Question & Answer
Question
How do I enable Trusted Execution?
Answer
Trusted Execution (TE) introduces a new mechanism for verifying a system's integrity; the Trusted Computing Base (TCB) remains available as an alternative. TE implements a set of advanced security policies which, used together, raise the trust level of the complete system.
The TE policy itself enables or disables the trusted execution function. Only after this policy is enabled can the other policies take effect.
The Trusted Execution Path (TEP) defines a list of directories that contain the trusted commands. When TEP verification is enabled, the system loader allows only commands located in the listed directories to run.
The Trusted Library Path (TLP) has the same function, except that it defines the directories that contain the trusted libraries of the system. When TLP is enabled, the system loader allows only libraries from the listed directories to be linked to commands.
The trustchk command is used to enable or disable TEP and TLP and to set the colon-separated directory list for each, through the tep and tlp policy attributes of trustchk -p.
Quick reference for security checks
Integrity Checking reference:
TE –> System and runtime checking.
TCB –> System checking only.
System Enablement:
TE –> Enabled at any time.
TCB –> Installation time option.
Security Database Files:
TE –> /etc/security/tsd/tsd.dat
TCB –> /etc/security/sysck.cfg
Management Commands:
TE –> trustchk
TCB –> tcbck
Trusted Execution Policy Management:
TE: Enables or disables runtime checking.
CHKEXEC: Checks the integrity of commands before running them.
CHKSHLIB: Checks the integrity of shared libraries before loading them.
CHKSCRIPT: Checks the integrity of shell scripts before running them.
CHKKERNEXT: Checks the integrity of kernel extensions before loading them.
TSD_LOCK: Disables modification of the TSD itself.
TSD_FILES_LOCK: Disables modification of the files listed in the TSD.
STOP_UNTRUSTD: Refuses to load files that have no entry in the TSD.
STOP_ON_CHKFAIL: Refuses to load a file whose integrity check fails.
TEP: Allows execution of commands only from a defined list of directories.
TLP: Allows library loads only from a defined list of directories.
trustchk -p accepts these policy names in either case, as the examples in this document (tsd_lock=on, TE=ON) show.
For TE to work, the CryptoLite for C (CLiC) library and kernel extension need to be installed and loaded on your system. These file sets are included on the AIX Expansion Pack and are provided at no charge. To check whether they are installed on your system and loaded into the kernel, run:
# lslpp -l "clic*"
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  clic.rte.kernext           4.3.0.0  COMMITTED  CryptoLite for C Kernel
  clic.rte.lib               4.3.0.0  COMMITTED  CryptoLite for C Library
Path: /etc/objrepos
  clic.rte.kernext           4.3.0.0  COMMITTED  CryptoLite for C Kernel
# genkex | grep clic
 4562000    37748 /usr/lib/drivers/crypto/clickext
If the file sets are not installed, install them and, once the installation completes successfully, load the kernel extension by running:
# /usr/lib/methods/loadkclic
The Trusted Signature Database (TSD) stores the critical security parameters of the trusted files present on the system. It lives at /etc/security/tsd/tsd.dat and ships with every AIX release. In TE's context, trusted files are files that are critical to the security of the system and that, if compromised, can jeopardize the security of the entire system. Typically the files that match this definition are:
- The kernel (operating system)
- All SUID root programs
- All SGID root programs
- Any program that is run exclusively by root or by a member of the system group
- Any program that the administrator must run while on the trusted communication path (for example, the ls command)
- The configuration files that control system operation
- Any program that runs with the privilege or access rights to alter the kernel or the system configuration files
Every trusted file should have an associated stanza (file definition) stored in the TSD. A file is marked as trusted by adding its definition to the TSD with the trustchk command, which can add, delete and list TSD entries. The TSD can be locked so that even root can no longer write to it; locking takes effect immediately.
Example of the ksh stanza in the TSD file (/etc/security/tsd/tsd.dat):
/usr/bin/ksh:
        owner = bin
        group = bin
        mode = TCB,555
        type = FILE
        hardlinks = /usr/bin/sh,/usr/bin/psh,/usr/bin/tsh,/usr/bin/rksh
        symlinks =
        size = 294254
        cert_tag = 00af4b62b878aa47f7
        signature = 8e8118ec793fd4899ccc38c0f4ab88571b0488024aff80f83d0bde2380f3ae44137a26607cd5d4c5e58e02ad1f872ca1c398f8702ad38f3a0f0a584c2061bb09de3e5218405f1b07d80efe0be192d3333b8cd49a4ff980ce5e1f15f6b64d3b38f75d0cc6fb5ef9e7d8b410547c40181847c5ae980979abf3279f25c6b512178a
        hash_value = f3a2e9b92e2cfc10ffb2274680c97f29742ff2dd12dda04de85544fd8c039fd8
        t_accessauths = aix.mls.system.access.dir
        t_innateprivs = PV_DAC_R,PV_DAC_X,PV_MAC_R
/usr/lib/drivers/igcts:
        owner = root
        group = system
        mode = 555
        type = HLINK
        size = 7714
        cert_tag = 00af4b62b878aa47f7
        signature = b47d75587bbd4005c3fe98015d9c0776fd8d40f976fb0f529796ffe1b2f9028500ffd2383ca31cd2f39712f70e36c522dc1ba52c44334781a389ea06cdabd82c72d705fd94bffe59817b5a4d45651e2d5457cb83ebdb3b705a3b5c981c51eae79facfe271fbde0e396b7ea64d4dbd6ab753a3fa7a9578b7f5e6458b83d8f08df
        hash_value = 6d13bbd588ecfdd06cbb2dc3a17eabad6b51a42bd1fd62e7ae5402a75116e8bd
hash_value is the SHA-256 of the file (it can be compared with the output of openssl dgst -sha256, as the Examples section does for /usr/bin/ls); signature is the digital signature over that hash, and cert_tag identifies the certificate used to verify it.
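As an added example (not part of this IBM document, and not how trustchk itself is implemented), the following POSIX shell script parses a file in the tsd.dat stanza format shown above and compares each entry's size and hash_value against the file on disk, using openssl dgst -sha256 just as the Examples section later does by hand for /usr/bin/ls. It lets a copy of the TSD be checked from a script, or against a staging tree through an optional ROOT prefix. The helper names file_sha256 and tsd_verify, the ROOT argument and the report format are this example's own; owner, mode, signature and cert_tag are not checked.

```shell
#!/bin/sh
# Added example (not part of the IBM page): check files against a
# tsd.dat-style stanza file without trustchk. Helper names are made up here.
#
# Stanza layout parsed, as shown on this page:
#   /usr/bin/ksh:
#           size = 294254
#           hash_value = <sha256 hex>
#           ...

# Print the SHA-256 of a file as lowercase hex. openssl as on the page,
# sha256sum as a fallback; $NF copes with "SHA256(f)= x" and "SHA2-256(f)= x".
file_sha256() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# tsd_verify TSDFILE [ROOT]
# Reports "OK path", "MISMATCH path (size|hash_value)", "MISSING path" or
# "NOHASH path" (stanza without a hash, e.g. a directory) per entry and
# returns 1 if any entry mismatches or is missing. ROOT is prefixed to every
# stanza path so an exported tsd.dat can be checked against a staging tree.
tsd_verify() {
    tsd=$1; root=${2:-}; rc=0
    # Flatten each stanza into one "path|hash|size" record (keys matched
    # case-insensitively because the page shows them capitalised).
    records=$(awk '
        function flush() {
            if (path != "") print path "|" hash "|" size
            path = ""; hash = ""; size = ""
        }
        /^\/.*:$/ { flush(); path = substr($0, 1, length($0) - 1); next }
        /^[ \t]*[Hh]ash_value[ \t]*=/ { sub(/.*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); hash = $0 }
        /^[ \t]*[Ss]ize[ \t]*=/       { sub(/.*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); size = $0 }
        END { flush() }
    ' "$tsd")
    # Here-document rather than a pipe so rc survives (no subshell).
    while IFS='|' read -r path hash size; do
        [ -n "$path" ] || continue
        f="$root$path"
        if [ -z "$hash" ]; then
            printf 'NOHASH %s\n' "$path"; continue
        fi
        if [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$path"; rc=1; continue
        fi
        # Size first: cheap, and a changed size already proves tampering.
        if [ -n "$size" ] && [ "$(wc -c < "$f" | tr -d ' ')" != "$size" ]; then
            printf 'MISMATCH %s (size)\n' "$path"; rc=1; continue
        fi
        if [ "$(file_sha256 "$f")" != "$hash" ]; then
            printf 'MISMATCH %s (hash_value)\n' "$path"; rc=1; continue
        fi
        printf 'OK %s\n' "$path"
    done <<EOF
$records
EOF
    return $rc
}

# Usage: sh tsd_verify.sh /etc/security/tsd/tsd.dat [ROOT]
if [ $# -gt 0 ]; then
    tsd_verify "$@"
fi
```

A non-zero exit status means at least one trusted file differs from its stanza; with TE on and STOP_ON_CHKFAIL set, the loader would refuse exactly those files, so running this against an exported copy of the TSD before enabling the policy shows in advance what would be blocked.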
To lock the TSD and turn TE on, run:
# trustchk -p tsd_lock=on
# trustchk -p te=on
The TSD is then immediately protected against any kind of modification; neither trustchk nor a manual edit of the file can change it:
# trustchk -d /usr/bin/ps
Error writing to database file
# echo >> /etc/security/tsd/tsd.dat
Operation not permitted.
To make the TSD writable again, either turn TE off completely or set tsd_lock to off.
When the system blocks untrusted shell scripts through the CHKSCRIPT policy, make sure every script your services need is included in the TSD. For example, if you use OpenSSH, make sure the Ssshd and Ksshd start and stop scripts in /etc/rc.d/rc2.d are in the TSD; otherwise sshd does not start after a reboot and is not shut down on a system shutdown:
# trustchk -p stop_untrustd=on
# trustchk -p chkscript=on
With chkscript=on and stop_untrustd=on set as above, running a script that is not in the TSD is denied regardless of its permissions, even when root starts it:
# ./foo
ksh: ./foo: 0403-006 permission denied.
# ls -l foo
-rwx------ root system 17 May 10 11:51 foo
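As an added example (not from this document), a small POSIX shell function that does the pre-flight check described above: given a tsd.dat-style file and one or more directories such as /etc/rc.d/rc2.d, it lists every regular file in those directories that has no stanza in the TSD, so they can be added with trustchk -a before chkscript and stop_untrustd are switched on. The function name tsd_unlisted and the UNLISTED report format are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM page): before turning on chkscript and
# stop_untrustd, list the files in a directory that have no stanza in a
# tsd.dat-style file. The function name tsd_unlisted is this example's own.

# tsd_unlisted TSDFILE DIR...
# Prints "UNLISTED path" for every regular file (or symlink to one) in each
# DIR whose path has no stanza in TSDFILE, and returns 1 if any were found.
# Symlinks are flagged as such because the TSD is keyed by path: a link to
# a trusted file is not itself trusted unless the link has its own stanza.
tsd_unlisted() {
    tsd=$1; shift; rc=0
    for dir in "$@"; do
        dir=${dir%/}                           # normalise trailing slash
        for f in "$dir"/*; do
            [ -e "$f" ] || continue            # empty directory: literal "*"
            [ -f "$f" ] || continue            # skip subdirectories, devices
            # Stanza headers are the exact path followed by a colon.
            if grep -qxF "$f:" "$tsd"; then
                continue
            fi
            if [ -h "$f" ]; then
                printf 'UNLISTED %s (symlink)\n' "$f"
            else
                printf 'UNLISTED %s\n' "$f"
            fi
            rc=1
        done
    done
    return $rc
}

# Usage: sh tsd_unlisted.sh /etc/security/tsd/tsd.dat /etc/rc.d/rc2.d
if [ $# -gt 1 ]; then
    tsd_unlisted "$@"
fi
```

Run it against every directory whose scripts are started at boot or shutdown; any path it prints would be refused by the loader once stop_untrustd is on.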
The Trusted Execution Path defines a list of directories that contain the trusted commands. When TEP verification is enabled, the system loader allows only commands located in the listed directories to run. Querying the policy shows whether it is enforced (ON or OFF) followed by the current directory list; for example:
# trustchk -p tep
TEP=OFF
TEP=/usr/bin:/usr/sbin
# trustchk -p
tep=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/usr/lib/instl:/usr/ccs/bin
# trustchk -p tep
TEP=OFF
TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/usr/lib/instl:/usr/ccs/bin
Turning enforcement on does not alter the list:
# trustchk -p tep=on
# trustchk -p tep
TEP=ON
TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/usr/lib/instl:/usr/ccs/bin
The Trusted Library Path has the same function as the Trusted Execution Path, with the only difference that it defines the directories that contain the trusted libraries of the system. When TLP is enabled, the system loader allows only libraries from the listed directories to be linked to commands.
The trustchk command enables or disables TEP and TLP and sets the colon-separated directory list for each, through the tep and tlp attributes of trustchk -p:
# trustchk -p tlp
TLP=OFF
TLP=/usr/lib:/usr/ccs/lib:/lib:/var/lib
TLP uses a flag to control its operation: FSF_TLIB. If a file has the FSF_TLIB flag set in its TSD stanza, the process that results from executing it is marked as a TLIB process. A TLIB process can link only to *.so libraries that also have the TLIB flag set.
Note: Be careful when changing either the Trusted Execution Path or the Trusted Library Path. Do not remove paths from their default settings, which are currently:
TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin
TLP=/usr/lib:/usr/ccs/lib:/lib:/var/lib
Doing so most probably results in a system that no longer restarts and functions properly, because it can no longer access necessary files and data.
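As an added example (not from this document, and not a description of the AIX loader's own algorithm), two POSIX shell helpers for working with the TEP/TLP lists before committing a change with trustchk -p: dropped_defaults compares a proposed list against the defaults quoted above and prints every default directory it lacks, and tep_allows emulates the directory-membership rule on canonical paths to show why such a check must resolve symlinks and ".." and must not be a plain string-prefix match. The function names, the TEP_DEFAULT/TLP_DEFAULT constants and the exact-directory matching are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM page): helpers for the colon-separated
# TEP/TLP lists. tep_allows emulates "command must live in a listed
# directory" on canonical paths; dropped_defaults reports which of the
# page's default entries a proposed new list no longer contains. Function
# names and exact-directory matching are this example's own assumptions.

# Defaults as quoted on the page.
TEP_DEFAULT='/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin'
TLP_DEFAULT='/usr/lib:/usr/ccs/lib:/lib:/var/lib'

# Canonical form of a directory (symlinks and ".." resolved); fails if absent.
canon_dir() {
    (CDPATH= cd -P -- "$1" 2>/dev/null && pwd -P)
}

# tep_allows CMDPATH LIST
# Returns 0 if CMDPATH's directory resolves to one of the directories in
# LIST. Both sides are canonicalised, so /usr/bin/../tmp/x and a symlinked
# directory are judged by where they really point, and /usr/binx is not
# mistaken for /usr/bin by a prefix match.
tep_allows() {
    cmd=$1; list=$2
    case $cmd in
        */*) d=${cmd%/*}; [ -n "$d" ] || d=/ ;;
        *)   return 1 ;;                       # bare name: nothing to resolve
    esac
    real=$(canon_dir "$d") || return 1
    oldifs=$IFS; IFS=:
    for entry in $list; do
        IFS=$oldifs
        [ -n "$entry" ] || continue
        ce=$(canon_dir "$entry") || continue   # missing directory cannot match
        [ "$ce" = "$real" ] && return 0
    done
    IFS=$oldifs
    return 1
}

# dropped_defaults NEWLIST DEFAULTLIST
# Prints each entry of DEFAULTLIST that NEWLIST lacks; returns 1 if any.
dropped_defaults() {
    new=$1; def=$2; rc=0
    oldifs=$IFS; IFS=:
    for d in $def; do
        IFS=$oldifs
        case ":$new:" in
            *":$d:"*) ;;
            *) printf '%s\n' "$d"; rc=1 ;;
        esac
    done
    IFS=$oldifs
    return $rc
}

# Usage: sh tep_check.sh '/usr/bin:/usr/sbin'  (proposed TEP) lists what the
# new value drops relative to TEP_DEFAULT before it is applied with trustchk.
if [ $# -eq 1 ]; then
    dropped_defaults "$1" "$TEP_DEFAULT"
fi
```

If dropped_defaults prints anything for a value you are about to pass to trustchk -p tep=... or tlp=..., that is the set of default directories whose commands or libraries the loader would start refusing, which is the failure the note above warns about.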
Check the whole system against the TSD and report mismatches:
# trustchk -n ALL
Delete the entry for /usr/bin/ls from the TSD:
# trustchk -d /usr/bin/ls
Enable the policy that checks commands listed in the TSD on every load:
# trustchk -p CHKEXEC=ON
Turn on runtime TSD checking:
# trustchk -p TE=ON
Show the runtime policy currently in effect:
# trustchk -p
Examples
1) Adding the STOP_ON_CHKFAIL option so that commands failing the integrity check are stopped
First confirm that the SHA-256 of /usr/bin/ls on disk matches the hash_value recorded for it in the TSD:
# openssl dgst -sha256 /usr/bin/ls | awk '{print $2}'
8f3505509771df3915b6f8c7e45fc6a56ec68d4c082bfb640f89c2251bf9550c
# trustchk -q /usr/bin/ls | grep hash_value | awk '{print $3}'
8f3505509771df3915b6f8c7e45fc6a56ec68d4c082bfb640f89c2251bf9550c
The policies involved:
• TE=[ON|OFF]: turns runtime checks on or off
• CHKEXEC=[ON|OFF]: turns command integrity checking on or off
• STOP_ON_CHKFAIL=[ON|OFF]: stops commands that fail the integrity check
• STOP_UNTRUSTD=[ON|OFF]: stops commands not listed in /etc/security/tsd/tsd.dat
Keep a known-good copy of ls, then alter /usr/bin/ls so that its hash no longer matches the TSD (the alteration itself is not shown here):
# cp /usr/bin/ls /usr/bin/.goodls
- Hash value of "/usr/bin/ls" command changed
# trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=ON
# ls
ksh: ls: 0403-006 permission denied.
Putting the known-good copy back, with the owner the stanza expects, makes the check pass again:
# cp /usr/bin/ls /usr/bin/.badls
# cp /usr/bin/.goodls /usr/bin/ls
# chown bin:bin /usr/bin/ls
# ls
file1 file2 dir1
2) Using the STOP_UNTRUSTD=ON option so that executables not listed in /etc/security/tsd/tsd.dat are stopped
# trustchk -p TE=ON CHKEXEC=ON STOP_UNTRUSTD=ON
# ls
file1 file2 dir1
# /usr/bin/.goodls
ksh: /usr/bin/.goodls: 0403-006 permission denied.
# ls -l /usr/bin/.goodls
-r-xr-xr-x 1 bin bin 26732 May 28 17:39 /usr/bin/.goodls
Note that /usr/bin/.goodls is the same content as the trusted ls binary, with the same owner and mode; it is refused purely because that path has no entry in the TSD. TE trusts TSD entries, not file contents, so a trusted program copied to an unlisted location is untrusted.
Thank you very much for taking the time to read through this document.
I hope it is helpful. If you feel you found any inconsistencies, don’t hesitate to email me at ahdmashr@eg.ibm.com
Ahmed Mashhour
Document Information
More support for:
AIX
Component:
AIX General Support
Software version:
6.1.0, 7.1.0, 7.2.0
Operating system(s):
AIX
Document number:
630835
Modified date:
21 February 2023
UID
isg3T1025003