tcbck Command

AIX Version 4.3 Commands Reference, Volume 5

tcbck Command

Purpose

Audits the security state of the system.

Syntax

Check Mode

tcbck { -n | -p | -t| -y } [ -i ] { ALL | tree | { Name ... Class ... } }

Update Mode

tcbck -a -f File | PathName Attribute =  Value ...

tcbck -d -fFile | { PathName ... | Class ... }

tcbck -l /dev/filename /dev/filename

Description

The tcbck command audits the security state of the system by checking the installation of the files defined in the /etc/security/sysck.cfg file (the sysck database). Each file definition in the /etc/security/sysck.cfg file can include one or more attributes that describe proper installation. When invoked with no flags and with no parameters, the tcbck command prints a synopsis of its syntax.

The tcbck database usually defines all the files and programs that are part of the trusted computing base, but the root user or a member of the security group can choose to define only those files considered to be security-relevant.

Note: This command writes its messages to stderr.

Flags

-a	Adds or updates file definitions in the sysck database.
-d	Deletes file definitions from the sysck database.
-f File	Specifies that file definitions be read from File.
-i	Excludes filesystems under directories listed in the treeck_nodir attribute when the tree option is specified. This flag only applies to AIX Version 4.2 and above.
-l	(Lowercase L) Adds entries to the sysck.cfg file for /dev/ files that the administrator would like registered with the Trusted Computing Base.
-n	Specifies the checking mode and indicates that errors are to be reported, but not fixed.
-p	Specifies the checking mode and indicates that errors are to be fixed, but not reported.
-t	Specifies the checking mode and indicates that errors are to be reported with a prompt asking whether the error should be fixed.
-y	Specifies the checking mode and indicates that errors are to be fixed and reported.

Modes of Operation

The tcbck command has two modes of operation: check mode, and update mode. A description of each mode follows:

Check Mode

In Check mode, the tcbck command checks file definitions against the installed files. You can check all the file definitions in the sysck database (the /etc/security/sysck.cfg file) by specifying the ALL value, or all the files in the file system tree by specifying the tree value. If you prefer to check specific files, you can use the Name parameter to give the path names of individual files or the Class parameter to group several files into a logical group that is defined by a class name, such as audit. You must select one of the following: the ALL or tree values, or one or more files identified by the Class or Name parameter.

If the tree value is the selection criterion, all the files in the file system tree are checked to ensure that all the relevant files are defined in the sysck database. Files defined in the tcbck database are checked against their definitions. Files not in the tcbck database must not:

Have the trusted computing base attribute set.
Be setuid or setgid to an administrative ID.
Be linked to a file in the tcbck database.
Be a device special file.

If the tcbck command is running in check mode with both the tree value and the -t flag and an error occurs, the command provides an error message and prompts you for a decision on how or whether the error should be corrected. If you decide not to delete the file or turn off illegal permissions, you are prompted for a decision on updating the database. If you request an update, the system supplies missing information, such as the name of the file, the link, or the unregistered device name.

A flag ( -n, -p, -t, -y ) also must be included to specify check mode and identify the method of error handling. If there is a duplicate stanza in the /etc/security/sysck.cfg file, an error is reported, but not fixed.

Updating the Vital Product Database (VPD) involves defining the type, checksum, and size attributes of each file to the VPD manager. This information is used to verify a correct installation. If these attributes are not defined in -f File, they are computed when the program is installed or updated. The checksum attribute is computed with a method specifically defined for the VPD manager. Refer to the "Fixing Errors" section for more information on file attributes.

The only file definitions modified during an update are the new definitions that indicate a file is part of the trusted computing base (TCB). The File parameter is the stanza file that contains the file definitions in tcbck format, and is defined in the /etc/security/sysck.cfg file. When the update is complete, the files are checked against their file definitions in the stanza file and errors are fixed and reported.

Programs that require setuid or setgid privilege must be in the tcbck database, or these privileges will be cleared when the tcbck command runs in Check mode.

Update Mode

In update mode, the tcbck command adds (-a), deletes (-d), or modifies file definitions in the /etc/security/sysck.cfg file for the file specified by the File parameter, the PathName parameter, or the Class parameter. The Class parameter permits you to group several files into a logical group that is defined by a class name, such as audit. The tcbck command also deletes the specified stanzas from the /etc/security/sysck.cfg file.

