Security hardening with the security_compliance_manager tool
You can apply STIG hardening to the appliance with the security_compliance_manager command.
The command is available starting from IAS version 1.0.11.1. The options to enable and disable audit rules are available starting from IAS version 1.0.25.0.
Important: This tool needs to be run by a Platform Administrator, such as apuser or equivalent.
security_compliance_manager command syntax
security_compliance_manager [-h] [--enableStig] [--restoreAll]
[--restoreSingleFile <restore_file_path>]
[--stigAll] [--skipIntegrityCheck]
[--stigSingleFile <stig_file_path>]
[--status] [--enableAuditRules]
[--disableAuditRules]
The script manages security compliance on the appliance.
Optional arguments:
- -h|--help: Displays help for the command.
- --enableStig: Prepares the system for STIG (Security Technical Implementation Guide) hardening.
- --restoreAll: Performs restore on all files.
- --restoreSingleFile <restore_file_path>: Restores a single file with its full path provided.
- --stigAll: Performs STIG on all files.
- --skipIntegrityCheck: Prevents the file integrity checker utility from running.
- --stigSingleFile <stig_file_path>: Performs STIG on a file with a given full path. Possible <stig_file_path> arguments are as follows:
  /etc/aide.conf
  /etc/issue
  /etc/login.defs
  /etc/pam.d/postlogin-ac
  /etc/audisp/audispd.conf
  /etc/libuser.conf
  /etc/pam_ldap.conf
  You can edit the template files corresponding to the above list of files, which are kept in the /opt/ibm/appliance/storage/platform/security/stig_templates directory, before running security_compliance_manager with the --stigSingleFile option.
- --status: Displays the status of each STIG file.
- --enableAuditRules: Enables the audit rules.
- --disableAuditRules: Disables the audit rules.
Procedure
- Prepare the system for STIG hardening:
security_compliance_manager --enableStig
- Run the security_compliance_manager command with --stigAll or other STIG options.
Example usage
- Full STIG hardening:
security_compliance_manager --stigAll
- /etc/issue file STIG hardening:
security_compliance_manager --stigSingleFile /etc/issue
- Enable the audit rules:
security_compliance_manager --enableAuditRules
- Disable the audit rules:
security_compliance_manager --disableAuditRules
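The procedure and examples above, wrapped as a small POSIX shell script that enforces the documented order (--enableStig before any STIG option), rejects --stigSingleFile targets that are not on the documented list, and ends with --status so the result can be checked. This is an added example, not part of the IBM tool or of this page; it assumes security_compliance_manager is on PATH (override with the SCM variable) and that it is run as apuser or equivalent.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumes the tool is on PATH (override with
# SCM=/path/to/security_compliance_manager) and runs as apuser or equivalent.
SCM="${SCM:-security_compliance_manager}"

# The files this page documents as valid --stigSingleFile targets.
STIG_FILES="/etc/aide.conf /etc/issue /etc/login.defs /etc/pam.d/postlogin-ac \
/etc/audisp/audispd.conf /etc/libuser.conf /etc/pam_ldap.conf"

# Return 0 if $1 is one of the documented targets, 1 otherwise.
is_stig_target() {
    for f in $STIG_FILES; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# Full hardening: prepare the system first, apply STIG to all files, then
# report per-file status. Extra arguments (e.g. --skipIntegrityCheck) pass through.
stig_all() {
    "$SCM" --enableStig && "$SCM" --stigAll "$@" && "$SCM" --status
}

# Single-file hardening: validate the target before invoking the tool, so a
# path the tool has no template for is refused up front (exit status 2).
stig_single() {
    if ! is_stig_target "${1:-}"; then
        echo "not a documented --stigSingleFile target: ${1:-<none>}" >&2
        return 2
    fi
    target="$1"; shift
    "$SCM" --enableStig && "$SCM" --stigSingleFile "$target" "$@" && "$SCM" --status
}

case "${1:-}" in
    all)  shift; stig_all "$@" ;;
    file) shift; stig_single "$@" ;;
    "")   ;;   # no arguments: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 all|file <stig_file_path> [--skipIntegrityCheck]" >&2; exit 64 ;;
esac
```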
Note: The tool can be run on any node, and the result will apply to all the nodes.