Distributing security policy through LDAP

LDAP can be used to distribute AIX® Security Expert XML configuration files. You can use AIX Security Expert to copy a security configuration from one system to another. This allows for similar systems to have the same security configuration. This consistency can reduce security vulnerabilities.

The recommended practice is to use AIX Security Expert to configure a single system and set the security level in accordance with corporate security policies and the environment in which the system will operate. This configuration is captured in the /etc/security/aixpert/core/appliedaixpert.xml file. This file can then be moved to a configured and trusted LDAP server. Other systems with connectivity to this LDAP server will automatically discover this XML configuration file via the aixpertldap command.

Any existing LDAP server can be updated with the aixpert schema to distribute the aixpert configuration XML files to each connected client. If the LDAP server has not yet been updated with the aixpert schema, load the schema onto the LDAP server with the following command:

    ldapmodify -c -D <bindDN> -w <bindPwd> -i /etc/security/ldap/sec.ldif

Once the LDAP server has been updated with the aixpert schema, clients can place their XML configuration files on the LDAP server using the -u option of the aixpertldap command. These configuration files need to be updated manually.
Note: This feature relies on the trust model LDAP has in place. Users who have privileges to write to LDAP can modify the data uploaded by users of a different machine. Similarly, if an LDAP client has a security vulnerability, then this can be exploited to read and understand the security status of other LDAP clients by reading the AIX Security Expert XML configuration files associated with the client.

For example, an appliedaixpert.xml file can be saved on the LDAP server under the name BranchOfficeSecurityProfile. Or a differently configured appliedaixpert.xml file might be saved under the name InternetDirectAttachedSystemsProfile. As other systems with LDAP connectivity are configured with AIX Security Expert, these security profiles are automatically presented as menu options. This allows the system administrator to select the security profile which best suits their environment within the guidelines of their corporate security policies.

AIX Security Expert is then used to secure a system. The complete list of security configuration settings implemented on the system is captured in the file /etc/security/aixpert/core/appliedaixpert.xml. This file is the security policy for this system. When the AIX Security Expert Check Security option is used, the system's current settings are compared against this security policy. This security policy can also be copied and applied to other systems, which provides consistency in the security of systems throughout your IT environment. There are two ways to copy a security policy onto other systems: manually or through LDAP.