====== AIX Security PowerSC centralized (CIS...) ======
https://issuu.com/realbjornroden/docs/ibm_powersc___aix_security_compliance
Requirement for AIX: install the **powerscStd** package (included in AIX 7.2 / 7.3 Enterprise Edition)
root@nim ~ > lslpp -Lc | grep -i powersc
powerscStd.ice:powerscStd.ice:2.2.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/:
powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/:
powerscStd.msg:powerscStd.msg.en_US:2.2.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/:
Provides security and compliance profiles for:
* DoD – Department of Defense STIG
* HIPAA – Health Insurance Portability and Accountability Act
* NERC – North American Electric Reliability Corporation compliance
* PCIv3 – The Payment Card Industry – Data Security Standard
* SOX-COBIT – Sarbanes-Oxley Act and COBIT compliance
* Database – Provides general purpose database security hardening
* additional profiles such as CIS and GDPR, plus the predefined aixpert levels (low, medium, high)
===== Apply the appropriate policy =====
As an alternative to the centralized PowerSC management, the PowerSC client (package powerscStd.ice) can apply the required security level locally with pscxpert. Review a profile before applying it and work from a console session: the CIS profiles include IPsec filter rules (cisv2_ipsecfilter, cisv2_ipsecloopbk) that can affect network access.
CIS Security Benchmark for AIX 7.1:
# pscxpert -f /etc/security/aixpert/custom/CISv1.xml
CIS Security Benchmark for AIX 7.2, level 1:
# pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml
CIS Security Benchmark for AIX 7.2, level 2:
# pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml
General Data Protection Regulation (GDPR):
# pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml
Or apply a predefined level (**-p** for verbose output):
# pscxpert -l medium -p
To customise a predefined level, dump it to an XML file with **-n** (nothing is applied at this point):
# pscxpert -l high -n /etc/security/aixpert/custom/mycustomfile.xml
Edit the parameters you need in that file (for example maxage), then apply it with the **-f** option as above.
===== Check compliance with the applied policy =====
Check the system against the currently applied profile (recorded in /etc/security/aixpert/core/appliedaixpert.xml); this only reports, it changes nothing:
# pscxpert -c
The report is written to /etc/security/aixpert/check_report.txt
To display which security profile is currently applied:
# pscxpert -t
Check against a specific custom profile instead of the applied one:
# pscxpert -c -P /etc/security/aixpert/custom/mysecurity.xml
Add **-p -r** at the end for a verbose run that also writes the report in CSV format
Undo the applied security settings (**-p** for verbose output):
# pscxpert -u -p
===== Check CIS policy =====
Compare current settings to CISv2 level 1
root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv2_Lev1.xml -p -r
Processing cisv2_sysintegrity : failed.
Processing cisv2_brokenlinks : failed.
Processing cisv2_find_worldwritables : failed.
Processing cisv2_find_staffwritables :done.
...
Processing cisv2_ipsecfilter :done.
Processedrules=200 Passedrules=149 Failedrules=51 Level=CISv2
Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
Check the CSV report; each record carries the host, the IP, the CIS recommendation, the check command, PASS or FAIL and, on failure, the offending values (possibly spanning several lines inside the quoted last field):
root@nim ~# cat /etc/security/aixpert/check_report.txt
...
nim,10.x.x.x,"Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/etc/security/pscexpert/bin/chusrattr umask=27 ALL cisv1_umask",FAIL," The attribute umask for user root should have value 27, but it is 22.
The attribute umask for user srvproxy should have value 27, but it is 2.
The attribute umask for user esaadmin should have value 27, but it is 22.
"
nim,10.x.x.x,"Implements CIS Recommendation 7.2: Install flrtvc tool.","/etc/security/pscexpert/dodv7/checkcmd flrtvc.ksh",PASS
nim,10.x.x.x,"Implements CIS Recommendation 4.3.2: Ensure loopback is blocked on external interfaces.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecloopbk",PASS
nim,10.x.x.x,"Implements CIS Recommendation 4.3.3: Ensure filters are active.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecfilter",PASS
Processedrules=200 Passedrules=149 Failedrules=51 Level=CISv2
Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
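A helper to summarise such a report, added here as an example (it is not part of the page above nor of PowerSC). It assumes only the record layout shown in the output above (host,ip,"description","check command",PASS|FAIL[,"details"]) and that pscxpert appends its Processedrules/Failedrules summary at the end; the sample report it builds is constructed, not real output. On a real system point it at /etc/security/aixpert/check_report.txt after `pscxpert -c -r`.

```shell
#!/bin/sh
# Added example: summarise a pscxpert CSV check report (pscxpert -c -P <profile> -p -r).
# Assumed record layout (from the report excerpt on this page):
#   host,ip,"description","check command",PASS|FAIL[," multi-line details"]
# The detail lines of a FAIL record are continuation lines inside the quoted last
# field, so only lines that start a record (host,ip,") are counted.

# count_result REPORT RESULT -> number of rules whose result is RESULT (PASS or FAIL)
count_result() {
    awk -F'",' -v want="$2" '
        # a record line looks like host,ip,"...; detail and summary lines never match
        /^[^,]*,[^,]*,"/ {
            res = $3
            sub(/,.*/, "", res)          # drop the trailing ," details ..." part
            if (res == want) n++
        }
        END { print n + 0 }' "$1"
}

# failed_rules REPORT -> "<rule id>TAB<description>" for every FAIL record;
# the rule id is the last word of the check command (e.g. cisv1_umask)
failed_rules() {
    awk -F'",' '
        /^[^,]*,[^,]*,"/ && $3 ~ /^FAIL/ {
            desc = $1
            sub(/^[^,]*,[^,]*,"/, "", desc)   # strip the host,ip," prefix
            n = split($2, w, " ")
            printf "%s\t%s\n", w[n], desc
        }' "$1"
}

# summary_failed REPORT -> the Failedrules=N value pscxpert appends at the end,
# useful to cross-check the count parsed from the records
summary_failed() {
    sed -n 's/.*Failedrules=\([0-9]*\).*/\1/p' "$1" | tail -1
}

# write_sample_report FILE: constructed sample in the layout above (not real output)
write_sample_report() {
    cat > "$1" <<'EOF'
nim,10.0.0.1,"Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/etc/security/pscexpert/bin/chusrattr umask=27 ALL cisv1_umask",FAIL," The attribute umask for user root should have value 27, but it is 22.
The attribute umask for user srvproxy should have value 27, but it is 2.
"
nim,10.0.0.1,"Implements CIS Recommendation 7.2: Install flrtvc tool.","/etc/security/pscexpert/dodv7/checkcmd flrtvc.ksh",PASS
nim,10.0.0.1,"Implements CIS Recommendation 4.3.3: Ensure filters are active.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecfilter",PASS
Processedrules=3 Passedrules=2 Failedrules=1 Level=CISv2
Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
EOF
}

# Demo on the constructed sample; replace REPORT with
# /etc/security/aixpert/check_report.txt on a real AIX host.
REPORT=${TMPDIR:-/tmp}/pscxpert_sample.$$
write_sample_report "$REPORT"
echo "PASS: $(count_result "$REPORT" PASS)  FAIL: $(count_result "$REPORT" FAIL)  (summary line says Failedrules=$(summary_failed "$REPORT"))"
failed_rules "$REPORT"
rm -f "$REPORT"
```

The counts from the records should match the Failedrules value of the summary line; a mismatch usually means a detail line happened to look like a record start and the regex needs tightening for that profile.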
{{:aix:CIS_IBM_AIX_7_Benchmark_v1.0.0.pdf|}}
{{:aix:CIS_IBM_AIX_7_Benchmark_v1.0.0.xlsx|}}