TCB Archive


Installing the Trusted Computing Base (TCB) on AIX 6.1

 Technote (FAQ)
How do I install TCB on my host running AIX 6.1?
TCB cannot be added or enabled on a system that has already been installed. It can only be chosen when AIX is first installed.
There are two key points to keep in mind when installing AIX 6.1 with TCB:

1. Change the type of install to "New and Complete Overwrite"
2. Select "Other Security Options" in the Security Model screen.

Welcome to Base Operating System
Installation and Maintenance

Type the number of your choice and press Enter. Choice is indicated by >>>.

>>> 1 Start Install Now with Default Settings
2 Change/Show Installation Settings and Install
3 Start Maintenance Mode for System Recovery
4 Configure Network Disks (iSCSI)
5 Select Storage Adapters

88 Help ?
99 Previous Menu

>>> Choice [1]: 2

Choose 2 here so we can drill down to the security settings screen

Installation and Settings

Either type 0 and press Enter to install with current settings, or type the
number of the setting you want to change and press Enter.

1 System Settings:
Method of Installation.............New and Complete Overwrite
Disk Where You Want to Install.....hdisk2

2 Primary Language Environment Settings (AFTER Install):
Cultural Convention................C (POSIX)
Language...........................C (POSIX)
Keyboard...........................C (POSIX)

3 Security Model.......................Default
4 More Options (Software install options)

>>> 0 Install with the settings listed above.

88 Help ? | WARNING: Base Operating System Installation will
99 Previous Menu | destroy or impair recovery of ALL data on the
| destination disk hdisk2.
>>> Choice [0]: 3

If AIX is already installed on this host the default option for 1 "Method of Installation" will be "Preservation Install". That won't give the option to select TCB, as it has to be a completely new install to select that.

Changing the installation type to "New and Complete Overwrite" will allow TCB install.

After that select 3 to change the Security Model.

Security Models

Type the number of your choice and press Enter.

1. Trusted AIX............................................. no

2. Other Security Options (Trusted AIX and Standard)
Security options vary based on choices.

>>> 0 Continue to more software options.

88 Help ?
99 Previous Menu

>>> Choice [0]: 2

Choose 2 to go to the screen to set other security options.

Standard Security Options

Type the number of your choice and press Enter.

1. Secure by Default....................................... no
2. CAPP and EAL4+ Configuration Install.................... no
3. Trusted Computing Base Install.......................... no

>>> 0 Continue to more software options.

88 Help ?
99 Previous Menu

>>> Choice [0]: 3

Choosing 3 will set TCB to "YES". After setting that, use 99 twice to go back to the installation menu.

Then choose 0 to install with the settings you have chosen.

Enabling MD5 Checksums With TCB

 Technote (FAQ)
Is it possible to use MD5 checksums with the Trusted Computing Base (TCB)?
Some US Government entities require cryptographic hashes be made of files in the Unix environment, and then compared on a regular basis to guarantee file integrity.
From "UNIX Security Technical Implementation Guide, V5R1" written by the Defense Information Systems Agency for the Department of Defense:

6.2 Baseline/File System Integrity Tools

A file system integrity/baseline tool will take a baseline of all files, or a specific subset of files,
to include cryptographic hashes of files in the baseline. The tool must be able to compare the
baseline of the system against the current state of the system later so that unauthorized
modification of the file system can be detected.
It is possible to configure TCB to use MD5 checksums. There is a small amount of information about this in the man pages of AIX:
In the tcbck man page:

File definitions to be added or modified with the -a flag can be
specified on the command line or in a file as Attribute=Value
statements. The following attributes can be used:

The checksum of the file. If the value is blank, the checksum
attribute is removed. If no value is specified, the command
computes a value, according to the format given in the sum
command. The value is the output of the sum -r command, including

The section relating to the 'sysck' stanza, which configures the behavior of tcbck says:

You can add, delete, or modify the attributes of the tcbck command by creating or modifying a sysck stanza in the /etc/security/sysck.cfg file. The following attributes can be used:


An alternate checksum command to compute the checksum value of
files. The system appends the name of each file to the command. If
the value is blank, this alternate checksum attribute is removed.
The value is the command string to be run on each file. The
default string is /usr/bin/sum -r <.