In update mode, the tcbck command (-l) adds or modifies /dev/ entry definitions in the /etc/security/sysck.cfg file for the specified /dev entry. This flag should be run by the administrator to add newly created devices that are trusted to the sysck.cfg file. If new devices are not added to the sysck.cfg file the tree option produces warnings of unregistered devices.

The -l flag creates a stanza for each /dev/ entry listed on the command line. The information for the stanza is taken from the current status of the /dev entry. The stanza includes:

Device name	/dev/ entry name
File type	Either FILE, DIRECTORY, FIFO, SYMLINK, BLK_DEV, CHAR_DEV, or MPX_DEV
Owner id	Owner name
Group id	Group name
Permissions	Read/write/execute permissions for owner, group and other. SUID, SGID, SVTX and TCB attribute bits
Target	If the file is a symbolic link, the target file will be listed.

File definitions to be added or modified with the -a flag can be specified on the command line or in a file as Attribute=Value statements. The following attributes can be used:

acl	The access control list for the file. If the value is blank, the acl attribute is removed. If no value is specified, the command computes a value, according to the format described in Access Control Lists.
class	The logical group of the file. A value must be specified, since it cannot be computed. If the value is blank, the class attribute is removed from the specified file stanza. The value is ClassName [ClassName].
checksum	The checksum of the file. If the value is blank, the checksum attribute is removed. If no value is specified, the command computes a value, according to the format given in the sum command. The value is the output of the sum -r command, including spaces.
group	The file group. If the value is blank, the group attribute is removed. If no value is specified, the command computes a value, which can be a group ID or a group name.
links	The hard links to this file. If the value is blank, the links attribute is removed. A value must be specified, since it cannot be computed. The value must be an absolute path name, expressed as Path [,Path ...].
mode	The File mode. If the value is blank, the mode attribute is removed. If no value is specified, the command computes a value, which can be an octal number or string (rwx), and have the tcb, SUID, SGID, and SVTX attributes.
owner	The file owner. If the value is blank, the owner attribute is removed. If no value is specified, the command computes a value, which can be a user ID or a user name.
program	The associated checking program for the file. If the value is blank, the program attribute is removed. A value must be specified, since it cannot be computed. The value must be an absolute path name. If flags are specified, the value should be expressed as Path ,Flag.
symlinks	The symbolic links to the file. If the value is blank, the symlinks attribute is removed. A value must be specified, since it cannot be computed. The value must be an absolute path name, expressed as Path [,Path..].
size	The size of the file in bytes. If the value is blank, the size attribute is removed. If no value is specified, the command computes a value. The value is a decimal number.
source	The source for the file. If the value is blank, the source attribute is removed. If no value is specified, an empty file of the appropriate type is created. The value must be an absolute path name.
type	The type of file. This value cannot be blank. If no value is specified, the command computes a value, which can be the FILE, DIRECTORY, FIFO, BLK_DEV, CHAR_DEV, or MPX_DEV keywords.

You can add, delete, or modify the attributes of the tcbck command by creating or modifying a sysck stanza in the /etc/security/sysck.cfg file. The following attributes can be used:

checksum	An alternate checksum command to compute the checksum value of files. The system appends the name of each file to the command. If the value is blank, this alternate checksum attribute is removed. The value is the command string to be run on each file. The default string is /usr/bin/sum -r <.
setgids	An additional list of administrative groups to be checked for setgid programs that are not valid (groups with ID numbers above 200). If the value is blank, the setgids attribute is removed. The value is a comma separated list of group names.
setuids	An additional list of administrative users to be checked for setuid programs that are not valid (users with ID numbers above 200). If the value is blank, the setuids attribute is removed. The value is a comma separated list of user names.
treeck_novfs	A list of file systems to be excluded from verification by the tcbck command during a check of an installed file system tree. If the value is blank, the treeck_novfs attribute is removed. The value is a comma separated list of file systems.

treeck_nodir

A list of directories to be excluded from verification by the tcbck command. If the value is blank, the treeck_nodir attribute is removed. The value is a comma separated list of directories. File systems that exist under directories contained in this attribute are NOT excluded. Use the -i flag to exclude these file systems.

