Differences

This shows you the differences between two versions of the page.

--- aix:powersc [2024/09/07 00:01]
manu
+++ aix:powersc [2025/04/01 15:04] (current)
manu [Check CIS policy]
@@ Line 1: / Line 1: @@
 ====== AIX Security PowerSC centralized (CIS...) ======
+https://issuu.com/realbjornroden/docs/ibm_powersc___aix_security_compliance
+Requirement for AIX
+  installing **powerscStd** package (included in AIX 7.2 / 7.3 Entreprise edition)
+<cli prompt='>'>
+root@nim ~ > lslpp -Lc | grep -i powersc
+powerscStd.ice:powerscStd.ice:2.2.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/:
+powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/:
+powerscStd.msg:powerscStd.msg.en_US:2.2.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/:
+</cli>
 Provides security and compliance profiles for:
-    DoD – Department of Defense STIG
+  * DoD – Department of Defense STIG
-    HIPAA – Health Insurance Portability and Accountability Act
+  * HIPAA – Health Insurance Portability and Accountability Act
-    NERC – North American Electric Reliability Corporation compliance
+  * NERC – North American Electric Reliability Corporation compliance
-    PCIv3 – The Payment Card Industry – Data Security Standard
+  * PCIv3 – The Payment Card Industry – Data Security Standard
-    SOX-COBIT – Sarbanes-Oxley Act and COBIT compliance
+  * SOX-COBIT – Sarbanes-Oxley Act and COBIT compliance
-    Database – Provides general purpose database security hardening
+  * Database – Provides general purpose database security hardening
-    additionnal like CIS, and predefined aixpert policies
+  * additionnal like CIS, and predefined aixpert policies
 ===== Apply the accurate policy =====
-Alternative is to use a client PowerSC (apply the right security level)
+Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice)
 <cli prompt='#'>
 # pscxpert -f /etc/security/aixpert/custom/CISv1.xml 	CIS Security Benchmark for AIX 7.1
@@ Line 39: / Line 52: @@
 </cli>
 Report is produced in /etc/security/aixpert/check_report.txt
+To display the security profile applied:
+<cli prompt='#'>
+# pscxpert -t
+</cli>
 Compare to a custom security level with a specific Profile
@@ Line 52: / Line 70: @@
 </cli>
+===== Check CIS policy =====
+Compare current settings to CISv2 level 1
+<cli prompt='#'>
+root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv2_Lev1.xml -p -r
+Processing cisv2_sysintegrity : failed.
+Processing cisv2_brokenlinks : failed.
+Processing cisv2_find_worldwritables : failed.
+Processing cisv2_find_staffwritables :done.
+...
+Processing cisv2_ipsecfilter :done.
+Processedrules=200      Passedrules=149 Failedrules=51  Level=CISv2
+        Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
+</cli>
+Check the CSV report
+<cli prompt='#'>
+root@nim ~# cat /etc/security/aixpert/check_report.txt
+...
+nim,10.x.x.x,"Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/etc/security/pscexpert/bin/chusrattr umask=27 ALL cisv1_umask",FAIL," The attribute umask for user root should have value 27, but it is 22.
+ The attribute umask for user srvproxy should have value 27, but it is 2.
+ The attribute umask for user esaadmin should have value 27, but it is 22.
+"
+nim,10.x.x.x,"Implements CIS Recommendation 7.2: Install flrtvc tool.","/etc/security/pscexpert/dodv7/checkcmd flrtvc.ksh",PASS
+nim,10.x.x.x,"Implements CIS Recommendation 4.3.2: Ensure loopback is blocked on external interfaces.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecloopbk",PASS
+nim,10.x.x.x,"Implements CIS Recommendation 4.3.3: Ensure filters are active.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecfilter",PASS
+Processedrules=200      Passedrules=149 Failedrules=51  Level=CISv2
+        Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
+</cli>
+{{:aix:CIS_IBM_AIX_7_Benchmark_v1.0.0.pdf|}}
+{{:aix:CIS_IBM_AIX_7_Benchmark_v1.0.0.xlsx|}}

wiki

User Tools

Site Tools

Differences

Page Tools