This shows you the differences between two versions of the page.
aix:powersc [2025/04/01 15:04] manu [Check CIS policy] |
aix:powersc [2025/10/01 15:40] (current) manu [Server installation] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== AIX Security PowerSC centralized (CIS...) ====== | ====== AIX Security PowerSC centralized (CIS...) ====== | ||
| - | https://issuu.com/realbjornroden/docs/ibm_powersc___aix_security_compliance | + | ===== PowerSC Central Server ===== |
| + | ==== Server installation ==== | ||
| + | |||
| + | IBM PowerSC is a product to check security and compliance for AIX and Linux servers | ||
| + | |||
| + | {{aix:powersc01.png?600}} | ||
| + | |||
| + | === Requirements for server === | ||
| + | |||
| + | |||
| + | Supported OS: | ||
| + | * AIX 7.3 | ||
| + | * Linux RHEL9 | ||
| + | |||
| + | Filesystems: | ||
| + | * /var/log/powersc | ||
| + | * /var/powersc | ||
| + | * /opt/powersc | ||
| + | * /etc/security/powersc | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 etc]# df -h | grep data | ||
| + | /dev/mapper/datavg-opt_powersc 8.0G 89M 7.9G 2% /opt/powersc | ||
| + | /dev/mapper/datavg-var_powersc 20G 175M 20G 1% /var/powersc | ||
| + | /dev/mapper/datavg-var_log_powersc 20G 175M 20G 1% /var/log/powersc | ||
| + | /dev/mapper/datavg-etc_secu_pwrsc 960M 39M 922M 5% /etc/security/powersc | ||
| + | </cli> | ||
| + | |||
| + | Prerequisites installation (s-nail replace mailx in RHEL9): | ||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 v2.2]# dnf -y install java-1.8.0-openjdk sendmail-cf s-nail | ||
| + | [root@lnxpwrsc01 v2.2]# dnf install perl-NetAddr-IP | ||
| + | </cli> | ||
| + | |||
| + | Force install as **mailx** package is no more available | ||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 v2.2]# pwd | ||
| + | /tmp/sources/powersc/v2.2 | ||
| + | [root@lnxpwrsc01 v2.2]# dnf --skip-broken localinstall psad-3.0-1.x86_64.rpm | ||
| + | |||
| + | [root@lnxpwrsc01 v2.2.0.4]# dnf localinstall psad-3.0-7.el9.x86_64.rpm | ||
| + | [root@lnxpwrsc01 v2.2.0.4]# dnf --skip-broken localinstall fapolicyd-1.1.7-1.sles15.x86_64.rpm | ||
| + | [root@lnxpwrsc01 v2.2.0.4]# dnf localinstall powersc-xerces-c-3.2.4-4.el9.x86_64.rpm | ||
| + | </cli> | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 v2.2.0.4]# ./powersc-pscxpert-2.2.0.4-el9.x86_64.sh | ||
| + | x - created lock directory _sh3694117. | ||
| + | x - removed lock directory _sh3694117. | ||
| + | Verifying... ################################# [100%] | ||
| + | Preparing... ################################# [100%] | ||
| + | Updating / installing... | ||
| + | 1:powersc-pscxpert-2.2.0.4-1.el9 ################################# [100%] | ||
| + | </cli> | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 v2.2.0.4]# ./powersc-uiServer-2.2.0.4-el9.x86_64.sh | ||
| + | x - created lock directory _sh3696241. | ||
| + | x - removed lock directory _sh3696241. | ||
| + | Verifying... ################################# [100%] | ||
| + | Preparing... ################################# [100%] | ||
| + | Updating / installing... | ||
| + | 1:powersc-uiServer-2.2.0.4-1.el9 ################################# [100%] | ||
| + | </cli> | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 powersc]# cat /var/log/powersc/uiServer/pscUIServer_install.log | ||
| + | webApps/ws/usage/en/systems/delete/index.html | ||
| + | webApps/ws/usage/en/systems/index.html | ||
| + | logonGroupList=security | ||
| + | security=* | ||
| + | Certificate was added to keystore | ||
| + | Certificate was added to keystore | ||
| + | Copy /etc/security/powersc/uiServer/endpointTruststore.p12 to /etc/security/powersc/uiAgent/endpointTruststore.p12 on every endpoint. | ||
| + | Certificate stored in file </etc/security/powersc/uiServer/psc_signing_cert.pem> | ||
| + | Certificate was added to keystore | ||
| + | httpPort=80 | ||
| + | httpsPort=443 | ||
| + | Created symlink /etc/systemd/system/multi-user.target.wants/powersc-uiServer.service → /usr/lib/systemd/system/powersc-uiServer.service. | ||
| + | </cli> | ||
| + | Start PowerSC server | ||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 v2.2.0.4]# systemctl status powersc-uiServer.service | ||
| + | ● powersc-uiServer.service - PowerSC UI Server | ||
| + | Loaded: loaded (/usr/lib/systemd/system/powersc-uiServer.service; enabled; preset: disabled) | ||
| + | Active: active (running) since Tue 2025-07-15 16:19:42 CEST; 1min 49s ago | ||
| + | Main PID: 16985 (uiServer.sh) | ||
| + | Tasks: 165 (limit: 100413) | ||
| + | Memory: 731.2M | ||
| + | CPU: 12.650s | ||
| + | CGroup: /system.slice/powersc-uiServer.service | ||
| + | ├─16985 /bin/sh /opt/powersc/uiServer/bin/uiServer.sh | ||
| + | └─17269 /opt/powersc/uiServer/bin/uiserver /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.452.b09-3.el9.x86_64/jre /opt/powersc/uiS> | ||
| + | |||
| + | Jul 15 16:19:42 lnxpwrsc01 systemd[1]: Started PowerSC UI Server. | ||
| + | Jul 15 16:19:42 lnxpwrsc01 uiServer.sh[16985]: Starting PowerSC UI server with maximum memory allocation of 2000, and redirecting the o> | ||
| + | Jul 15 16:19:43 lnxpwrsc01 uiServer.sh[17269]: log file: /var/log/powersc/uiServer/pscuiserver_2025-07-15_16-19.43.0.log | ||
| + | </cli> | ||
| + | |||
| + | === Add groups to login to Web GUI === | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 powersc]# groupadd -g 10000 powersc | ||
| + | |||
| + | [root@lnxpwrsc01 powersc]# grep powersc /etc/group | ||
| + | powersc:x:10000:qualysagent | ||
| + | |||
| + | [root@lnxpwrsc01 powersc]# pscuiserverctl set logonGroupList powersc,root | ||
| + | logonGroupList=powersc,root | ||
| + | |||
| + | [root@lnxpwrsc01 powersc]# pscuiserverctl set administratorGroupList powersc,root | ||
| + | administratorGroupList=powersc,root | ||
| + | </cli> | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 powersc]# pscuiserverctl set bindAddress 192.168.85.8 | ||
| + | bindAddress=192.168.1.2 | ||
| + | |||
| + | [root@lnxpwrsc01 powersc]# cat /etc/security/powersc/uiServer/uiServer.conf.properties | ||
| + | logonGroupList=powersc,root | ||
| + | httpPort=80 | ||
| + | httpsPort=443 | ||
| + | administratorGroupList=powersc,root | ||
| + | bindAddress=192.168.1.2 | ||
| + | powervcKeystoneUrl=https://lnxpwrsc01.test.lu/ | ||
| + | </cli> | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 powersc]# cat /etc/security/powersc/uiServer/groups.txt | ||
| + | security=* | ||
| + | pscadm=* | ||
| + | powersc=* | ||
| + | </cli> | ||
| + | |||
| + | === Creating more security certificates === | ||
| + | |||
| + | By using the IBM PowerSC GUI server, you can use shell scripts to create or import security | ||
| + | certificates that can be found in the /opt/powersc/uiServer/bin/ directory: | ||
| + | generate_server_keystore_uiServer.sh | ||
| + | generate_signing_keystore_uiServer.sh | ||
| + | generate_endpoint_keystore_uiServer.sh | ||
| + | import_well_known_certificate_uiServer.sh | ||
| + | convertProfileToBean.sh | ||
| + | | ||
| + | ===== Register a new host (endpoint) on PowerSC Server UI ===== | ||
| + | |||
| + | === On AIX === | ||
| + | |||
| + | Install the following packages using smit installp | ||
| + | <cli prompt='>'> | ||
| + | root@nim /var/log/powersc/uiAgent> lslpp -Lc | grep powersc | ||
| + | powerscStd.ice:powerscStd.ice:2.3.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/: | ||
| + | powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/: | ||
| + | powerscStd.msg:powerscStd.msg.en_US:2.3.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/: | ||
| + | powerscStd.uiAgent:powerscStd.uiAgent.rte:2.3.0.0: : :C: :PowerSC User Interface Agent: : : : : : :0:0:/: | ||
| + | </cli> | ||
| + | |||
| + | From /etc/security/powersc/uiAgent remove endpointTruststore and endpointKeystore files if you have any other files Truststore/ KeyStore please remove it. | ||
| + | |||
| + | Copy only **endpointTruststore.p12** from (server) /etc/security/powersc/uiServer to /etc/security/powersc/uiAgent\\ | ||
| + | Now restart the agent | ||
| + | |||
| + | To start the Agent on AIX: | ||
| + | <cli prompt='>'> | ||
| + | root@nim /var/log/powersc/uiAgent> lssrc -s pscuiagent | ||
| + | Subsystem Group PID Status | ||
| + | pscuiagent 12517660 active | ||
| + | root@nim /var/log/powersc/uiAgent> stopsrc -s pscuiagent | ||
| + | 0513-044 The pscuiagent Subsystem was requested to stop. | ||
| + | root@nim /var/log/powersc/uiAgent> startsrc -s pscuiagent | ||
| + | 0513-059 The pscuiagent Subsystem has been started. Subsystem PID is 12517662. | ||
| + | </cli> | ||
| + | |||
| + | For info logs are available in /var/log/powersc/uiAgent | ||
| + | |||
| + | === On PowerSC server === | ||
| + | |||
| + | On the UI go to Endpint Admin--> KeyStore Request, select it and generate new keystore\\ | ||
| + | Now you check whether the client is connected. | ||
| + | |||
| + | {{:aix:powersc_gui01.png?600|}} | ||
| + | |||
| + | {{:aix:powersc_gui02.png?600|}} | ||
| + | |||
| + | You have first to verify and validate your new endpoint | ||
| + | |||
| + | {{:aix:powersc_gui03.png?600|}} | ||
| + | |||
| + | ===== PowerSC standalone command line ===== | ||
| Requirement for AIX | Requirement for AIX | ||
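Review bot: in the "Add groups to login to Web GUI" block the listing `powersc:x:10000:qualysagent` shows the freshly created `powersc` group already carrying the `qualysagent` member, so a scanner service account would inherit both GUI logon and administrator rights once `logonGroupList` and `administratorGroupList` are both set to `powersc,root`; a group created by `groupadd -g 10000 powersc` on the same host has no members, so either the output was captured elsewhere or the group pre-existed. Suggest using two distinct groups (viewers for `logonGroupList`, a smaller one for `administratorGroupList`) and showing the empty group as created. Two inconsistencies in the same hunk should be resolved before readers copy them: `pscuiserverctl set bindAddress 192.168.85.8` is answered with `bindAddress=192.168.1.2`, and the prerequisites install psad twice (a `psad-3.0-1` rpm with `--skip-broken` from the v2.2 directory, then `psad-3.0-7.el9` from v2.2.0.4) plus a SLES-built `fapolicyd-1.1.7-1.sles15` rpm on RHEL 9 with `--skip-broken`, which silently drops unmet dependencies and bypasses the distribution's dependency checks; keep only the sequence actually used for 2.2.0.4. The AIX endpoint section lists `powerscStd.uiAgent 2.3.0.0` against a 2.2.0.4 server, so state whether that mix is supported or align the versions. Minor wording: "is no more available" should be "is no longer available", "Endpint Admin" should be "Endpoint Admin", and the sentence starting "From /etc/security/powersc/uiAgent remove endpointTruststore and endpointKeystore files" should be split into two sentences.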
| Line 22: | Line 210: | ||
| * Database – Provides general purpose database security hardening | * Database – Provides general purpose database security hardening | ||
| * additionnal like CIS, and predefined aixpert policies | * additionnal like CIS, and predefined aixpert policies | ||
| - | | + | |
| - | ===== Apply the accurate policy ===== | + | Consider the following recommendations, as specified in https://www.cisecurity.org/benchmark/ibm_aix/: |
| + | * Level 1 benchmark recommendations are intended to: | ||
| + | <code> | ||
| + | Be practical and prudent | ||
| + | Provide a clear security benefit | ||
| + | Do not inhibit the utility of the technology beyond acceptable means | ||
| + | </code> | ||
| + | * Level 2 benchmark recommendations exhibit one or more of the following characteristics: | ||
| + | <code> | ||
| + | Are intended for environments or use cases where security is paramount | ||
| + | Acts as defense in depth measure | ||
| + | May negatively inhibit the utility or performance of the technology | ||
| + | </code> | ||
| + | |||
| + | **<color #ed1c24>Best practice for AIX is to use CISv3_Lev1.xml</color>**, it combine the best practice for AIX 7.2 and 7.3 | ||
| + | ==== Apply the accurate policy ==== | ||
| Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice) | Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice) | ||
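Review bot: the recommendation line "Best practice for AIX is to use CISv3_Lev1.xml, it combine the best practice for AIX 7.2 and 7.3" needs "it combines" and should say what CISv3 refers to (the CIS benchmark edition whose profile covers both AIX 7.2 and 7.3, as the later pscxpert list implies) and which PowerSC level ships that file, since the quoted Level 1 and Level 2 definitions from cisecurity.org carry no benchmark version or date and will drift from the site over time. The unchanged context line above, "additionnal like CIS, and predefined aixpert policies", should read "additional, like CIS, and predefined aixpert policies".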
| Line 30: | Line 233: | ||
| # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml CIS Security Benchmark for AIX 7.2 | # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml CIS Security Benchmark for AIX 7.2 | ||
| # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml CIS Security Benchmark for AIX 7.2 | # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml CIS Security Benchmark for AIX 7.2 | ||
| + | # pscxpert -f /etc/security/aixpert/custom/CISv3_Lev1.xml CIS Security Benchmark for AIX 7 | ||
| + | # pscxpert -f /etc/security/aixpert/custom/CISv3_Lev2.xml CIS Security Benchmark for AIX 7 | ||
| # pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml General Data Protection Regulation (GDPR) | # pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml General Data Protection Regulation (GDPR) | ||
| </cli> | </cli> | ||
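Review bot: the two added entries describe `CISv3_Lev1.xml` and `CISv3_Lev2.xml` as "CIS Security Benchmark for AIX 7" while the existing v2 lines say "for AIX 7.2"; to match the recommendation earlier on the page, label the v3 files as covering AIX 7.2 and 7.3. Since every command in this list uses `pscxpert -f`, which applies the policy and changes the system, consider pointing readers to the check-only form used in "Check CIS policy" (`pscxpert -c -P ... -p -r`) before the apply commands.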
| Line 45: | Line 250: | ||
| Now you are able to change some parameters for example maxage and then apply it using **-f** option | Now you are able to change some parameters for example maxage and then apply it using **-f** option | ||
| - | ===== Check compliance to applied policy ===== | + | ==== Check compliance to applied policy ==== |
| Alternative is to use a client PowerSC (apply the right security level) (/etc/security/aixpert/core/appliedaixpert.xml) | Alternative is to use a client PowerSC (apply the right security level) (/etc/security/aixpert/core/appliedaixpert.xml) | ||
| Line 70: | Line 275: | ||
| </cli> | </cli> | ||
| - | ===== Check CIS policy ===== | + | ==== Check CIS policy ==== |
| Compare current settings to CISv2 level 1 | Compare current settings to CISv2 level 1 | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv2_Lev1.xml -p -r | + | root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv3_Lev1.xml -p -r |
| Processing cisv2_sysintegrity : failed. | Processing cisv2_sysintegrity : failed. | ||
| Processing cisv2_brokenlinks : failed. | Processing cisv2_brokenlinks : failed. | ||
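Review bot: the command was changed from `CISv2_Lev1.xml` to `CISv3_Lev1.xml`, but the lead sentence still says "Compare current settings to CISv2 level 1" and the output lines still show `cisv2_sysintegrity` and `cisv2_brokenlinks`, so the output was not re-captured after the change; either re-run the v3 check and paste its real output (rule names and pass/fail results) or revert the command so the three lines agree.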