IBM Support


AIXpert settings and compliance

Question & Answer


Question

How do I set AIXpert rules and generate a compliance report?

Answer


AIXpert is an easy-to-use interface for both hardening a system and verifying its compliance with
one or more standards.

A standard can be one defined by the aixpert command and its XML rule files, or one supplied by the PowerSC
tool.

01- Setting a specific AIXpert level:

# aixpert -l <LEVEL>

This sets the system security settings to the level given with the -l option.

LEVEL is one of the following:

h|high:
    Specifies high-level security options.

m|medium:
    Specifies medium-level security options.

l|low:
    Specifies low-level security options.

d|default:
    Specifies AIX standards-level security options.

s|sox-cobit:
    Specifies SOX-COBIT best practices-level security options.




02- Set the level to "low", as in the following example:

# aixpert -l low

This applies the low-level security settings and takes some time to finish.




03- To check the security settings in verbose mode after applying a specific level:

# aixpert -cp
Processing lls_maxage_97D38C75 :done.
Processing lls_maxexpired_97D38C75 :done.
Processing lls_minlen_97D38C75 : failed.
Processing lls_minalpha_97D38C75 :done.
Processing lls_minother_97D38C75 :done.
Processing lls_mindiff_97D38C75 :done.
Processing lls_histexpire_97D38C75 :done.
Processing lls_pwdwarntime_97D38C75 :done.
Processing lls_usrck_97D38C75 :done.
Processing lls_pwdck_97D38C75 :done.
Processing lls_grpck_97D38C75 :done.
Processing lls_loginretries_97D38C75 :done.
Processing lls_logindelay_97D38C75 :done.
Processing lls_logintimeout_97D38C75 :done.
Processing lls_binaudit_97D38C75 :done.
Processing lls_distimedmn_97D38C75 :done.
Processing lls_dissnmpdmn_97D38C75 :done.
Processing lls_dissnmpmibddmn_97D38C75 :done.
Processing lls_disaixmibddmn_97D38C75 :done.
Processing lls_dishostmibddmn_97D38C75 :done.
Processing lls_disgateddmn_97D38C75 :done.
Processing lls_shell_97D38C75 :done.
Processing lls_talk_97D38C75 :done.
Processing lls_rquotad_97D38C75 :done.
Processing lls_rexd_97D38C75 :done.
Processing lls_rmsuidfrmrcmds_97D38C75 :done.
Processing lls_filepermgr_97D38C75 :done.
Processing lls_rmrhostsnetrc_97D38C75 :done.
Processing lls_rmetchostsequiv_97D38C75 :done.
Processing lls_bcastping_97D38C75 :done.
Processing lls_clean_partial_conns_97D38C75 :done.
Processing lls_directed_broadcast_97D38C75 :done.
Processing lls_icmpaddressmask_97D38C75 :done.
Processing lls_tcp_pmtu_discover_97D38C75 :done.
Processing lls_udp_pmtu_discover_97D38C75 :done.
Processing lls_tcp_sendspace_97D38C75 :done.
Processing lls_tcp_recvspace_97D38C75 :done.
Processing lls_rfc1323_97D38C75 :done.
Processing lls_tcp_mssdflt_97D38C75 :done.
Processing lls_sb_max_97D38C75 :done.
Processing lls_tcp_tcpsecure_97D38C75 :done.
Processing lls_sockthresh_97D38C75 :done.
Processing lls_crontabperm_97D38C75 :done.
Processing lls_rmdotfrmpathroot_97D38C75 :done.
Processedrules=44 Passedrules=43 Failedrules=1 Level=AllRules
Input file=/etc/security/aixpert/core/appliedaixpert.xm



04- The XML rule file is: /etc/security/aixpert/core/appliedaixpert.xml

05- A sample of its content:

# cat /etc/security/aixpert/core/appliedaixpert.xml

<?xml version="1.0" encoding="UTF-8"?>
<AIXPertSecurityHardening>
<AIXPertEntry name="lls_maxage_97D38C75" function="maxage">
<AIXPertRuleType type="LLS"/>
<AIXPertDescription>Maximum age for password: Specifies the maximum number of weeks (13 weeks) that a password is valid</AIXPertDescription>
<AIXPertPrereqList>bos.rte.date</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
<AIXPertArgs>maxage=52 ALL lls_maxage</AIXPertArgs>
<AIXPertGroup>Password policy rules</AIXPertGroup>
[..]
<AIXPertEntry name="lls_rmdotfrmpathroot_97D38C75" function="rmdotfrmpathroot">
<AIXPertRuleType type="LLS"/>
<AIXPertDescription>Remove dot from path root: Remove dot from PATH environment variable from files .profile, .kshrc, .cshrc and .login in root's home directory</AIXPertDescription>
<AIXPertPrereqList>bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/rmdotfrmpathroot</AIXPertCommand>
<AIXPertArgs>lls_rmdotfrmpathroot</AIXPertArgs>
<AIXPertGroup>Miscellaneous Rules</AIXPertGroup>
</AIXPertSecurityHardening>




06- Checking and correcting the rule that failed in step 3:

Processing lls_minlen_97D38C75 : failed

First find the rule's entry, and the value it expects, in the applied XML file:

# grep minlen /etc/security/aixpert/core/appliedaixpert.xml
<AIXPertEntry name="lls_minlen_97D38C75" function="minlen">
<AIXPertArgs>minlen=8 ALL lls_minlen</AIXPertArgs>

Then correlate this rule with the minlen attribute in the /etc/security/user file:

# grep "minlen =" /etc/security/user
minlen = 0

07- After changing the value to 8 in /etc/security/user:

# grep "minlen =" /etc/security/user
minlen = 8

08- Checking the security settings again in verbose mode:

# aixpert -cp | grep minl
Processing lls_minlen_97D38C75 :done.
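Steps 3 to 8 are a manual loop: read the failed rule out of the aixpert -cp output, find its entry in appliedaixpert.xml, and compare the expected attribute value with what /etc/security/user currently holds. The script below automates that correlation for chusrattr-style rules. It is an added example, not code from this document or from IBM: the aixpert output, the XML excerpt and the /etc/security/user stanza it reads are constructed samples embedded in the script so that it runs offline, and the function names (failed_rules, rule_args, stanza_value, audit) are not AIXpert names. On a real system the three samples would be replaced by the captured `aixpert -cp` output, the applied XML file and /etc/security/user.

```shell
#!/bin/sh
# Added example (not part of the IBM document): correlate a rule that
# 'aixpert -cp' reports as failed with its <AIXPertArgs> in the applied XML
# and with the current value in the default stanza of /etc/security/user.
# Every input below is a constructed sample so the script runs offline.

# Constructed, abbreviated sample of 'aixpert -cp' output.
SAMPLE_CHECK='Processing lls_maxage_97D38C75 :done.
Processing lls_minlen_97D38C75 : failed.
Processing lls_minalpha_97D38C75 :done.
Processedrules=3 Passedrules=2 Failedrules=1 Level=AllRules
Input file=/etc/security/aixpert/core/appliedaixpert.xml'

# Constructed excerpt of appliedaixpert.xml (only the elements used here).
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<AIXPertSecurityHardening>
<AIXPertEntry name="lls_maxage_97D38C75" function="maxage">
<AIXPertArgs>maxage=52 ALL lls_maxage</AIXPertArgs>
</AIXPertEntry>
<AIXPertEntry name="lls_minlen_97D38C75" function="minlen">
<AIXPertArgs>minlen=8 ALL lls_minlen</AIXPertArgs>
</AIXPertEntry>
</AIXPertSecurityHardening>'

# Constructed excerpt of /etc/security/user (AIX stanza format).
SAMPLE_USER='default:
        admin = false
        minlen = 0
        maxage = 52

root:
        admin = true'

# Print the names of the rules that aixpert -cp reported as failed.
failed_rules() {
    printf '%s\n' "$1" | awk '/^Processing / && /: *failed/ { print $2 }'
}

# Print the <AIXPertArgs> text of the named rule ($1) from XML text ($2).
rule_args() {
    printf '%s\n' "$2" | awk -v rule="$1" '
        index($0, "<AIXPertEntry name=\"" rule "\"") { inrule = 1 }
        inrule && /<AIXPertArgs>/ {
            sub(/.*<AIXPertArgs>/, ""); sub(/<\/AIXPertArgs>.*/, "")
            print; exit
        }'
}

# Split the first word of an args string, e.g. "minlen=8 ALL lls_minlen",
# into the attribute name ("minlen") and the expected value ("8").
args_attr()  { printf '%s\n' "$1" | awk '{ split($1, kv, "="); print kv[1] }'; }
args_value() { printf '%s\n' "$1" | awk '{ split($1, kv, "="); print kv[2] }'; }

# Read attribute $2 from stanza $1 of /etc/security/user-style text ($3).
stanza_value() {
    printf '%s\n' "$3" | awk -v st="$1" -v attr="$2" '
        /^[^ \t].*:$/ { cur = substr($0, 1, length($0) - 1) }   # "default:" -> default
        cur == st && $1 == attr && $2 == "=" { print $3; exit }'
}

# For each failed rule, compare the expected value with the default stanza.
# Returns 1 if any failed rule is still out of compliance, 0 otherwise.
# Only rules whose args start with attr=value (chusrattr rules) are handled;
# a bare-argument rule such as lls_rmdotfrmpathroot needs a different check.
audit() {
    rc=0
    for rule in $(failed_rules "$SAMPLE_CHECK"); do
        args=$(rule_args "$rule" "$SAMPLE_XML")
        attr=$(args_attr "$args")
        want=$(args_value "$args")
        have=$(stanza_value default "$attr" "$SAMPLE_USER")
        if [ "$have" = "$want" ]; then
            printf '%s: %s=%s (ok)\n' "$rule" "$attr" "$have"
        else
            printf '%s: %s expected %s, default stanza has %s\n' \
                "$rule" "$attr" "$want" "${have:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

if audit; then
    echo "all previously failed rules are now in compliance"
else
    echo "remediation still needed; re-run 'aixpert -cp' after fixing"
fi
```

With the samples above the script reports that lls_minlen_97D38C75 expects minlen 8 while the default stanza has 0, which is exactly the correlation step 6 performs by hand. Because the rule name is matched together with its closing quote, a rule whose name is a prefix of another rule's name cannot be confused with it.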



09- To generate compliance reports (.txt and .csv), use:

# pscxpert -c -r

- Two files are generated:

/etc/security/aixpert/check_report.txt
/etc/security/aixpert/check_report.csv



* The pscxpert command belongs to PowerSC, so the PowerSC filesets must be downloaded and installed first:

# lslpp -L powersc*
Fileset                      Level    State  Type  Description (Uninstaller)
----------------------------------------------------------------------------
powerscExp.ice.cmds          1.1.3.2  C      F     ICE Express Security Extension
powerscExp.license           1.1.3.0  C      F     PowerSC Express Edition
powerscExp.rtc.rte           1.1.3.2  C      F     Real-Time Compliance
powerscStd.ice               1.1.3.2  C      F     IBM PowerSC Standard Profile
powerscStd.license           6.1.8.0  C      F     PowerSC Standard Edition
powerscStd.tnc_commands.rte  1.1.3.2  C      F     Trusted Network Connect Commands
powerscStd.tnc_lib.lib       1.1.3.2  C      F     Trusted Network Connect Libraries
powerscStd.tnc_plugins.rte   1.1.3.2  C      F     Trusted Network Connect Plugins
powerscStd.tnc_pm.rte        1.1.3.2  C      F     Trusted Network Connect for Patch Management
powerscStd.tnc_tscomm.rte    1.1.3.2  C      F     Trusted Network Connect Communication Bridge
powerscStd.vlog.rte          1.1.3.2  C      F     Virtual Log Device Software
powerscStd.vtpm.rte          1.1.3.2  C      F     Virtual Trusted Platform Module


10- Sample of the .txt compliance file contents:

***** mash.cairo.ibm.com : Aug 29 02:14:43 ******
Admin:root
Report date and Time:Aug 29 04:11:41
Report Version 1.0

HostName,IP,Description,Command Arguments,Result,Reason for failure

mash.cairo.ibm.com,172.16.70.158,Maximum age for password: Specifies the maximum number of weeks (13 weeks) that a password is valid,/etc/security/aixpert/bin/chusrattr maxage=52 ALL lls_maxage,PASS
mash.cairo.ibm.com,172.16.70.158,Time to change password after the expiration: Specifies the maximum number of weeks to 8 weeeks, after maxage that an expired password can be changed by the user,/etc/security/aixpert/bin/chusrattr maxexpired=8 ALL lls_maxexpired,PASS
mash.cairo.ibm.com,172.16.70.158,Minimum length for password: Specifies the minimum length of a password to 8,/etc/security/aixpert/bin/chusrattr minlen=8 ALL lls_minlen,PASS
mash.cairo.ibm.com,172.16.70.158,Minimum number of alphabetic chars: Specifies the minimum number of alphabetic characters in a password to 2,/etc/security/aixpert/bin/chusrattr minalpha=2 ALL lls_minalpha,PASS
[..]
Processedrules=44 Passedrules=44 Failedrules=0 Level=LLS
Input file=/etc/security/aixpert/core/appliedaixpert.xml
***** mash.cairo.ibm.com : Aug 29 04:17:27 ******




11- The .csv can be loaded into a spreadsheet, where the results can be filtered
as well.
Example of contents:
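Besides loading the .csv into a spreadsheet, the same report can be summarised from the shell, which is useful when the check_report.csv files of many hosts are collected in one place. The script below is an added example, not part of this document or of PowerSC. It assumes the .csv carries the columns of the header shown in the .txt sample (HostName,IP,Description,Command Arguments,Result,Reason for failure); the report lines it parses are constructed samples, and the host names, addresses and the FAIL line with its reason text are made up. Because the Description field itself contains commas (the maxexpired rule above is one case), the parser does not split each line into a fixed number of columns: it locates the Result column by scanning from the end of the line for PASS or FAIL and treats every field after it as the failure reason.

```shell
#!/bin/sh
# Added example (not part of the IBM document): summarise a PowerSC
# check_report.csv per host and list the failed rules with their reasons.
# The CSV below is a constructed sample with the header shown in the .txt
# report; the FAIL line and its reason are invented to exercise that path.

SAMPLE_CSV='HostName,IP,Description,Command Arguments,Result,Reason for failure
host1.example.com,192.0.2.10,Maximum age for password: Specifies the maximum number of weeks (13 weeks) that a password is valid,/etc/security/aixpert/bin/chusrattr maxage=52 ALL lls_maxage,PASS
host1.example.com,192.0.2.10,Time to change password after the expiration: Specifies the maximum number of weeks to 8 weeks, after maxage that an expired password can be changed by the user,/etc/security/aixpert/bin/chusrattr maxexpired=8 ALL lls_maxexpired,PASS
host1.example.com,192.0.2.10,Minimum length for password: Specifies the minimum length of a password to 8,/etc/security/aixpert/bin/chusrattr minlen=8 ALL lls_minlen,FAIL,minlen is 0, expected 8
host2.example.com,192.0.2.11,Minimum length for password: Specifies the minimum length of a password to 8,/etc/security/aixpert/bin/chusrattr minlen=8 ALL lls_minlen,PASS'

# Parse CSV text ($1); mode ($2) is "summary" or "failures".
# The Description column may contain commas, so the Result column is found
# by scanning fields from the right for PASS/FAIL; the field just before it
# is the command line, and every field after it is the reason for failure.
csv_parse() {
    printf '%s\n' "$1" | awk -F, -v mode="$2" '
        NR == 1 { next }                                  # skip the header
        {
            r = 0
            for (i = NF; i >= 3; i--)
                if ($i == "PASS" || $i == "FAIL") { r = i; break }
            if (r == 0) next                              # no result column: skip
            host = $1; result = $r; cmd = $(r - 1)
            n = split(cmd, w, " "); rule = w[n]           # last arg is the rule name
            reason = ""
            for (i = r + 1; i <= NF; i++)
                reason = reason ((i > r + 1) ? "," : "") $i
            hosts[host] = 1
            if (result == "PASS") pass[host]++; else fail[host]++
            if (result == "FAIL")
                failures = failures host "\t" rule "\t" reason "\n"
        }
        END {
            if (mode == "summary")
                for (h in hosts)
                    printf "%s pass=%d fail=%d\n", h, pass[h] + 0, fail[h] + 0
            else
                printf "%s", failures
        }'
}

# One line per host with its PASS/FAIL counts, sorted by host name.
report_summary()  { csv_parse "$1" summary | sort; }

# One tab-separated line per failed rule: host, rule name, reason.
report_failures() { csv_parse "$1" failures; }

# Number of failed rules in the report.
failed_count()    { report_failures "$1" | wc -l | tr -d ' '; }

echo "== per-host summary =="
report_summary "$SAMPLE_CSV"
echo "== failed rules (host, rule, reason) =="
report_failures "$SAMPLE_CSV"
echo "total failures: $(failed_count "$SAMPLE_CSV")"
```

A non-zero failed_count is the condition a scheduled job would alert on; the report_failures lines give the rule name (lls_minlen here), which is what step 6 greps for in appliedaixpert.xml. Scanning from the right also keeps the parser correct when the reason text itself contains commas.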



Thank you very much for taking the time to read through this document.
I hope it has been helpful. If you feel you have found any inconsistencies,
please don't hesitate to email me at ahdmashr@eg.ibm.com

Ahmed Mashhour


Document Information

Modified date:
17 June 2018

UID

isg3T1025692