Enabling MD5 or SHA1 Checksums With TCB

Answer

This can be done using the tcbck command, which can audit the state of objects on the system. Part of this auditing is to compare a checksum included in the database to the object for a match. By default tcbck uses the output of the command "sum -r" as a checksum. Some institutions may require more secure checksums to be used.

It is possible to configure TCB to use alternate checksums, such as MD5 or SHA1. There is a small amount of information about this in the man pages of AIX:


In the tcbck man page:

File definitions to be added or modified with the -a flag can be
specified on the command line or in a file as Attribute=Value
statements. The following attributes can be used:

checksum
The checksum of the file. If the value is blank, the checksum
attribute is removed. If no value is specified, the command
computes a value, according to the format given in the sum
command. The value is the output of the sum -r command, including
spaces.

The section relating to the 'sysck' stanza, which configures the behavior of tcbck says:

You can add, delete, or modify the attributes of the tcbck command by creating or modifying a sysck stanza in the /etc/security/sysck.cfg file. The following attributes can be used:

checksum

An alternate checksum command to compute the checksum value of
files. The system appends the name of each file to the command. If
the value is blank, this alternate checksum attribute is removed.
The value is the command string to be run on each file. The
default string is /usr/bin/sum -r <.

In the AIX Security Manual we find this statement about using MD5 checksums:

Although not cryptographically secure, the TCB uses the sum command for checksums. The TCB database can be set up manually with a different checksum command, for example, the md5sum command that is shipped in the textutils RPM Package Manager package with AIX Toolbox for Linux Applications CD.

Note: It's actually in coreutils now, included with other packages.

TCB can also be set up to use SHA1 checksums using the /usr/linux/bin/sha1sum command included in the coreutils package. The example below will show how to enable MD5 checksums, but setting up TCB for SHA1 checksums can be done by following the same steps, but instead of using the md5sum command substitute the sha1sum command.


Steps To Enable MD5 Checksum Use In TCB

1. Install the coreutils RPM from the AIX Linux Toolkit

Either load coreutils.rpm from the AIX Linux Toolbox CDs or download it from the IBM website:

http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/download.html

Install the coreutils RPM:

# rpm -ivh coreutils-5.2.1-2.aix5.1.ppc.rpm
coreutils
##################################################

Make sure md5sum command was installed:

# which md5sum
/usr/bin/md5sum


2. Set up TCB to use md5sum instead of sum for generating and validating checksums

Check the /etc/security/sysck.cfg file stanza for 'sysck'. The default stanza is:

sysck:
        treeck_novfs = "/proc"

Use tcbck to add a 'checksum' attribute to the sysck stanza, and set it to use the md5sum binary for checksum generation and computation:

*See Note below before running tcbck!

# tcbck -a sysck checksum="/usr/bin/md5sum <"

The sysck stanza will now look like:

sysck:
        treeck_novfs = "/proc"
        checksum = "/usr/bin/md5sum <"


3. Change each entry containing a checksum to use the md5sum result.

So as an example we'll use the passwd command and change its checksum.

Check that the binary for the passwd command is in the TCB database:

# chtcb query /usr/bin/passwd
/usr/bin/passwd is in the TCB

If we take a look at the stanza for passwd here's what we have:
# grep -p /usr/bin/passwd sysck.cfg

/usr/bin/passwd:
        type = FILE
        class = apply,inventory,bos.rte.security
        owner = root
        group = security
        mode = TCB,SUID,r-xr-xr-x
        checksum = "10346    28 "
        size = 27868

To change this individual entry run:

# tcbck -a /usr/bin/passwd checksum

Now view the entry to see how it's changed.
# grep -p /usr/bin/passwd sysck.cfg

/usr/bin/passwd:
        type = FILE
        class = apply,inventory,bos.rte.security
        owner = root
        group = security
        mode = TCB,SUID,r-xr-xr-x
        checksum = "91f9715806bf2566e4444b6ca909aae9  -"
        size = 27868

We now see that the entry has a different checksum computed for it.

Check that the entry for /usr/bin/passwd now passes TCB checking:

# tcbck -n /usr/bin/passwd

If this simply returns the prompt then the file has passed the TCB Check.


Checking another file that has not been converted to use the new MD5 checksum will fail with a bad checksum error. We expect this, since it has not been converted to contain the proper MD5 checksum yet.

# tcbck -n /usr/bin/stopsrc
3001-028 The file /usr/bin/stopsrc has the wrong checksum value.

# grep -p /usr/bin/stopsrc sysck.cfg
/usr/bin/stopsrc:
          owner = root
          group = system
          mode = TCB,SGID,550
          type = FILE
          class = apply,inventory,bos.rte.SRC
          size = 4460
          checksum = "12325     5 "

Each individual entry in the /etc/security/sysck.cfg file that has a numeric result for the checksum value will have to be changed in this manner. Entries where the checksum value is set to the keyword VOLATILE are understood by TCB to be files that may change over time, and do not need to
be changed. However this still leaves 1286 entries in the file that all need to be changed via tcbck.

Also, each time one of the filesets containing a file listed in the sysck.cfg database is updated, an entry for it will be created with the ORIGINAL checksum that was computed using 'sum -r' when it was packaged at IBM. So if any updates are performed on the system the entries of files updated will have to be manually recomputed with the MD5 checksum.


* NOTE: Defect APAR IY87424 CAPP PROFILE CORRUPTS LINES IN SYSCK.CFG exists in AIX 5.3 TL5 and below where running tcbck -a will corrupt the stanza for the file you are trying to update. Please insure you are at TL6 or higher and have this APAR installed before running tcbck -a.