Trusted Signature Database

The Trusted Signature Database (TSD) is a database that stores the critical security parameters of the trusted files present on the system. The TSD is stored in the /etc/security/tsd/tsd.dat file.

Every trusted file must have an associated stanza, or file definition, that is stored in the TSD. Every trusted file is associated with a unique cryptographic hash and a digital signature. For the default set of trusted files, the cryptographic hash is generated by using the SHA-256 algorithm and the digital signature is generated by using the Rivest-Shamir-Adleman (RSA) algorithm in the AIX® build environment, and both are packaged as part of the AIX installation filesets. The hash values and signatures are shipped with the respective AIX installation images and stored in the TSD (/etc/security/tsd/tsd.dat) on the destination machine, in the following sample stanza format:
/usr/bin/ps:
           owner          = bin
           group          = system
           mode           = 555
           type           = FILE
           hardlinks      = /usr/sbin/ps
           symlinks       = 
           size           = 1024
           cert_tag       = bbe21b795c550ab243
           signature      = f7167eb9ba3b63478793c635fc991c7e9663365b2c238411d24c2a8a
           hash_value     = c550ab2436792256b4846a8d0dc448fc45
           maxslabel      = SLSL
           intlabel       = SHTL
           accessauths    = aix.mls.pdir, aix.mls.config
           innateprivs    = PV_LEF
           proxyprivs     = PV_DAC
           authprivs      = aix.security.cmds:PV_DAC,aix.ras.audit:PV_AU_ADMIN
           secflags       = FSF_EPS
owner
Owner of the file. The owner value is computed by the trustchk command when you add the file to the TSD.
group
Group of the file. This value is computed by the trustchk command.
mode
Comma-separated list of values. The permitted values are SUID set bit (SUID), SGID set bit (SGID), SVTX set bit (SVTX), and Trusted Computing Base (TCB). The file permissions must be the last value and can be specified as an octal value. For example, for a file that has the set-uid bit set and permission bits rwxr-xr-x, the value for mode is SUID, 755. The value is computed by the trustchk command.
type
Type of the file. This value is computed by the trustchk command. The possible values are FILE, DIRECTORY, MPX_DEV, CHAR_DEV, BLK_DEV, and FIFO.
hardlinks
List of hardlinks to the file. This value cannot be computed by the trustchk command. The value must be supplied by the user when you add a file to the database.
symlinks
List of symbolic links to the file. This value cannot be computed by the trustchk command. The value must be supplied by the user when you add a file to the database.
size
Defines the size of the file. The VOLATILE value means that the file gets changed frequently.
cert_tag
The cert_tag field maps the digital signature of the file with the associated certificate that can be used to verify the signature of the file. The cert_tag field stores the certificate ID and is computed by the trustchk command at the time of addition of the file to the TSD. The certificates are stored in the /etc/security/certificates directory.
signature
Digital signature of the file. The VOLATILE value means that the file gets changed frequently. The signature field is computed by the trustchk command.
hash_value
Cryptographic hash of the file. The VOLATILE value means that the file gets changed frequently. The hash_value field is computed by the trustchk command.
innateprivs
Defines the innate privileges of the file.
proxyprivs
Defines the proxy privileges of the file.
authprivs
Defines the privileges that are assigned to the user after the corresponding authorizations are granted.
secflags
Defines the file security flags that are associated with the object.

When you add a new entry to the TSD, if the trusted file has symbolic links or hard links that point to it, you can add those links to the TSD by using the symlinks and hardlinks attributes on the trustchk command line. If the file that you add is expected to change frequently, use the VOLATILE keyword on the command line. In that case, the trustchk command does not calculate the hash_value and signature fields when it generates the file definition for addition to the TSD, and the hash_value and signature fields are ignored during integrity verification of this file.

When you add a regular file definition to the TSD, provide a private key in ASN.1/DER format with the -s flag of the trustchk command and the digital certificate that carries the corresponding public key with the -v flag. The private key is used to generate the signature of the file and is then discarded; it is up to the user to store this key securely. The certificate is stored in the certificate store in the /etc/security/certificates directory so that the signature can be verified whenever you request integrity verification. Supplying the private key and certificate is not mandatory for nonregular files such as directories and device files, because no signature can be calculated for them.

You can supply a precomputed file definition to be added to the TSD through a file by using the -f flag of the trustchk command. In this case, the trustchk command does not compute any of the values and stores the definitions in the TSD without any verification. The user is responsible for the correctness of the file definitions.
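The following is an added example, not AIX code or the trustchk command itself. It models the stanza format and VOLATILE convention described above: it builds a definition the way the add step does (size and SHA-256 hash measured from the file, or VOLATILE), parses the stanza text back, and verifies a file against it, skipping the size and hash checks for VOLATILE entries. The mode parser turns a value such as SUID, 755 into POSIX mode bits (TCB has no POSIX bit and is kept as a flag). RSA signing, the cert_tag lookup, and the AIX privilege attributes are deliberately left out; all paths and values are constructed for the demo.

```python
"""Parse and verify TSD-style stanzas (added example, not AIX code)."""
import hashlib
import os
import tempfile

# Octal bits for the keyword values that may precede the permission value in
# the mode attribute. TCB is an AIX attribute with no POSIX mode bit.
MODE_KEYWORDS = {"SUID": 0o4000, "SGID": 0o2000, "SVTX": 0o1000, "TCB": 0}


def parse_mode(value):
    """'SUID, 755' -> ({'SUID'}, 0o4755); the last item is the octal permission."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts:
        raise ValueError("empty mode value")
    perms = int(parts[-1], 8)
    flags = set()
    for keyword in parts[:-1]:
        if keyword not in MODE_KEYWORDS:
            raise ValueError("unknown mode keyword %r" % keyword)
        flags.add(keyword)
        perms |= MODE_KEYWORDS[keyword]
    return flags, perms


def parse_tsd(text):
    """Parse stanza text ('path:' header, indented 'attr = value' lines)
    into {path: {attr: value}}."""
    db = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1]
            db[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed stanza line: %r" % raw)
        key, _, val = line.partition("=")
        db[current][key.strip()] = val.strip()
    return db


def format_stanza(path, attrs):
    """Render one definition in the indented stanza layout."""
    lines = [path + ":"]
    for key, val in attrs.items():
        lines.append("           %-14s = %s" % (key, val))
    return "\n".join(lines) + "\n"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_stanza(path, volatile=False):
    """Build the measured part of a definition: size and hash from the file,
    or VOLATILE for a file that changes often. No key is available here, so
    signature is recorded as VOLATILE as well."""
    attrs = {"type": "FILE"}
    if volatile:
        attrs.update(size="VOLATILE", hash_value="VOLATILE", signature="VOLATILE")
    else:
        attrs["size"] = str(os.path.getsize(path))
        attrs["hash_value"] = sha256_file(path)
        attrs["signature"] = "VOLATILE"
    return attrs


def verify(path, attrs):
    """Return a list of integrity findings; an empty list means the file matches.
    Fields set to VOLATILE are skipped, as during TSD integrity verification."""
    findings = []
    if attrs.get("type") != "FILE":
        return findings  # only regular files are measured in this example
    if attrs.get("size", "VOLATILE") != "VOLATILE":
        actual = os.path.getsize(path)
        if str(actual) != attrs["size"]:
            findings.append("size mismatch: expected %s, found %d" % (attrs["size"], actual))
    if attrs.get("hash_value", "VOLATILE") != "VOLATILE":
        actual = sha256_file(path)
        if actual != attrs["hash_value"]:
            findings.append("hash mismatch: expected %s, found %s" % (attrs["hash_value"], actual))
    return findings


def demo():
    """Constructed scenario: one fixed and one VOLATILE file, both appended to
    after their definitions were recorded. Only the fixed file is flagged."""
    d = tempfile.mkdtemp()
    fixed = os.path.join(d, "fixed_cmd")
    volatile = os.path.join(d, "volatile_log")
    for p in (fixed, volatile):
        with open(p, "wb") as f:
            f.write(b"hello world\n")
    text = format_stanza(fixed, make_stanza(fixed))
    text += format_stanza(volatile, make_stanza(volatile, volatile=True))
    db = parse_tsd(text)
    before = {p: verify(p, a) for p, a in db.items()}
    for p in (fixed, volatile):
        with open(p, "ab") as f:
            f.write(b"tampered\n")
    after = {p: verify(p, a) for p, a in db.items()}
    return db, before, after, fixed, volatile


if __name__ == "__main__":
    _, before, after, fixed, _ = demo()
    print("before tamper:", before[fixed], "after tamper:", after[fixed])
```

The check deliberately treats a missing size or hash_value the same as VOLATILE, which mirrors why a VOLATILE entry gives no integrity guarantee for that file: anything recorded as VOLATILE, or supplied unverified through a precomputed definition, is exactly what a reviewer of the TSD should look at first.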

Supporting library verification

To support library verification, a second database, /etc/security/tsd/lib/lib.tsd.dat, is added in the /etc/security/tsd/lib/ directory. It is specifically for libraries and holds the stanzas for the .o files of each corresponding trusted library. The stanza for every .o file of a library has the format shown in the following example.

For the library libc.a, if strcmp.o is one of its .o files, the stanza for the strcmp.o file in the /etc/security/tsd/lib/lib.tsd.dat file is similar to the following example:
/usr/lib/libc.a/strcmp.o:
           Type       = OBJ
           Size       = 2345
           Hash_value = 
           Signature  = 
           Cert_tag   = 

This database has entries for the type, size, hash, cert tag, and signature of each .o file. The hash of the library itself is updated in the corresponding stanza of the /etc/security/tsd/tsd.dat file. The attribute values are generated dynamically during the build, and the values are moved into the /etc/security/tsd/lib/lib.tsd.dat database during installation.

In the /etc/security/tsd/tsd.dat file, the stanzas for libraries are modified so that the type attribute is LIB and the size and signature attributes are empty. The values of the dynamic attributes size, hash, and signature are maintained as VOLATILE; therefore, library verification is skipped during system boot. Starting from AIX 6.1, the size, hash, and signature of the trusted library stanzas are computed from the .o files of the library. During installation, the tsd.dat database is populated with the computed values, and the corresponding .o file stanzas for a trusted library are stored in the /etc/security/tsd/lib/lib.tsd.dat database.

Starting from AIX 7.3 Technology Level (TL) 4, the trusted execution (TE) policy CHKHSOBJS is available to be enabled. The CHKHSOBJS policy controls the runtime verification of shared objects. When the CHKHSOBJS policy is enabled, the hash or signature fields of the shared object entries in the lib.tsd.dat database are verified for the corresponding shared library (lib<>.a). Both the CHKHSOBJS policy and the CHKSHLIBS policy must be set to ON for this verification to take effect.