pscxpert for linux command

Purpose

Aids the system administrator in setting the security configuration.

Syntax

pscxpert -f Profile [ -k rule_name ] [ -p ] [-r|-R] [-x log directory] [-y tmp directory]

pscxpert -u [ -p] [-x log directory] [-y tmp directory]

pscxpert -c [ -p ] [-r|-R] [-P Profile] [-l Rule_Type] [-x log directory] [-y tmp directory]

pscxpert -t [-x log directory] [-y tmp directory]

pscxpert -d [-x log directory] [-y tmp directory]

Description

The pscxpert command sets various system configuration settings to enable the specified security standard.

If you run the pscxpert command when another instance of the pscxpert command is already running, the pscxpert command exits with an error message.

Note: Rerun the pscxpert command after any major system changes, such as the installation or update of software. If a particular security configuration item is not selected when the pscxpert command is rerun, that configuration item is skipped.

Flags

Item Description
-c Checks the security settings against the previously applied set of rules. If the check against a rule fails, the previous versions of the rule are also checked. This process continues until the check passes, or until all of the instances of the failed rule in the /etc/security/pscxpert/core/appliedrules.xml file are checked. You can run this check against any default profile or custom profile.
-d Displays the document type definition (DTD).
-f
Applies the security settings that are provided in the specified Profile file. The profiles are in the /etc/security/pscxpert/custom directory. The available profiles include the following standard profiles:
  • Linux_PCIv3.xml contains the requirements for the Payment Card Industry Data Security Standard Version 3 for Linux® settings.
  • Linux_PCIv4.xml contains the requirements for the Payment Card Industry Data Security Standard Version 4 for Linux settings.
  • Linux_GDPRv1.xml contains the requirements for the General Data Protection Regulation (GDPR) compliance for Linux settings.
  • Linux_CISv1.xml contains the settings that implement the PCI DSS version 3.0 compliance standard for Linux.
  • Linux_CISv2_Lev1.xml contains the Payment Card Industry DSS compliance for Linux.
  • Linux_CISv2_Lev2.xml contains the Payment Card Industry DSS compliance for Linux.
  • Linux_DoDv7.xml contains the requirements of the Department of Defense Red Hat Enterprise Linux 8 STIG.
  • Linux_HMCv1.xml contains the requirements for hardening security on the HMC appliance.
  • Linux_SAPHANAv1.xml contains the requirements for hardening the Linux systems with SAP HANA software.
-k Specifies that only the named rule will be enforced for the applied profile. The -f flag must specify Applied. The -k flag must match the rule in the applied file, including the unique ID.

You can also create custom profiles in the same directory and apply them to your settings by renaming and modifying the existing XML files.

For example, the following command applies the Linux PCIv3 profile to your system:
pscxpert -f /etc/security/pscxpert/custom/Linux_PCIv3.xml

All of the successfully applied rules are written to the /etc/security/pscxpert/core/appliedrules.xml file and the corresponding undo action rules are written to the /etc/security/pscxpert/core/undo.xml file.

-t Displays the type of the profile that is applied on the system.
-u Undoes the security settings that are applied.
Note:
  • Changes to the system after an apply operation are lost with an undo operation. Settings are returned to the value as it existed before the apply operation.

Parameters for -c

Item Description
-p Specifies that the output of the security rules is displayed by using verbose output. The -p flag logs the rules that are processed into the audit subsystem if the auditing option is turned on.

The -p flag enables verbose output to both the terminal and the /var/powersc/log/check_report.txt file.

-r Writes the existing settings of the system to the /var/powersc/log/check_report.txt file. You can use the output in security or compliance audit reports. The report describes each setting, how it might relate to a regulatory compliance requirement, and whether the check passed or failed.

The -r flag supports the apply and check operations for profiles.

The -r option displays the entire message (one or more lines) for a rule.

-R Produces the same output as the -r flag. In addition, this flag also appends a description of the rule script or program that is used to implement the configuration setting.
-P This flag is used to check the compatibility of the system with the profile specified in the Profile parameter passed as input.
Profile Specifies the file name of the profile that provides compliance rules for the system.
-l This flag is used to check the compatibility of the system with the type of rules that are included in the profile that is specified in the Rule_Type parameter.
Rule_Type Specifies a compliance profile. The possible values for Rule_Type can be a built-in profile such as PCIv3 or GDPRv1, or a custom profile that contains rule types created by the end user. For example, “PCIv3_cus” or “PVP_type”.
-x Specifies a user-defined location for the log directory. The directory must already exist.
-y Specifies a user-defined location for the tmp directory. The directory must already exist.

Parameters for -f

Item Description
-p Specifies that the output of the security rules is displayed by using verbose output. The -p flag logs the rules that are processed into the audit subsystem if the auditing option is turned on.

The -p flag enables verbose output to both the terminal and the /var/powersc/log/check_report.txt file.

Profile The file name of the profile that provides compliance rules that are applied for the system.
rule_name The name of the rule to enforce. The -k flag must match the rule in the applied file, including the unique ID. Successfully applied rules are written to the /etc/security/pscxpert/core/appliedrules.xml file. Check this file to get the exact rule name and its unique identifier.
-r Writes the existing settings of the system to the /var/powersc/log/check_report.txt file. You can use the output in security or compliance audit reports. The report describes each setting, how it might relate to a regulatory compliance requirement, and whether the check passed or failed.

The -r flag supports the apply and check operations for profiles.

The -r option displays the entire message (one or more lines) for a rule.

-R Produces the same output as the -r flag. In addition, this flag also appends a description of the rule script or program that is used to implement the configuration setting.
-x Specifies a user-defined location for the log directory. The directory must already exist.
-y Specifies a user-defined location for the tmp directory. The directory must already exist.

Parameters for -u

Item Description
-p Specifies that the output of the security rules is displayed by using verbose output. The -p flag logs the rules that are processed into the audit subsystem if the auditing option is turned on.

The -p flag enables verbose output to both the terminal and the /var/powersc/log/pscxpert.log file.

-x Specifies a user-defined location for the log directory. The directory must already exist.
-y Specifies a user-defined location for the tmp directory. The directory must already exist.

Examples

  1. To apply the security settings from the PCIv3 configuration file, enter the following command:
    pscxpert -f /etc/security/pscxpert/custom/Linux_PCIv3.xml
  2. To check the security settings of the system, and to log the rules that failed into the audit subsystem, enter the following command:
    pscxpert -c -p
  3. To enable verbose output:
    pscxpert -u -p
  4. To generate reports:
    pscxpert -c -r
  5. To enforce only the named rules for the applied profile:
    pscxpert -f Applied -k ruleName_09E788E8
Note: The standard location for administrative programs is /usr/sbin (and /sbin). If /usr/sbin (and /sbin) is not in the PATH environment variable, it needs to be added. If you do not add it to the PATH environment variable, the pscxpert command can be called with the absolute path /usr/sbin/pscxpert.
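The following wrapper script is an added example and is not part of the pscxpert documentation or the PowerSC product. It shows how an administrator can run the report-producing check (pscxpert -c -r, optionally with -P Profile) with user-defined log and tmp directories, taking care of the two caveats stated above: the -x and -y directories must already exist before pscxpert is called, and pscxpert is invoked by its absolute path so the PATH does not have to include /usr/sbin. The PSCXPERT and PSCXPERT_DRY_RUN variables, the function names, and the 0700 permissions on newly created directories are this script's own choices, not pscxpert options.

```shell
#!/bin/sh
# Added example wrapper around "pscxpert -c -r"; not from the pscxpert documentation.
# Usage: sh pscxpert_check.sh LOGDIR TMPDIR [PROFILE]
#   Set PSCXPERT_DRY_RUN=1 to print the command line instead of running it.

# Absolute path as noted in the documentation, so PATH need not contain /usr/sbin.
# (PSCXPERT is this script's variable, not a pscxpert setting.)
PSCXPERT="${PSCXPERT:-/usr/sbin/pscxpert}"

# ensure_dir DIR: -x and -y require an existing directory, so create it if missing.
# Newly created directories get mode 0700 (this script's choice) because the
# check report describes the host's compliance state and is for administrators only.
ensure_dir() {
    if [ -d "$1" ]; then
        return 0
    elif [ -e "$1" ]; then
        echo "error: $1 exists but is not a directory" >&2
        return 1
    fi
    mkdir -p "$1" && chmod 0700 "$1"
}

# run_check LOGDIR TMPDIR [PROFILE]: run "pscxpert -c -r -x LOGDIR -y TMPDIR [-P PROFILE]".
# Returns pscxpert's own exit status; pscxpert exits with an error message when
# another instance is already running, so that status is reported, not hidden.
run_check() {
    logdir="$1"; tmpdir="$2"; profile="${3:-}"
    ensure_dir "$logdir" || return 1
    ensure_dir "$tmpdir" || return 1

    # Build the argument list without word splitting, so paths with spaces survive.
    set -- -c -r -x "$logdir" -y "$tmpdir"
    if [ -n "$profile" ]; then
        set -- "$@" -P "$profile"
    fi

    if [ "${PSCXPERT_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$PSCXPERT $*"
        return 0
    fi
    if [ ! -x "$PSCXPERT" ]; then
        echo "error: $PSCXPERT is not executable" >&2
        return 2
    fi
    "$PSCXPERT" "$@"
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "pscxpert -c exited with status $status; see its error message above" >&2
    fi
    return "$status"
}

# Run only when directories are given on the command line, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    run_check "$@"
fi
```

Running `PSCXPERT_DRY_RUN=1 sh pscxpert_check.sh /var/powersc/log /var/powersc/tmp /etc/security/pscxpert/custom/Linux_PCIv3.xml` creates the two directories if needed and prints the exact pscxpert command line without executing it, which is a convenient way to confirm the flags before a real check on a production host.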