Security hardening with the security_compliance_manager tool

You can apply STIG hardening to the appliance with the security_compliance_manager command.

The command is available to use starting from IAS version 1.0.11.1.

The options to enable and disable audit rules are available to use starting from IAS version 1.0.25.0.

Important: This tool must be run as a Platform Administrator user, such as apuser or an equivalent account.

security_compliance_manager command syntax

security_compliance_manager [-h] [--enableStig] [--restoreAll]
                                   [--restoreSingleFile <restore_file_path>]
                                   [--stigAll] [--skipIntegrityCheck]
                                   [--stigSingleFile <stig_file_path>]
                                   [--status] [--enableAuditRules]
                                   [--disableAuditRules]

The script manages security compliance on the appliance.

Optional arguments:
-h|--help
Displays help for the command.
--enableStig
Prepares the system for STIG (Security Technical Implementation Guide) hardening.
--restoreAll
Restores all STIG-managed files.
--restoreSingleFile <restore_file_path>
Restores a single file, given its full path.
--stigAll
Performs STIG hardening on all STIG-managed files.
--skipIntegrityCheck
Skips the file integrity checker utility that normally runs as part of the operation. Omit this option unless you have a specific reason to skip the check.
--stigSingleFile <stig_file_path>
Performs STIG hardening on a single file, given its full path. Valid <stig_file_path> values are as follows:
/etc/aide.conf
/etc/issue
/etc/login.defs
/etc/pam.d/postlogin-ac
/etc/audisp/audispd.conf
/etc/libuser.conf
/etc/pam_ldap.conf
Before you run security_compliance_manager with the --stigSingleFile option, you can edit the template file that corresponds to the target file. The templates for the files in the above list are kept in the /opt/ibm/appliance/storage/platform/security/stig_templates directory.
--status
Displays the status of each STIG file.
--enableAuditRules
Enables the audit rules.
--disableAuditRules
Disables the audit rules.

Procedure

  1. Prepare the system for STIG hardening:
    security_compliance_manager --enableStig
  2. Run the security_compliance_manager command with --stigAll or another STIG option.
  3. Verify the result by displaying the status of each STIG file:
    security_compliance_manager --status

Example usage

  • Full STIG hardening:
    security_compliance_manager --stigAll
  • /etc/issue file STIG hardening:
    security_compliance_manager --stigSingleFile /etc/issue
  • Enable the audit rules:
    security_compliance_manager --enableAuditRules
  • Disable the audit rules:
    security_compliance_manager --disableAuditRules
Note: The tool can be run on any node, and the result will apply to all the nodes.
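The following wrapper script is an added example and is not part of the IAS tooling or of the security_compliance_manager command itself. It shows the single-file workflow described above: the target path is checked against the documented --stigSingleFile list, the corresponding template is backed up before the tool runs (so an edited template can be reverted), and the command is then invoked. It assumes, which the page does not state, that each template is stored under the stig_templates directory with the same base name as the target file, and that the tool is on PATH. The SCM_DRY_RUN, SCM_TEMPLATE_DIR and SCM_BIN variables are the example's own.

```shell
#!/bin/sh
# Added example, not part of the IAS tooling: a wrapper that validates a
# --stigSingleFile target against the documented list, backs up its template
# and then invokes security_compliance_manager.
# Assumptions (not stated on the page): the template for a target file is kept
# as <TEMPLATE_DIR>/<basename of the target>, and the tool is on PATH.
# Set SCM_DRY_RUN=1 to print the command instead of running it.
set -eu

TEMPLATE_DIR="${SCM_TEMPLATE_DIR:-/opt/ibm/appliance/storage/platform/security/stig_templates}"
SCM_BIN="${SCM_BIN:-security_compliance_manager}"

# The --stigSingleFile targets that the documentation lists.
ALLOWED_FILES="/etc/aide.conf /etc/issue /etc/login.defs /etc/pam.d/postlogin-ac /etc/audisp/audispd.conf /etc/libuser.conf /etc/pam_ldap.conf"

# is_allowed_stig_file PATH: succeeds only if PATH is a documented target.
is_allowed_stig_file() {
    for f in $ALLOWED_FILES; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# template_for PATH: prints the template path (assumed layout, see above).
template_for() {
    printf '%s/%s\n' "$TEMPLATE_DIR" "$(basename "$1")"
}

# stig_single_file PATH: validate the target, back up its template, run the tool.
# Return codes: 2 = target not in the documented list, 3 = template missing.
stig_single_file() {
    target="$1"
    if ! is_allowed_stig_file "$target"; then
        echo "refusing: $target is not a documented --stigSingleFile target" >&2
        return 2
    fi
    tmpl="$(template_for "$target")"
    if [ ! -f "$tmpl" ]; then
        echo "template missing: $tmpl" >&2
        return 3
    fi
    # Keep a timestamped copy of the template so an edit can be reverted.
    cp -p "$tmpl" "$tmpl.$(date +%Y%m%dT%H%M%S).bak"
    if [ "${SCM_DRY_RUN:-0}" = "1" ]; then
        echo "would run: $SCM_BIN --stigSingleFile $target"
        return 0
    fi
    "$SCM_BIN" --stigSingleFile "$target"
}

# Usage (as apuser, after --enableStig): stig_single_file /etc/issue
```

Run it as the Platform Administrator user after the system has been prepared with --enableStig; a target outside the documented list is refused before anything is copied or executed, and the dry-run mode lets you confirm the command line on a test node first.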