Now in the AIX Security Manual we find this statement about using MD5 checksums:

Although not cryptographically secure, the TCB uses the sum command for checksums. The TCB database can be set up manually with a different checksum command, for example, the md5sum command that is shipped in the textutils RPM Package Manager package with AIX Toolbox for Linux Applications CD.

Note: It's actually in coreutils now, included with other packages.

Steps To Enable MD5 Checksum Use In TCB

1. Install the coreutils RPM from the AIX Linux Toolkit

Either load coreutils.rpm from the AIX Linux Toolbox CDs or download it from the IBM website:

Install the coreutils RPM:

# rpm -ivh coreutils-5.2.1-2.aix5.1.ppc.rpm

Make sure md5sum command was installed:

# which md5sum

2. Set up TCB to use md5sum instead of sum for generating and validating checksums

Check the /etc/security/sysck.cfg file stanza for 'sysck'. The default stanza is:

        treeck_novfs = "/proc"

Use tcbck to add a 'checksum' attribute to the sysck stanza, and set it to use the md5sum binary for checksum generation and computation:

*See Note below before running tcbck!

# tcbck -a sysck checksum="/usr/bin/md5sum <"

The sysck stanza will now look like:

        treeck_novfs = "/proc"
        checksum = "/usr/bin/md5sum <"

3. Change each entry containing a checksum to use the md5sum result.

So as an example we'll use the passwd command and change its checksum.

Check that the binary for the passwd command is in the TCB database:

# chtcb query /usr/bin/passwd
/usr/bin/passwd is in the TCB

If we take a look at the stanza for passwd here's what we have:
# grep -p /usr/bin/passwd sysck.cfg

        type = FILE
        class = apply,inventory,
        owner = root
        group = security
        mode = TCB,SUID,r-xr-xr-x
        checksum = "10346    28 "
        size = 27868

To change this individual entry run:

# tcbck -a /usr/bin/passwd checksum

Now view the entry to see how it's changed.
# grep -p /usr/bin/passwd sysck.cfg

        type = FILE
        class = apply,inventory,
        owner = root
        group = security
        mode = TCB,SUID,r-xr-xr-x
        checksum = "91f9715806bf2566e4444b6ca909aae9  -"
        size = 27868

We now see that the entry has a different checksum computed for it.

Check that the entry for /usr/bin/passwd now passes TCB checking:

# tcbck -n /usr/bin/passwd

If this simply returns the prompt then the file has passed the TCB Check.

Checking another file that has not been converted to use the new MD5 checksum will fail with a bad checksum error. We expect this, since it has not been converted to contain the proper MD5 checksum yet.

# tcbck -n /usr/bin/stopsrc
3001-028 The file /usr/bin/stopsrc has the wrong checksum value.

# grep -p /usr/bin/stopsrc sysck.cfg
          owner = root
          group = system
          mode = TCB,SGID,550
          type = FILE
          class = apply,inventory,bos.rte.SRC
          size = 4460
          checksum = "12325     5 "

Each individual entry in the /etc/security/sysck.cfg file that has a numeric result for the checksum value will have to be changed in this manner. Entries where the checksum value is set to the keyword VOLATILE are understood by TCB to be files that may change over time, and do not need to
be changed. However this still leaves 1286 entries in the file that all need to be changed via tcbck.

Also, each time one of the filesets containing a file listed in the sysck.cfg database is updated, an entry for it will be created with the ORIGINAL checksum that was computed using 'sum -r' when it was packaged at IBM. So if any updates are performed on the system the entries of files updated will have to be manually recomputed with the MD5 checksum.

* NOTE: Defect APAR IY87424 CAPP PROFILE CORRUPTS LINES IN SYSCK.CFG exists in AIX 5.3 TL5 and below where running tcbck -a will corrupt the stanza for the file you are trying to update. Please insure you are at TL6 or higher and have this APAR installed before running tcbck -a.