Under Construction

Listing TSD Entries

Existing entries in the TSD can be listed using the trustchk command with the “-q” (query) option. By default, the command accesses the TSD located at /etc/security/tsd/tsd.dat. Either the entries for individual files or all entries can be displayed. For example, to display the entry for the /usr/bin/ls command, specify the file name as an argument:

# trustchk -q /usr/bin/ls
/usr/bin/ls:
        owner = bin
        group = bin
        mode = 555
        type = FILE
        hardlinks =
        symlinks =
        size = 29261
        cert_tag = 49424d4149583a31324331342d33314332303a324b3a41
        signature = 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
        hash_value = 8a106fc9c88a8351c65e866d3b883729c52fd8dbef4035d48f7aadb9901f067c
        minslabel =
        maxslabel =
        intlabel =
        accessauths = aix.fs.object.list
        innateprivs = PV_DAC_R,PV_DAC_X
        inheritprivs =
        authprivs =
        secflags = FSF_EPS
        t_innateprivs = PV_MAC_R,PV_MIC

#

Note: Multiple paths can be specified.

Alternatively, the keyword “ALL” can be specified as an argument. This will list all entries in the TSD:

# trustchk -q ALL
/opt/perl/installsitearch/LibExt/Passwd.pm:
        owner = root
        group = system
        mode = 555
        type = FILE
        hardlinks =
        symlinks =
        size = 2513
        cert_tag = 49424d4149583a31324331342d33314332303a324b3a41
        signature = 6d36c257c2f566a1a293cc752220f3e461faaf68c1ee8c1d02750ad38bf7abd2d002b4582d734a35b4ef90d41f33ce740294605c3fab2f241b2aea24efece61d5c1ce583eb970fffe53d6bdf3bceb8704f4ad18a1cb589310e0a2e7b20bb0e29ff1ebd9a578d06a9955dc7bebc95f93909a59e9f5df0730e5092d31be0bd8df0591aa69c4646732d85276936b9478855f009f87aefbc2e59a4390c50b0bb8ee2b2e11f5768d52d52b9d5b58f59b593e174c041fcb7c75840822bf041f974ffbd093cb057aa8a04c14a8174ab7bcbb8accdd89aeb6d5d6268d18715b9041a49cd96db39c67f695c5924ae059cd706f062486e1b8bb5f318f203a310a40f330c06
        hash_value = b1d41704379df1dafd6dca09d82f7856c6a5da0b8de523b42120bf3dd8a37f94
        accessauths =
        innateprivs =
        inheritprivs =
        authprivs =
        secflags =

/usr/lib/methods/cfgbus_vdevice:
        owner = root
        group = system
        mode = 500
        type = FILE
        hardlinks =
        symlinks =
        size = 29247
        cert_tag = 49424d4149583a31324331342d33314332303a324b3a41
        signature = 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
        hash_value = 5521f1da01f9e34f0c20e2354a94764a1a47f496ca78562cf18892cc2bf90c9e
        minslabel =
        maxslabel =
        intlabel =
        accessauths =
        innateprivs =
        inheritprivs =
        authprivs =
        secflags =

/usr/sbin/dadmin:
        owner = root
        group = system
        mode = TCB,554
        type = FILE
        hardlinks =
        symlinks =
        size = 84796
        cert_tag = 49424d4149583a31324331342d33314332303a324b3a41
        signature = 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
        hash_value = 7cb6c6cb4ca35bf0e7eeb1d0f4e15acdae5e5234fbb62b142741a77dc5d038b4
        minslabel = SLSL
        maxslabel = SLSL
        intlabel = SHTL
        accessauths = aix.network.config.tcpip
        innateprivs = PV_DAC_R,PV_DAC_W
        inheritprivs =
        authprivs =
        secflags = FSF_EPS
        t_accessauths =
        t_innateprivs = PV_MAC_R,PV_MIC,PV_MAC_W
        t_inheritprivs =
        t_authprivs =
        t_secflags =


#

The TSD is in stanza format. Accordingly, the entries are also output in stanza format.

A targeted search for specific entries is not possible with “trustchk -q”. However, the “-p” option of the AIX grep command can be helpful here. Pipe the output of “trustchk -q ALL” to “grep -p”. You can then search for any entries with grep as usual. With the “-p” option, grep always outputs the entire stanza (paragraph) in which the expression matched, not just the matching line; the expression is matched against every line of a stanza, including the path line, so choose it accordingly. As an example, we search for entries of commands with the set-UID bit set (the string SUID appears in their mode line):

# trustchk -q ALL | grep -p SUID
/usr/bin/acctras:
        owner = root
        group = adm
        mode = TCB,SUID,SGID,550
        type = FILE
        hardlinks =
        symlinks =
        size = 27595
        cert_tag = 49424d4149583a31324331342d33314332303a324b3a41
        signature = 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
        hash_value = d79838c56d839fa020cad38ff310859a0acabc5ebca6043e622a67cec2db77a0
        minslabel =
        maxslabel =
        intlabel =
        accessauths = aix.system.config.acct
        innateprivs = PV_KER_ACCT
        inheritprivs =
        authprivs =
        secflags = FSF_EPS

/usr/bin/tn:
        owner = root
        group = system
        mode = TCB,SUID,555
        type = HLINK
        size = 281409
        cert_tag = 49424d4149583a31324331342d33314332303a324b3a41
        signature = 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
        hash_value = 383bfac3cd1d6873c06f5a7522e9ed59b5f0cdb412d363df866ca8dcd9deb7d6
        minslabel = SLSL
        maxslabel = SLSL
        intlabel = SHTL
        accessauths = ALLOW_ALL
        innateprivs = PV_AU_ADD,PV_AU_ADMIN,PV_AU_PROC,PV_DAC_UID
        inheritprivs =
        authprivs =
        secflags =
       t_accessauths =
        t_innateprivs = PV_MAC_W,PV_MIC
        t_inheritprivs =
        t_authprivs =
        t_secflags =


#

to be continued