Under Construction

Adding non-volatile files

To add non-volatile files to the TSD, a digital signature of the file contents must be generated. This requires a private key file and a corresponding certificate containing the public key. We will use the private key files and certificates generated in the previous subsections.

To add a digitally signed entry to a TSD file, you must specify the private key, certificate, and the absolute path to the file. If the private key file does not have a password, you can use the following command:

# trustchk -s privkey_pwrcmps -v cert_pwrcmps -a /opt/pwrcmps/bin/myscript.ksh
#

The entry in the TSD for the file /opt/pwrcmps/bin/myscript.ksh then looks like this:

# trustchk -q /opt/pwrcmps/bin/myscript.ksh
/opt/pwrcmps/bin/myscript.ksh:
        type = FILE
        owner = root
        group = system
        mode = 755
        size = 34
        hash_value = 17331f6772e71e4f25da5b5b56b563f52f3ace8e2b961d00039c4022de436529
        cert_tag = 37663639
        signature = a6b95af33238fe09aa8811bde252ce4172de1e59235c4640a48bcc72248b69d16ea1bb5f86ccb10848886f6421819b08795c0574878272e29171647af7a906f18235bcf4787c4ba86b24645188fc649e384afca54da4e2971d982970d582ad5956f0bfac2ece266b7043643818c09584a64c8707e765eb446aaee033d7257a45

#

The file type, owner, group, access rights (mode), and size are simply taken from the file when the entry is added. The hash value (hash_value) and the signature are calculated and added as well. The certificate used is referenced via the certificate's serial number (cert_tag). When a TSD entry is added, the certificate is automatically copied to the /etc/security/certificates directory (if it is not already stored there). The certificate's serial number is used as the file name:

# openssl x509 -in /etc/security/certificates/37663639 -noout -serial
serial=37663639
#
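As an added example (not part of the page and not AIX's own code), the following Python script parses a stanza in the format shown above and re-checks the attributes the TSD records (size, mode, hash_value) against the file on disk, which is what a periodic integrity audit of non-volatile files boils down to. It assumes hash_value is the SHA-256 of the file contents (the 64 hex digits suggest this) and does not verify the signature; the stanza it audits is constructed from a temporary file, so it runs offline.

```python
import hashlib
import os
import stat
import tempfile

def parse_stanza(text):
    """Parse one `trustchk -q` stanza (path line, then `key = value` lines) into (path, dict)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    path = lines[0].rstrip(":").strip()
    entry = {}
    for line in lines[1:]:
        key, _, value = line.partition("=")
        entry[key.strip()] = value.strip()
    return path, entry

def sha256_of_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_entry(path, entry):
    """Return the stanza fields whose recorded value no longer matches the file on disk.
    Assumption: hash_value is the SHA-256 of the contents (64 hex digits in the page's output)."""
    st = os.stat(path)
    mismatches = []
    if int(entry["size"]) != st.st_size:
        mismatches.append("size")
    if int(entry["mode"], 8) != stat.S_IMODE(st.st_mode):
        mismatches.append("mode")
    if entry["hash_value"].lower() != sha256_of_file(path):
        mismatches.append("hash_value")
    return mismatches

def stanza_for(path, cert_tag):
    """Render a stanza in the page's format from the file's attributes (signature left out)."""
    st = os.stat(path)
    return (f"{path}:\n        type = FILE\n        mode = {stat.S_IMODE(st.st_mode):o}\n"
            f"        size = {st.st_size}\n        hash_value = {sha256_of_file(path)}\n"
            f"        cert_tag = {cert_tag}\n")

def demo():
    """Constructed scenario: record a script, then change it and re-audit. Returns (before, after)."""
    p = os.path.join(tempfile.mkdtemp(), "myscript.ksh")
    with open(p, "w") as f:
        f.write("#!/usr/bin/ksh\necho hello\n")
    os.chmod(p, 0o755)
    recorded_path, entry = parse_stanza(stanza_for(p, "37663639"))
    before = audit_entry(recorded_path, entry)
    with open(p, "a") as f:
        f.write("echo tampered\n")  # contents and size change; mode stays 755
    after = audit_entry(recorded_path, entry)
    return before, after
```

On an AIX system the output of `trustchk -q <file>` can be fed to parse_stanza directly instead of the constructed stanza.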

If the private key file is protected by a password, the above command to add an entry will fail:

# trustchk -s privkey_pwrcmps -v cert_pwrcmps -a /opt/pwrcmps/bin/myscript.ksh
trustchk: Key file not accessible,Signature calculation failed
trustchk: Error adding stanza: /opt/pwrcmps/bin/myscript.ksh
#

Unlike the openssl command, the trustchk command does not automatically prompt for a passphrase when required. If a private key file is protected by a passphrase, the “-P” (passphrase) option must be used:

# trustchk -s privkey_pwrcmps -v cert_pwrcmps -P -a /opt/pwrcmps/bin/myscript.ksh
Enter the passphrase to protect key file: XXXXXXXX
#