Under Construction

Creating your own TSD

By default, the trustchk command uses the TSD located in /etc/security/tsd/tsd.dat. However, other TSDs can also be used, for example, ones created by copying and modifying the system TSD, by creating a new one from scratch, or by other means. To use such a TSD, pass the “-F” option along with the path to the TSD. Below, we show how to create your own TSDs using a few examples. What matters for a TSD is its format (stanza) and its content, not how the TSD was created.

Example 1: Creating an empty TSD.

In the simplest case, an empty TSD can be created simply by creating an empty file:

# touch mytsd.dat
#

Listing the entries of this empty TSD shows nothing as expected:

# trustchk -F mytsd.dat -q ALL
# echo $?
0
#

but it also doesn’t report any errors!

You can also copy the system TSD (/etc/security/tsd/tsd.dat) and then delete all entries:

# cp /etc/security/tsd/tsd.dat mytsd2.dat
# trustchk -F mytsd2.dat -d ALL
#

If you list the resulting TSD using “-q” (query), you get:

# trustchk -F mytsd2.dat -q ALL
default:
        hash_algorithm = SHA256
        encrypt_algorithm = RSA

#

This stanza specifies the algorithms for hashing file contents (SHA1, SHA256 or SHA512) and for encryption (RSA).

In general, an empty (or almost empty) TSD isn’t very useful. However, starting from an empty TSD, you can add exactly the entries you want. Reasons for doing so include the following:

    • A TSD with a subset of entries, e.g. only entries for executables with the set-UID bit set, which should be checked more frequently.
    • A TSD with entries for an application, used independently of the system TSD.
    • A TSD with entries for important configuration files, to ensure that no changes have taken place.

Example 2: Add selected entries to your own TSD

Using “trustchk -q” and “grep -p” (paragraph mode, which prints the whole stanza containing a match) you can filter the desired entries out of an existing TSD and add them to your own TSD.

As an example, we add all entries for set-UID executables to the TSD from the previous example:

# trustchk -q ALL | grep -p SUID >>mytsd2.dat
#
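The filtering step above relies on the AIX-specific “grep -p”. As an added example (not part of the original article), the following portable shell script emulates it with awk in paragraph mode and builds a subset TSD from a constructed sample of stanzas; the sample paths, sizes and hash values are placeholders, not real TSD content.

```shell
#!/bin/sh
# Constructed sample of TSD stanzas (placeholder values, not a real tsd.dat).
SAMPLE_TSD='/usr/bin/su:
        owner = root
        group = security
        mode = TCB,SUID,rwxr-xr-x
        type = FILE
        size = 57760
        hash_value = <constructed-placeholder>

/usr/bin/ls:
        owner = bin
        group = bin
        mode = TCB,rwxr-xr-x
        type = FILE
        size = 40000
        hash_value = <constructed-placeholder>

/usr/bin/passwd:
        owner = root
        group = security
        mode = TCB,SUID,rwxr-xr-x
        type = FILE
        size = 30000
        hash_value = <constructed-placeholder>
'

# Portable stand-in for AIX "grep -p PATTERN": with RS="" awk reads
# blank-line-separated stanzas, so a match prints the whole stanza.
filter_stanzas() {
    awk -v pat="$1" 'BEGIN { RS = ""; ORS = "\n\n" } $0 ~ pat'
}

# Print the stanza names (the "path:" header lines) of a TSD stream.
stanza_names() {
    awk -F: '/^[^ \t].*:$/ { print $1 }'
}

# Build the subset TSD: keep only stanzas whose mode attribute carries SUID.
# On AIX the input would come from "trustchk -q ALL" instead of the sample.
build_suid_tsd() {
    printf '%s' "$SAMPLE_TSD" | filter_stanzas 'mode = [^\n]*SUID'
}

# Sanity check before appending to a TSD: which entries were selected?
suid_names() { build_suid_tsd | stanza_names; }
```

Append the output of build_suid_tsd to your own TSD (e.g. “>>mytsd2.dat”) only after checking the selected names, since a pattern that also matches a path would pull in unintended stanzas.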

This TSD can then be used to check the trusted set-UID executables for changes:

# time trustchk -F mytsd2.dat -n ALL

real   2.03
user   0.40
sys    0.20
#

The verification took about 2 seconds. Verification against the full system TSD takes significantly longer:

# time trustchk -n ALL

real   113.18
user   15.87
sys    14.80
#

TSDs could also be stored on a remote system and used for occasional verification.