Differences

This shows you the differences between two versions of the page.

--- aix:powersc [2024/09/06 23:49]
manu [Apply the accurate policy]
+++ aix:powersc [2025/08/06 11:54] (current)
manu
@@ Line 1: / Line 1: @@
 ====== AIX Security PowerSC centralized (CIS...) ======
-===== Apply the accurate policy =====
+===== PowerSC Central Server =====
-Alternative is to use a client PowerSC (apply the right security level)
+==== Server installation ====
+IBM PowerSC is a product to check security and compliance for AIX and Linux servers
+=== Requirements for server ===
+{{:aix:powersc01.png?600}}
+Supported OS:
+  * AIX 7.3
+  * Linux RHEL9
+Filesystems:
+  * /var/log/powersc
+  * /var/powersc
+  * /opt/powersc
+  * /etc/security/powersc
+<cli prompt='#'>
+[root@lnxpwrsc01 etc]# df -h | grep data
+/dev/mapper/datavg-opt_powersc         8.0G   89M  7.9G   2% /opt/powersc
+/dev/mapper/datavg-var_powersc          20G  175M   20G   1% /var/powersc
+/dev/mapper/datavg-var_log_powersc      20G  175M   20G   1% /var/log/powersc
+/dev/mapper/datavg-etc_secu_pwrsc      960M   39M  922M   5% /etc/security/powersc
+</cli>
+Prerequisites installation (s-nail replace mailx in RHEL9):
+<cli prompt='#'>
+[root@lnxpwrsc01 v2.2]# dnf -y install java-1.8.0-openjdk sendmail-cf s-nail
+[root@lnxpwrsc01 v2.2]# dnf install perl-NetAddr-IP
+</cli>
+Force install as **mailx** package is no more available
+<cli prompt='#'>
+[root@lnxpwrsc01 v2.2]# pwd
+/tmp/sources/powersc/v2.2
+[root@lnxpwrsc01 v2.2]# dnf --skip-broken localinstall psad-3.0-1.x86_64.rpm
+[root@lnxpwrsc01 v2.2.0.4]# dnf localinstall psad-3.0-7.el9.x86_64.rpm
+[root@lnxpwrsc01 v2.2.0.4]# dnf --skip-broken localinstall fapolicyd-1.1.7-1.sles15.x86_64.rpm
+[root@lnxpwrsc01 v2.2.0.4]# dnf localinstall powersc-xerces-c-3.2.4-4.el9.x86_64.rpm
+</cli>
+<cli prompt='#'>
+[root@lnxpwrsc01 v2.2.0.4]# ./powersc-pscxpert-2.2.0.4-el9.x86_64.sh
+x - created lock directory _sh3694117.
+x - removed lock directory _sh3694117.
+Verifying...                          ################################# [100%]
+Preparing...                          ################################# [100%]
+Updating / installing...
+:powersc-pscxpert-2.2.0.4-1.el9   ################################# [100%]
+</cli>
+<cli prompt='#'>
+[root@lnxpwrsc01 v2.2.0.4]# ./powersc-uiServer-2.2.0.4-el9.x86_64.sh
+x - created lock directory _sh3696241.
+x - removed lock directory _sh3696241.
+Verifying...                          ################################# [100%]
+Preparing...                          ################################# [100%]
+Updating / installing...
+:powersc-uiServer-2.2.0.4-1.el9   ################################# [100%]
+</cli>
+<cli prompt='#'>
+[root@lnxpwrsc01 powersc]# cat /var/log/powersc/uiServer/pscUIServer_install.log
+webApps/ws/usage/en/systems/delete/index.html
+webApps/ws/usage/en/systems/index.html
+logonGroupList=security
+security=*
+Certificate was added to keystore
+Certificate was added to keystore
+Copy /etc/security/powersc/uiServer/endpointTruststore.p12 to /etc/security/powersc/uiAgent/endpointTruststore.p12 on every endpoint.
+Certificate stored in file </etc/security/powersc/uiServer/psc_signing_cert.pem>
+Certificate was added to keystore
+httpPort=80
+httpsPort=443
+Created symlink /etc/systemd/system/multi-user.target.wants/powersc-uiServer.service → /usr/lib/systemd/system/powersc-uiServer.service.
+</cli>
+Start PowerSC server
+<cli prompt='#'>
+[root@lnxpwrsc01 v2.2.0.4]# systemctl status powersc-uiServer.service
+● powersc-uiServer.service - PowerSC UI Server
+     Loaded: loaded (/usr/lib/systemd/system/powersc-uiServer.service; enabled; preset: disabled)
+     Active: active (running) since Tue 2025-07-15 16:19:42 CEST; 1min 49s ago
+   Main PID: 16985 (uiServer.sh)
+      Tasks: 165 (limit: 100413)
+     Memory: 731.2M
+        CPU: 12.650s
+     CGroup: /system.slice/powersc-uiServer.service
+             ├─16985 /bin/sh /opt/powersc/uiServer/bin/uiServer.sh
+             └─17269 /opt/powersc/uiServer/bin/uiserver /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.452.b09-3.el9.x86_64/jre /opt/powersc/uiS>
+Jul 15 16:19:42 lnxpwrsc01 systemd[1]: Started PowerSC UI Server.
+Jul 15 16:19:42 lnxpwrsc01 uiServer.sh[16985]: Starting PowerSC UI server with maximum memory allocation of 2000, and redirecting the o>
+Jul 15 16:19:43 lnxpwrsc01 uiServer.sh[17269]: log file: /var/log/powersc/uiServer/pscuiserver_2025-07-15_16-19.43.0.log
+</cli>
+=== Add groups to login to Web GUI ===
+<cli prompt='#'>
+[root@lnxpwrsc01 powersc]# groupadd -g 10000 powersc
+[root@lnxpwrsc01 powersc]# grep powersc /etc/group
+powersc:x:10000:qualysagent
+[root@lnxpwrsc01 powersc]# pscuiserverctl set logonGroupList powersc
+logonGroupList=powersc