Refer to the /etc/security/sysck.cfg file for more information about these attributes and to the "Examples" section for an example of a typical stanza.

If Attributes are included without values, the command tries to compute the value from the file to be changed. The type attribute is mandatory, but the others do not need to be specified.

Fixing Errors

To fix errors, the tcbck command usually resets the attribute to the defined value. For the following attributes, the command modifies its actions as described:

checksum	Disables the file by clearing its access control list, but does not stop any further checks.
links	Creates any missing hard links. If a link exists to another file, the link is deleted.
program	Invokes the program, which must exist and have an absolute path name. A message is printed if an error occurs, but no additional action is taken.
size	Disables the file by clearing its access control list, but does not stop any further checks.
source	Copies the source file to the file identified by the File parameter. If the source is null, any existing file is deleted and a file of the correct type is created.
symlinks	Creates any missing symbolic links. If a link exists to another file, the link is deleted.
type	Disables the file by clearing its access control list, and stops any further checks.

If you used the -t flag with the tcbck command, you are prompted for a decision on fixing errors. If you answer yes, errors are fixed. If you give any other response, errors are not fixed.

Security

Access Control: This command should grant execute (x) access only to the root user and members of the security group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed:

Mode	File
r	/etc/passwd
r	/etc/group
r	/etc/security/user
rw	/etc/security/sysck.cfg
x	/usr/bin/aclget
x	/usr/bin/aclput
x	/usr/bin/sum

Auditing Events:

Event	Information
TCBCK_Check	file, error, status
TCBCK_Update	file, function

Examples

To add the /bin/boo file with acl, checksum, class, group, owner, and program attributes to the tcbck database, enter:
```
tcbck -a /bin/boo acl checksum class=audit group owner\
program=/bin/boock
```
The resulting stanza will contain the attributes given above, with computed values inserted for those attributes you do not define. The database will contain a stanza like the following:
```
/bin/boo:
       acl = 
       checksum = 48235
       class = audit
       group = system
       owner = root
       program = /bin/boock
       type = FILE          
```
The attribute values are added to the installation definition but are not checked for correctness. The program attribute value comes from the command line, the checksum attribute value is computed with the checksum program, and all the others, except acl, are computed from the file i-node.
To indicate that the size of a file should be checked but not added to the database, since it can expand during installation, use the VOLATILE keyword, as in the following example for the /etc/passwd file:
```
/etc/passwd:
        type =  FILE
        owner = root
        group = system
        size  = 1234,VOLATILE
```
To delete the /bin/boo file definition from the tcbck database, enter:
```
tcbck -d /bin/boo 
```
To delete all definitions with a class of audit from the tcbck database, enter:
```
tcbck -d audit
```
To check all the files in the tcbck database, and fix and report all errors, enter:
```
tcbck -y ALL
```
To exclude the /calvin and the /hobbes file systems from verification during a security audit of an installed file system tree, enter:
```
tcbck -a sysck treeck_novfs=/calvin,/hobbes 
```
To exclude a directory from verification during a security audit, enter:
```
tcbck -a sysck treeck_nodir=/home/john
```
To add jfh and jsl as administrative users and developers as an administrative group to be verified during a security audit of an installed file, enter:
```
tcbck -a sysck setuids=jfh,jsl setgids=developers
```
To create/modify sysck.cfg stanza entries for the newly created /dev entries foo and bar, enter:
```
tcbck -l /dev/foo /dev/bar
```
Note: By adding these entries you are registering them as part of the Trusted computing base.

Warning: Although the special characters "$" and "?" are allowed in this routine, using them in filenames may result in potential problems such as ambiguous files.

Files

/usr/bin/tcbck	Specifies the path to the tcbck command.
/etc/security/sysck.cfg	Specifies the path to the system configuration database.

Related Information

The aclget command, grpck command, installp command, pwdck command, sum command, usrck command.

The Software Vital Product Data (SWVPD) Overview in AIX Version 4.3 General Programming Concepts: Writing and Debugging Programs.

Access Control Lists in AIX Version 4.3 System User's Guide: Operating System and Devices discusses the format of an access control list and provides an example of one.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX Version 4.3 System Management Guide: Operating System and Devices.