viosecure command

Purpose

Activates, deactivates, and displays security hardening rules. Configures, unconfigures, or displays firewall settings.

Syntax

viosecure -level LEVEL [-apply] [ -rule ruleName] [-outfile filename]

viosecure -view [ -actual | -latest] [-rule ruleName | -nonint]

viosecure -file rulesFile

viosecure -changedRules

viosecure -undo

viosecure -firewall {on [[ -force] -reload] | off} [-ip6]

viosecure -firewall {allow | deny} -port number [-interface ifname] [-address IPaddress] [-timeout Timeout] [-remote] [-ip6]

viosecure -firewall view [-fmt delimiter] [-ip6]

Description

The viosecure command activates, deactivates, and displays security hardening rules. By default, none of the security hardening features are activated after installation. When you run the viosecure command, it guides you through the choice of security level, which can be high, medium, or low. After this initial selection, a menu displays the security configuration options associated with the selected level in sets of 10. These options can be accepted as a whole, toggled on or off individually, or ignored. After any changes, viosecure applies the selected security settings to the system.

Note: If no rules exist on the system, running the viosecure command creates a set of default level rules. These rules might be different from the actual current system configuration.

The viosecure command also configures, unconfigures, and displays the firewall settings of the network. You can use the viosecure command to activate and deactivate specific ports and to specify the interface and IP address of the connection. You can also specify to use the IPv6 version of the viosecure command to configure, unconfigure, and display the firewall settings of the IPv6 network.

Note: For a complete listing of rules that apply to each security level, see AIX Security Expert.

Flags

Flag name    Description

-level LEVEL
    Specifies the security LEVEL settings to choose, where LEVEL is low, medium, high, or default. The default LEVEL deactivates any previous security LEVEL system settings. Except for the default LEVEL, 10 security LEVEL settings are displayed at a time. The user can then choose the necessary security settings by entering comma-separated numbers, the word ALL to choose all of the settings, A to apply the selected settings, NONE to choose none of the settings, q to exit, or h for help. The security settings chosen are then applied to the system.

-view
    Displays the current security level settings. All of the security setting names start with the three characters Xls, where X is l (low), m (medium), h (high), or d (default). For example, the security setting name lls_minlenl is the low-level security setting for the minimum length of a password.

-apply
    Applies all of the LEVEL security settings to the system. There is no user-selectable option.

-nonint
    Specifies non-interactive mode.

-outfile
    Specifies that security rules be written to a specific file.

-file
    Specifies the security rules file to be applied.

-rule
    Specifies the name of the rule, for example, lls_maxexpired or hls_telnet.

-changedRules
    Displays new values, if they have been changed by any other commands.

-latest
    Displays the last applied rules.

-actual
    Displays the actual values for the rules that are set.

-undo
    Undoes the latest security settings that have been applied. Use -latest to view the latest security settings.

-firewall on [[-force] -reload] [-ip6]
    Configures the default firewall settings from the filter rules in the Object Data Manager (ODM). If you use the reload option, the ODM rules are deleted and the default values are loaded from the /home/ios/security/viosecure.ctl file. If the viosecure.ctl file does not exist, the force option specifies to use the hard-coded default firewall settings. The -ip6 flag specifies to use the IPv6 version of this command. If the -ip6 flag is not used, the default version is IPv4.

-firewall off [-ip6]
    Unconfigures the firewall settings and saves all the firewall filter rules to the /home/padmin/viosfirewall.rules file. The -ip6 flag specifies to use the IPv6 version of this command. If the -ip6 flag is not used, the default version is IPv4.

-firewall allow -port Port [-interface ifname] [-address IPaddress] [-timeout Timeout] [-source] [-remote] [-ip6]
    Allows IP activity on the specified port, with optional restrictions by interface, IP address, and duration. The port option can be a number or a service name from the /etc/services file. The remote option specifies that the port is a remote port; all IP activity to and from that remote port is allowed. The default is that all IP activity to and from a local port is allowed. The timeout period can be specified as a number (in seconds), or as a number followed by m (minutes), h (hours), or d (days). The maximum timeout period is 30 days. The -ip6 flag specifies to use the IPv6 version of this command. If the -ip6 flag is not used, the default version is IPv4.

-firewall deny -port Port [-interface ifname] [-address IPaddress] [-timeout Timeout] [-source] [-remote] [-ip6]
    Removes a previous firewall allow setting. The Port argument can be a number or a service name from the /etc/services file. If -port 0 is specified, all allow settings are removed. The remote option specifies that the port is the remote port; the default is a local port. The timeout period can be specified as a number (in seconds), or as a number followed by m (minutes), h (hours), or d (days). The maximum timeout period is 30 days. The -ip6 flag specifies to use the IPv6 version of this command. If the -ip6 flag is not used, the default version is IPv4.

-firewall view [-fmt delimiter] [-ip6]
    Displays the available ports. If the -fmt option is specified, the viosecure command separates the output fields with the user-specified delimiter. The -ip6 flag specifies to use the IPv6 version of this command. If the -ip6 flag is not used, the default version is IPv4.
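The -timeout rules for the allow and deny flags (plain seconds, or a number followed by m, h, or d, with a 30-day maximum) are easy to get wrong in automation. The POSIX sh functions below are an added example, not part of the IBM reference: they validate a timeout value against those rules and build the corresponding viosecure allow command line without running it. The function names and the decision to print rather than execute the command are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate a viosecure -timeout value and build an allow command.
# viosecure itself is not invoked; the command line is printed for review.

MAX_SECONDS=2592000   # 30 days, the maximum timeout the flag table allows

# timeout_seconds VALUE
#   Prints the timeout converted to seconds; returns 1 if VALUE is not
#   a positive number optionally followed by m, h, or d, or exceeds 30 days.
timeout_seconds() {
    v=$1
    case "$v" in
        ''|*[!0-9mhd]*) return 1 ;;      # only digits plus one unit letter
    esac
    num=${v%[mhd]}                       # strip a single trailing unit
    unit=${v#"$num"}                     # whatever was stripped, if anything
    case "$num" in
        ''|*[!0-9]*) return 1 ;;         # "d", "7dd", "7m5" are rejected here
    esac
    case "$unit" in
        '') mult=1 ;;
        m)  mult=60 ;;
        h)  mult=3600 ;;
        d)  mult=86400 ;;
        *)  return 1 ;;
    esac
    secs=$((num * mult))
    [ "$secs" -gt 0 ] && [ "$secs" -le "$MAX_SECONDS" ] || return 1
    echo "$secs"
}

# build_allow_cmd PORT TIMEOUT [ADDRESS]
#   Prints "viosecure -firewall allow ..." for a validated timeout,
#   appending -address when a source address is given; returns 1 otherwise.
build_allow_cmd() {
    port=$1; tmo=$2; addr=$3
    timeout_seconds "$tmo" >/dev/null || return 1
    cmd="viosecure -firewall allow -port $port -timeout $tmo"
    [ -n "$addr" ] && cmd="$cmd -address $addr"
    echo "$cmd"
}
```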

Examples

  1. To display the high system security settings, and to select which of the high security settings to apply to the system, type the command as follows:
    viosecure -level high
  2. To apply all of the 'high' system security settings to the system, type the command as follows:
    viosecure -level high -apply
  3. To display the current system security settings, type the command as follows:
    viosecure -view
  4. To unconfigure the previous system security settings, type the command as follows:
    viosecure -level default
  5. To allow IP activity on the ftp-data, ftp, ssh, www, https, rmc, and cimon ports, and to deny other IP activity, type the command as follows:
    viosecure -firewall on
    viosecure -firewall on -ip6
  6. To enable IPv4 activity on all the ports, type the command as follows:
    viosecure -firewall off
  7. To enable IPv6 activity on all the ports, type the command as follows:
    viosecure -firewall off -ip6
  8. To allow the users from IP address 10.10.10.10 to rlogin, type the command as follows:
    viosecure -firewall allow -port login -address 10.10.10.10
  9. To enable users from IPv6 address ff06:0:0:0:0:0:0:c3 to execute the rlogin command, type the command as follows:
    viosecure -firewall allow -port login -address ff06:0:0:0:0:0:0:c3 -ip6
  10. To allow users to rlogin for seven days, type the command as follows:
    viosecure -firewall allow -port login -timeout 7d
  11. To allow rsh client activity through interface en0, type the command as follows:
    viosecure -firewall allow -port 514 -interface en0 -remote
  12. To remove the rule that permits users from IPv4 address 10.10.10.10 to execute the rlogin command, type the command as follows:
    viosecure -firewall deny -port login -address 10.10.10.10
  13. To remove the rule that permits users from IPv6 address ff06:0:0:0:0:0:0:c3 to execute the rlogin command, type the command as follows:
    viosecure -firewall deny -port login -address ff06:0:0:0:0:0:0:c3 -ip6
  14. To display the list of available ports, type the command as follows:
    viosecure -firewall view
  15. To display the list of available ports for IPv6, type the command as follows:
    viosecure -firewall view -ip6
  16. To undo the security settings that have been applied, type the command as follows:
    viosecure -undo /etc/security/aixpert/core/undo.xml
    Note: This command removes the latest security settings specified in the undo.xml file.
  17. To write low-level security rules to myfile, type the command as follows:
    viosecure -level low -outfile myfile
  18. To apply security rules from myfile, type the command as follows:
    viosecure -file myfile
  19. To display the most recently applied rules, type the command as follows:
    viosecure -view -latest
  20. To display rules that have been changed after they were applied with the viosecure command, type the command as follows:
    viosecure -changedRules
  21. To apply the single rule lls_maxage, type the command as follows:
    viosecure -level low -rule lls_maxage -apply
  22. To view the applied rule lls_maxage, type the command as follows:
    viosecure -view -rule lls_maxage
  23. To view the rule lls_maxage if it exists among the last applied rules, type the command as follows:
    viosecure -view -rule lls_maxage -latest
  24. To display the actual values of rules, even if they have been changed by another command, type the command as follows:
    viosecure -view -actual