Cleaning Up the File System
AIX does not come with a completely clean file system. The above cleanup operations might delete user IDs that own files on the system. To find all of those unowned files, use the following command:
find / \( -nouser -o -nogroup \) -print
Another area of concern is files that are world writable, that is, files whose permissions allow any user to update or delete them. Some files and directories are world writable by default but should not be. Find them with the following command:
find / -perm -0002 \( -type f -o -type d \) -print
Only /tmp and some directories under /var should be world writable. Everything else found by this command has incorrect permissions.
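One way to apply that rule to the search output, as an added example that is not part of the original post. The function name ww_audit, the ALLOWED/REVIEW labels and the allow-list arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): triage the world-writable search.
# Assumption: you pass the search root followed by the directories you have
# reviewed and accept as world writable (/tmp and selected /var directories).
#
# Usage on a real system (run as root):
#   ww_audit / /tmp /var/tmp
#
# Output, one line per world-writable file or directory under ROOT:
#   ALLOWED <path>   the path is, or lies inside, an allow-listed directory
#   REVIEW  <path>   world writable outside the allow-list; fix its mode
# Limitation: paths containing newlines are not handled.
ww_audit() {
    root=$1
    shift
    # Same search as in the text, with the parentheses escaped for the shell.
    find "$root" -perm -0002 \( -type f -o -type d \) -print |
    while IFS= read -r path; do
        verdict=REVIEW
        for ok in "$@"; do
            case $path in
                # Match the allow-listed directory itself or anything below it,
                # but not a sibling that merely shares the prefix (/tmpfoo).
                "$ok"|"$ok"/*) verdict=ALLOWED ;;
            esac
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}
```

Piping the result through grep '^REVIEW ' leaves only the entries whose permissions need correcting.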
Configuring the Trusted Computing Base
The Trusted Computing Base (TCB) is an AIX feature that keeps track of modifications to critical system files. If you want to work with the TCB, it needs to be activated when you initially install AIX; there is no way to install it later on.
As shipped, the TCB might not list all the files that should be checked (for example, the device entries). To update the TCB with the current state of the devices, run the following script:
# Register every entry under /dev with the TCB
for f in $(find /dev -print)
do
    tcbck -l "$f"
done
You then need to add any other files that you want to have checked via the TCB by running tcbck -a. There might be a few inconsistencies already, depending on the exact update level you are using. Use the following command to generate a list of the current TCB inconsistencies:
tcbck -n tree > /tmp/tree.out 2>&1
You can then use the tcbck command in the update mode to fix them, or you can edit the file /etc/security/sysck.cfg.