
AIX trustchk enhancements Disclosure Number: IPCOM000242844D
Publication Date: 2015-Aug-24
Document File: 3 page(s) / 110K

Publishing Venue

The Prior Art Database


Standardize the trustchk report format to improve automated post-processing of its output. Also provide additional output formats (e.g., HTML, XML, CSV) and more control over the report's focus. Provide feedback on progress.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.


AIX trustchk enhancements

Disclosed is a number of usability enhancements for the AIX program trustchk, in particular for "System Scan" reporting.

    The program trustchk is installed by default. The program is used to configure the trusted execution (TE) environment and to manage the TSD (Trusted Signature Database).

    From the man page one can see that there are several options for reporting on the compliance of the system compared to the TSD (/etc/security/tsd/tsd.dat, or via LDAP).

    Excerpt from /etc/security/ldap/ldap.cfg (lines wrap!)
# Base DN where the TSD and TE Policy data are stored in the LDAP server.
# e.g. if user foo's Keystore DN is
# then the user base DN is: ou=UsrKeystore,cn=aixdata

    The current options for a so-called System Scan are: -n (answer no to all findings), -y (answer yes to all findings) and -t (interactive mode, i.e. prompt for each answer). The additional options are -i (do not follow NFS mounts) and -x (do not follow symbolic links).

System Scan
[-i] [ -x ] { -n | -t | -y } tree [dirpath ...]

    Generally speaking, trustchk does what it does. In small environments (fewer than 20 servers) it may be adequate. However, as the size, and especially the number of servers (aka partitions, aka virtual machines) grows, using trustchk for system scanning becomes ungainly.

    However, even for a single system the system scan reporting would be improved greatly with additional standardization - e.g., while trustchk does use the AIX NLS (language database - the AIX counterpart to GNU gettext), the messages are just text - rather than a message identifier plus message.

    For example, tcbck (the old AIX 5.3 trusted database check command) had messages with an id, followed by the text message. Trustchk usability is lessened due to the lack of this standardization.

For example: tcbck
michael@x071:[/usr/lib/nls/msg/en_US]dspcat tcbck 2 18
3001-019 The file %s is an unregistered TCB file.
michael@x071:[/usr/lib/nls/msg/en_US]dspcat tcbck 2 19
3001-020 The file %s was not found.
michael@x071:[/usr/lib/nls/msg/en_US]dspcat tcbck 2 20
3001-021 The file %s does not exist and the entry has no source attributes.

Compare this with trustchk
michael@x071:[/usr/lib/nls/msg/en_US]dspcat trustchk 1 48
Stanza %s has %s value "%s" in %s and value "%s" in TSD.
Change the value in %s to that as in TSD?
michael@x071:[/usr/lib/nls/msg/en_US]dspcat trustchk 1 49
Stanza %s has an invalid %s label on the filesystem.
Reset label to "%s"?


michael@x071:[/usr/lib/nls/msg/en_US]dspcat trustchk 1 50
Stanza %s has %s value "%s" in TSD and %s on the filesystem.
Change the value on filesystem to that as in TSD?

As simple as adding a message ID.
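To make the post-processing argument concrete, here is an added example (not code from the disclosure, from IBM, or from AIX) that turns scan report lines into CSV, the kind of standardized output the abstract asks for. It reuses the message templates that the dspcat output above displays; the report lines themselves are constructed, the "1/48"-style keys for trustchk messages (the dspcat set/message numbers, since the messages carry no id of their own) and the CSV column layout are my assumptions. The contrast is the point: with a leading message id a line is classified by one regex even when its text is unknown, whereas without an id every catalog template has to be tried against every line.

```python
"""Post-process tcbck-style (id-prefixed) and trustchk-style (text-only)
scan report lines into CSV. Added illustration; not AIX or IBM code."""
import csv
import io
import re

# Templates as displayed by dspcat above, keyed by message id (tcbck).
TCBCK_TEMPLATES = {
    "3001-019": "The file %s is an unregistered TCB file.",
    "3001-020": "The file %s was not found.",
    "3001-021": "The file %s does not exist and the entry has no source attributes.",
}

# trustchk templates have no id; keys are the dspcat set/message numbers
# (assumed naming, chosen here for lack of anything in the message itself).
TRUSTCHK_TEMPLATES = {
    "1/48": 'Stanza %s has %s value "%s" in %s and value "%s" in TSD.',
    "1/49": 'Stanza %s has an invalid %s label on the filesystem.',
    "1/50": 'Stanza %s has %s value "%s" in TSD and %s on the filesystem.',
}

# Constructed report lines, formatted from the templates above.
TCBCK_LINES = [
    "3001-019 The file /usr/local/bin/sendmail is an unregistered TCB file.",
    "3001-020 The file /usr/lib/security/foo was not found.",
    "3001-099 A message this parser has never seen before.",   # unknown id
]
TRUSTCHK_LINES = [
    'Stanza /usr/bin/ls has mode value "555" in TSD and 777 on the filesystem.',
    'Stanza /usr/sbin/tsd has an invalid integrity label on the filesystem.',
    'Stanza /etc/passwd has owner value "root" in LDAP and value "bin" in TSD.',
    "trustchk: some free-form line the catalog does not cover",
]

# A message id in the NLS style shown above: four digits, dash, three digits.
ID_LINE = re.compile(r"^(\d{4}-\d{3})\s+(.*)$")


def template_to_regex(template):
    """Escape the literal text of a catalog template and turn each %s into
    a non-greedy capture group, anchored at both ends."""
    parts = [re.escape(p) for p in template.split("%s")]
    return re.compile("^" + "(.+?)".join(parts) + "$")


def parse_line(line, templates, id_prefixed):
    """Return (key, args) for a report line, or None if unclassifiable.

    id_prefixed=True: the id alone classifies the line; the template (if
    known) only serves to pull out the %s arguments.
    id_prefixed=False: the only option is to try every template in turn."""
    if id_prefixed:
        m = ID_LINE.match(line)
        if not m:
            return None
        key, text = m.group(1), m.group(2)
        tpl = templates.get(key)
        if tpl is None:
            return key, ()          # classifiable even though text is unknown
        m2 = template_to_regex(tpl).match(text)
        return key, (m2.groups() if m2 else ())
    for key, tpl in templates.items():
        m = template_to_regex(tpl).match(line)
        if m:
            return key, m.groups()
    return None


def report_to_csv(lines, templates, id_prefixed):
    """Render lines as CSV: message key, first argument (the file or stanza
    in every template above), remaining arguments joined with '|'."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["msg", "object", "detail"])
    for line in lines:
        parsed = parse_line(line, templates, id_prefixed)
        if parsed is None:
            w.writerow(["UNKNOWN", "", line])
            continue
        key, args = parsed
        w.writerow([key, args[0] if args else "", "|".join(args[1:])])
    return buf.getvalue()


if __name__ == "__main__":
    print(report_to_csv(TCBCK_LINES, TCBCK_TEMPLATES, id_prefixed=True))
    print(report_to_csv(TRUSTCHK_LINES, TRUSTCHK_TEMPLATES, id_prefixed=False))
```

Run against a real report, the template tables would be filled from the catalog (dspcat over the whole set) rather than typed in; the unknown-id case in TCBCK_LINES shows why the id matters: a new message lands in the CSV as "3001-099" instead of "UNKNOWN", so a consumer can still count, filter and route it.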

    For "System Scan" the most common approach is to use the -n option, analyze the report, and take corrective action afterwards. Generally, the "-y" option is not usable and "-t" is needed instead.

Enhancement #1...