TSD on every load, perform the following steps:
    1. To configure the policy, enter the following command:
      trustchk -p CHKEXEC=ON
    2. To activate the policy, enter the following command:
      trustchk -p TE=ON
  7. To check the integrity of the files that belong to the TSD, enter the following command:
    trustchk -n ALL
  8. To print the value of the currently active hash algorithm for TSD, enter the following command:
    trustchk -g
  9. To list all the policies of a WPAR, enter the following command:
    trustchk -@ <wpar> -p
  10. To list all the policies of all WPARs, enter the following command:
    trustchk -@ ALL -p
  11. To scan the whole system only for a TROJAN detection report, enter the following command:
    trustchk -n tree
  12. To scan only the /usr directory for TROJAN detection and fix discrepancies automatically, enter the following command:
    trustchk -y /usr
  13. To scan the entire system for TROJAN detection, except NFS-mounted file systems, and fix discrepancies interactively, enter the following command:
    trustchk -i -t tree
  14. To take the values from the LDAP server instead of the local copy, enter the following command:
    trustchk -R LDAP -p