sysck.cfg File

Purpose

Contains file definitions for the trusted computing base.

Description

Note: The sysck command does not update this file. It is only updated by the tcbck command.

The /etc/security/sysck.cfg file is a stanza file that contains definitions of file attributes for the trusted computing base. The name of each stanza is the pathname of a file, followed by a : (colon). Attributes are in the form Attribute=Value. Each attribute is ended with a new-line character, and each stanza is ended with an additional new-line character.

Each stanza can have one or more of the following attributes, and must have the type attribute:

Item Description
acl Defines the access control list of the file, including the SUID, SGID, and SVTX bits. The value is the Access Control List, in the format described in Access control lists in Operating system and device management.
class Defines a group of files for checking, deleting, or updating. A file can be in more than one class. The value is the ClassName [,ClassName ...] parameter.
checksum Defines the checksum, as computed with the sysck checksum program. This attribute is valid only for regular files. The value is the output of the sum -r command, including spaces.
group Defines the group name or numeric group ID, expressed as the GroupName or GroupID parameter.
links Defines the absolute paths that have hard links to this object. Each value must be an absolute pathname, expressed as the Path [,Path ...] parameter.
mode Defines the file mode, expressed as the Flag, Flag ..., PBits parameters. The Flag parameter can contain the SUID, SGID, SVTX, and TCB mode attributes (the Examples section also uses TP, which marks a trusted process). The PBits parameter contains the base file permissions, expressed either in octal form, such as 640, or symbolic form, such as rw-,r--,r--. The order of the attributes in the Flag parameter is not important, but the base permissions must be the last entry in the list. The symbolic form may include only read (r), write (w), and execute (x) access. If the acl attribute is defined in the stanza, the SUID, SGID, and SVTX mode attributes are ignored. For a typical mode specification, see the Examples section.
owner Defines the name or numeric ID of the file owner, expressed as the OwnerName or the OwnerID parameter.
size Defines the size of the file in bytes. This attribute is valid only for regular files. The value is a decimal number. A VOLATILE value in the size field indicates that the size of the file will change, so no checksum value can be given.
type The type of object. Select one of the following keywords: FILE, DIRECTORY, FIFO, BLK_DEV, CHAR_DEV, or MPX_DEV. This attribute is required in every stanza.

Stanzas in this file should be created and altered only with the tcbck command. Direct alteration by other means should be avoided, since other forms of access may not be supported in future releases.

Attributes that span multiple lines must be enclosed in double quotes, with each embedded new-line character written as \n.

Device configuration and the sysck.cfg database are independent and are not integrated, so no sysck.cfg entry is added automatically when a device is added. Because devices are configured automatically at boot time, it is the responsibility of the administrator to maintain /etc/security/sysck.cfg. The same applies to a mirrored rootvg, since /dev/ipldevice is relinked dynamically to the other disk when the system is rebooted from the mirrored disk.
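To make the stanza rules above concrete, here is an added example in Python (not IBM code and not part of the original page). It parses stanzas in the format just described, splits a mode value into flags and base permissions, computes the rotating 16-bit checksum that sum -r produces, and compares an object on disk with its stanza, honouring the rules that size and checksum apply only to regular files, that VOLATILE disables both, and that the SUID, SGID, and SVTX mode attributes are ignored when acl is present. Assumptions not stated on the page: the block count in the checksum value is in 1 KiB units and the stored value is laid out as a five-digit checksum, a space, a five-wide block count and a trailing space; the TCB and TP flags and the ACL text are AIX-specific and are parsed but not verified; MPX_DEV is treated as a character device. All input is constructed inline, so nothing touches a real sysck.cfg.

```python
"""Added example (not IBM code): parse sysck.cfg-style stanzas and check objects against them.
Assumed: 1 KiB blocks and a "%05d %5d " layout for the stored `sum -r` value."""
import grp, os, pwd, stat, tempfile
from pathlib import Path

TYPES = {"FILE": stat.S_ISREG, "DIRECTORY": stat.S_ISDIR, "FIFO": stat.S_ISFIFO,
         "BLK_DEV": stat.S_ISBLK, "CHAR_DEV": stat.S_ISCHR, "MPX_DEV": stat.S_ISCHR}
BIT_FLAGS = {"SUID": stat.S_ISUID, "SGID": stat.S_ISGID, "SVTX": stat.S_ISVTX}
FLAGS = set(BIT_FLAGS) | {"TCB", "TP"}   # TCB/TP are AIX-only; stat() elsewhere cannot see them

def parse_sysck_cfg(text):
    """'path:' opens a stanza, 'Name = Value' lines fill it, a blank line ends it;
    quoted values carry embedded new-lines as \\n; type is mandatory."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            cur = None
        elif line.endswith(":") and "=" not in line:
            cur = stanzas.setdefault(line[:-1].strip(), {})
        elif cur is None or "=" not in line:
            raise ValueError(f"bad line: {raw!r}")
        else:
            key, _, val = (s.strip() for s in line.partition("="))
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1].replace("\\n", "\n")
            cur[key] = val
    for name, st in stanzas.items():
        if st.get("type", "").upper() not in TYPES:
            raise ValueError(f"{name}: type missing or unknown")
    return stanzas

def parse_mode(value):
    """'Flag,Flag...,PBits' -> (flags, base permission bits); PBits must come last."""
    parts = [p.strip() for p in value.split(",")]
    flags = set()
    while parts and parts[0].upper() in FLAGS:
        flags.add(parts.pop(0).upper())
    pbits = "".join(parts)        # accepts 'rwxr-x---' and the comma form 'rw-,r--,r--'
    if pbits.isdigit() and not int(pbits, 8) & ~0o777:
        return flags, int(pbits, 8)
    if len(pbits) == 9 and all(c in ("rwx"[i % 3], "-") for i, c in enumerate(pbits)):
        return flags, sum(1 << (8 - i) for i, c in enumerate(pbits) if c != "-")
    raise ValueError(f"bad PBits {pbits!r} in mode {value!r}")

def checksum_value(data):
    """Rotating 16-bit BSD sum (what `sum -r` computes) plus block count, spaces included."""
    s = 0
    for b in data:
        s = (((s >> 1) | ((s & 1) << 15)) + b) & 0xFFFF
    return f"{s:05d} {(len(data) + 1023) // 1024:5d} "

def _id_ok(expected, actual, name_of):   # owner/group may be a name or a numeric ID
    try:
        return expected == (str(actual) if expected.isdigit() else name_of(actual))
    except KeyError:
        return False

def check_file(path, stanza):
    """Compare the object on disk with its stanza; returns [(attribute, expected, actual)]."""
    st, bad, typ = os.stat(path), [], stanza["type"].upper()
    if not TYPES[typ](st.st_mode):
        bad.append(("type", typ, stat.filemode(st.st_mode)))
    if "owner" in stanza and not _id_ok(stanza["owner"], st.st_uid, lambda u: pwd.getpwuid(u).pw_name):
        bad.append(("owner", stanza["owner"], st.st_uid))
    if "group" in stanza and not _id_ok(stanza["group"], st.st_gid, lambda g: grp.getgrgid(g).gr_name):
        bad.append(("group", stanza["group"], st.st_gid))
    if "mode" in stanza:
        flags, want = parse_mode(stanza["mode"])
        have = stat.S_IMODE(st.st_mode)
        if "acl" in stanza:       # acl defined: SUID/SGID/SVTX in mode are ignored (the ACL itself is not checked here)
            have &= 0o777
        else:
            want |= sum(BIT_FLAGS[f] for f in flags if f in BIT_FLAGS)
        if have != want:
            bad.append(("mode", oct(want), oct(have)))
    if typ == "FILE" and stanza.get("size") != "VOLATILE":   # VOLATILE: size and checksum are not fixed
        if "size" in stanza and int(stanza["size"]) != st.st_size:
            bad.append(("size", int(stanza["size"]), st.st_size))
        if "checksum" in stanza and (actual := checksum_value(Path(path).read_bytes())) != stanza["checksum"]:
            bad.append(("checksum", stanza["checksum"], actual))
    return bad

def self_check():
    """Constructed scenario: a file matching its stanza, then the same file after tampering."""
    with tempfile.TemporaryDirectory() as d:
        path, content = os.path.join(d, "passwd"), b"root:!:0:0::/:/usr/bin/ksh\n"
        Path(path).write_bytes(content)
        os.chmod(path, 0o640)
        st = os.stat(path)            # numeric IDs: independent of /etc/passwd and setgid directories
        cfg = (f"{path}:\n   type = FILE\n   owner = {st.st_uid}\n   group = {st.st_gid}\n"
               "   mode = SUID,TCB,rw-,r--,---\n"      # SUID is ignored because acl is present
               '   acl = "attributes: SUID\\nbase permissions\\n    owner(root):  rw-"\n'
               f'   size = {len(content)}\n   checksum = "{checksum_value(content)}"\n')
        stanza = parse_sysck_cfg(cfg)[path]
        clean = check_file(path, stanza)
        Path(path).write_bytes(content + b"backdoor:!:0:0::/:/usr/bin/ksh\n")   # tamper
        return stanza, clean, check_file(path, stanza)
```

Running self_check() builds a file that matches its stanza and reports no discrepancies, then appends an account to it and reports the size and checksum mismatches, which is the kind of drift the tcbck checks are meant to surface. Owner and group are written as numeric IDs in the constructed stanza so the scenario does not depend on the names in the local /etc/passwd or on a setgid temporary directory.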

Security

Access Control: This file should grant read (r) access to the root user and members of the security group, and write (w) access to the root user only. General users do not need read (r) access.

Examples

  1. A typical stanza looks like the following example for the /etc/passwd file (the type keyword is one of those listed above):
    /etc/passwd:
       type  = FILE
       owner = root
       group = passwd
       mode  = TCB,640
  2. A typical mode specification looks like the following example for a program that is part of the trusted computing base, that is a trusted process, and that has the setuid attribute enabled:
    mode = SUID,TP,TCB,rwxr-x---
    OR
    mode = SUID,TP,TCB,750

Files

Item Description
/etc/security/sysck.cfg Specifies the path to the system configuration database.