Differences

This shows you the differences between two versions of the page.

--- aix:powersc [2024/09/06 23:24]
manu [Check compliance to applied policy]
+++ aix:powersc [2025/04/01 15:04] (current)
manu [Check CIS policy]
@@ Line 1: / Line 1: @@
 ====== AIX Security PowerSC centralized (CIS...) ======
+https://issuu.com/realbjornroden/docs/ibm_powersc___aix_security_compliance
+Requirement for AIX
+  installing **powerscStd** package (included in AIX 7.2 / 7.3 Entreprise edition)
+<cli prompt='>'>
+root@nim ~ > lslpp -Lc | grep -i powersc
+powerscStd.ice:powerscStd.ice:2.2.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/:
+powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/:
+powerscStd.msg:powerscStd.msg.en_US:2.2.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/:
+</cli>
+Provides security and compliance profiles for:
+  * DoD – Department of Defense STIG
+  * HIPAA – Health Insurance Portability and Accountability Act
+  * NERC – North American Electric Reliability Corporation compliance
+  * PCIv3 – The Payment Card Industry – Data Security Standard
+  * SOX-COBIT – Sarbanes-Oxley Act and COBIT compliance
+  * Database – Provides general purpose database security hardening
+  * additionnal like CIS, and predefined aixpert policies
 ===== Apply the accurate policy =====
-Alternative is to use a client PowerSC (apply the right security level)
+Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice)
-<cli>
+<cli prompt='#'>
-% pscxpert -f /etc/security/aixpert/custom/CISv1.xml 	CIS Security Benchmark for AIX 7.1
+# pscxpert -f /etc/security/aixpert/custom/CISv1.xml 	CIS Security Benchmark for AIX 7.1
-% pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml 	CIS Security Benchmark for AIX 7.2
+# pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml 	CIS Security Benchmark for AIX 7.2
-% pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml 	CIS Security Benchmark for AIX 7.2
+# pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml 	CIS Security Benchmark for AIX 7.2
-% pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml	General Data Protection Regulation (GDPR)
+# pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml	General Data Protection Regulation (GDPR)
 </cli>
+Or apply a predefined level (-p verbose mode)
+<cli prompt='#'>
+# pscxpert -l medium -p
+</cli>
+Dump an aixpert default level, in order to modify it and apply then using PowerSC
+<cli prompt='#'>
+# pscxpert -l high -n /etc/security/aixpert/custom/mycustomfile.xml
+</cli>
+Now you are able to change some parameters for example maxage and then apply it using **-f** option
 ===== Check compliance to applied policy =====
-Alternative is to use a client PowerSC (apply the right security level) (/etc/security/aixpert/coreappliedaixpert.xml)
+Alternative is to use a client PowerSC (apply the right security level) (/etc/security/aixpert/core/appliedaixpert.xml)
 <cli prompt='#'>
 # pscxpert -c
 </cli>
+Report is produced in /etc/security/aixpert/check_report.txt
+To display the security profile applied:
+<cli prompt='#'>
+# pscxpert -t
+</cli>
+Compare to a custom security level with a specific Profile
+<cli prompt='#'>
+# pscxpert -c -P /etc/security/aixpert/custom/mysecurity.xml
+</cli>
+Add the option at end **-p -r** to generate a CSV report
+Undo security settings (-p verbose mode)
+<cli prompt='#'>
+# pscxpert -u -p
+</cli>
+===== Check CIS policy =====
+Compare current settings to CISv2 level 1
+<cli prompt='#'>
+root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv2_Lev1.xml -p -r
+Processing cisv2_sysintegrity : failed.
+Processing cisv2_brokenlinks : failed.
+Processing cisv2_find_worldwritables : failed.
+Processing cisv2_find_staffwritables :done.
+...
+Processing cisv2_ipsecfilter :done.
+Processedrules=200      Passedrules=149 Failedrules=51  Level=CISv2
+        Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
+</cli>
+Check the CSV report
+<cli prompt='#'>
+root@nim ~# cat /etc/security/aixpert/check_report.txt
+...
+nim,10.x.x.x,"Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/etc/security/pscexpert/bin/chusrattr umask=27 ALL cisv1_umask",FAIL," The attribute umask for user root should have value 27, but it is 22.
+ The attribute umask for user srvproxy should have value 27, but it is 2.
+ The attribute umask for user esaadmin should have value 27, but it is 22.
+"
+nim,10.x.x.x,"Implements CIS Recommendation 7.2: Install flrtvc tool.","/etc/security/pscexpert/dodv7/checkcmd flrtvc.ksh",PASS
+nim,10.x.x.x,"Implements CIS Recommendation 4.3.2: Ensure loopback is blocked on external interfaces.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecloopbk",PASS
+nim,10.x.x.x,"Implements CIS Recommendation 4.3.3: Ensure filters are active.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecfilter",PASS
+Processedrules=200      Passedrules=149 Failedrules=51  Level=CISv2
+        Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
+</cli>
+{{:aix:CIS_IBM_AIX_7_Benchmark_v1.0.0.pdf|}}
+{{:aix:CIS_IBM_AIX_7_Benchmark_v1.0.0.xlsx|}}

wiki

User Tools

Site Tools

Differences

Page Tools