Table of Contents
AIX Security PowerSC centralized (CIS...)
https://issuu.com/realbjornroden/docs/ibm_powersc___aix_security_compliance
Requirement for AIX
installing **powerscStd** package (included in AIX 7.2 / 7.3 Entreprise edition)
root@nim ~ > lslpp -Lc | grep -i powersc powerscStd.ice:powerscStd.ice:2.2.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/: powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/: powerscStd.msg:powerscStd.msg.en_US:2.2.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/:
Provides security and compliance profiles for:
- DoD – Department of Defense STIG
- HIPAA – Health Insurance Portability and Accountability Act
- NERC – North American Electric Reliability Corporation compliance
- PCIv3 – The Payment Card Industry – Data Security Standard
- SOX-COBIT – Sarbanes-Oxley Act and COBIT compliance
- Database – Provides general purpose database security hardening
- additionnal like CIS, and predefined aixpert policies
Apply the accurate policy
Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice)
# pscxpert -f /etc/security/aixpert/custom/CISv1.xml CIS Security Benchmark for AIX 7.1 # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml CIS Security Benchmark for AIX 7.2 # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml CIS Security Benchmark for AIX 7.2 # pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml General Data Protection Regulation (GDPR)
Or apply a predefined level (-p verbose mode)
# pscxpert -l medium -p
Dump an aixpert default level, in order to modify it and apply then using PowerSC
# pscxpert -l high -n /etc/security/aixpert/custom/mycustomfile.xml
Now you are able to change some parameters for example maxage and then apply it using -f option
Check compliance to applied policy
Alternative is to use a client PowerSC (apply the right security level) (/etc/security/aixpert/core/appliedaixpert.xml)
# pscxpert -c
Report is produced in /etc/security/aixpert/check_report.txt
To display the security profile applied:
# pscxpert -t
Compare to a custom security level with a specific Profile
# pscxpert -c -P /etc/security/aixpert/custom/mysecurity.xml
Add the option at end -p -r to generate a CSV report
Undo security settings (-p verbose mode)
# pscxpert -u -p
Check CIS policy
Compare current settings to CISv2 level 1
root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv2_Lev1.xml -p -r Processing cisv2_sysintegrity : failed. Processing cisv2_brokenlinks : failed. Processing cisv2_find_worldwritables : failed. Processing cisv2_find_staffwritables :done. ... Processing cisv2_ipsecfilter :done. Processedrules=200 Passedrules=149 Failedrules=51 Level=CISv2 Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
Check the CSV report
root@nim ~# cat /etc/security/aixpert/check_report.txt ... nim,10.x.x.x,"Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/etc/security/pscexpert/bin/chusrattr umask=27 ALL cisv1_umask",FAIL," The attribute umask for user root should have value 27, but it is 22. The attribute umask for user srvproxy should have value 27, but it is 2. The attribute umask for user esaadmin should have value 27, but it is 22. " nim,10.x.x.x,"Implements CIS Recommendation 7.2: Install flrtvc tool.","/etc/security/pscexpert/dodv7/checkcmd flrtvc.ksh",PASS nim,10.x.x.x,"Implements CIS Recommendation 4.3.2: Ensure loopback is blocked on external interfaces.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecloopbk",PASS nim,10.x.x.x,"Implements CIS Recommendation 4.3.3: Ensure filters are active.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecfilter",PASS Processedrules=200 Passedrules=149 Failedrules=51 Level=CISv2 Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
