Security hardening with the security_compliance_manager tool

You can apply STIG hardening to the system with the security_compliance_manager command.

Important: This tool must be run by a Platform Administrator, such as apadmin or an equivalent user.

security_compliance_manager command syntax

usage: security_compliance_manager [-h] [--restoreAll]
                                   [--restoreSingleFile <restore_file_path>]
                                   [--stigAll] [--skipIntegrityCheck]
                                   [--stigSingleFile STIGSINGLEFILE]
                                   [--status]

The script manages security compliance on the system.

Optional arguments:
  -h|--help
      Displays help for the command.
  --restoreAll
      Performs a restore on all files.
  --restoreSingleFile <restore_file_path>
      Restores a single file, given its full path.
  --stigAll
      Performs STIG hardening on all files.
  --skipIntegrityCheck
      Runs the process without running the file integrity checker utility.
  --stigSingleFile <stig_file_path>
      Performs STIG hardening on the file at the given full path. Examples of <stig_file_path>:
        /etc/aide.conf
        /etc/issue
        /etc/login.defs
        /etc/pam.d/postlogin-ac
        /etc/audisp/audispd.conf
        /etc/libuser.conf
        /etc/pam_ldap.conf
      The template files corresponding to the files in this list are kept in the /opt/ibm/appliance/platform/security/stig_templates directory. You can edit them before running security_compliance_manager with the --stigSingleFile option.
  --status
      Displays the STIG status of each file.

Procedure

  1. Run the apstop command.
    apstop
    [root@gt15-node1 ~]# apstop
    Successfully deactivated system
  2. Verify that the system state is Inactive, application state is Unknown, and the platform management state is Inactive by running the ap state command.
    ap state -d
    [root@gt15-node1 ~]# ap state -d
    System state is 'Inactive'
    Application state is 'Unknown'
    Platform management state is 'Inactive'
  3. Run the security_compliance_manager command with one of the following options to prepare the system for STIG hardening.
    • --stigAll: Use this option to apply hardening to all applicable files.
    • --stigSingleFile: Use this option to apply hardening to the specified file only.
    Example:
    security_compliance_manager --stigAll
  4. Run the apstart command to reactivate the platform.
    apstart
    [root@gt15-node1 ~]# apstart
    Successfully activated platform, appliance activation request sent
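The procedure above as a gated script, added here as an example and not part of the product documentation: the hardening run is only attempted when the ap state -d output shows exactly the three states that step 2 requires. The command names come from this page; matching their output line by line as shown above, and the harden_all wrapper itself, are assumptions.

```shell
#!/bin/sh
# Added example: apply STIG hardening only after verifying the platform state
# that the documented procedure requires (System Inactive, Application Unknown,
# Platform management Inactive). The exact output lines being matched are taken
# from the session shown in the procedure; this is an assumption about the
# command's output format, not a documented interface.

# Reads "ap state -d" output on stdin. Returns 0 only if all three required
# state lines are present, 1 otherwise.
ap_state_is_ready() {
    _out=$(cat)
    printf '%s\n' "$_out" | grep -q "^System state is 'Inactive'" || return 1
    printf '%s\n' "$_out" | grep -q "^Application state is 'Unknown'" || return 1
    printf '%s\n' "$_out" | grep -q "^Platform management state is 'Inactive'" || return 1
    return 0
}

# Hypothetical wrapper for steps 1 to 4. Run as apadmin or an equivalent
# Platform Administrator; it is not invoked automatically by this file.
harden_all() {
    apstop || { echo "apstop failed; not applying hardening" >&2; return 1; }
    if ! ap state -d | ap_state_is_ready; then
        echo "platform is not in the expected Inactive/Unknown/Inactive state; aborting" >&2
        return 1
    fi
    security_compliance_manager --stigAll || {
        echo "security_compliance_manager --stigAll failed; platform left inactive" >&2
        return 1
    }
    # Record the per-file STIG status before reactivating the platform.
    security_compliance_manager --status
    apstart
}
```

Because the tool applies its result to every node, running harden_all on one node is sufficient; the --status output it prints is the record to keep for the change.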

Example usage

Full STIG hardening:
security_compliance_manager --stigAll
/etc/issue file STIG hardening:
security_compliance_manager --stigSingleFile /etc/issue
Note: The tool can be run on any node, and the result will apply to all the nodes.