Hello,
I would just like to respond again, because at this moment I am preparing my second and third blogs about this subject. But for the impatient people: Bernhard is right, before you can add your own stuff to the tsd.dat you must have a valid certificate. See below a part of my upcoming blog(s).
Steps to add your own signed set of executables, scripts or config files to the tsd.dat
Before you can add and sign your set to the tsd.dat you have to create a valid certificate, either self-signed or an officially signed certificate. For now I explain how to create a self-signed one.
Also, on AIX you need the fileset CryptoLite for C library (CLiC), and the kernel extensions need to be loaded (check if this is still needed on AIX 7.2 and 7.3):
lslpp -l |grep clic
clic.rte.kernext 4.7.0.0 COMMITTED CryptoLite for C Kernel
clic.rte.lib 4.7.0.0 COMMITTED CryptoLite for C Library
clic.rte.kernext 4.7.0.0 COMMITTED CryptoLite for C Kernel
This can be checked with:
# /usr/lib/methods/loadkclic -q
/usr/lib/drivers/crypto/clickext is loaded, ID = 1346473984
Version number is 4.7
If the kernel extension is not loaded, then run the command:
/usr/lib/methods/loadkclic -l
The next step is to create a certificate; in this example I create a self-signed cert.
Please follow these steps:
- openssl genrsa -out privkey.pem 2048
- openssl req -new -x509 -key privkey.pem -outform DER -out cert.der -days 3650
- openssl pkcs8 -inform PEM -in privkey.pem -topk8 -nocrypt -outform DER -out privkey.der
- copy the cert.der and the privkey.der to a safe directory
- copy the cert.der to /etc/security/certificates
Now that you have a valid certificate you can add your own set to the /etc/security/tsd/tsd.dat
Please make a copy of the current tsd.dat database before you start.
Go to the directory where you saved both the cert.der and the private key privkey.der.
From there you can run:
trustchk -s privkey.der -v cert.der -a /user/local/example/test.ksh93
After this command you will notice that the /etc/security/tsd.dat is changed.
You can have a look with view /etc/security/tsd/tsd.dat and look up the stanza you just added.
Also, if everything went well, you can verify your action with:
trustchk -n /path/to/file/just/added/test.ksh93
After this, before you enable the runtime TE, I recommend first running:
trustchk -n ALL
to check the complete tsd.dat for errors.
To enable and set the policies: I will explain in more detail in my blog what the function of each policy is.
To enable the runtime, run trustchk -p te=on
and set at least the policies such as:
CHKEXEC, CHKSCRIPTS / STOP_ON_CHKFAIL / TSD_FILES_LOCK
Please be careful with the policy STOP_ON_CHKFAIL: the script or executable will not be executed when the check fails.
Also, the policy TSD_FILES_LOCK will prevent modification of configuration files.
Greetings, Christian Sonnemans
------------------------------
Christian Sonnemans
Tactical Unix system engineer
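As an added illustration (not code from this post, from Christian's blog, or from IBM's trustchk), here is a small Python checker that parses a stanza in the tsd.dat layout and re-does the integrity part of what `trustchk -n` verifies: it compares the recorded size and SHA-256 hash_value against the file on disk. It assumes the documented TSD field names (owner, group, mode, type, size, cert_tag, signature, hash_value) and a SHA-256 hash_value; the script content, the stanza values and the "modification" are constructed, and cert_tag/signature are left as placeholders because filling them needs the private key.

```python
import hashlib
import os
import tempfile


def parse_tsd(text):
    """Parse tsd.dat-style stanzas: an unindented 'path:' line followed by
    indented 'key = value' lines. Returns {path: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def stanza_text(path, owner="root", group="system", mode="755"):
    """Build a stanza for `path` with its current size and SHA-256 hash.
    Simplified: cert_tag and signature (filled by trustchk -s/-v) are placeholders."""
    return (f"{path}:\n        owner = {owner}\n        group = {group}\n"
            f"        mode = {mode}\n        type = FILE\n"
            f"        size = {os.path.getsize(path)}\n"
            f"        cert_tag = PLACEHOLDER\n        signature = PLACEHOLDER\n"
            f"        hash_value = {sha256_of(path)}\n")


def check_file(stanza, path):
    """Return the integrity mismatches between the stanza and the file on disk;
    an empty list means size and hash agree (signature/ownership not checked)."""
    problems = []
    if str(os.path.getsize(path)) != stanza.get("size"):
        problems.append("size mismatch")
    if sha256_of(path) != stanza.get("hash_value", "").lower():
        problems.append("hash mismatch")
    return problems


def demo():
    """Record a constructed script, then modify it and re-check it."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "test.ksh93")
        with open(script, "w") as f:
            f.write("#!/usr/bin/ksh93\nprint hello\n")  # constructed sample script
        db = parse_tsd(stanza_text(script))
        clean = check_file(db[script], script)
        with open(script, "a") as f:
            f.write("print changed\n")  # constructed post-registration modification
        tampered = check_file(db[script], script)
    return clean, tampered
```

`demo()` returns `([], ["size mismatch", "hash mismatch"])`, which is the situation in which STOP_ON_CHKFAIL would refuse to run the modified script.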
Original Message:
Sent: Tue February 13, 2024 03:21 PM
From: AIX USER
Subject: implementing TE
hi guys,
I am trying to enable the TE but having a harder time than I expected. Has anyone successfully implemented AIX TE? My environment is based on sudo usage and I can't even this one command.
------------------------------
aixuser
------------------------------