Customizable security policy with user-defined AIX Security Expert XML rules

You can use XML files to configure unique security policies.

AIX® Security Expert recognizes these XML files dynamically. Place any custom XML security policy file you create in the directory /etc/security/aixpert/custom/, with a descriptive file name. Files in that directory are picked up when AIX Security Expert is accessed through the console graphical interface, so the graphical features described by the aixpert DTD are fully available for your rules.

The DTD is as follows:
<?xml version='1.0'?>

<!--START-->

<!ELEMENT AIXPertSecurityHardening (AIXPertEntry+)>

<!-- AIXPertEntry should contain only one instance of the following elements. -->

<!ELEMENT AIXPertEntry (AIXPertRuleType,     
		AIXPertDescription, AIXPertPrereqList, AIXPertCommand,
		AIXPertArgs,AIXPertGroup)>

<!-- AIXPertEntry's name should be unique. -->

<!ATTLIST AIXPertEntry
	name ID #REQUIRED
	function CDATA ""
>

<!ELEMENT AIXPertRuleType EMPTY>
<!ATTLIST AIXPertRuleType    type (LLS|MLS|HLS|DLS|SCBPS|Prereq) "DLS">
<!ELEMENT AIXPertDescription (#PCDATA)>
<!ELEMENT AIXPertPrereqList (#PCDATA)>
<!ELEMENT AIXPertCommand (#PCDATA)>
<!ELEMENT AIXPertArgs (#PCDATA)*>
<!ELEMENT AIXPertGroup (#PCDATA)*>
The AIXPertEntry name must be unique within the XML file (it is declared as an ID in the DTD). This name is the label of the selectable graphic button when the file is viewed on a system console via the path AIX Security Expert -> Overview and Tasks -> Customized Options -> <xml file>.
<!ELEMENT AIXPertRuleType EMPTY>
<!ATTLIST AIXPertRuleType type (LLS|MLS|HLS|DLS|SCBPS|Prereq|Custom) "DLS">
A user-defined rule should specify the type Custom; a rule that only checks a precondition for other rules should specify Prereq (see AIXPertPrereqList below). Because the default type is DLS, the type attribute must be given explicitly for each custom rule. Note that this attribute list adds Custom to the type values shown in the DTD above.
<!ELEMENT AIXPertDescription (#PCDATA)>
When the file is viewed through the graphical interface mentioned above, the description text is displayed in a pop-up window when the mouse is placed over the rule's button.
<!ELEMENT AIXPertPrereqList (#PCDATA)>
It is possible to name a prerequisite rule for this rule. The prerequisite rule's command must exit with status 0 before aixpert applies this rule. If the XML file is viewed through the graphical interface, this rule is grayed out while the prerequisite rule is not satisfied. If you are creating a prerequisite rule, its AIXPertRuleType must be 'Prereq'.

The AIXPertDescription field of the prerequisite rule should describe what must be done to satisfy it. If a Custom rule is grayed out because one of its Prereq rules is not satisfied, the user is shown the description pop-up window of that Prereq rule, which explains what the user must do to correct the prerequisite condition.

<!ELEMENT AIXPertCommand (#PCDATA)>
This element must contain the full path of the command that aixpert executes for this security rule, e.g. /usr/bin/ls. Use an absolute path, not a bare command name that depends on the caller's PATH.
<!ELEMENT AIXPertArgs (#PCDATA)*>
This element must contain any arguments to the above command, e.g. -l.
<!ELEMENT AIXPertGroup (#PCDATA)*>
It is possible to group a set of aixpert rules when they are displayed via a graphical interface. For example, a related set of rules might all specify an AIXPertGroup name of "Network Security".
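The following is an added example, not part of the original page or of the aixpert tool itself. It embeds a constructed custom rules file containing one Prereq rule and one Custom rule that depends on it, parses it with Python's standard xml.etree module, checks the structural constraints described above (unique entry names, the six child elements in DTD order, a known rule type, an absolute AIXPertCommand path, and every listed prerequisite existing and being of type Prereq), and then works out which rules would be runnable, and which would be grayed out with which pop-up text, given the exit statuses of the prerequisite commands. The rule names, commands and the hardening script path are illustrative assumptions, as is the choice of a comma-separated list of rule names as the AIXPertPrereqList format, which the page does not specify.

```python
"""Check a custom AIX Security Expert rules file and resolve prerequisite gating.

Added example; not code from the AIX documentation or from aixpert.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample file. Names, commands and the script path are assumptions.
SAMPLE_RULES_XML = """<?xml version='1.0'?>
<AIXPertSecurityHardening>
  <AIXPertEntry name="chk_ssh_installed" function="">
    <AIXPertRuleType type="Prereq"/>
    <AIXPertDescription>Install the openssh.base.server fileset before enabling the SSH rule.</AIXPertDescription>
    <AIXPertPrereqList></AIXPertPrereqList>
    <AIXPertCommand>/usr/bin/lslpp</AIXPertCommand>
    <AIXPertArgs>-l openssh.base.server</AIXPertArgs>
    <AIXPertGroup>Network Security</AIXPertGroup>
  </AIXPertEntry>
  <AIXPertEntry name="ssh_disable_root_login" function="">
    <AIXPertRuleType type="Custom"/>
    <AIXPertDescription>Set PermitRootLogin no in sshd_config.</AIXPertDescription>
    <AIXPertPrereqList>chk_ssh_installed</AIXPertPrereqList>
    <AIXPertCommand>/usr/local/sbin/harden_sshd.sh</AIXPertCommand>
    <AIXPertArgs>--no-root-login</AIXPertArgs>
    <AIXPertGroup>Network Security</AIXPertGroup>
  </AIXPertEntry>
</AIXPertSecurityHardening>
"""

# Child element order fixed by the DTD, and the type values from the ATTLIST above.
CHILD_ORDER = ["AIXPertRuleType", "AIXPertDescription", "AIXPertPrereqList",
               "AIXPertCommand", "AIXPertArgs", "AIXPertGroup"]
RULE_TYPES = {"LLS", "MLS", "HLS", "DLS", "SCBPS", "Prereq", "Custom"}


def _text(entry, tag):
    """Stripped text of a child element, '' when the element is empty."""
    return (entry.find(tag).text or "").strip()


def parse_rules(xml_text):
    """Return {name: rule dict} for every AIXPertEntry, in file order.

    Raises ValueError for structural problems the DTD would reject.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "AIXPertSecurityHardening":
        raise ValueError("root element must be AIXPertSecurityHardening")
    rules = {}
    for entry in root.findall("AIXPertEntry"):
        name = entry.get("name")
        if not name:
            raise ValueError("AIXPertEntry without a name attribute")
        if name in rules:
            raise ValueError(f"duplicate AIXPertEntry name {name!r}")
        children = [child.tag for child in entry]
        if children != CHILD_ORDER:
            raise ValueError(f"{name}: children must be {CHILD_ORDER}, got {children}")
        # Assumption: AIXPertPrereqList holds comma-separated rule names.
        prereqs = [p.strip() for p in _text(entry, "AIXPertPrereqList").split(",") if p.strip()]
        rules[name] = {
            "type": entry.find("AIXPertRuleType").get("type", "DLS"),  # DTD default
            "description": _text(entry, "AIXPertDescription"),
            "prereqs": prereqs,
            "command": _text(entry, "AIXPertCommand"),
            "args": _text(entry, "AIXPertArgs"),
            "group": _text(entry, "AIXPertGroup"),
        }
    return rules


def validate(rules):
    """Return a list of problem strings; an empty list means the file passes."""
    problems = []
    for name, rule in rules.items():
        if rule["type"] not in RULE_TYPES:
            problems.append(f"{name}: unknown rule type {rule['type']!r}")
        if not rule["command"].startswith("/"):
            problems.append(f"{name}: AIXPertCommand must be a full path, got {rule['command']!r}")
        for prereq in rule["prereqs"]:
            if prereq not in rules:
                problems.append(f"{name}: prerequisite {prereq!r} is not defined in this file")
            elif rules[prereq]["type"] != "Prereq":
                problems.append(f"{name}: prerequisite {prereq!r} has type "
                                f"{rules[prereq]['type']}, must be Prereq")
    return problems


def command_line(rule):
    """The argv aixpert would run for a rule: full path plus split arguments."""
    return [rule["command"]] + shlex.split(rule["args"])


def runnable_rules(rules, prereq_status):
    """Split non-Prereq rules into runnable ones and grayed-out ones.

    prereq_status maps a Prereq rule name to its command's exit status; an
    unknown status counts as unsatisfied. The grayed-out map carries the
    description of the first unmet prerequisite, i.e. the pop-up text the GUI shows.
    """
    enabled, grayed = [], {}
    for name, rule in rules.items():
        if rule["type"] == "Prereq":
            continue
        unmet = [p for p in rule["prereqs"] if prereq_status.get(p, 1) != 0]
        if unmet:
            grayed[name] = rules[unmet[0]]["description"]
        else:
            enabled.append(name)
    return enabled, grayed


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES_XML)
    for problem in validate(parsed):
        print("problem:", problem)
    # Constructed status: pretend lslpp reported the fileset missing (exit 1).
    ok, blocked = runnable_rules(parsed, {"chk_ssh_installed": 1})
    print("runnable:", ok)
    for rule_name, popup in blocked.items():
        print(f"grayed out {rule_name}: {popup}")
    print("would run:", command_line(parsed["ssh_disable_root_login"]))
```

Run it against a file copied out of /etc/security/aixpert/custom/ before handing the file to aixpert; the validator catches the mistakes that only surface as a grayed-out button or a silently skipped rule in the console interface, such as a typo in a prerequisite name or a prerequisite whose type was left at the DLS default.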