IBM Support

AIX Security: Correcting trustchk errors

Question & Answer


Question

How can I resolve these trustchk errors?
# bosboot -a
trustchk: /sbin/rc.boot: Verification of attributes failed: hashvalue signature
# trustchk -y /sbin/rc.boot
trustchk: Verification of attributes failed: hash
trustchk: Verification of attributes failed: signature
trustchk: Verification of stanza failed:

Cause

Some products modify AIX base files that have entries in the Trusted Signature Database (TSD).
For each trusted file, the TSD (/etc/security/tsd/tsd.dat) records, among other attributes, a SHA-256 hash of the file contents and a digital signature. The AIX build environment produces that signature when the file is packaged and ships it in the AIX installation filesets, so the stanza is valid only for the file as IBM delivered it. A product script that modifies a trusted file without updating its TSD stanza leaves a hash and signature that no longer match the file on disk, and every subsequent trustchk check of that file fails.
For example, a PowerHA utility that sets the syncd interval rewrites a line in /sbin/rc.boot. This command:
/usr/es/sbin/cluster/utilities/clchsyncd 10
changes the syncd invocation in /sbin/rc.boot from the first line to the second:
- nohup /usr/sbin/syncd 60 > /dev/null 2>&1 &
+ nohup /usr/sbin/syncd 10 > /dev/null 2>&1 &:
Subsequent bosboot commands fail with the following error:
# bosboot -a
trustchk: /sbin/rc.boot: Verification of attributes failed: hashvalue signature
Attempts to correct the TSD fail:
# trustchk -y /sbin/rc.boot
trustchk: Verification of attributes failed: hash
trustchk: Verification of attributes failed: signature
trustchk: Verification of stanza failed:
When trustchk -y finds a hash or signature mismatch it does not repair the stanza; it disables the file by changing its permission bits. So the next check additionally reports a mode discrepancy:
# trustchk -y /sbin/rc.boot
trustchk: Verification of attributes failed: mode
trustchk: Verification of attributes failed: hash
trustchk: Verification of attributes failed: signature
trustchk: Verification of stanza failed:

Answer

To resolve the errors and allow the file to execute in a trusted environment, replace the stale stanza in the TSD (/etc/security/tsd/tsd.dat) with one that carries a new hash and a signature made with a locally generated key. Before doing so, confirm that the file contains only the expected modification (here, the changed syncd interval), because re-adding the stanza trusts whatever content the file has at that moment. If trustchk -y has already disabled the file, restore its original permission bits first, since trustchk -a records the file's current attributes in the new stanza.
1) Remove the failing file stanza from TSD
# trustedFile=/sbin/rc.boot
# trustchk -d $trustedFile
2) Generate a 2048-bit private key in PEM format. Anyone who holds this key can sign any file into the TSD, so create it with restrictive permissions (for example, under umask 077) and keep it readable by root only.
# openssl genrsa -out /etc/security/TSDprivkey.pem 2048
3) Create the corresponding certificate in DER format (valid for 3650 days, or 10 years)
# openssl req -new -x509 -key /etc/security/TSDprivkey.pem -outform DER -out /etc/security/TSDcertificate.der -days 3650
4) Convert the private key from PEM into DER format
# openssl pkcs8 -inform PEM -in /etc/security/TSDprivkey.pem -topk8 -nocrypt -outform DER -out /etc/security/TSDprivkey.der
5) Invoke trustchk to include an entry for the file
# trustchk -s /etc/security/TSDprivkey.der -v /etc/security/TSDcertificate.der -a $trustedFile
6) Check the stanza
# trustchk -n $trustedFile
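The six steps above as one script, added here as an example; it is not taken from the IBM page or from AIX itself. It assumes an AIX system with trustchk and openssl, run as root. The key and certificate paths are the ones the page uses; the function names (tsd_ensure_keypair, tsd_failed_attrs, tsd_resign_file), the KEYDIR override, the reuse of one signing key across files and the requirement to pass the SHA-256 of the file as you reviewed it are this example's own additions. tsd_failed_attrs parses the trustchk messages shown above so that a wrapper can tell a hash or signature failure from a mode-only one.

```shell
#!/bin/sh
# Added example, not from the IBM page: re-sign a modified trusted file so that
# trustchk accepts it again. Assumes AIX with trustchk and openssl, run as root.
# Key and certificate paths follow the page; KEYDIR may be overridden in the
# environment. The tsd_* function names are this example's own.

KEYDIR=${KEYDIR:-/etc/security}

# Create the local signing key pair once (steps 2-4 of the page) and reuse it
# for every file re-signed later. Whoever holds this key can add any file to
# the TSD, so it is written under umask 077 and stays readable by root only.
tsd_ensure_keypair() {
    priv_pem=$KEYDIR/TSDprivkey.pem
    priv_der=$KEYDIR/TSDprivkey.der
    cert_der=$KEYDIR/TSDcertificate.der
    [ -s "$priv_der" ] && [ -s "$cert_der" ] && return 0
    (
        umask 077
        openssl genrsa -out "$priv_pem" 2048 2>/dev/null &&
        openssl req -new -x509 -key "$priv_pem" -subj "/CN=local TSD signer" \
            -days 3650 -outform DER -out "$cert_der" 2>/dev/null &&
        openssl pkcs8 -topk8 -nocrypt -inform PEM -in "$priv_pem" \
            -outform DER -out "$priv_der" 2>/dev/null
    )
}

# Print the attribute names a trustchk failure reports, one per line.
# Handles both the bosboot form ("trustchk: /sbin/rc.boot: ... failed:
# hashvalue signature") and the per-attribute form ("trustchk: ... failed: hash").
tsd_failed_attrs() {
    printf '%s\n' "$1" |
        sed -n 's/^trustchk: .*Verification of attributes failed: //p' |
        tr ' ' '\n'
}

# Re-sign one trusted file (steps 1, 5 and 6 of the page).
#   $1 = trusted file, $2 = SHA-256 of the file as you reviewed it.
# The hash check is the safety interlock: trustchk -a trusts whatever content
# the file has at that moment, so refuse unless it is the content you reviewed.
tsd_resign_file() {
    f=$1
    expected=$2
    actual=$(openssl dgst -sha256 "$f" | awk '{print $NF}')
    if [ "$actual" != "$expected" ]; then
        echo "$f: SHA-256 $actual differs from reviewed $expected; not signing" >&2
        return 2
    fi
    tsd_ensure_keypair || return 1
    trustchk -d "$f" || return 1
    trustchk -s "$KEYDIR/TSDprivkey.der" -v "$KEYDIR/TSDcertificate.der" -a "$f" || return 1
    trustchk -n "$f"    # verify the new stanza without changing anything
}

# Usage: sh resign_tsd.sh /sbin/rc.boot <sha256-of-reviewed-file>
if [ $# -eq 2 ]; then
    tsd_resign_file "$1" "$2"
fi
```

Review the modified file, compute its hash with openssl dgst -sha256, and pass that hash on the command line; the script refuses to sign if the content changed between the review and the run. Generating the key pair only once is a design choice of this example: the page's steps, repeated for each failing file, would create a new self-signed certificate every time, which makes it harder to know which certificate vouches for which stanza.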

IBM recommends that you report the issue to the product team that provides the scripts or commands, so they can review their packaging or documentation to avoid causing trustchk errors.
SUPPORT

If you require more assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  

1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2. Capture any logs or data relevant to the situation.

3. Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4. Provide a clear, concise description of the issue.

 - For more information, see: Working with IBM AIX Support: Describing the problem.

5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For more information, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
14 November 2023

UID

ibm17074527