Using AIX Security Expert

AIXPert features new to AIX V6.1

AIXPert is an all-purpose GUI and command-line security tool that incorporates over 300 security configuration settings. Learn about recent enhancements implemented with IBM® AIX® V6.1, including SOX auditing support, and go through real scenarios to show how AIXPert can be used from the command line, smit, and the GUI.

Share:

Ken Milberg, Writer/site expert, Future Tech

Ken Milberg is a technology writer and site expert for Techtarget.com and provides Linux technical information and support at Searchopensource.com. He is also a writer and technical editor for IBM Systems Magazine, Power Systems edition, and a frequent contributor of content for IBM developerWorks. He holds a bachelor's degree in computer and information science, as well as a master's degree in technology management from the University of Maryland University College. He is the founder and group leader of the N.Y. Metro POWER-AIX/Linux Users Group. Through the years, he has worked for both large and small organizations and has held diverse positions from CIO to senior AIX engineer. He is currently president and managing consultant for UNIX-Linux Solutions, is a PMI-certified Project Management Professional (PMP), an IBM Certified Advanced Technical Expert (CATE), and is also IBM SCon certified.



09 December 2008

Also available in Chinese Russian

Introduction

Develop skills on this topic

This content is part of a progressive knowledge path for advancing your skills. See AIX security: Learn the basics

Beginning with AIX V5.3 TL05, IBM introduced a new feature called AIX Security Expert, or AIXPert for short. So what is it exactly? AIXPert is not a single system or utility; in actuality, it is a system that centralizes many security controls within one interface. Back in its infancy, the most important capabilities provided were for the setting up of security levels and for controlling settings for key areas. These areas included rules for enabling remote services, IP security filtering, and more granular control for startup files, which included inittab, rc.tcpip, and inetd.

With the introduction of AIX V6.1, many new features were added to the system. These enhancements include:

  • The ability to customize user-defined policies.
  • More stringent checks for root passwords.
  • Support for Sarbones-Oxley (SOX)-COBIT best practices.
  • A stronger interface to help you configure the environment, along with GUI performance enhancements.
  • Centralized policy distribution through LDAP (although this article doesn't delve into an actual LDAP implementation).

Using AIXPert

The essence of AIXPert is that it is a network and security hardening tool, which incorporates many functions into one system. Prior to AIXPert, you needed to remember many different commands. AIXPert incorporates over 300 security configuration settings, while still providing control over each element. In other words, it provides a center for all security settings, including TCP, IPSEC, and auditing. Essentially, there are four different levels that can be defined as part of the system: high, medium, low, and advanced.

  • High should be used in environments where security and controls are of paramount importance. Note that applications such as telnet, rlogin, and FTP, and other systems that transmit non-encrypted passwords will not work, so be careful when turning this high level on. Understand that most ports will be blocked in this scenario. Systems that may be connected directly to the Internet that have sensitive data are good examples of a system that would be run with this level.
  • Medium levels are appropriate for systems that reside behind a firewall, where users need to use services such as telnet, but still want protection. This setting also provides port scan and password-setting protections.
  • Low-level security is configured usually when the system is in an isolated and secured type of LAN. This is used where system administrators need to be careful not to interrupt any services to the environment. This article shows you how to configure these settings.
  • The Advanced level is for customization. It allows you to use different rules from different levels, the rules themselves being mutually exclusive of one another. It does not in itself provide a higher level of security.

More than any specific feature, it is the consolidation of security that really adds the value to AIXPert. For example, AIXPert incorporates the File Permissions Manager in the form of the fpm command to also help manage SUID programs. This feature is demonstrated later in the article.

Another important feature is the ability to take snapshots of your system and reproduce these settings through the enterprise. This allows you to clone your security features across the organization. This feature includes the ability to undo settings and also checks the overall security health of the systems to report back on settings that may have been changed. The ease with which you can undo security levels cannot be overstated. It's as simple as running this command from the command line: # aixpert - u undo.xml. This undo feature is one of the enhancements that were made part of the AIX V6.1 release.

This article illustrates how to configure security using all the methods that are available to you: through the command line, through smit (or smitty), and through the GUI (in this case, using AIX Systems Director).


Looking around the AIXPert system

It's vital to understand what the important files are for AIXPert so you know what you are working with and what is being modified when the system is running. This can also help you troubleshoot problems that may develop.

The configuration data itself starts from the parent directory, /etc/security/aixpert. The most important files of the system are all accessible from here.

The first file is aixpertall.xml, which can be found in the following directory: /etc/security/aixpert/core/aixpertall.xml (see Figure 1). This is the file that contains the XML listings of all possible system settings.

Figure 1. aixpertall.xml
aixpertall.xml

The next file is the appliedaixpert file, and it contains the listing of applied security settings (see Figure 2). This file is used most commonly to take a security snapshot for use as a documentation tool on one's own system or to take the configuration data and apply it on other systems. You would do this using the -f command. It's as simple as running this command: # aixpert -f appliedaixpert.xml.

Figure 2. appliedaixpert.xml
appliedaixpert.xml

The /etc/security/aixpert/log/aixpert.log file is the tracelog file. Since AIXPert does not use syslog, you will need to look at this file to look at all of the applied security settings.

If you're going to use auditing, then you'll need to look at the etc/security/aixpert/check_report.txt file, as well. Furthermore, when AIXpert is used to configure systems, this file will report back any configuration changes that are made outside of AIXPert. When applied security settings have not been changed, this file should be empty.

Now that you understand where AIXPert keeps all of its crucial files, let's run fpm.


