[ Next Article | Previous Article | Book Contents | Library Home | Legal | Search ]
System Management Guide: Operating System and Devices

Trusted Computing Base

The system administrator must determine how much trust can be given to a particular program. This determination should include considering the value of the information resources on the system in deciding how much trust is required for a program to be installed with privilege.

Checking the Trusted Computing Base

The tcbck command audits the security state of the Trusted Computing Base. The security of the operating system is jeopardized when the TCB files are not properly protected or when configuration files have unsafe values. The tcbck command audits this information by reading the /etc/security/sysck.cfg file. This file includes a description of all TCB files, configuration files, and trusted commands.

Note: If the Install Trusted Computing Base option was not selected during the initial installation, the tcbck command will be disabled. The command can be properly enabled only by reinstalling the system.

Using the tcbck Command

The tcbck command is normally used to:

The tcbck command can be used in three ways:

Checking Trusted Files

Run the tcbck command to check the installation of trusted files at system initialization. To perform this automatically and produce a log of what was in error, add the following command to the /etc/rc file:

tcbck -y ALL

This causes the tcbck command to check the installation of each file described by the /etc/security/sysck.cfg file.

Checking the File System

Run the tcbck command to check the file system any time you suspect the integrity of the system may have been compromised. This is done by issuing the following command:

tcbck -t tree

When the tcbck command is used with the tree parameter, all files on the system are checked for correct installation (this could take a long time). If the tcbck command discovers any files that are potential threats to system security, you can alter the suspected file to remove the offending attributes. In addition, the following checks are performed on all other files in the file system:

Note: All device entries must have been added to the /etc/security/sysck.cfg file prior to execution of the tcbck command or the system is rendered unusable. Use the -l option to add trusted devices to /etc/security/sysck.cfg.

Adding a Trusted Program

To add a specific program to the /etc/security/sysck.cfg file, use the following command:

tcbck -a PathName [attribute=value]

Only attributes whose values can or should not be deduced from the current state of the file need be specified on the command line. All attribute names appear in the /etc/security/sysck.cfg file.

For example, the following command registers a new setuid-root program named /usr/bin/setgroups, which has a link named /usr/bin/getgroups:

tcbck -a /usr/bin/setgroups links=/usr/bin/get
groups

After installing a program, you may not know which new files should be registered in the /etc/security/sysck.cfg file. These can be found and added with the following command:

tcbck -t tree

This command displays the name of any file that should be registered in the /etc/security/sysck.cfg file.

Deleting a Trusted Program

If you remove a file described in the /etc/security/sysck.cfg file, you should also remove the description of this file. For example, if you have deleted the /etc/cvid program, the following command will cause an error message to be shown:

tcbck -t ALL

The error message shown is:

3001-020 The file /etc/cvid was not found.

The description of this program can be removed with the following command:

tcbck -d /etc/cvid

Configuring the tcbck Program

The tcbck command reads the /etc/security/sysck.cfg file to determine which files to check. Each trusted program on the system should be described by a stanza in the /etc/security/sysck.cfg file.

Each stanza has the following attributes:

class Name of a group of files. This attribute allows several files with the same class name to be checked by specifying a single argument to the tcbck command. More than one class can be specified, with each class being separated by a comma.
owner User ID or name of the file owner. If this does not match the file owner, the tcbck command sets the owner ID of the file to this value.
group Group ID or name of the file's group. If this does not match the file owner, the tcbck command sets the owner ID of the file to this value.
mode Comma-separated list of values. The allowed values are SUID, SGID, SVTX, and TCB. The file permissions must be the last value and can be specified either as an octal value or as a 9-character string. For example, either 755 or rwxr-xr-x are valid file permissions. If this does not match the actual file mode, the tcbck command applies the correct value.
links Comma-separated list of path names linked to this file. If any path name in this list is not linked to the file, the tcbck command creates the link. If used without the tree parameter, the tcbck command prints a message that there are extra links but does not determine their names. If used with the tree parameter, the tcbck command also prints any additional path names linked to this file.
symlinks Comma-separated list of path names symbolically linked to this file. If any path name in this list is not a symbolic link to the file, the tcbck command creates the symbolic link. If used with the tree argument, the tcbck command also prints any additional path names that are symbolic links to this file.
program Comma-separated list of values. The first value is the path name of a checking program. Additional values are passed as arguments to the program when it is executed.
Note: The first argument is always one of -y, -n, -p, or -t, depending on which flag the tcbck command was used with.
acl Text string representing the access control list for the file. It must be of the same format as the output of the aclget command. If this does not match the actual file ACL, the sysck command applies this value using the aclput command.
Note: Note that the attributes SUID, SGID, and SVTX must match those specified for the mode, if present.
source Name of a file this source file is to be copied from prior to checking. If the value is blank, and this is either a regular file, directory, or a named pipe, a new empty version of this file is created if it does not already exist. For device files, a new special file is created for the same type device.

If a stanza in the /etc/security/sysck.cfg file does not specify an attribute, the corresponding check is not performed.

The tcbck command provides a way to define and maintain a secure software configuration. The tcbck command also ensures that all files maintained by its database are installed correctly and have not been modified.

Restricting Access to a Terminal

The getty and shell commands change the owner and mode of a terminal to prevent untrusted programs from accessing the terminal. The operating system provides a way to configure exclusive terminal access.

Using the Trusted Communication Path

A trusted communication path is established by pressing the SAK reserved key sequence (Ctrl-X, Ctrl-R). A trusted communication path should be established under the following conditions:

Attention: Use caution when using SAK; it kills all processes that attempt to access the terminal and any links to it (for example, /dev/console can be linked to /dev/tty0).

Configuring the Secure Attention Key

Each terminal can be independently configured so that pressing SAK at that terminal creates a trusted communication path. This is specified by the sak_enabled attribute in /etc/security/login.cfg file. If the value of this attribute is true, recognition of the SAK is enabled.

If a port is to be used for communications, (for example, by the uucp command), the specific port used should have the following line in its stanza of the /etc/security/login.cfg file:

sak_enabled = false

This line or no entry disables the SAK for that terminal.

To enable SAK on a terminal, add the following line to the stanza for that terminal:

sak_enabled = true

[ Next Article | Previous Article | Book Contents | Library Home | Legal | Search ]