
viosecure command

Purpose

Activates, deactivates, and displays security hardening rules. Configures, unconfigures, or displays firewall settings.

Syntax

viosecure -level LEVEL [-apply] [ -rule ruleName] [-outfile filename]

viosecure -view [ -actual | -latest] [-rule ruleName | -nonint]

viosecure -file rulesFile

viosecure -changedRules

viosecure -undo

viosecure -firewall on [[ -force] -reload]

viosecure -firewall off

viosecure -firewall allow | deny -port number [-interface ifname] [-address IPaddress] [-timeout Timeout] [-remote]

viosecure -firewall view [-fmt delimiter]

Description

The viosecure command activates, deactivates, and displays security hardening rules. By default, none of the security hardening features are activated after installation. When you run the viosecure command, it guides you through the choice of security level, which can be high, medium, or low. After this initial selection, a menu lists the security configuration options that are associated with the selected security level, in sets of 10. These options can be accepted as a whole, toggled on or off individually, or ignored. After any changes, viosecure applies the chosen security settings to the system.

The viosecure command also configures, unconfigures, and displays network firewall settings. Using the viosecure command, you can activate and deactivate specific ports and specify the interface and IP address from which connections are allowed.

Flags

-level LEVEL Specifies the security LEVEL settings to choose, where LEVEL is low, medium, high, or default. The default LEVEL deactivates any previous security LEVEL system settings. Except for the default LEVEL, ten security LEVEL settings are displayed at a time. The user can then choose the desired security settings by entering comma-separated numbers, the word ALL to choose all of the settings, A to apply the selected settings, NONE to choose none of the settings, q to exit, or h for help. The security settings chosen are then applied to the system.
-view Displays the current security level settings. All of the security setting names start with the three characters Xls, where X is l (low), m (medium), h (high), or d (default). For example, the security level name lls_minlenl is the low-level security setting for the minimum length of a password.
-apply Applies all of the LEVEL security settings to the system. There is no user-selectable option.
-nonint Specifies non-interactive mode.
-outfile Specifies that security rules be sent to a specific file.
-file Specifies the security rules file to be applied.
-rule Specifies the name of the rule, for example, lls_maxexpired, hls_telnet.
-changedRules Displays new values, if they are changed by any other commands.
-latest Displays last applied rules.
-actual Displays actual values for the rules that are set.
-undo Undoes the latest security settings that have been applied. Use -latest to view the latest security settings.
-firewall on [[-force] -reload] Configures the default firewall settings from the filter rules in ODM. If you use the -reload option, the ODM rules are deleted and the default values are loaded from the /home/ios/security/viosecure.ctl file. If the viosecure.ctl file does not exist, the -force option specifies that the hard-coded default firewall settings are used.
-firewall off Unconfigures the firewall settings and saves all the firewall filter rules to the /home/padmin/viosfirewall.rules file.
-firewall allow -port Port [-interface ifname] [-address IPaddress] [-timeout Timeout] [-remote] Permits IP activity on a port, optionally restricted by interface, IP address, and the time for which the rule is effective. The Port argument can be a number or a service name from the /etc/services file. The -remote option specifies that the port is a remote port, in which case all IP activity to and from that remote port is allowed. By default, all IP activity to and from the local port is allowed. The timeout period can be specified as a number (in seconds), or as a number followed by m (minutes), h (hours), or d (days). The maximum timeout period is 30 days.
-firewall deny -port Port [-interface ifname] [-address IPaddress] [-timeout Timeout] [-remote] Removes a previous firewall allow setting. The Port argument can be a number or a service name from the /etc/services file. If -port 0 is specified, all allow settings are removed. The -remote option specifies that the port is a remote port; the default is a local port. The timeout period can be specified as a number (in seconds), or as a number followed by m (minutes), h (hours), or d (days). The maximum timeout period is 30 days.
-firewall view [-fmt delimiter] Displays the current allowable ports. If the -fmt option is specified, then it divides output by a user-specified delimiter.
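The Timeout argument accepts a plain number of seconds or a number with an m, h, or d suffix, capped at 30 days. The following POSIX sh example is added here and is not part of the IBM reference; it validates a timeout against those rules before building the allow command, so that a malformed or over-long lifetime is caught in a change script rather than silently producing a rule you did not intend. The function names and the dry-run approach are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM reference page: validate the Timeout
# argument of "viosecure -firewall allow" before the rule is issued.
# Accepted forms per the reference: N (seconds), Nm, Nh or Nd; at most 30 days.

MAX_TIMEOUT_SECS=2592000   # 30 days * 86400 seconds

# timeout_to_secs TIMEOUT: print the timeout in seconds; return 1 if it is
# malformed, zero, has a leading zero, or exceeds the 30-day maximum.
timeout_to_secs() {
    t=$1
    case "$t" in
        ''|*[!0-9mhd]*) return 1 ;;        # empty or contains illegal characters
    esac
    num=${t%[mhd]}                         # strip at most one unit suffix
    unit=${t#"$num"}
    case "$num" in
        ''|0*|*[!0-9]*) return 1 ;;        # no digits, leading zero, or two suffixes
    esac
    case "$unit" in
        '') mult=1 ;;
        m)  mult=60 ;;
        h)  mult=3600 ;;
        d)  mult=86400 ;;
    esac
    secs=$((num * mult))
    [ "$secs" -le "$MAX_TIMEOUT_SECS" ] || return 1
    echo "$secs"
}

# allow_rule_cmd PORT TIMEOUT [ADDRESS]: print the viosecure command line
# that would be run, or fail without printing when the timeout is invalid.
# Review the printed rule, then run it on the VIOS as padmin.
allow_rule_cmd() {
    port=$1; timeout=$2; addr=$3
    secs=$(timeout_to_secs "$timeout") || {
        echo "rejected timeout '$timeout' for port $port" >&2
        return 1
    }
    cmd="viosecure -firewall allow -port $port -timeout $timeout"
    if [ -n "$addr" ]; then
        cmd="$cmd -address $addr"
    fi
    echo "$cmd"
}
```

Running allow_rule_cmd login 7d 10.10.10.10 prints the rule for example 7 above with a one-week lifetime, while a timeout such as 40d is rejected before any rule is created.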

Examples

  1. To display the high system security settings, and to select which of the high security settings to apply to the system, type:
    viosecure -level high
  2. To apply all of the 'high' system security settings to the system, type:
    viosecure -level high -apply
  3. To display the current system security settings, type:
    viosecure -view
  4. To unconfigure the previous system security settings, type:
    viosecure -level default
  5. To allow IP activity on the ftp-data, ftp, ssh, www, https, rmc, and cimon ports, and to deny other IP activity, type:
    viosecure -firewall on
  6. To allow IP activity on all ports, type:
    viosecure -firewall off
  7. To allow users from IP address 10.10.10.10 to rlogin, type:
    viosecure -firewall allow -port login -address 10.10.10.10
  8. To allow users to rlogin for seven days, type:
    viosecure -firewall allow -port login -timeout 7d
  9. To allow rsh client activity through interface en0, type:
    viosecure -firewall allow -port 514 -interface en0 -remote
  10. To remove the rule that allows users from IP address 10.10.10.10 to rlogin, type:
    viosecure -firewall deny -port login -address 10.10.10.10
  11. To display the list of allowed ports, type:
    viosecure -firewall view
  12. To undo the security settings that have been applied, type:
    viosecure -undo /etc/security/aixpert/core/undo.xml
    Note: This command removes all the security settings specified in the undo.xml file.
  13. To write low-level security rules to myfile, type:
    viosecure -level low -outfile myfile
  14. To apply security rules from myfile, type:
    viosecure -file myfile
  15. To display recently applied rules, type:
    viosecure -view -latest
  16. To display rules that are changed after they are applied with the viosecure command, type:
    viosecure -changedRules
  17. To apply the single rule lls_maxage, type:
    viosecure -level low -rule lls_maxage -apply
  18. To view the applied rule lls_maxage, type:
    viosecure -view -rule lls_maxage
  19. To view the rule lls_maxage if it is among the last applied rules, type:
    viosecure -view -rule lls_maxage -latest
  20. To display the actual values of rules, even if they are changed by another command, type:
    viosecure -view -actual


Last updated: Fri, Oct 30, 2009