Using fpm

The fpm command allows system administrators to harden their system by disabling the setuid and setgid bits on many commands. This is important because like most UNIX systems, AIX has a history of having many setuid and setgid programs. For the most part, the command is intended to remove the setuid permissions from commands and daemons owned by privileged users, but it can also be used to address the specific needs of computer environments. Prior to this command, you needed to work with Role-Based Access Control (RBAC) to help remedy the problem of setuid and setgid programs. Using fpm actually helps cut down on the number of these files, whether one uses RBAC or not.

Let's look at some examples.

To check if the system commands are presently set to fpm low-level permissions, enter the command in Listing 1.

Listing 1. Check that system commands are set to fpm low-level permissions
# fpm -c -l low

Success, no files had the suid bit set

In this case, no files had the suid bit set.

Listing 2 shows the permission changes needed to make the system compliant with the fpm command's high-level security without changing any actual file permissions.

Listing 2. Listing permission changes needed for fpm high-level security
# fpm -l high -p

One or more files is already secure. Therefore, the current file permissions may not match the default permissions. If you wish to return to the snapshot of permissions prior to running this command, then use this command: # fpm -l default.

This will restore all AIX permissions to the installed settings, and any customized settings you already had in /usr/lib/security/fpm/custom/default.

Up to now, the article has focused on discussing AIXPert at a high level, along with its features and recent innovations. You've also looked at one of its utilities: fpm. In the next section, you'll see the three different ways of executing actual AIXPert commands.


Using the command line

AIXPert has a very powerful command line. In fact, it is much more powerful than anything you can run either from smit or the GUI.

Some of the more popular flags are:

-p
To display using verbose output
-c
Checks the overall security settings
-l
Checks all the rules in the /etc/security/aixpert/core/appliedaixpert.xml file
-f
Applies the security settings in the provided filename.
-l
Sets the system security settings to the level specified with this option. All the successfully applied rules are written to /etc/security/aixpert/core/appliedaixpert.xml. The options are:
h|high
Specifies high-level security options
m|medium
Specifies medium-level security options
l|low
Specifies low-level security options
d|default
Specifies AIX standards-level security options
s|sox-cobit
Specifies SOX-COBIT best practices-level security options
-o
Stores security output to the file pointed to by filename
-u
Undoes the security settings that have been applied
-d
Displays the document type definition (DTD)

Listing 3 explicitly tells the system to use low-level security options.

Listing 3. Telling the system to use low-level security options
# aixpert -l low -n -o /etc/security/aixpert/core/mySettings.xml

To apply the settings from a file, use the -f command (see Listing 4).

Listing 4. Applying the settings from a file
# aixpert -f /etc/security/aixpert/core/mySettings.xml

This article is not going to go over every single scenerio. Look at the manpages on AIXPert for more information on everything you can do (see Resources for a link).

Next, we'll use smit to work with AIXPert.


Using smit

Most AIX administrators prefer smit to any other method of running commands and utilities. There is no exception here either, unless you need to really drill down and use some of the low-level commands, which are just not available here. Using smit, you can clearly see all the high-level commands available to you; including setting the security levels, implementing and viewing SOX-COBIT practices, and checking and undoing security levels.

In this example, you'll start by using the fastpath smit AIXPert: # smit aixpert. You'll then configure the system for low-level security.

Toggle the cursor down to low-level security, as shown in Figure 3. After you hit the Enter key, the system will prompt you to make sure you want to continue running the command.

Figure 3. Launching smit
launching smit

In this example, you'll start up SOX-COBIT best practices (see Figure 4).

Figure 4. Launching SOX-COBIT best practices
Launching SOX-COBIT Best Practices

The Audit feature will report to the auditor whether the system is currently configured for SOX compliance. The configuration assistant itself automatically implements security settings that are commonly associated with COBIT best practices for SOX. The objectives include password policy enforcement, violation and security activity reports, and malicious software detection and correction.

To generate a detailed compliance audit report, you can use the following command from the command line: # aixpert -c -l s -p.

Next, you'll use the GUI to configure AIXPert.


Using the GUI

Prior to VAIX 6.1, you would use WebSM to access the GUI for AIXpert. With AIX V6.1, make sure that you use the IBM Systems Director for the AIX console instead. Open up your browser to the following link: http://hostname:5335/ibm/console.

If your hostname does not work, try your IP address. Use the root password when logging into Systems Director. If you haven't used AIX Systems Director, I can guarantee you that you will love the look and feel of it. After logging in, you will see the main screen (see Figure 5). Go to System Environments.

Figure 5. System Environments screen
System Environments screen

Let's choose the AIX Security Expert as shown in Figure 6.

Figure 6. Choosing AIX Security Expert
Choosing AIX Security Expert

You will notice that from here you'll have similar options that you had when using smit. Choose ,Medium-Level Security. Similar to smit, the system will prompt you to make sure you want to continue to run the command (see Figure 7).

Figure 7. Prompting to make sure you want to run the command
Prompting to make sure you want to run the command

After choosing Yes, the system processes the information and finishes successfully (see Figure 8).

Figure 8. Success
success

You are now ready to take advantage of the power of AIXPert from the convenience of the GUI.


Summary

This article introduced AIXPert, the all-purpose GUI and command-line security tool. It discussed what the system could do and the recent enhancements implemented with AIX V6.1, including SOX auditing support. It elaborated on the four different security levels that can be defined as part of the system: high, medium, low, and advanced. It also examined different ways to configure AIXPert, including the command line, smit, and the the GUI, and looked at utilities that are part of the system, such as the File Permissions Manager (fpm).

Resources

Learn

Discuss

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into AIX and Unix on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=AIX and UNIX
ArticleID=357829
ArticleTitle=Using AIX Security Expert
publish-date=12092008