+[root@lnxpwrsc01 powersc]# pscuiserverctl set administratorGroupList powersc
+administratorGroupList=powersc
+</cli>
+<cli prompt='#'>
+[root@lnxpwrsc01 powersc]# pscuiserverctl set bindAddress 192.168.85.8
+bindAddress=192.168.1.2
+[root@lnxpwrsc01 powersc]# cat /etc/security/powersc/uiServer/uiServer.conf.properties
+logonGroupList=powersc
+httpPort=80
+httpsPort=443
+administratorGroupList=powersc
+bindAddress=192.168.1.2
+</cli>
+=== Creating more security certificates ===
+By using the IBM PowerSC GUI server, you can use shell scripts to create or import security
+certificates that can be found in the /opt/powersc/uiServer/bin/ directory:
+  generate_server_keystore_uiServer.sh
+  generate_signing_keystore_uiServer.sh
+  generate_endpoint_keystore_uiServer.sh
+  import_well_known_certificate_uiServer.sh
+  convertProfileToBean.sh
+===== Register a new host (endpoint) on PowerSC Server UI =====
+{{:aix:powersc_gui01.png?600|}}
+{{:aix:powersc_gui02.png?600|}}
+You have first to verify and validate your new endpoint
+{{:aix:powersc_gui03.png?600|}}
+===== PowerSC standalone command line =====
+Requirement for AIX
+  installing **powerscStd** package (included in AIX 7.2 / 7.3 Entreprise edition)
+<cli prompt='>'>
+root@nim ~ > lslpp -Lc | grep -i powersc
+powerscStd.ice:powerscStd.ice:2.2.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/:
+powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/:
+powerscStd.msg:powerscStd.msg.en_US:2.2.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/:
+</cli>
+Provides security and compliance profiles for:
+  * DoD – Department of Defense STIG
+  * HIPAA – Health Insurance Portability and Accountability Act
+  * NERC – North American Electric Reliability Corporation compliance
+  * PCIv3 – The Payment Card Industry – Data Security Standard
+  * SOX-COBIT – Sarbanes-Oxley Act and COBIT compliance
+  * Database – Provides general purpose database security hardening
+  * additionnal like CIS, and predefined aixpert policies
+==== Apply the accurate policy ====
+Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice)
 <cli prompt='#'>
 # pscxpert -f /etc/security/aixpert/custom/CISv1.xml 	CIS Security Benchmark for AIX 7.1
@@ Line 11: / Line 178: @@
 </cli>
-===== Check compliance to applied policy =====
+Or apply a predefined level (-p verbose mode)
+<cli prompt='#'>
+# pscxpert -l medium -p
+</cli>
+Dump an aixpert default level, in order to modify it and apply then using PowerSC
+<cli prompt='#'>
+# pscxpert -l high -n /etc/security/aixpert/custom/mycustomfile.xml
+</cli>
+Now you are able to change some parameters for example maxage and then apply it using **-f** option
+==== Check compliance to applied policy ====
 Alternative is to use a client PowerSC (apply the right security level) (/etc/security/aixpert/core/appliedaixpert.xml)
@@ Line 18: / Line 197: @@
 </cli>
 Report is produced in /etc/security/aixpert/check_report.txt
+To display the security profile applied:
+<cli prompt='#'>
+# pscxpert -t
+</cli>
 Compare to a custom security level with a specific Profile
@@ Line 31: / Line 215: @@
 </cli>
+==== Check CIS policy ====
+Compare current settings to CISv2 level 1
+<cli prompt='#'>
+root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv2_Lev1.xml -p -r
+Processing cisv2_sysintegrity : failed.
+Processing cisv2_brokenlinks : failed.
+Processing cisv2_find_worldwritables : failed.
+Processing cisv2_find_staffwritables :done.
+...
+Processing cisv2_ipsecfilter :done.
+Processedrules=200      Passedrules=149 Failedrules=51  Level=CISv2
+        Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
+</cli>
+Check the CSV report
+<cli prompt='#'>
+root@nim ~# cat /etc/security/aixpert/check_report.txt
+...
+nim,10.x.x.x,"Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/etc/security/pscexpert/bin/chusrattr umask=27 ALL cisv1_umask",FAIL," The attribute umask for user root should have value 27, but it is 22.
+ The attribute umask for user srvproxy should have value 27, but it is 2.
+ The attribute umask for user esaadmin should have value 27, but it is 22.
+"
+nim,10.x.x.x,"Implements CIS Recommendation 7.2: Install flrtvc tool.","/etc/security/pscexpert/dodv7/checkcmd flrtvc.ksh",PASS
+nim,10.x.x.x,"Implements CIS Recommendation 4.3.2: Ensure loopback is blocked on external interfaces.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecloopbk",PASS
+nim,10.x.x.x,"Implements CIS Recommendation 4.3.3: Ensure filters are active.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecfilter",PASS
+Processedrules=200      Passedrules=149 Failedrules=51  Level=CISv2
+        Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
+</cli>
+{{:aix:CIS_IBM_AIX_7_Benchmark_v1.0.0.pdf|}}
+{{:aix:CIS_IBM_AIX_7_Benchmark_v1.0.0.xlsx|}}

wiki

User Tools

Site Tools

Differences

Page Tools