IBM Support

AIX Security: What are the correct values for Trusted AIX tsd.dat?

Question & Answer


Question

How do I know the correct entries for Trusted AIX tsd.dat?

Answer

There is no reliable way to determine what the tsd.dat values should be without examining a particular fileset for that file's security information. That information could also be updated by other applications, and there is no registration process that tracks every call to this database. You could enable auditing and track the trustchk command and any modifications of tsd.dat.
There is a supported, and highly recommended, way to keep a consistent tsd.dat: establish a production-level Trusted Signature Database that can be referenced as a baseline for all similar systems in your environment. The administrator is expected to perform the following, in order:
  1. Install all the software required for their production environment on the AIX server.
  2. Establish the baseline.
  3. Use the established production level Trusted Signature Database as a reference baseline for all similar systems in their environment. 
The baseline must be secured. The easiest ways to achieve this include:
a) Store the reference baseline on write-once media, such as CD-R/DVD-R.
b) Store the file in a separate location, on a separate system.
Periodically use this file to check for integrity.
For example,
# trustchk -F <protected media_backup-tsd> -n ALL

Additionally, you can lock the tsd.dat.
# trustchk -p TE=ON TSD_LOCK=ON
This option protects the Trusted Signature Database. However, the locked option causes intentional trustchk add or delete calls to fail, so the administrator must plan updates and modifications accordingly.
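The baseline procedure above, as an added example script that is not part of the IBM page: it copies the live tsd.dat to a reference location, records the copy's SHA-256 so the reference itself can be verified before it is trusted, and then runs the trustchk check and lock commands shown in the answer. The tsd.dat path, the baseline location and the digest file are assumptions; only the trustchk invocations come from the page.

```shell
#!/bin/sh
# Added example (not IBM's code). Paths below are assumptions; override via environment.
TSD_LIVE=${TSD_LIVE:-/etc/security/tsd/tsd.dat}          # live Trusted Signature Database (assumed path)
BASELINE=${BASELINE:-/secure/baseline/tsd.dat.baseline}  # reference copy kept on write-once media or another system
DIGEST_FILE=${DIGEST_FILE:-$BASELINE.sha256}             # recorded digest of the reference copy

# Hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Step 2 of the procedure: take the baseline after all production software is
# installed, and record its digest so the reference copy can be checked later.
establish_baseline() {
    cp "$TSD_LIVE" "$BASELINE" || return 1
    sha256_of "$BASELINE" > "$DIGEST_FILE"
}

# Returns 0 only when the reference copy ($1) still matches the recorded digest ($2).
# A baseline that fails this check must not be used as a reference.
verify_baseline() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    [ "$(sha256_of "$1")" = "$(cat "$2")" ]
}

# Periodic integrity check of the system against the reference baseline,
# using the trustchk form shown in the answer. trustchk's exit status is
# passed through for the administrator to review.
check_against_baseline() {
    if ! verify_baseline "$BASELINE" "$DIGEST_FILE"; then
        echo "baseline copy failed its own digest check; refusing to use it" >&2
        return 2
    fi
    trustchk -F "$BASELINE" -n ALL
}

# Lock the database (from the answer). Remember that add/delete calls fail while locked.
lock_tsd() {
    trustchk -p TE=ON TSD_LOCK=ON
}

case "${1:-}" in
    establish) establish_baseline ;;
    check)     check_against_baseline ;;
    lock)      lock_tsd ;;
esac
```

Run as `sh tsd-baseline.sh establish` once after the production install, then `sh tsd-baseline.sh check` on a schedule; the establish and verify functions run on any POSIX shell, the check and lock functions need trustchk on Trusted AIX.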
More details are documented in the following white paper:
SUPPORT
Security configuration (for example, RBAC, Trusted AIX, AIX Security Expert, ACLs, auditing) involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements.

AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, IBM support experts are happy to assist.
If you require AIX defect or usage assistance, use the following step-by-step instructions to contact IBM and open a case for software with an active and valid support contract.

1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2. Capture any logs or data relevant to the situation.

3. Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4. Provide a clear, concise description of the issue.

 - For more information, see: Working with IBM AIX Support: Describing the problem.

5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For more information, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
15 February 2023

UID

ibm16540270