This shows you the differences between two versions of the page.
| | aix:powersc [2025/08/06 11:54] manu | | aix:powersc [2025/10/01 15:40] (current) manu [Server installation] |
|---|---|---|---|
| Line 6: | Line 6: | ||
| IBM PowerSC is a product to check security and compliance for AIX and Linux servers | IBM PowerSC is a product to check security and compliance for AIX and Linux servers | ||
| + | |||
| + | {{aix:powersc01.png?600}} | ||
| === Requirements for server === | === Requirements for server === | ||
| - | {{:aix:powersc01.png?600}} | ||
| Supported OS: | Supported OS: | ||
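Review bot: the screenshot reference changes form as well as position: the added line uses `{{aix:powersc01.png?600}}` while the removed line and the later `{{:aix:powersc_gui01.png?600|}}` write the media ID with a leading colon. Pick one form for all images on the page; moving the picture above the `=== Requirements for server ===` heading so that it illustrates the product overview is fine.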
| Line 108: | Line 109: | ||
| powersc:x:10000:qualysagent | powersc:x:10000:qualysagent | ||
| - | [root@lnxpwrsc01 powersc]# pscuiserverctl set logonGroupList powersc | + | [root@lnxpwrsc01 powersc]# pscuiserverctl set logonGroupList powersc,root |
| - | logonGroupList=powersc | + | logonGroupList=powersc,root |
| - | [root@lnxpwrsc01 powersc]# pscuiserverctl set administratorGroupList powersc | + | [root@lnxpwrsc01 powersc]# pscuiserverctl set administratorGroupList powersc,root |
| - | administratorGroupList=powersc | + | administratorGroupList=powersc,root |
| </cli> | </cli> | ||
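Review bot: adding `root` to both `logonGroupList` and `administratorGroupList` (all four changed lines) widens who may administer the UI without the surrounding text saying why; every member of the root group, not only the root account, gains administrator rights on the PowerSC server. If this is only to let root log in while troubleshooting, say so and that it should be reverted; otherwise keep administration on a dedicated group such as the `powersc` group already shown (`powersc:x:10000:qualysagent`). Because the logon list and the administrator list are now identical, every user who can log on is also an administrator; if read-only users are wanted, the two lists have to differ.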
| Line 120: | Line 121: | ||
| [root@lnxpwrsc01 powersc]# cat /etc/security/powersc/uiServer/uiServer.conf.properties | [root@lnxpwrsc01 powersc]# cat /etc/security/powersc/uiServer/uiServer.conf.properties | ||
| - | logonGroupList=powersc | + | logonGroupList=powersc,root |
| httpPort=80 | httpPort=80 | ||
| httpsPort=443 | httpsPort=443 | ||
| - | administratorGroupList=powersc | + | administratorGroupList=powersc,root |
| bindAddress=192.168.1.2 | bindAddress=192.168.1.2 | ||
| + | powervcKeystoneUrl=https://lnxpwrsc01.test.lu/ | ||
| + | </cli> | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | [root@lnxpwrsc01 powersc]# cat /etc/security/powersc/uiServer/groups.txt | ||
| + | security=* | ||
| + | pscadm=* | ||
| + | powersc=* | ||
| </cli> | </cli> | ||
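Review bot: `powervcKeystoneUrl=https://lnxpwrsc01.test.lu/` is added to the properties file with no sentence explaining what it is for or how it was set; the hostname is the PowerSC server itself, so a reader cannot tell whether that is intended or a placeholder for a PowerVC host. The new `groups.txt` listing (`security=*`, `pscadm=*`, `powersc=*`) likewise needs a line saying what the `*` on the right-hand side grants and how these entries relate to `logonGroupList` and `administratorGroupList`. Since the full listing now shows `httpPort=80` beside `httpsPort=443`, state whether the plain-HTTP port is needed at all.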
| Line 138: | Line 147: | ||
| | | ||
| ===== Register a new host (endpoint) on PowerSC Server UI ===== | ===== Register a new host (endpoint) on PowerSC Server UI ===== | ||
| + | |||
| + | === On AIX === | ||
| + | |||
| + | Install the following packages using smit installp | ||
| + | <cli prompt='>'> | ||
| + | root@nim /var/log/powersc/uiAgent> lslpp -Lc | grep powersc | ||
| + | powerscStd.ice:powerscStd.ice:2.3.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/: | ||
| + | powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/: | ||
| + | powerscStd.msg:powerscStd.msg.en_US:2.3.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/: | ||
| + | powerscStd.uiAgent:powerscStd.uiAgent.rte:2.3.0.0: : :C: :PowerSC User Interface Agent: : : : : : :0:0:/: | ||
| + | </cli> | ||
| + | |||
| + | From /etc/security/powersc/uiAgent remove endpointTruststore and endpointKeystore files if you have any other files Truststore/ KeyStore please remove it. | ||
| + | |||
| + | Copy only **endpointTruststore.p12** from (server) /etc/security/powersc/uiServer to /etc/security/powersc/uiAgent\\ | ||
| + | Now restart the agent | ||
| + | |||
| + | To start the Agent on AIX: | ||
| + | <cli prompt='>'> | ||
| + | root@nim /var/log/powersc/uiAgent> lssrc -s pscuiagent | ||
| + | Subsystem Group PID Status | ||
| + | pscuiagent 12517660 active | ||
| + | root@nim /var/log/powersc/uiAgent> stopsrc -s pscuiagent | ||
| + | 0513-044 The pscuiagent Subsystem was requested to stop. | ||
| + | root@nim /var/log/powersc/uiAgent> startsrc -s pscuiagent | ||
| + | 0513-059 The pscuiagent Subsystem has been started. Subsystem PID is 12517662. | ||
| + | </cli> | ||
| + | |||
| + | For info logs are available in /var/log/powersc/uiAgent | ||
| + | |||
| + | === On PowerSC server === | ||
| + | |||
| + | On the UI go to Endpint Admin--> KeyStore Request, select it and generate new keystore\\ | ||
| + | Now you check whether the client is connected. | ||
| {{:aix:powersc_gui01.png?600|}} | {{:aix:powersc_gui01.png?600|}} | ||
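Review bot: the new procedure text needs tightening and its step order made explicit. `Endpint Admin` should read `Endpoint Admin`; the sentence beginning `From /etc/security/powersc/uiAgent remove endpointTruststore and endpointKeystore files ...` runs two instructions together and should simply say that any existing truststore or keystore files in that directory are removed before the server's `endpointTruststore.p12` is copied in. `Now restart the agent` and the following `To start the Agent on AIX:` describe the same `stopsrc`/`startsrc` sequence, so one of them can go. Finally, say what the operator should see after the restart: the text jumps to `KeyStore Request` on the server without stating whether the agent appears there as a pending request and whether a second agent restart is needed once the keystore has been generated. The `<cli prompt='>'>` blocks differ from the `<cli prompt='#'>` used elsewhere; fine if intentional, since the AIX prompt shown ends in `>`.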
| Line 167: | Line 210: | ||
| * Database – Provides general purpose database security hardening | * Database – Provides general purpose database security hardening | ||
| * additionnal like CIS, and predefined aixpert policies | * additionnal like CIS, and predefined aixpert policies | ||
| - | | + | |
| + | Consider the following recommendations, as specified in https://www.cisecurity.org/benchmark/ibm_aix/: | ||
| + | * Level 1 benchmark recommendations are intended to: | ||
| + | <code> | ||
| + | Be practical and prudent | ||
| + | Provide a clear security benefit | ||
| + | Do not inhibit the utility of the technology beyond acceptable means | ||
| + | </code> | ||
| + | * Level 2 benchmark recommendations exhibit one or more of the following characteristics: | ||
| + | <code> | ||
| + | Are intended for environments or use cases where security is paramount | ||
| + | Acts as defense in depth measure | ||
| + | May negatively inhibit the utility or performance of the technology | ||
| + | </code> | ||
| + | |||
| + | **<color #ed1c24>Best practice for AIX is to use CISv3_Lev1.xml</color>**, it combine the best practice for AIX 7.2 and 7.3 | ||
| ==== Apply the accurate policy ==== | ==== Apply the accurate policy ==== | ||
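Review bot: the two `<code>` blocks hold prose quoted from the CIS benchmark (the Level 1 and Level 2 characteristics), not commands or output, so they render as terminal-style boxes under a bullet; nested list items or a quote would read correctly. `it combine the best practice for AIX 7.2 and 7.3` should read `it combines ...`, and the unchanged line above still has `additionnal`. Since the quoted Level 2 text says those controls `May negatively inhibit the utility or performance of the technology`, the `CISv3_Lev1.xml` recommendation would be clearer if it said Level 1 is the baseline and Level 2 is applied only where the stricter controls are justified.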
| Line 175: | Line 233: | ||
| # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml CIS Security Benchmark for AIX 7.2 | # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml CIS Security Benchmark for AIX 7.2 | ||
| # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml CIS Security Benchmark for AIX 7.2 | # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml CIS Security Benchmark for AIX 7.2 | ||
| + | # pscxpert -f /etc/security/aixpert/custom/CISv3_Lev1.xml CIS Security Benchmark for AIX 7 | ||
| + | # pscxpert -f /etc/security/aixpert/custom/CISv3_Lev2.xml CIS Security Benchmark for AIX 7 | ||
| # pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml General Data Protection Regulation (GDPR) | # pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml General Data Protection Regulation (GDPR) | ||
| </cli> | </cli> | ||
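Review bot: the two added CISv3 entries are described as `CIS Security Benchmark for AIX 7` while the CISv2 lines above say `AIX 7.2` and the previous hunk states that CISv3 covers AIX 7.2 and 7.3. If these descriptions are hand-written, align them (`AIX 7.2 and 7.3`); if they are tool output, name the command that produced the list so the reader knows the wording is IBM's.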
| Line 219: | Line 279: | ||
| Compare current settings to CISv2 level 1 | Compare current settings to CISv2 level 1 | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv2_Lev1.xml -p -r | + | root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv3_Lev1.xml -p -r |
| Processing cisv2_sysintegrity : failed. | Processing cisv2_sysintegrity : failed. | ||
| Processing cisv2_brokenlinks : failed. | Processing cisv2_brokenlinks : failed. | ||
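Review bot: the command is changed to `CISv3_Lev1.xml`, but the introductory sentence above it still says `Compare current settings to CISv2 level 1` and the output that follows (`Processing cisv2_sysintegrity : failed.`, `Processing cisv2_brokenlinks : failed.`) is still from the CISv2 run, so the example no longer matches itself. Either rerun the check against CISv3_Lev1.xml, paste its output and update the sentence, or revert the command line.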