Security hardening with the security_compliance_manager tool

You can apply STIG hardening to the system with the security_compliance_manager command.

Important: This tool must be run by a Platform Administrator, such as apadmin or equivalent.

security_compliance_manager command syntax

usage: security_compliance_manager [-h] [--restoreAll]
                                   [--restoreSingleFile <restore_file_path>]
                                   [--stigAll] [--skipIntegrityCheck]
                                   [--stigSingleFile STIGSINGLEFILE]

The script manages security compliance on the system.

Optional arguments:
-h
Displays help for the command.
--restoreAll
Performs restore on all files.
--restoreSingleFile <restore_file_path>
Restores a single file with its full path provided.
--stigAll
Performs STIG on all files.
--skipIntegrityCheck
Runs the process without running the file integrity checker utility.
--stigSingleFile <stig_file_path>
Performs STIG on a file with a given full path. Examples of <stig_file_path>:
Before running security_compliance_manager with the --stigSingleFile option, you can edit the template files that correspond to the above list of files. The template files are kept in the /opt/ibm/appliance/storage/platform/security/stig_templates directory.
Displays the status of each STIG file.


  1. Run the security_compliance_manager command with the --stigAll option to prepare the system for STIG hardening:
    security_compliance_manager --stigAll

Example usage

Full STIG hardening:
    security_compliance_manager --stigAll

/etc/issue file STIG hardening:
    security_compliance_manager --stigSingleFile /etc/issue

Note: The tool can be run on any node, and the result will apply to all the nodes.