aix:powersc

aix:powersc [2024/09/11 16:20]
manu
aix:powersc [2025/08/06 11:54] (current)
manu
Line 1: Line 1:
 ====== AIX Security PowerSC centralized (CIS...) ====== ​ ====== AIX Security PowerSC centralized (CIS...) ====== ​
  
-https://​issuu.com/​realbjornroden/​docs/​ibm_powersc___aix_security_compliance+===== PowerSC Central Server =====
  
 +==== Server installation ====
 +
 +IBM PowerSC is a product to check security and compliance for AIX and Linux servers
 +
 +=== Requirements for server ===
 +
 +{{:​aix:​powersc01.png?​600}}
 +
 +Supported OS:
 +  * AIX 7.3
 +  * Linux RHEL9
 +
 +Filesystems:​
 +  * /​var/​log/​powersc
 +  * /​var/​powersc
 +  * /​opt/​powersc
 +  * /​etc/​security/​powersc
 +
 +<cli prompt='#'>​
 +[root@lnxpwrsc01 etc]# df -h | grep data
 +/​dev/​mapper/​datavg-opt_powersc ​        ​8.0G ​  ​89M ​ 7.9G   2% /​opt/​powersc
 +/​dev/​mapper/​datavg-var_powersc ​         20G  175M   ​20G ​  1% /​var/​powersc
 +/​dev/​mapper/​datavg-var_log_powersc ​     20G  175M   ​20G ​  1% /​var/​log/​powersc
 +/​dev/​mapper/​datavg-etc_secu_pwrsc ​     960M   ​39M ​ 922M   5% /​etc/​security/​powersc
 +</​cli>​
 +
 +Prerequisites installation (s-nail replace mailx in RHEL9):
 +<cli prompt='#'>​
 +[root@lnxpwrsc01 v2.2]# dnf -y install java-1.8.0-openjdk sendmail-cf s-nail
 +[root@lnxpwrsc01 v2.2]# dnf install perl-NetAddr-IP
 +</​cli>​
 +
 +Force install as **mailx** package is no more available
 +<cli prompt='#'>​
 +[root@lnxpwrsc01 v2.2]# pwd
 +/​tmp/​sources/​powersc/​v2.2
 +[root@lnxpwrsc01 v2.2]# dnf --skip-broken localinstall psad-3.0-1.x86_64.rpm
 +
 +[root@lnxpwrsc01 v2.2.0.4]# dnf localinstall psad-3.0-7.el9.x86_64.rpm
 +[root@lnxpwrsc01 v2.2.0.4]# dnf --skip-broken localinstall fapolicyd-1.1.7-1.sles15.x86_64.rpm
 +[root@lnxpwrsc01 v2.2.0.4]# dnf localinstall powersc-xerces-c-3.2.4-4.el9.x86_64.rpm
 +</​cli>​
 +
 +<cli prompt='#'>​
 +[root@lnxpwrsc01 v2.2.0.4]# ./​powersc-pscxpert-2.2.0.4-el9.x86_64.sh
 +x - created lock directory _sh3694117.
 +x - removed lock directory _sh3694117.
 +Verifying... ​                         #################################​ [100%]
 +Preparing... ​                         #################################​ [100%]
 +Updating / installing...
 +   ​1:​powersc-pscxpert-2.2.0.4-1.el9 ​  #################################​ [100%]
 +</​cli>​
 +
 +<cli prompt='#'>​
 +[root@lnxpwrsc01 v2.2.0.4]# ./​powersc-uiServer-2.2.0.4-el9.x86_64.sh
 +x - created lock directory _sh3696241.
 +x - removed lock directory _sh3696241.
 +Verifying... ​                         #################################​ [100%]
 +Preparing... ​                         #################################​ [100%]
 +Updating / installing...
 +   ​1:​powersc-uiServer-2.2.0.4-1.el9 ​  #################################​ [100%]
 +</​cli>​
 +
 +<cli prompt='#'>​
 +[root@lnxpwrsc01 powersc]# cat /​var/​log/​powersc/​uiServer/​pscUIServer_install.log
 +webApps/​ws/​usage/​en/​systems/​delete/​index.html
 +webApps/​ws/​usage/​en/​systems/​index.html
 +logonGroupList=security
 +security=*
 +Certificate was added to keystore
 +Certificate was added to keystore
 +Copy /​etc/​security/​powersc/​uiServer/​endpointTruststore.p12 to /​etc/​security/​powersc/​uiAgent/​endpointTruststore.p12 on every endpoint.
 +Certificate stored in file </​etc/​security/​powersc/​uiServer/​psc_signing_cert.pem>​
 +Certificate was added to keystore
 +httpPort=80
 +httpsPort=443
 +Created symlink /​etc/​systemd/​system/​multi-user.target.wants/​powersc-uiServer.service → /​usr/​lib/​systemd/​system/​powersc-uiServer.service.
 +</​cli>​
 +Start PowerSC server
 +<cli prompt='#'>​
 +[root@lnxpwrsc01 v2.2.0.4]# systemctl status powersc-uiServer.service
 +● powersc-uiServer.service - PowerSC UI Server
 +     ​Loaded:​ loaded (/​usr/​lib/​systemd/​system/​powersc-uiServer.service;​ enabled; preset: disabled)
 +     ​Active:​ active (running) since Tue 2025-07-15 16:19:42 CEST; 1min 49s ago
 +   Main PID: 16985 (uiServer.sh)
 +      Tasks: 165 (limit: 100413)
 +     ​Memory:​ 731.2M
 +        CPU: 12.650s
 +     ​CGroup:​ /​system.slice/​powersc-uiServer.service
 +             ​├─16985 /bin/sh /​opt/​powersc/​uiServer/​bin/​uiServer.sh
 +             ​└─17269 /​opt/​powersc/​uiServer/​bin/​uiserver /​usr/​lib/​jvm/​java-1.8.0-openjdk-1.8.0.452.b09-3.el9.x86_64/​jre /​opt/​powersc/​uiS>​
 +
 +Jul 15 16:19:42 lnxpwrsc01 systemd[1]: Started PowerSC UI Server.
 +Jul 15 16:19:42 lnxpwrsc01 uiServer.sh[16985]:​ Starting PowerSC UI server with maximum memory allocation of 2000, and redirecting the o>
 +Jul 15 16:19:43 lnxpwrsc01 uiServer.sh[17269]:​ log file: /​var/​log/​powersc/​uiServer/​pscuiserver_2025-07-15_16-19.43.0.log
 +</​cli>​
 +
 +=== Add groups to login to Web GUI ===
 +
 +<cli prompt='#'>​
 +[root@lnxpwrsc01 powersc]# groupadd -g 10000 powersc
 +
 +[root@lnxpwrsc01 powersc]# grep powersc /etc/group
 +powersc:​x:​10000:​qualysagent
 +
 +[root@lnxpwrsc01 powersc]# pscuiserverctl set logonGroupList powersc
 +logonGroupList=powersc
 +
 +[root@lnxpwrsc01 powersc]# pscuiserverctl set administratorGroupList powersc
 +administratorGroupList=powersc
 +</​cli>​
 +
 +<cli prompt='#'>​
 +[root@lnxpwrsc01 powersc]# pscuiserverctl set bindAddress 192.168.85.8
 +bindAddress=192.168.1.2
 +
 +[root@lnxpwrsc01 powersc]# cat /​etc/​security/​powersc/​uiServer/​uiServer.conf.properties
 +logonGroupList=powersc
 +httpPort=80
 +httpsPort=443
 +administratorGroupList=powersc
 +bindAddress=192.168.1.2
 +</​cli>​
 +
 +=== Creating more security certificates ===
 +
 +By using the IBM PowerSC GUI server, you can use shell scripts to create or import security
 +certificates that can be found in the /​opt/​powersc/​uiServer/​bin/​ directory:
 +  generate_server_keystore_uiServer.sh
 +  generate_signing_keystore_uiServer.sh
 +  generate_endpoint_keystore_uiServer.sh
 +  import_well_known_certificate_uiServer.sh
 +  convertProfileToBean.sh
 +  ​
 +===== Register a new host (endpoint) on PowerSC Server UI =====
 +
 +{{:​aix:​powersc_gui01.png?​600|}}
 +
 +{{:​aix:​powersc_gui02.png?​600|}}
 +
 +You have first to verify and validate your new endpoint
 +
 +{{:​aix:​powersc_gui03.png?​600|}}
 +
 +===== PowerSC standalone command line =====
  
 Requirement for AIX Requirement for AIX
   installing **powerscStd** package (included in AIX 7.2 / 7.3 Entreprise edition)   installing **powerscStd** package (included in AIX 7.2 / 7.3 Entreprise edition)
-  ​+ 
 +<cli prompt='>'>​ 
 +root@nim ~ > lslpp -Lc | grep -i powersc 
 +powerscStd.ice:​powerscStd.ice:​2.2.0.0:​ : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/: 
 +powerscStd.license:​powerscStd.license:​7.1.3.0:​ : :C: :PowerSC Standard Edition: : : : : : :0:0:/: 
 +powerscStd.msg:​powerscStd.msg.en_US:​2.2.0.0:​ : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/: 
 +</​cli>​ 
 Provides security and compliance profiles for: Provides security and compliance profiles for:
   * DoD – Department of Defense STIG   * DoD – Department of Defense STIG
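Review bot: the `bindAddress` step near the end of this hunk is inconsistent: `pscuiserverctl set bindAddress 192.168.85.8` is answered with `bindAddress=192.168.1.2`, and the same 192.168.1.2 is what `uiServer.conf.properties` then shows, so either the command was run with a different address than the one recorded or one of the two values was anonymised; they should agree, because bindAddress decides on which interface the GUI listens (ports 80 and 443 per the install log, and whether plain HTTP on 80 should stay enabled is worth a sentence). The group step just above has the same kind of gap: `groupadd -g 10000 powersc` is immediately followed by `grep powersc /etc/group` showing `powersc:x:10000:qualysagent`, so a member appears without any usermod being shown; since both `logonGroupList` and `administratorGroupList` are set to this group, every member of it gets administrator rights in the UI, so that membership (and whether it was intended) deserves an explicit line. Two smaller points in the prerequisites: psad is installed twice (`psad-3.0-1.x86_64.rpm` with `--skip-broken`, then `psad-3.0-7.el9.x86_64.rpm`) and fapolicyd comes from a `sles15` build with `--skip-broken`, which silently drops unmet dependencies, so state which psad package is the one to keep and which dependency (mailx, replaced by s-nail) was skipped and how it was verified to still work; and the install log's instruction to copy `endpointTruststore.p12` to every endpoint is not followed by a step that does it, so the endpoint registration section later in the page has no reference for where that file comes from.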
Line 16: Line 168:
   * additionnal like CIS, and predefined aixpert policies   * additionnal like CIS, and predefined aixpert policies
     ​     ​
-===== Apply the accurate policy ​=====+==== Apply the accurate policy ====
  
 Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice) Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice)
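Review bot: demoting this heading from `=====` to `====` correctly nests it under the new "PowerSC standalone command line" section, but the unchanged context line just above still reads "additionnal" (additional); worth correcting while this section is being touched.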
Line 38: Line 190:
 Now you are able to change some parameters for example maxage and then apply it using **-f** option Now you are able to change some parameters for example maxage and then apply it using **-f** option
  
-===== Check compliance to applied policy ​=====+==== Check compliance to applied policy ====
  
 Alternative is to use a client PowerSC (apply the right security level) (/​etc/​security/​aixpert/​core/​appliedaixpert.xml) Alternative is to use a client PowerSC (apply the right security level) (/​etc/​security/​aixpert/​core/​appliedaixpert.xml)
Line 63: Line 215:
 </​cli>​ </​cli>​
  
-===== Check CIS policy ​=====+==== Check CIS policy ====
  
 Compare current settings to CISv2 level 1 Compare current settings to CISv2 level 1
 <cli prompt='#'>​ <cli prompt='#'>​
-root@nim ~pscxpert -c -P /​etc/​security/​aixpert/​custom/​CISv2_Lev1.xml -p -r+root@nim ~pscxpert -c -P /​etc/​security/​aixpert/​custom/​CISv2_Lev1.xml -p -r
 Processing cisv2_sysintegrity : failed. Processing cisv2_sysintegrity : failed.
 Processing cisv2_brokenlinks : failed. Processing cisv2_brokenlinks : failed.
Line 80: Line 232:
 Check the CSV report Check the CSV report
 <cli prompt='#'>​ <cli prompt='#'>​
-root@nim ~cat /​etc/​security/​aixpert/​check_report.txt+root@nim ~cat /​etc/​security/​aixpert/​check_report.txt
 ... ...
 nim,​10.x.x.x,"​Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/​etc/​security/​pscexpert/​bin/​chusrattr umask=27 ALL cisv1_umask",​FAIL,"​ The attribute umask for user root should have value 27, but it is 22. nim,​10.x.x.x,"​Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/​etc/​security/​pscexpert/​bin/​chusrattr umask=27 ALL cisv1_umask",​FAIL,"​ The attribute umask for user root should have value 27, but it is 22.
Line 96: Line 248:
 </​cli>​ </​cli>​
  
 +{{:​aix:​CIS_IBM_AIX_7_Benchmark_v1.0.0.pdf|}}
  
 +{{:​aix:​CIS_IBM_AIX_7_Benchmark_v1.0.0.xlsx|}}
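Review bot: the two attachments added here are the CIS IBM AIX 7 Benchmark v1.0.0 (PDF and XLSX), while the check in the preceding hunk runs against `/etc/security/aixpert/custom/CISv2_Lev1.xml` and the report lines are named `cisv2_sysintegrity`, `cisv2_brokenlinks` and `cisv1_umask`; say which benchmark version the CISv2_Lev1 profile implements, otherwise a reader matching FAIL lines from `check_report.txt` (for example "CIS Recommendation 3.3") against the attached v1.0.0 spreadsheet may be comparing different recommendation numbers.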
aix/powersc.1726064419.txt.gz · Last modified: 2024/09/11 16:20 by manu