Security hardening with the security_compliance_manager tool

You can apply STIG hardening to the system with the security_compliance_manager command.

Important: This tool must be run by a Platform Administrator, such as apadmin or an equivalent user.

security_compliance_manager command syntax

usage: security_compliance_manager [-h] [--restoreAll]
                                   [--restoreSingleFile <restore_file_path>]
                                   [--stigAll] [--skipIntegrityCheck]
                                   [--stigSingleFile STIGSINGLEFILE]
                                   [--status]

The script manages security compliance on the system.

Optional arguments:
  -h|--help
      Displays help for the command.
  --restoreAll
      Performs a restore on all files.
  --restoreSingleFile <restore_file_path>
      Restores a single file, given its full path.
  --stigAll
      Performs STIG hardening on all files.
  --skipIntegrityCheck
      Runs the process without running the file integrity checker utility.
  --stigSingleFile <stig_file_path>
      Performs STIG hardening on one file, given its full path. Examples of <stig_file_path>:
        /etc/aide.conf
        /etc/issue
        /etc/login.defs
        /etc/pam.d/postlogin-ac
        /etc/audisp/audispd.conf
        /etc/libuser.conf
        /etc/pam_ldap.conf
      Before you run security_compliance_manager with the --stigSingleFile option, you can edit the template file that corresponds to each of the files in this list. The templates are kept in the /opt/ibm/appliance/storage/platform/security/stig_templates directory.
  --status
      Displays the status of each STIG file.

Procedure

  1. Run the security_compliance_manager command with the --stigAll option to apply STIG hardening to all files:
    security_compliance_manager --stigAll

Example usage

Full STIG hardening:
    security_compliance_manager --stigAll

STIG hardening of the /etc/issue file only:
    security_compliance_manager --stigSingleFile /etc/issue

Note: The tool can be run on any node; the result applies to all nodes.
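The single-file workflow above (edit the template, run --stigSingleFile, confirm the result) is the one an operator most often needs to review before changing a live configuration file. The following POSIX shell wrapper is an added example, not part of the appliance or of the security_compliance_manager tool: it checks that the path is one of the files the page lists for --stigSingleFile, shows the diff between the live file and its template so the change can be reviewed first, runs the tool, and then confirms that the live file now matches the template. Two things are assumptions that the page does not state: that each template is stored under the stig_templates directory with the same basename as the target file, and that security_compliance_manager is on PATH. Both are overridable through STIG_TEMPLATE_DIR and SCM_CMD so the helper can be exercised against scratch copies.

```shell
#!/bin/sh
# Added example: review-then-apply wrapper around
#   security_compliance_manager --stigSingleFile <stig_file_path>
# ASSUMPTIONS (not stated on the page):
#   - templates live in STIG_TEMPLATE_DIR and use the target file's basename
#   - security_compliance_manager is on PATH (override with SCM_CMD)
STIG_TEMPLATE_DIR="${STIG_TEMPLATE_DIR:-/opt/ibm/appliance/storage/platform/security/stig_templates}"
SCM_CMD="${SCM_CMD:-security_compliance_manager}"

# Files the page lists as valid arguments for --stigSingleFile.
STIG_FILES="/etc/aide.conf /etc/issue /etc/login.defs /etc/pam.d/postlogin-ac /etc/audisp/audispd.conf /etc/libuser.conf /etc/pam_ldap.conf"

# Return 0 if $1 is one of the supported full paths, 1 otherwise.
is_stig_file() {
    for f in $STIG_FILES; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# Print a unified diff of the live file ($1) against its template.
# Exit status follows diff: 0 identical, 1 different, 2 template missing/error.
preview_stig_change() {
    tmpl="$STIG_TEMPLATE_DIR/$(basename "$1")"   # assumed template layout
    if [ ! -f "$tmpl" ]; then
        echo "no template for $1 at $tmpl" >&2
        return 2
    fi
    diff -u "$1" "$tmpl"
}

# Validate the path, show the pending change, apply it with the tool,
# then confirm the live file equals the template. Returns 0 on success.
apply_stig_file() {
    target="$1"
    if ! is_stig_file "$target"; then
        echo "$target is not a supported STIG file" >&2
        return 1
    fi
    rc=0
    preview_stig_change "$target" || rc=$?
    [ "$rc" -eq 2 ] && return 2
    if [ "$rc" -eq 0 ]; then
        echo "$target already matches its template; nothing to do"
        return 0
    fi
    "$SCM_CMD" --stigSingleFile "$target" || return 1
    # Post-check: the hardened file should now be identical to the template.
    cmp -s "$target" "$STIG_TEMPLATE_DIR/$(basename "$target")"
}
```

Typical use on the appliance is `apply_stig_file /etc/issue`; the diff printed before the tool runs is what you would review after editing the template, and a non-zero exit from the final cmp means the live file still differs from the template and should be inspected (for example with --status) before moving on.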