2017-04-10

Solving tampered system files in AIX

We have a cron script that checks system file integrity. Its output is shown below.

Malicious Software Prevention, Detection and Correction:
FAIL System files have been tampered with (check output of "trustchk -n ALL" on server for details)

I find this document quite informative and this link as well.

[ldsap04:root]/ # trustchk -n ALL
trustchk: /etc/security/ldap/ldap.cfg: Verification of attributes failed: group mode
trustchk: /lib/wpars/unloadwpar: Verification of attributes failed: accessauths innateprivs inheritprivs

[ldsap04:root]/ # trustchk -t /etc/security/ldap/ldap.cfg
trustchk: Verification of attributes failed: group
Change the file group for /etc/security/ldap/ldap.cfg? [(y)es,(n)o,(i)gnore all errors]: yes
trustchk: Verification of attributes failed: mode
Change the file mode for /etc/security/ldap/ldap.cfg? [(y)es,(n)o,(i)gnore all errors]: yes
trustchk: Verification of stanza failed:
[ldsap04:root]/ # trustchk -u /etc/security/ldap/ldap.cfg

[ldsap04:root]/ # trustchk -t /lib/wpars/unloadwpar
trustchk: Verification of attributes failed: accessauths
Stanza /lib/wpars/unloadwpar has accessauths value "aix.wpar" in /etc/security/privcmds and value "" in TSD.
Change the value in /etc/security/privcmds to that as in TSD? [(y)es,(n)o,(i)gnore all errors]: yes
trustchk: Verification of attributes failed: innateprivs
Stanza /lib/wpars/unloadwpar has innateprivs value "PV_AZ_ADMIN,PV_FS_CHOWN,PV_KER_WLM,PV_KER_WPAR,PV_NET_CNTL,PV_NET_PORT,PV_PROC_PRIV,PV_WPAR_CKPT" in /etc/security/privcmds and value "" in TSD.
Change the value in /etc/security/privcmds to that as in TSD? [(y)es,(n)o,(i)gnore all errors]: yes
trustchk: Verification of attributes failed: inheritprivs
Stanza /lib/wpars/unloadwpar has inheritprivs value "PV_DAC_R,PV_DAC_W,PV_DAC_O,PV_DAC_X,PV_DEV_CONFIG,PV_DEV_QUERY,PV_DEV_LOAD" in /etc/security/privcmds and value "" in TSD.
Change the value in /etc/security/privcmds to that as in TSD? [(y)es,(n)o,(i)gnore all errors]: yes
trustchk: Verification of stanza failed:

[ldsap04:root]/ # trustchk -u /lib/wpars/unloadwpar

[ldsap04:root]/ # trustchk -n ALL
Now the compliance check is PASS. Be clear about what the two steps did: "trustchk -t" rewrote the live system to match the TSD (group and mode on ldap.cfg; the accessauths, innateprivs and inheritprivs values of the unloadwpar stanza in /etc/security/privcmds, which were set to the empty values held in the TSD), and "trustchk -u" then refreshed each TSD entry from the file's current attributes. That is only the right fix when the difference is known drift (a patch, an edit to ldap.cfg, a WPAR fileset update). If nobody can account for the change, treat the FAIL as a possible compromise, save the current "trustchk -q" stanza and an "ls -l" of the file first, and do not run -u until the cause is understood, because -u makes the current state the new baseline. For unloadwpar in particular, check which side holds the intended privilege set before answering yes, since the prompt changes the live privcmds stanza, not the TSD.
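The cron job only says FAIL; before running "trustchk -t" on each file it helps to know whether the mismatch is in file metadata (owner, group, mode), in file content (hash, size) or in the RBAC privilege attributes, since the last two are where a real tamper would show up. The script below is an added example, not code from this post or from IBM: a POSIX sh triage helper that parses saved "trustchk -n ALL" output (a constructed sample modelled on the two lines above, plus a hypothetical /usr/bin/example entry) and classifies each failing file, returning 2 when anything beyond metadata drift is involved. The attribute names it matches are TSD stanza attributes; the grouping into three classes is the script's own assumption.

```sh
#!/bin/sh
# Triage helper for saved "trustchk -n ALL" output (added example, not from the post).
# Input lines have the form:
#   trustchk: <path>: Verification of attributes failed: <attr> [<attr> ...]
# Each file is classified as:
#   privilege - an RBAC privilege attribute differs (needs a human decision)
#   content   - hash/size/signature differ (possible tamper, do not -u blindly)
#   metadata  - only owner/group/mode/links etc. differ (usually drift)

# Constructed sample, modelled on the two real lines from the post plus a
# hypothetical /usr/bin/example entry with a content mismatch.
SAMPLE_OUTPUT='trustchk: /etc/security/ldap/ldap.cfg: Verification of attributes failed: group mode
trustchk: /lib/wpars/unloadwpar: Verification of attributes failed: accessauths innateprivs inheritprivs
trustchk: /usr/bin/example: Verification of attributes failed: hash size'

# classify_attrs "<space separated attrs>" -> prints privilege|content|metadata.
# Privilege wins over content, content wins over metadata.
classify_attrs() {
    class=metadata
    for a in $1; do
        case "$a" in
            accessauths|innateprivs|inheritprivs|authprivs|secflags) class=privilege ;;
            hash|size|cert_tag|signature) [ "$class" = privilege ] || class=content ;;
        esac
    done
    printf '%s\n' "$class"
}

# triage: reads trustchk -n output on stdin, prints "<class> <path> <attrs>"
# per failing file. Exit status: 0 nothing failed, 1 metadata drift only,
# 2 at least one privilege or content mismatch.
triage() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "trustchk: "*": Verification of attributes failed: "*) ;;
            *) continue ;;   # ignore prompts, blank lines, other messages
        esac
        rest=${line#trustchk: }
        path=${rest%%: Verification of attributes failed: *}
        attrs=${rest#*: Verification of attributes failed: }
        class=$(classify_attrs "$attrs")
        printf '%s %s %s\n' "$class" "$path" "$attrs"
        case "$class" in
            privilege|content) rc=2 ;;
            metadata) [ "$rc" -eq 2 ] || rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo run over the constructed sample; status is 2 here because unloadwpar
# and /usr/bin/example go beyond metadata drift.
status=0
printf '%s\n' "$SAMPLE_OUTPUT" | triage || status=$?
echo "triage exit status: $status"
```

In practice you would feed it the real output with "trustchk -n ALL 2>&1 | triage" from the cron job and page on status 2 only, while status 1 can go to a daily drift report; a privilege-class hit is the one where the "trustchk -t" prompt should not be answered before someone confirms which side (TSD or /etc/security/privcmds) is the intended baseline.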

For reference, the trustchk manual page describes the flags as follows. -n and -t are the ones used above; -q is worth running on a flagged file to see its full TSD stanza before deciding what to fix. The other flag used above, -u, is not quoted here: it updates the TSD entry for the named file with the file's current attributes, which is why the re-run of -n ALL then passes.

       -n
            Specifies the auditing mode and indicates that errors are to be reported but not fixed. To check all of the entries in the TSD, use the ALL parameter. To scan the entire system or directories for TROJAN detection, use with tree parameter.

       -t
            Specifies the auditing mode and indicates that errors are to be reported with a prompt asking whether the error should be fixed. To check all of the entries in TSD, use the ALL
            option. To scan the entire system or directories for TROJAN detection, use with tree parameter.

       -q
            Queries the TSD for a file name. Prints the entire list of security attributes, that is, the stanza for the specified file name. To retrieve all of the entries of the TSD, use the
            ALL parameter instead of listing file path names.