Getting to know the AIX Security Expert

The AIX Security Expert—AIXPert, for short—combines more than 300 security settings under a single point of control. That makes securing your IBM® AIX® LPAR—or even hundreds of LPARs—simple. So easy, in fact, that when I first ran it on a test LPAR, I managed to lock myself out completely! (I never intended my system to be that secure.) Here's your chance to learn from my mistakes.

Once you get a feel for AIXPert's use of XML config files for its security scripts, you'll see that the tool is a smart and simple way of hardening your AIX system. You can implement high security with a single command. If you want to drill down, you can. AIXPert is granular enough to let you tailor rules to suit your needs. You can choose which rules you want to enable or disable. You can even set up your own rules. AIXPert also provides an Undo option, which lets you roll back your security changes in one step.

Here is my list of the AIXPert gotchas that got me. Don't say I didn't warn you:

• AIXPert needs to apply security before it can check security.
• AIXPert can't undo what it hasn't done.
• Undo has some exceptions.
• AIXPert doesn't run automatically.
• Sarbanes Oxley (SOX) Act Control Objectives for Information and Related Technologies (COBIT) settings don't imply high-security settings.

Back to top

Gotcha 1: AIXPert needs to apply security before it can check it

AIXPert has an option that allows you to check the security settings (aixpert -c) against a previously applied set of rules. If you haven't implemented that set of rules first using AIXPert, the tool can't check the security of your system. So, if you've started locking down security yourself—for example, by editing files, setting password rules, and so on—the AIXPert security check won't work.

The reason is simple: AIXPert needs to work against its own baseline of applied settings, stored in a file called /etc/security/aixpert/core/appliedaixpert.xml. Without that baseline, the check option reports the error shown in Listing 1.

	
# aixpert -c -l d
File /etc/security/aixpert/core/appliedaixpert.xml does not exist

The file the check option is looking for contains all of the security settings you have applied via AIXPert.

Resolution

Before you use AIXPert to check security, you need to set security using AIXPert. The list of rules you have applied is contained in the appliedaixpert.xml file. This file is created when you implement security using any of the AIXPert interfaces.

In Listing 2, you can see how to implement the default level of security using the aixpert command. The last two lines of the output are also shown, indicating how many rules were processed and the number of rules that passed and failed.

	
# aixpert -l default

# Processedrules=117      Passedrules=110 Failedrules=7   Level=DLS
#        Input file=/etc/security/aixpert/core/aixpertall.xml

Now, there is a baseline file called appliedaixpert.xml, as you can see in Listing 3.

	
# cd /etc/security/aixpert/core
# ls -l appliedaixpert.xml
-rw-r--r--    1 root   system    109237 Oct 07 07:40 appliedaixpert.xml

Running the check option using aixpert -c should now work. This check function reports the number of rules processed and how many passed or failed.

Back to top

Gotcha 2: AIXPert can't undo what it hasn't done

One of the great features of AIXPert is that it can easily back out the security settings that it has applied. When you apply rules successfully, the corresponding Undo action rules are written to the undo.xml file. That's a pretty clever back-out plan, if you need to reverse your security changes. If you decide to bypass AIXPert and lock down some settings yourself, the Undo action rules don't get written to that undo.xml file, so AIXPert can't back them out.

Resolution

AIXPert provides a single, consistent security configuration that is easy to replicate across multiple systems. The appliedaixpert.xml file allows you to have all your security settings in a single file, and the undo.xml file allows you to reverse them (with some exceptions—see Gotcha 3).

To secure your AIX system, you may need to implement hundreds of security settings. That's a high-risk task if you're doing them one at a time, and it could take hours to change on a single LPAR and even longer to undo. With all that security hardening work to do, it's far smarter, simpler, and safer to leave security hardening to the AIXPert.

Back to top

Gotcha 3: The Undo option has some exceptions

The Undo option in AIXPert (aixpert -u) reverses the security changes made using AIXPert, but there are a few actions that you can't undo.

Resolution

Forewarned is forearmed, and it's important to be aware of the few exceptions to the Undo option. They include:

• Checking password, user, and group definitions for High, Medium, and Low security levels
• Changes to the login banner
• Removal of the guest account

These and the other settings that you can't undo using the AIXPert Undo option are outlined in the AIX Version 6 Advanced Security Redbook (see Resources for a link).

Back to top

Gotcha 4: AIXPert doesn't run automatically

If you've been administering AIX systems for a while, you might expect that editing a configuration file (such as resolv.conf or sendmail.cf) would be enough for the change to take effect—at least after refreshing a daemon or, at the very most, following the next reboot. With AIXPert, there is no daemon. If you decide to edit the config file, you may be surprised to see that the security rules in it aren't applied, even after a reboot.

Resolution

After you have added, deleted, or changed the rules in the XML file to a state you're happy with, you need to apply these rules using aixpert -f followed by a file name, as in the example in Listing 4.

