Distributing security policy through LDAP
LDAP can be used to distribute AIX® Security Expert XML configuration files. You can use AIX Security Expert to copy a security configuration from one system to another, so that similar systems share the same security configuration. This consistency can reduce security vulnerabilities.
The recommended practice is to use AIX Security Expert to configure a single system and set the security level in accordance with corporate security policies and the environment in which the system will operate. This configuration is captured in the /etc/security/aixpert/core/appliedaixpert.xml file. This file can then be moved to a configured and trusted LDAP server. Other systems with connectivity to this LDAP server will automatically discover this XML configuration file via the aixpertldap command.
Before configuration files can be placed on the LDAP server, the server must be updated with the aixpert schema in /etc/security/ldap/sec.ldif:
ldapmodify -c -D <bindDN> -w <bindPwd> -i /etc/security/ldap/sec.ldif
Once the LDAP server is updated with the aixpert schema, clients can place their XML configuration files on LDAP using the -u option of the aixpertldap command. These configuration files need to be updated manually. For example, an appliedaixpert.xml file can be saved on the LDAP server under the name BranchOfficeSecurityProfile, or a differently configured appliedaixpert.xml file might be saved under the name InternetDirectAttachedSystemsProfile. As other systems with LDAP connectivity are configured with AIX Security Expert, these security profiles are automatically presented as menu options. This allows the system administrator to select the security profile that best suits their environment within the guidelines of their corporate security policies.
AIX Security Expert is then used to secure a system. The complete list of security configuration settings implemented on the system is captured in the file /etc/security/aixpert/core/appliedaixpert.xml. This file is the security policy for this system, and the AIX Security Expert Check Security option compares the system against it. This security policy can also be copied and applied to other systems, which provides consistency in the security of systems throughout your IT environment. There are two ways to copy a security policy onto other systems: manually or through LDAP.
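A policy distributed through LDAP is only useful if the receiving systems actually end up with the same settings. The following added example (not IBM's code) compares a reference appliedaixpert.xml, as it would be published on the LDAP server, against the copy applied on a client and reports missing, extra and changed entries. The element names (AIXPertSecurityHardening, AIXPertEntry, AIXPertCommand, AIXPertArgs) are assumed from the appliedaixpert.xml layout, and both documents are constructed samples.

```python
"""Report drift between a reference AIX Security Expert policy and the
policy applied on a client system.  Added example; element names are
assumed from the appliedaixpert.xml layout, samples are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: the profile published on the LDAP server.
REFERENCE_XML = """<AIXPertSecurityHardening>
  <AIXPertEntry name="hls_minlen" function="minlen">
    <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
    <AIXPertArgs>minlen=8 ALL</AIXPertArgs>
  </AIXPertEntry>
  <AIXPertEntry name="hls_telnet" function="disable_telnet">
    <AIXPertCommand>/etc/security/aixpert/bin/comntrows</AIXPertCommand>
    <AIXPertArgs>telnet</AIXPertArgs>
  </AIXPertEntry>
</AIXPertSecurityHardening>"""

# Constructed sample: what a client system actually has applied
# (weaker minlen, telnet entry missing, an extra ftp entry).
LOCAL_XML = """<AIXPertSecurityHardening>
  <AIXPertEntry name="hls_minlen" function="minlen">
    <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
    <AIXPertArgs>minlen=6 ALL</AIXPertArgs>
  </AIXPertEntry>
  <AIXPertEntry name="hls_ftp" function="disable_ftp">
    <AIXPertCommand>/etc/security/aixpert/bin/comntrows</AIXPertCommand>
    <AIXPertArgs>ftp</AIXPertArgs>
  </AIXPertEntry>
</AIXPertSecurityHardening>"""


def load_policy(xml_text):
    """Map each AIXPertEntry name to its (command, args) pair."""
    root = ET.fromstring(xml_text)
    policy = {}
    for entry in root.findall("AIXPertEntry"):
        cmd = (entry.findtext("AIXPertCommand") or "").strip()
        args = (entry.findtext("AIXPertArgs") or "").strip()
        policy[entry.get("name")] = (cmd, args)
    return policy


def policy_drift(reference_xml, local_xml):
    """Return entries missing on the client, present only on the client,
    and present on both but with a different command or arguments."""
    ref, local = load_policy(reference_xml), load_policy(local_xml)
    return {
        "missing": sorted(set(ref) - set(local)),
        "extra": sorted(set(local) - set(ref)),
        "changed": sorted(n for n in ref.keys() & local.keys() if ref[n] != local[n]),
    }
```

Run the comparison on each client after the profile has been pulled from LDAP; any non-empty list means the system is not carrying the policy it was meant to receive.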