pscxpert command

Purpose

Aids the system administrator in setting the security configuration.

Syntax

pscxpert -l {high|medium|low|default|sox-cobit} [ -p ]

pscxpert -l {h|m|l|d|s} [ -p ]

pscxpert -f Profile [ -p ] [-r|-R]

pscxpert -u [ -p ]

pscxpert -c [ -p ] [-r|-R] [-P Profile] [-l {Level|Rule_Type}]

pscxpert -t

pscxpert -l Level [ -p ] {-a File1 | -n File2 | -a File3 -n File4}

pscxpert -f Profile -a File [ -p ]

pscxpert -d

Description

The pscxpert command sets various system configuration settings to enable the specified security level.

Running the pscxpert command with only the -l flag set applies the security settings immediately, without allowing the user to configure them. For example, running the pscxpert -l high command applies all of the high-level security settings to the system automatically. However, running the pscxpert -l command with the -n or -a flag (or both) writes the security settings to the file specified by the File parameter instead of applying them. The -f flag then applies the saved configuration.

After the initial selection, a menu is displayed itemizing all security configuration options that are associated with the selected security level. These options can be accepted in whole or individually toggled off or on. After any secondary changes, the pscxpert command continues to apply the security settings to the computer system.

Run the pscxpert command as the root user of the target Virtual I/O Server. When you are not logged in as the root user of the target Virtual I/O Server, run the oem_setup_env command before you run the command.

If you run the pscxpert command when another instance of the pscxpert command is already running, the pscxpert command exits with an error message.

Note: Rerun the pscxpert command after any major systems changes, such as the installation or updates of software. If a particular security configuration item is not selected when the pscxpert command is rerun, that configuration item is skipped.

Flags

Item Description
-a The settings with the associated security level options are written to the specified file in an abbreviated format.
-c Checks the security settings against the previously applied set of rules. If the check against a rule fails, the previous versions of the rule are also checked. This process continues until the check passes, or until all of the instances of the failed rule in the /etc/security/aixpert/core/appliedaixpert.xml file are checked. You can run this check against any default profile or custom profile.
-d Displays the document type definition (DTD).
-f Applies the security settings that are provided in the specified Profile file. The profiles are in the /etc/security/aixpert/custom directory. The available profiles include the following standard profiles:
DataBase.xml
This file contains the requirements for the default database settings.
DoDv2.xml
This file contains the requirements for version 2 of the Department of Defense Security Technical Implementation Guide (STIG) settings.
DoDv2_to_AIXDefault.xml
This file changes the settings to the default AIX® settings.
GDPRv1.xml
This file contains the requirements for General Data Protection Regulation (GDPR) settings.
Hipaa.xml
This file contains the requirements for the Health Insurance Portability and Accountability Act (HIPAA) settings.
NERCv5.xml
This file contains the requirements for the North American Electric Reliability Corporation (NERC) settings.
NERCv5_to_AIXDefault.xml
This file changes the NERC settings to the default AIX settings.
PCIv3.xml
This file contains the requirements for the Payment Card Industry Data Security Standard (PCI DSS) version 3 settings.
PCIv3_to_AIXDefault.xml
This file changes the settings to the default AIX settings.
SAPv1.xml
This file contains the requirements for the SAP settings.
SOX-COBIT.xml
This file contains the requirements for the Sarbanes-Oxley Act and COBIT settings.

You can also create custom profiles in the same directory and apply them to your settings by renaming and modifying the existing XML files.

For example, the following command applies the HIPAA profile to your system:
pscxpert -f /etc/security/aixpert/custom/Hipaa.xml

When you specify the -f flag, you can apply the same security settings consistently across systems by securely transferring the appliedaixpert.xml file from one system to another and applying it there.

All of the successfully applied rules are written to the /etc/security/aixpert/core/appliedaixpert.xml file and the corresponding undo action rules are written to the /etc/security/aixpert/core/undo.xml file.

-l Sets the system security settings to the specified level. This flag has the following options:
h|high
Specifies high-level security options.
m|medium
Specifies medium-level security options.
l|low
Specifies low-level security options.
d|default
Specifies AIX standards-level security options.
s|sox-cobit
Specifies the Sarbanes-Oxley Act and COBIT security options.
If you specify both the -l and -n flags, the security settings are not implemented on the system; they are only written to the specified file.

All the successfully applied rules are written to the /etc/security/aixpert/core/appliedaixpert.xml file and the corresponding undo action rules are written to the /etc/security/aixpert/core/undo.xml file.

Attention: The d|default option can overwrite security settings that you previously configured, whether by using the pscxpert command or independently, and restores the system to its traditional open configuration.
-l Level When used with the -c flag, checks the compatibility of the system with the rule types that are included in the profile named by the Level parameter. Level can be a built-in profile such as PCIv3 or GDPRv1, or a custom profile that contains rule types created by the end user, for example “PCIv3_cus” or “PVP_type”.
-n Writes the settings with the associated security level options to the specified file.
-p Specifies that the output of the security rules is displayed as verbose output. If auditing is turned on, the -p flag also logs the rules that are processed into the audit subsystem. This option can be used with any of the -l, -u, -c, and -f flags.

The -p flag enables verbose output to both the terminal and the aixpert.log file.

-P Accepts the profile name as input. This option is used along with the -c flag; together, the -c and -P flags check the compatibility of the system with the specified profile.
-r Writes the existing settings of the system to the /etc/security/aixpert/check_report.txt file. You can use the output in security or compliance audit reports. The report describes each setting, how it might relate to a regulatory compliance requirement, and whether the check passed or failed.
Note:
  • The -r flag only supports the apply operation for profiles. It does not support the apply operation for levels.
  • The -r option displays the entire message (one or more lines) for a rule.
-R Produces the same output as the -r flag. In addition, this flag also appends a description of the rule script or program that is used to implement the configuration setting.
Note:
  • The -R flag only supports the apply operation for profiles. It does not support the apply operation for levels.
-t Displays the type of the profile that is applied on the system.
-u Undoes the security settings that are applied.
Note:
  • You cannot use the -u flag to reverse the application of the DoDv2, NERC, or PCIv3 profiles. To remove these profiles after they are added, apply the profile that ends with _AIXDefault.xml. For example, to remove the NERC.xml profile, you must apply the NERC_to_AIXDefault.xml profile.
  • Changes to the system after an apply operation are lost with an undo operation. Settings are returned to the value as it existed before the apply operation.

Parameters

Item Description
File The output file that stores the security settings. Root permission is required to access this file.
Level The custom level to check against the previously applied settings.
Profile The file name of the profile that provides compliance rules for the system.

Security

The pscxpert command can be run only by root.

Examples

  1. To write all of the high-level security options to an output file, enter the following command:
    pscxpert -l high -n /etc/security/pscexpert/plugin/myPreferredSettings.xml
    After you run this command, you can edit the output file and comment out specific security rules by enclosing them in a standard XML comment (<!-- begins the comment and --> closes the comment).
  2. To apply the security settings from the Department of Defense STIG configuration file, enter the following command:
    pscxpert -f /etc/security/aixpert/custom/DoDv2.xml
  3. To apply the security settings from the HIPAA configuration file, enter the following command:
    pscxpert -f /etc/security/aixpert/custom/Hipaa.xml
  4. To check the security settings of the system, and to log the rules that failed into the audit subsystem, enter the following command:
    pscxpert -c -p
  5. To check the custom level of the security settings for the NERC profile on the system, and to log the rules that failed into the audit subsystem, enter the following command:
    pscxpert -c -p -l NERC
  6. To generate reports and to write them to the /etc/security/aixpert/check_report.txt file, enter the following command:
    pscxpert -c -r
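The stage-then-apply workflow described above (write a level to a file with -n, comment out individual rules, apply the file with -f, then verify with -c -r) as an added shell example; it is not part of the pscxpert documentation or IBM's code. It assumes the staged XML consists of <AIXPertEntry name="..."> ... </AIXPertEntry> elements (an assumption; confirm against the DTD that pscxpert -d prints on your system) and uses a placeholder path for the staged file. The comment_out_rule function refuses to wrap an entry that already contains "--", because that sequence is illegal inside an XML comment and would leave the file unparsable.

```shell
#!/bin/sh
# Added example, not from the pscxpert documentation: stage a security level
# into a file, comment out one rule by name, then apply and check.
# ASSUMPTION: staged rules are <AIXPertEntry name="..."> ... </AIXPertEntry>
# elements. STAGED is a placeholder path.

STAGED=/etc/security/aixpert/custom/staged_high.xml

# pscxpert can be run only by root (on a VIOS, use oem_setup_env first).
require_root() {
    [ "$(id -u)" -eq 0 ]
}

# Write the rules of a level ($1) to a file ($2) without applying them (-n).
stage_level() {
    pscxpert -l "$1" -n "$2"
}

# Wrap the entry named $2 in file $1 inside <!-- ... --> so that -f skips it.
# Fails (and leaves the file untouched) if the entry is missing or if any
# line of the entry contains "--", which may not appear inside an XML comment.
comment_out_rule() {
    file=$1
    rule=$2
    tmp=$(mktemp) || return 1
    awk -v rule="$rule" '
        # Opening tag of the requested entry: start the block, emit the opener.
        index($0, "<AIXPertEntry name=\"" rule "\"") { inblk = 1; found = 1; print "<!--" }
        # "--" inside the block would terminate the comment early.
        inblk && index($0, "--")                         { bad = 1 }
        { print }
        # Closing tag: emit the closer and leave the block.
        inblk && index($0, "</AIXPertEntry>")            { inblk = 0; print "-->" }
        END { if (bad || !found) exit 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back through cat so the original file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Apply the staged file verbosely, then check the applied rules and write the
# audit report to /etc/security/aixpert/check_report.txt (-c -r).
apply_and_check() {
    pscxpert -f "$1" -p && pscxpert -c -r -p
}

main() {
    require_root || { echo "pscxpert must be run as root" >&2; return 1; }
    stage_level high "$STAGED" &&
    comment_out_rule "$STAGED" "$1" &&
    apply_and_check "$STAGED"
}

# Run the real workflow only where pscxpert exists and a rule name was given.
if command -v pscxpert >/dev/null 2>&1 && [ $# -eq 1 ]; then
    main "$1"
fi
```

Review the staged file before applying it: a commented-out rule is simply absent from the apply run, and the page notes that a rule not selected when pscxpert is rerun is skipped, so the check report (-c -r) is the place to confirm that the remaining rules passed.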

Location

Item Description
/usr/sbin/pscxpert Contains the pscxpert command.

Files

Item Description
/etc/security/aixpert/log/aixpert.log Contains a trace log of applied security settings. It contains complete information on all of the rules that were deployed and the scripts and commands that were run to fulfill the rule. This file does not use the syslog standard. The pscxpert command writes directly to the file, has read/write permissions, and requires root security.

The contents of this file are useful when issues are observed with PowerSC Compliance (pscxpert). In non-verbose mode (that is, without the -p flag), the pscxpert command logs only basic information. In verbose mode, a significant amount of information is logged to this file and can fill up the file system. When a system is managed by the PowerSC UI server, the pscxpert command is run in non-verbose mode.

If this file is taking too much space, you can archive it and remove it without any impact to the Compliance application.

/etc/security/powersc/uiAgent/uiAgent.json Provides the source to the PowerSC GUI agent for all compliance-related events, including how many rules were successfully deployed on the client. Reason-for-failure information is also logged in this file. Entries are in JSON representation. The pscxpert command writes directly to the file, has read/write permissions, and requires root security.
/etc/security/aixpert/check_report.txt Contains all of the check failures. After a profile is deployed, periodic checks are made for compliance. If there are any discrepancies, the information is logged for audit purposes. The pscxpert command writes directly to the file, has read/write permissions, and requires root security.
/etc/security/aixpert/log/firstboot.log Contains a trace log of the security settings that were applied during the first boot of a Secure by Default (SbD) installation.
/etc/security/aixpert/core/undo.xml Contains an XML listing of security settings, which can be undone.
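An added shell example, not IBM's code, for the aixpert.log caveat above: in verbose mode the log can fill the file system, and the page states that it can be archived and removed without affecting the Compliance application. The log path is the page's; ARCHIVE_DIR and the 50 MB threshold are assumptions, and the archive is kept root-only because the log records every script and command that was run.

```shell
#!/bin/sh
# Added example, not from the pscxpert documentation: archive a large
# aixpert.log for audit retention and remove the live file.
# ASSUMPTIONS: ARCHIVE_DIR location and the LIMIT_KB threshold.

LOG=/etc/security/aixpert/log/aixpert.log
ARCHIVE_DIR=/var/adm/aixpert-archive
LIMIT_KB=51200

# Returns 0 when file $1 exists and is at least $2 kilobytes (byte count, not
# disk blocks, so sparse or compressed file systems do not skew the result).
log_over_limit() {
    [ -f "$1" ] || return 1
    size_kb=$(( $(wc -c < "$1") / 1024 ))
    [ "$size_kb" -ge "$2" ]
}

# Copy log $1 into directory $2 with a timestamp, compress it if gzip is
# available, restrict permissions to root, then remove the live file.
# Prints the archive path on success.
archive_log() {
    log=$1
    dir=$2
    [ -f "$log" ] || return 1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    dest="$dir/$(basename "$log").$stamp"
    cp -p "$log" "$dest" && chmod 600 "$dest" || return 1
    if command -v gzip >/dev/null 2>&1; then
        gzip -f "$dest" && dest="$dest.gz"
    fi
    # The page states pscxpert writes the log directly, so removing it is safe.
    rm -f "$log"
    printf '%s\n' "$dest"
}

# Rotate only when the live log is over the threshold.
if log_over_limit "$LOG" "$LIMIT_KB"; then
    archive_log "$LOG" "$ARCHIVE_DIR"
fi
```

Schedule this from cron on systems that run pscxpert with -p regularly; on systems managed by the PowerSC UI server the command runs in non-verbose mode and the log grows slowly.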