	
# aixpert -f appliedaixpert.xml

AIXPert only applies the security rules when you want it to. If you were to break a rule yourself—which, as the systems administrator, you are entitled to do—you wouldn't want the aixpert command to undo it without your knowledge. For example, if you opened Telnet or FTP temporarily, it would be frustrating to have it disabled a moment later by some overzealous security daemon.

If you wanted to, you could set up a cron job to enforce the rules periodically. Or, you may prefer simply to report your system compliance using aixpert -c instead. That way, you can decide which rules have been broken since the last time you applied AIXPert, and then implement them again, if you want to.

Back to top

Gotcha 5: SOX COBIT settings don't include high security

There are several levels of security in AIXPert—from AIX Default through Low, Medium, High, and Advanced. There's also SOX COBIT, which applies SOX COBIT Best Practices Security (SCBPS).

Now, you may think (as I did) that if you apply the SOX COBIT rules, your system's locked down, with all the high-level security rules in place. That's not the case. When you apply the AIXPert settings for SOX COBIT, you implement the SCBPS options for password policy enforcement, security violations and activity report, malicious software detection and correction, and firewall setup. As important as these are, they don't include all the security settings that you might want to apply by selecting High security, for example.

Resolution

If you want the High security settings, run the aixpert command with the High level first using aixpert -l high, and then apply SOX COBIT settings with aixpert -l sox-cobit.

Back to top

Hardening made easy

The AIX Security Expert really provides a simple, quick, and comprehensive way of applying security standards. It has several easy interfaces that allow you to apply a security level to your AIX system with a single command. It also allows you to customize your security via the XML configuration files and the command line.

Once you realize that AIXPert leaves you in control, you can apply security that is robust and consistent. You'll see what a time saver this security tool is for you—as long as the gotchas don't get you.

Resources

Learn

• Ken Milberg has an excellent overview of the AIX Security Expert in his developerWorks article Using AIX Security Expert (December 2008).
  
  
• The AIXPert hints and tips wiki shows the different interfaces you can use when setting security. It also lists the AIXPert rules, taken from /usr/security/aixpert/core/aixpertall.xml.
  
  
• Documentation on the commands, files, and settings that AIXPert uses is available at the IBM Infocenter.
  
  
• For a detailed outline of the security enhancements in AIX 6 along with practical examples, see the Redbook AIX V6 Advanced Security Features Introduction and Configuration.
  
  
• AIX and UNIX developerWorks zone: The AIX and UNIX zone provides a wealth of information relating to all aspects of AIX systems administration and expanding your UNIX skills.
  
  
• New to AIX and UNIX? Visit the New to AIX and UNIX page to learn more.
  
  
• Technology bookstore: Browse the technology bookstore for books on this and other technical topics.
  
  

Discuss

• Check out my AIX blog on IBM developerWorks. It has lots of tips and practical examples for AIX administrators, and has tips for beginners as well as some more advanced topics. AIX Down Under.
  
  
• Follow me on Twitter and keep up with my blog updates.
  
  
• Get involved in the My developerWorks community. Connect with other developerWorks users while exploring the developer-driven blogs, forums, groups, and wikis.
  
  
• Follow developerWorks on Twitter.
  
  
• Follow developerWorks on Twitter.
  
  
• Participate in developerWorks blogs and get involved in the developerWorks community.
  
  
• Get involved in the My developerWorks community.
  
  
• Participate in the AIX and UNIX® forums:
  • AIX Forum
  • AIX Forum for developers
  • Cluster Systems Management
  • Performance Tools Forum
  • Virtualization Forum
  • More AIX and UNIX Forums
  
  

About the author

Anthony English is an independent contractor from Sydney, Australia. He has worked on AIX systems since 1991 and writes the IBM developerWorks blog, AIX Down Under. He is also recognized as an IBM Champion for Power Systems. You can reach Anthony at anthonyenglish@levitar.com.au.

Rate this article

Comments

Back to top

Table of contents

• Getting to know the AIX Security Expert
• Gotcha 1: AIXPert needs to apply security before it can check it
• Gotcha 2: AIXPert can't undo what it hasn't done
• Gotcha 3: The Undo option has some exceptions
• Gotcha 4: AIXPert doesn't run automatically
• Gotcha 5: SOX COBIT settings don't include high security
• Hardening made easy
• Resources
• About the author
• Comments

Next steps from IBM

WebSphere Portal can help your small and midsize business achieve better website security, along with faster time to value with easily deployable and customizable example Web sites.

---

• Try: Download a free trial version of IBM WebSphere Portal Express V6.1, which offers collaboration, document management, and secure Web content management.
• Article: This article provides an overview of the WebSphere Portal security architecture, including internet security, and secure connections between clients.
• Tutorial: This tutorial take you through the steps to develop and test your first portlet WebSphere Portal Test Environment.
• Demo: These demos show Web 2.0 features available today within WebSphere Portal, as well as several features planned for the future.
• Buy: IBM WebSphere Portal Express

Dig deeper into AIX and UNIX on developerWorks

IBM SmartCloud trial. No charge.

Unleash the power of hybrid cloud computing today!

---

Public and private solutions in one trial.

Special offers