psconf command

Purpose

Reports on and manages the Trusted Network Connect (TNC) server, the TNC client, the TNC IP Referrer (IPRef), and the Service Update Management Assistant (SUMA). It manages the fileset and patch policies that govern endpoint (server and client) integrity at, and after, network connection, to protect the network from threats and attacks.

Syntax

TNC server operations:

psconf mkserver [ tncport=<port> ] pmserver=<host:port> [ tsserver=<host> ] [ recheck_interval=<time_in_minutes | days:hours:minutes> ] [ dbpath=<user-defined directory> ] [ default_policy=<yes | no> ] [ clientData_interval=<time_in_minutes | days:hours:minutes> ] [ clientDataPath=<full_path> ]

psconf { rmserver | status }

psconf { start | stop | restart } server

psconf chserver attribute = value

psconf clientData -i host [-l | -g]

psconf add -F <FSPolicyname> -r <buildinfo> [apargrp= [±]<apargrp1, apargrp2.. >] [ifixgrp=[+|-]<ifixgrp1,ifixgrp2...>]

psconf add { -G <ipgroupname> ip=[±]<host1,host2...> | -A <apargrp> [ aparlist=[±]<apar1,apar2...> ] | -V <ifixgrp> [ ifixlist=[±]<ifix1,ifix2...> ] }

psconf add -P <policyname> { fspolicy=[±]<f1,f2...> | ipgroup=[±]<g1,g2...> }

psconf add -e emailid [-E FAIL | COMPLIANT | ALL ] [ipgroup= [± ]<g1,g2...>]

psconf add -I ip= [±]<host1, host2...>

psconf delete { -F <FSPolicyname> | -G <ipgroupname> | -P <policyname> | -A <apargrp> | -V <ifixgrp>}

psconf delete -H -i <host | ALL> -D <yyyy-mm-dd>

psconf certadd -i <host> -t <TRUSTED | UNTRUSTED>

psconf certdel -i <host>

psconf verify -i <host> | -G <ipgroup> [-u]

psconf update [-p] { -i <host> | -G <ipgroup1,ipgroup2,...> } [ -r <buildinfo> | -a <apar1,apar2,apargrp1,apargrp2,...> | [-u] -v <ifix1,ifix2,ifixgrp1,ifixgrp2,...> | -O <openpkggrp1,openpkggrp2,...> ]

psconf log loglevel=<info | error | none>

psconf import { -C -i <host> -f <filename> | -d <import database filename> }

psconf { import -k <key_filename> | export} -S -f <filename>

psconf list { -S | -G < ipgroupname | ALL > | -F < FSPolicyname | ALL > | -P < policyname | ALL > | -r < buildinfo | ALL > | -I -i < ip | ALL > | -A < apargrp | ALL > | -V <ifixgrp> | -O <openpkggrp|ALL>} [-c] [-q]

psconf list { -H | -s <COMPLIANT | IGNORE | FAILED | ALL> } -i <host | ALL> [-c] [-q]

psconf export -d <path to export directory>

psconf report -v <CVEid|ALL> -o <TEXT|CSV>

psconf report -A <advisoryname>

psconf report -P <policyname|ALL> -o <TEXT|CSV>

psconf report -i <ip|ALL> -o <TEXT|CSV>

psconf report -B <buildinfo|ALL> -o <TEXT|CSV>

psconf clientData {-l | -g} -i <ip|host>

psconf add -O <openpkggrp> <openpkgname:version>

psconf delete -O <openpkggrp> <openpkgname:version>

psconf delete -O <openpkggrp>

psconf delete -O ALL

psconf add -O <openpkggrp> fspolicy=<fspolicy name>

psconf report -O ALL -o TEXT

psconf reboot -i <host>

psconf pull

TNC client operations:

psconf mkclient [ tncport=<port> ] tncserver=<host:port>

psconf mkclient tncport=<port> -T

psconf { rmclient | status }

psconf {start | stop | restart } client

psconf chclient attribute = value

psconf list { -C | -S }

psconf export { -C | -S } -f <filename>

psconf import { -S | -C -k <key_filename> } -f <filename>

TNC IPRef operations:

psconf mkipref [ tncport=<port> ] tncserver=<host:port>

psconf { rmipref | status}

psconf { start | stop | restart} ipref

psconf chipref attribute = value

psconf { import -k <key_filename> | export } -R -f <filename>

psconf list -R

Description

The TNC technology is an open standard-based architecture for endpoint authentication, platform integrity measurement, and integrating security systems. The TNC architecture inspects endpoints (network clients and servers) for compliance with security policies before allowing them on the protected network. The TNC IPRef notifies the TNC server about any new IPs that are detected on the virtual I/O server (VIOS).

SUMA helps move system administrators away from the task of manually retrieving maintenance updates from the web. It offers flexible options that enable the system administrator to set up an automated interface to download fixes from a fix distribution website to their systems.

The psconf command manages the network server and clients by adding or deleting security policies, validating clients as trusted or untrusted, generating reports, and updating the server and the client.

The following operations can be performed by using the psconf command:
Table 1. psconf command operations
Item Description
add Adds a policy, a client, or the email information on the TNC server.
apargrp Specifies the APAR group names as part of the fileset policy that are used for verification of TNC clients.
aparlist Specifies the list of APARs that are part of the APAR group.
certadd Marks the certificate as trusted or untrusted.
certdel Deletes the client information.
chclient Changes the attributes in the tnccs.conf file. An explicit start command is required for the changes to take effect in the TNC client. The attribute=value syntax is the same as that of mkclient.
chipref Changes the attributes in the tnccs.conf file. An explicit start command is required for the changes to take effect in IPRef. The attribute=value syntax is the same as that of mkipref.
chserver Changes the attributes in the tnccs.conf file. An explicit start command is required for the changes to take effect in the TNC server. The attribute=value syntax is the same as that of mkserver.
Note: The dbpath attribute cannot be changed by using the chserver command. It can be set only when you run mkserver.
clientData Creates a snapshot of information (operating system level and filesets installed) about the TNC client.

The clientDataPath path identifies where the snapshot collection information is stored. The default location is in the /var/tnc/clientData/ directory on the TNC server. You can change or set the clientDataPath path by using the chserver or mkserver subcommand.

You can initiate the TNC client snapshot collection from the command line by running the clientData subcommand from the TNC server. The clientData subcommand that is run from the command line is independent of the clientData_interval interval.

clientData_interval

You can use the chserver or mkserver subcommand to configure the snapshot collection to occur at regular intervals by specifying a value for the clientData_interval interval. The snapshot collection starts automatically when the clientData_interval interval has a value other than 0 (zero).

By default, the snapshot collection is disabled by the scheduler. To enable the scheduler, specify a clientData_interval value that is greater than or equal to 30. To disable the scheduler, specify a clientData_interval value of 0 (zero). The supported range for the clientData_interval interval is 30 - 525600 minutes.

dbpath Specifies the TNC database location. The default value is /var/tnc.
default_policy Enables or disables automatic verification of the TNC clients against the interim fixes and APARs that are at the same level as the client. Specify yes to enable automatic verification and no to disable it. For the effect of each setting on clients that belong to a fileset policy, see Table 2.
delete Deletes a policy or the client information.
export Exports the client or server certificate, or database on TNC server.
fspolicy Specifies the fileset policy of the release, technology level and service pack that are used for verification of TNC Clients.
import Imports a certificate on client or server, or database on TNC server.
ipgroup Specifies the Internet Protocol (IP) group that contains multiple client IP addresses or host names.
list Displays information about the TNC server, the TNC client, or the SUMA.
log Sets the log level for the TNC components.
mkclient Configures the TNC client.
mkipref Configures the TNC IPRef.
mkserver Configures the TNC server.
openpkggrp Specifies the openpkg group name that is part of the fileset policy used to verify clients.
pmport Specifies the port number on which the pmserver listens. The default value is 38240.
pmserver Specifies the host name or IP address of the system that runs the suma command, which downloads the latest service packs and security fixes that are available from the IBM® ECC website and the IBM Fix Central website.
pull Retrieves information from the TNC Patch Management repository on the TNC server.
reboot Reboots the TNC client that is identified by the IP address in the variable <host>.
recheck_interval Specifies the interval, in minutes or in d:h:m (days:hours:minutes) format, at which the TNC server verifies the TNC clients. The supported range for the recheck_interval interval is 30 - 525600 minutes.
Note: A value of recheck_interval=0 means that the scheduler does not initiate verification of the clients at regular intervals and the registered clients are automatically verified when they start. In such cases, the client can be manually verified.
report Generates a report that has a .txt or .csv file extension.
restart Restarts the TNC client, the TNC server, or the TNC IPRef.
rmclient Unconfigures the TNC client.
rmipref Unconfigures the TNC IPRef.
rmserver Unconfigures the TNC server.
start Starts the TNC client, the TNC server, or the TNC IPRef.
status Shows the status of the TNC configuration.
stop Stops the TNC client, the TNC server, or the TNC IPRef.
tncport Specifies the port number on which the TNC server listens. The default value is 42830.
tncserver Specifies the TNC server that verifies or updates the TNC clients.
tsserver Specifies the IP address or host name of the Trusted Surveyor server.
update Installs patches on the client.
verify Initiates a manual verification of the client.
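The recheck_interval and clientData_interval rules described above (0 turns the scheduler off; any other value must fall within 30 to 525600 minutes, given either as plain minutes or as days:hours:minutes) are easy to get wrong when mkserver or chserver is driven from a script, and an out-of-range value only surfaces as a psconf error. The following POSIX sh helper is an added example, not part of the psconf command or its documentation: it normalizes a value to minutes and rejects it before psconf sees it. It assumes the d:h:m form is exactly three colon-separated non-negative integers; the 1440 and 60 conversion factors are ordinary arithmetic, not something the page states.

```shell
#!/bin/sh
# Added example (not part of psconf): validate recheck_interval / clientData_interval
# values before handing them to mkserver or chserver. Rules from the page: 0 disables
# the scheduler; any other value must be 30..525600 minutes, written either as plain
# minutes or as days:hours:minutes. ASSUMPTION: the d:h:m form is exactly three
# colon-separated non-negative integers.

TNC_MIN_MINUTES=30
TNC_MAX_MINUTES=525600    # 365 days

# Normalize "<minutes>" or "<d>:<h>:<m>" to a decimal minute count on stdout.
# Returns 1 (prints nothing) for anything else, e.g. "1h", "1:2" or "1::3".
tnc_interval_minutes() {
    v=$1
    case "$v" in
        ''|*[!0-9:]*|:*|*:|*::*) return 1 ;;   # empty, non-digit, or an empty field
    esac
    case "$v" in
        *:*:*:*) return 1 ;;                   # more than three fields
        *:*:*)   d=${v%%:*}; v=${v#*:}; h=${v%%:*}; m=${v#*:} ;;
        *:*)     return 1 ;;                   # two fields is not a documented form
        *)       d=0; h=0; m=$v ;;
    esac
    # awk reads "08" as decimal 8; $(( )) treats a leading zero as octal in some shells
    awk -v d="$d" -v h="$h" -v m="$m" 'BEGIN { printf "%d\n", d * 1440 + h * 60 + m }'
}

# Accept 0 (scheduler off) or a value within 30..525600 minutes; print the normalized
# value and return 0, otherwise print nothing and return 1.
tnc_interval_check() {
    mins=$(tnc_interval_minutes "$1") || return 1
    if [ "$mins" -eq 0 ]; then
        echo 0
        return 0
    fi
    if [ "$mins" -lt "$TNC_MIN_MINUTES" ] || [ "$mins" -gt "$TNC_MAX_MINUTES" ]; then
        return 1
    fi
    echo "$mins"
}

# Apply a validated recheck interval with chserver (an explicit start is still needed
# for the change to take effect, as the chserver description says). PSCONF lets you
# point at a wrapper or a dry-run stub when testing on a machine without psconf.
tnc_set_recheck_interval() {
    mins=$(tnc_interval_check "$1") || { echo "rejected interval: $1" >&2; return 1; }
    "${PSCONF:-psconf}" chserver recheck_interval="$mins"
}
```

Typical use is `tnc_set_recheck_interval 1:0:0` for a daily re-verification or `tnc_set_recheck_interval 0` to leave verification to client start-up and manual `psconf verify` runs; `tnc_set_recheck_interval 29` is refused before any configuration is touched.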
The following table shows the effect of setting the default_policy attribute to yes or no:
Table 2. Results of the default_policy attribute
Fileset policy: The TNC client belongs to a fileset policy that has interim fix and APAR groups defined
    default_policy=yes: The default policy is overridden by the interim fixes and APARs provided in the fileset policy.
    default_policy=no: The default policy is not used. The interim fixes and APARs provided in the fileset policy are considered during the verification of the TNC client.
Fileset policy: The TNC client belongs to a fileset policy that has no interim fix and APAR groups defined
    default_policy=yes: The default policy is used. Only the interim fixes and APARs that match the level of the TNC client are considered during the verification of the TNC client.
    default_policy=no: The default policy is not used.

Flags

Item Description
-a <apar1, apar2,apargrp1,apargrp2,...> Specifies a comma-separated APAR list.
-A <advisoryName> Specifies the advisory name for the report.
-B <buildinfo> Specifies the build information to prepare a patch report.
-c Displays the user attributes in colon-separated records as follows:
# name: attribute1: attribute2: ...
policy: value1: value2: ...
-C Specifies that the operation is for client component.
-d <database file | export directory> Specifies the database file to import (with the import subcommand), or the directory into which the database is exported (with the export subcommand).
-D yyyy-mm-dd Specifies the date for a client entry in the history log, where yyyy is the year, mm is the month, and dd is the day.
-e emailid ipgroup=[±]g1, g2... Specifies the email ID followed by a comma-separated IP group name list.
-E FAIL | COMPLIANT | ALL Specifies the event for which email is sent to the configured email ID:

FAIL- Mails are sent when the verification status of the client is FAILED.

COMPLIANT- Mails are sent when the verification status of the client is COMPLIANT.

ALL - Mails are sent for all the statuses of the client verification.

-f filename Specifies the file from which the certificate must be read in case of an import operation, or specifies the location to which the certificate must be written in case of an export operation.
-F fspolicy buildinfo Specifies the fileset policy name, followed by the build information. The build information uses the following format:

6100-04-01, where 6100 represents version 6.1, 04 is the technology level (formerly called the maintenance level), and 01 is the service pack.

-g Run the clientData subcommand on the specified TNC client. This flag is available only with the clientData subcommand.
-G ipgroupname ip=[±]ip1, ip2... Specifies the IP group name followed by a comma-separated IP list.
-H Lists the history log.
-i host Specifies the IP address or host name.
-I ip=[±]ip1, ip2... | [±] host1,host2... Specifies the IP/host name that must be ignored during verification.
-k filename Specifies the file from which the certificate key must be read in case of an import operation.
-l Lists the snapshot details on the TNC server for the specified TNC client. This flag is available only with the clientData subcommand.
-O <openpkggrp> Specifies the openpkg group name for the policy.
-p Previews the TNC client update.
-P <policyName> Specifies the policy name to prepare a client policy report.
-q Suppresses the header information.
-r buildinfo Generates the report based on the build information. The build information uses the following format:

6100-04-01, where 6100 represents version 6.1, 04 is the technology level (formerly called the maintenance level), and 01 is the service pack.

-R Specifies that the operation is for IPRef component.
-s COMPLIANT | IGNORE | FAILED | ALL Displays the client by status as follows:
COMPLIANT
Displays the active clients.
IGNORE
Displays the clients that are excluded from any verification.
FAILED
Displays the clients that have failed verification as per the configured policy.
ALL
Displays all the clients irrespective of their statuses.
-S Specifies that the operation is for the server component (for example, the server certificate with import or export, or the server information with list).
-t TRUSTED | UNTRUSTED Marks the specified client as trusted or untrusted.
Note: Only system administrators can verify the server or client as trusted or untrusted.
-T Specifies that the client accepts requests from any Trusted Surveyor (TS) server that has a valid certificate.
-u Uninstalls an interim fix that is installed on a TNC client. When used with verify, uninstalls conflicting interim fixes after verification.
-v <CVEid | ALL> Generates the Common Vulnerabilities and Exposures (CVE) report for the registered service packs. Specify a single CVE ID to report on that entry, or ALL to display all CVEs for the registered service packs.
-v<ifix1, ifix2,ifixgrp1,ifixgrp2...> Specifies a comma-separated interim fix list.
-V<ifixgrp> Specifies the interim fix group name.

Exit Status

This command returns the following exit values:

Item Description
0 The command ran successfully, and all the requested changes are made.
>0 An error occurred. The printed error message includes more details about the type of failure.

Examples

  1. To start the TNC server, enter the following command:
    psconf start server
  2. To add a fileset policy named 71D_latest for the build 7100-04-02, enter the following command:
    psconf add -F 71D_latest 7100-04-02
  3. To delete a fileset policy named 71D_old, enter the following command:
    psconf delete -F 71D_old
  4. To mark the client that has an IP address of 11.11.11.11 as trusted, enter the following command:
    psconf certadd -i 11.11.11.11 -t TRUSTED
  5. To delete the client that has an IP address of 11.11.11.11 from the server, enter the following command:
    psconf certdel -i 11.11.11.11
  6. To verify the client information that has an IP address of 11.11.11.11, enter the following command:
    psconf verify -i 11.11.11.11
  7. To display the client information that has an IP address of 11.11.11.11, enter the following command:
    psconf list -i 11.11.11.11
  8. To generate the report for clients that are in COMPLIANT status, enter the following command:
    psconf list -s COMPLIANT -i ALL
  9. To generate the report for the build 7100-04-02, enter the following command:
    psconf list -r 7100-04-02
  10. To display the connection history of a client that has an IP address of 11.11.11.11, enter the following command:
    psconf list -H -i 11.11.11.11
  11. To delete the entry of a client that has an IP address of 11.11.11.11 from the log history older or equal to 1 February, 2009, enter the following command:
    psconf delete -H -i 11.11.11.11 -D 2009-02-01
  12. To import the client certificate of a client that has an IP address of 11.11.11.11 from the server, enter the following command:
    psconf import -C -i 11.11.11.11 -f /tmp/client.txt
  13. To export the server certificate from a client, enter the following command:
    psconf export -S -f /tmp/server.txt
  14. To update the client that has an IP address of 11.11.11.11 to an appropriate level from the server, enter the following command:
    psconf update -i 11.11.11.11
  15. To display the client statuses, enter the following command:
    psconf status
  16. To display the client certificate, enter the following command:
    psconf list -C
  17. To start the client, enter the following command:
    psconf start client
  18. To display the snapshot information that was gathered with the clientData subcommand for a TNC client, enter the following command:
    psconf clientData -l -i <ip|host>
  19. To display the history for the TNC client, enter the following command:
    psconf list -H -i <ip|ALL>
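Examples 8 and 14 are usually combined in practice: list the clients that failed verification, then preview and apply updates for them. The following POSIX sh script is an added example, not from the psconf documentation: it turns `psconf list -s ALL -i ALL -c` output into a per-status summary and a list of FAILED hosts to feed to `psconf update -p`. The page documents only the shape of -c output (a `# name: attribute: ...` header followed by colon-separated rows), so the column names host and status in the constructed sample below are assumed; that is also why the script keeps the real header (do not pass -q) and locates columns by name rather than by position.

```shell
#!/bin/sh
# Added example: process `psconf list -s ALL -i ALL -c` output (header kept: no -q).
# ASSUMPTION: the header names a "host" and a "status" column. The sample below is
# constructed for this example and is not real psconf output.

SAMPLE_LIST='# host: status: policy: lastverified
11.11.11.11: FAILED: 71D_latest: 2009-02-01
11.11.11.12: FAILED: 71D_latest: 2009-02-01
11.11.11.13: COMPLIANT: 71D_latest: 2009-02-01
11.11.11.14: IGNORE: 71D_old: 2009-01-15'

# Read -c output on stdin and print one host per line whose status column equals $1
# (COMPLIANT, FAILED or IGNORE). Columns are located from the "# name: attr: ..."
# header, so their order in the real output does not matter; without a header
# (output produced with -q) nothing is printed rather than guessing a column.
tnc_hosts_with_status() {
    awk -F': *' -v want="$1" '
        /^#/ { sub(/^# */, ""); for (i = 1; i <= NF; i++) col[$i] = i; next }
        ("host" in col) && ("status" in col) && $(col["status"]) == want { print $(col["host"]) }
    '
}

# Print "STATUS count" per status, sorted. IGNORE hosts are excluded from verification
# (see -I), so a non-zero IGNORE count deserves review, not only the FAILED count.
tnc_status_summary() {
    awk -F': *' '
        /^#/ { sub(/^# */, ""); for (i = 1; i <= NF; i++) col[$i] = i; next }
        ("status" in col) { n[$(col["status"])]++ }
        END { for (s in n) print s, n[s] }
    ' | sort
}

# Emit the preview commands (-p shows what an update would install) for every FAILED
# host. Review the previews, then re-run without -p to apply. PSCONF may point at a
# wrapper or a stub on a machine without psconf.
tnc_preview_failed() {
    tnc_hosts_with_status FAILED | while read -r host; do
        printf '%s update -p -i %s\n' "${PSCONF:-psconf}" "$host"
    done
}

# Stand-alone run over the constructed sample. On a TNC server replace the sample with
# the live output:  psconf list -s ALL -i ALL -c | tnc_status_summary
printf '%s\n' "$SAMPLE_LIST" | tnc_status_summary
printf '%s\n' "$SAMPLE_LIST" | tnc_preview_failed
```

The preview step matters because `psconf update` installs patches on the client; running the -p form first lets the administrator see what would change for each failed host before the fix is applied.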

Security

Attention RBAC users and Trusted AIX® users:

This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.