Using AIX Security Expert
AIXPert features new to AIX V6.1
Beginning with AIX V5.3 TL05, IBM introduced a feature called AIX Security Expert, or AIXPert for short. So what is it exactly? AIXPert is not a single utility; it is a framework that centralizes many security controls behind one interface. In its first release, the most important capabilities were setting a system-wide security level and controlling the settings for key areas: rules for enabling remote services, IP security filtering, and more granular control over startup and service files such as /etc/inittab, /etc/rc.tcpip, and /etc/inetd.conf.
With the introduction of AIX V6.1, many new features were added to the system. These enhancements include:
- The ability to customize user-defined policies.
- More stringent checks for root passwords.
- Support for Sarbanes-Oxley (SOX)-COBIT best practices.
- A stronger interface to help you configure the environment, along with GUI performance enhancements.
- Centralized policy distribution through LDAP (although this article doesn't delve into an actual LDAP implementation).
The essence of AIXPert is that it is a network and security hardening tool that folds many functions into one system. Before AIXPert, you had to remember many different commands; AIXPert covers over 300 security configuration settings while still giving you control over each one. In other words, it is a single control point for security settings, including TCP, IPsec, and auditing. Four levels can be selected: high, medium, low, and advanced (the command line additionally accepts the default and sox-cobit levels, covered later in this article).
- High should be used in environments where security and controls are of paramount importance. Note that telnet, rlogin, FTP, and other services that transmit passwords in the clear will not work, so be careful when turning this level on; most ports are blocked in this scenario. A system holding sensitive data that is connected directly to the Internet is a good example of one that would run at this level.
- Medium is appropriate for systems that sit behind a firewall, where users still need services such as telnet but want protection nonetheless. This level also provides port-scan and password-setting protections.
- Low-level security is usually configured when the system sits on an isolated, secured LAN and the administrator must be careful not to interrupt any service. This article shows you how to configure these settings.
- The Advanced level is for customization. It lets you combine rules taken from different levels, with the caveat that rules governing the same setting are mutually exclusive: you pick one of them. It does not in itself provide a higher level of security.
More than any specific feature, it is the consolidation of security that gives AIXPert its value. For example, AIXPert incorporates the File Permissions Manager, the fpm command, to help manage setuid programs. This feature is demonstrated later in the article.
Another important feature is the ability to take a snapshot of a system's settings and reproduce them across the enterprise, cloning your security configuration from one machine to many. The same mechanism lets you undo settings and check the overall security health of a system, reporting back on any settings that have been changed. The ease with which you can undo a security level cannot be overstated. It's as simple as running this command from the command line:
# aixpert -u
This reverses the rules recorded in /etc/security/aixpert/core/undo.xml. The undo feature is one of the enhancements made part of the AIX V6.1 release.
This article illustrates how to configure security using all of the methods available to you: the command line, smit (or smitty), and the GUI (in this case, the IBM Systems Director Console for AIX).
Looking around the AIXPert system
It's vital to understand what the important files are for AIXPert so you know what you are working with and what is being modified when the system is running. This can also help you troubleshoot problems that may develop.
The configuration data itself starts from the parent directory, /etc/security/aixpert. The most important files of the system are all accessible from here.
The first file is aixpertall.xml, which can be found in the following directory: /etc/security/aixpert/core/aixpertall.xml (see Figure 1). This is the file that contains the XML listings of all possible system settings.
Figure 1. aixpertall.xml
The next file is appliedaixpert.xml, which lists the security settings that have been applied (see Figure 2). It is most commonly used as a security snapshot, either to document your own system or to carry its configuration to other systems, which you do with the -f flag. It's as simple as running this command:
# aixpert -f appliedaixpert.xml
Figure 2. appliedaixpert.xml
The /etc/security/aixpert/log/aixpert.log file is the trace log. AIXPert does not write to syslog, so this is the file to read when you want to see every security setting that was applied.
If you're going to use auditing, you'll also need /etc/security/aixpert/check_report.txt. Once a system has been configured with AIXPert, a check run (aixpert -c) writes to this file any applied setting that has since been changed outside of AIXPert. When no applied setting has been changed, the file is empty.
Now that you understand where AIXPert keeps all of its crucial files, let's run fpm.
The fpm command lets system administrators harden a system by removing the setuid and setgid bits from many commands. This matters because, like most UNIX systems, AIX has historically shipped many setuid and setgid programs. For the most part the command is intended to remove setuid permissions from commands and daemons owned by privileged users, but it can also be tailored to the specific needs of an environment. Before this command existed, you had to turn to Role-Based Access Control (RBAC) to reduce the dependence on setuid and setgid programs; fpm cuts down the number of such files whether or not you use RBAC.
Let's look at some examples.
To check whether the system commands are currently set to fpm's low-level permissions, enter the command in Listing 1.
Listing 1. Check that system commands are set to fpm low-level permissions
# fpm -c -l low
Success, no files had the suid bit set
In this case, no files had the suid bit set.
Listing 2 previews the permission changes needed to make the system comply with fpm's high-level security without changing any file permissions; the -p flag reports what would change and nothing more.
Listing 2. Listing permission changes needed for fpm high-level security
# fpm -l high -p
Some files may already have been secured by hand, so the current file permissions may not match the shipped defaults. If you want to return to the snapshot of permissions taken before fpm was run, use this command:
# fpm -l default
This restores all AIX permissions to their installed settings, along with any customized settings you already had in /usr/lib/security/fpm/custom/default.
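The snapshot, preview and restore cycle that fpm implements can be shown in miniature with the following Python script, an added example that is not part of the original article and is not IBM's fpm code. It walks a directory and records the permission bits of every file (the equivalent of the default snapshot), previews the chmod commands that would strip setuid and setgid from everything except an exception list (the equivalent of -p), applies them, and restores the snapshot. The file names, modes and exception list are made up for the demo; real fpm works from its own per-level command lists.

```python
#!/usr/bin/env python3
"""Added example, not IBM's fpm: a small File-Permissions-Manager-style
workflow. It snapshots the permission bits of every file under a directory,
previews the chmod changes a hardening pass would make (as 'fpm -l high -p'
does), applies them, and restores the snapshot (as 'fpm -l default' does).
The file names, modes and the exception list below are assumptions made up
for the demo; they are not fpm's own level lists."""
import os
import stat
import tempfile
from pathlib import Path

PRIV_BITS = stat.S_ISUID | stat.S_ISGID  # the bits a hardening pass strips


def snapshot(root):
    """Record the permission bits of every regular file under root,
    keyed by path relative to root (the 'default' snapshot)."""
    root = Path(root)
    modes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if stat.S_ISREG(st.st_mode):
                modes[str(p.relative_to(root))] = stat.S_IMODE(st.st_mode)
    return modes


def privileged(modes):
    """Files in a snapshot that still carry setuid or setgid."""
    return {p: m for p, m in modes.items() if m & PRIV_BITS}


def plan(modes, keep=()):
    """Preview mode: (path, old_mode, new_mode) for every privileged file
    not on the 'keep' exception list. Nothing on disk is touched."""
    return [(p, m, m & ~PRIV_BITS)
            for p, m in sorted(privileged(modes).items()) if p not in keep]


def as_commands(changes, root):
    """Render a plan as chmod commands an operator can review first."""
    return [f"chmod {new:04o} {Path(root) / p}" for p, _old, new in changes]


def apply_plan(root, changes):
    """Carry out a previewed plan."""
    for p, _old, new in changes:
        os.chmod(Path(root) / p, new)


def restore(root, snap):
    """Put every file back to the mode recorded in the snapshot."""
    for p, m in snap.items():
        os.chmod(Path(root) / p, m)


def demo():
    """Build a throwaway tree, harden it, then roll back. Returns the plan."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample tree: two setuid files, one setgid, one plain.
        for rel, mode in {"bin/passwd": 0o4555, "bin/su": 0o4555,
                          "bin/ls": 0o555, "sbin/crontab": 0o2555}.items():
            f = Path(d) / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"#!/bin/sh\n")
            os.chmod(f, mode)
        before = snapshot(d)                           # the default snapshot
        changes = plan(before, keep=("bin/passwd",))   # passwd must stay setuid
        for cmd in as_commands(changes, d):
            print(cmd)
        apply_plan(d, changes)
        assert "bin/su" not in privileged(snapshot(d))
        restore(d, before)
        assert snapshot(d) == before
        return changes


if __name__ == "__main__":
    demo()
```

The demo builds its tree under a temporary directory and removes it afterwards. Keeping plan() free of side effects serves the same purpose as fpm -p: the chmod list can be put in front of a reviewer before anything changes, and the snapshot taken first is what makes the rollback trustworthy.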
Up to now, the article has focused on discussing AIXPert at a high level, along with its features and recent innovations. You've also looked at one of its utilities: fpm. In the next section, you'll see the three different ways of executing actual AIXPert commands.
Using the command line
AIXPert has a very powerful command line; in fact, it is more capable than anything you can do from smit or the GUI.
Some of the more commonly used flags are:
- -p: Displays verbose output, listing each rule as it is applied or checked.
- -c: Checks the overall security settings; the rules recorded in /etc/security/aixpert/core/appliedaixpert.xml are re-evaluated and any that no longer hold are reported (see check_report.txt above).
- -f filename: Applies the security settings in the provided file.
- -l level: Sets the system security settings to the specified level. All the successfully applied rules are written to /etc/security/aixpert/core/appliedaixpert.xml. The levels, each of which can be abbreviated to its first letter, are:
  - high: high-level security options
  - medium: medium-level security options
  - low: low-level security options
  - default: AIX standards-level security options
  - sox-cobit: SOX-COBIT best practices-level security options
- -n: Writes the rules for the chosen level to the file named with -o instead of applying them.
- -o filename: Stores security output in the named file.
- -u: Undoes the security settings that have been applied.
- -d: Displays the document type definition (DTD) that the profile files follow.
Listing 3 generates the low-level security rules and, because of -n, writes them to a file rather than applying them.
Listing 3. Writing the low-level security options to a file
# aixpert -l low -n -o /etc/security/aixpert/core/mySettings.xml
To apply the settings from that file, use the -f flag (see Listing 4).
Listing 4. Applying the settings from a file
# aixpert -f /etc/security/aixpert/core/mySettings.xml
This article is not going to go over every single scenario. Look at the manpage for aixpert for everything you can do (see Related topics for a link).
Next, we'll use smit to work with AIXPert.
Most AIX administrators prefer smit to any other way of running commands and utilities, and AIXPert is no exception, unless you need to drill down to low-level options that smit simply does not expose. In smit you can clearly see all the high-level operations available to you, including setting the security levels, applying and viewing SOX-COBIT practices, and checking and undoing security levels.
In this example, you start with the smit fastpath for AIXPert: smit aixpert. You then configure the system for low-level security.
Move the cursor down to low-level security, as shown in Figure 3. After you press Enter, the system prompts you to confirm that you want to run the command.
Figure 3. Launching smit
Next, you'll apply SOX-COBIT best practices (see Figure 4).
Figure 4. Launching SOX-COBIT best practices
The Audit feature reports to the auditor whether the system is currently configured for SOX compliance. The configuration assistant itself applies the security settings commonly associated with COBIT best practices for SOX; the objectives include password policy enforcement, violation and security activity reports, and detection and correction of malicious software.
To generate a detailed compliance report against the SOX-COBIT level (-l s) with verbose output (-p), run the following from the command line:
# aixpert -c -l s -p
Next, you'll use the GUI to configure AIXPert.
Using the GUI
Prior to AIX V6.1, you used WebSM to reach the AIXPert GUI. With AIX V6.1, use the IBM Systems Director Console for AIX instead. Open your browser to the console's address; if your hostname does not work, try the IP address. Log in to the console with the root password. If you haven't used the Systems Director console for AIX before, I can guarantee you will love its look and feel. After logging in, you see the main screen (see Figure 5). Go to System Environments.
Figure 5. System Environments screen
Let's choose the AIX Security Expert as shown in Figure 6.
Figure 6. Choosing AIX Security Expert
You will notice that from here you have options similar to those in smit. Choose Medium-Level Security. As with smit, the system prompts you to confirm that you want to run the command (see Figure 7).
Figure 7. Prompting to make sure you want to run the command
After choosing Yes, the system processes the information and finishes successfully (see Figure 8).
Figure 8. Success
You are now ready to take advantage of the power of AIXPert from the convenience of the GUI.
This article introduced AIXPert, the all-purpose GUI and command-line security tool. It discussed what the system can do and the enhancements that arrived with AIX V6.1, including SOX auditing support. It elaborated on the four security levels that can be selected: high, medium, low, and advanced. It also examined the different ways to drive AIXPert, including the command line, smit, and the GUI, and looked at utilities that are part of the system, such as the File Permissions Manager (fpm).
- Read the IBM AIX 6.1 Differences Guide to learn about the differences introduced in IBM AIX Version 6.1 when compared to AIX 5L Version 5.3.
- The AIX V6 Advanced Security Features Redbook highlights and explains the security features at the conceptual level and provides practical examples of how they may be implemented.
- See the Command Reference for aixpert.
- Read the IBM Systems Information Center entry on AIX Security Expert.
- Optimizing AIX 5L performance: Tuning network performance, Part 1 (Ken Milberg, developerWorks, November 2007): Read Part 1 of a three-part series on AIX networking, which focuses on the challenges of optimizing network performance.
- For a three-part series on memory tuning on AIX, see Optimizing AIX 5L performance: Tuning your memory settings, Part 1 (Ken Milberg, developerWorks, June 2007).
- Learn about AIX memory affinity support from the IBM System p and AIX InfoCenter.
- The Redbook Database Performance Tuning on AIX is designed to help system designers, system administrators, and database administrators design, size, implement, maintain, monitor, and tune a Relational Database Management System (RDBMS) for optimal performance on AIX.
- Learn about IBM's Power Architecture: High-Performance Architecture with a History.
- For a comprehensive guide about the performance monitoring and tuning tools that are provided with AIX 5L Version 5.3, see the IBM Redbook AIX 5L Practical Performance Tools and Tuning Guide.
- Operating System and Device Management from IBM provides users and system administrators with complete information that can affect your selection of options when performing such tasks as backing up and restoring the system, managing physical and logical storage, and sizing appropriate paging space.
- The AIX 5L Differences Guide Version 5.3 Edition (developerWorks, December 2004) redbook focuses on the differences introduced in AIX 5L Version 5.3 when compared to AIX 5L Version 5.2.