aix:powersc

aix:powersc [2024/09/07 00:01]
manu
aix:powersc [2025/04/01 15:04] (current)
manu [Check CIS policy]
Line 1: Line 1:
 ====== AIX Security PowerSC centralized (CIS...) ====== ​ ====== AIX Security PowerSC centralized (CIS...) ====== ​
 +
 +https://​issuu.com/​realbjornroden/​docs/​ibm_powersc___aix_security_compliance
 +
 +
 +Requirement for AIX
 +  installing **powerscStd** package (included in AIX 7.2 / 7.3 Entreprise edition)
 +
 +<cli prompt='>'>​
 +root@nim ~ > lslpp -Lc | grep -i powersc
 +powerscStd.ice:​powerscStd.ice:​2.2.0.0:​ : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/:
 +powerscStd.license:​powerscStd.license:​7.1.3.0:​ : :C: :PowerSC Standard Edition: : : : : : :0:0:/:
 +powerscStd.msg:​powerscStd.msg.en_US:​2.2.0.0:​ : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/:
 +</​cli>​
  
 Provides security and compliance profiles for: Provides security and compliance profiles for:
-    ​DoD – Department of Defense STIG +  * DoD – Department of Defense STIG 
-    HIPAA – Health Insurance Portability and Accountability Act +  ​* ​HIPAA – Health Insurance Portability and Accountability Act 
-    NERC – North American Electric Reliability Corporation compliance +  ​* ​NERC – North American Electric Reliability Corporation compliance 
-    PCIv3 – The Payment Card Industry – Data Security Standard +  ​* ​PCIv3 – The Payment Card Industry – Data Security Standard 
-    SOX-COBIT – Sarbanes-Oxley Act and COBIT compliance +  ​* ​SOX-COBIT – Sarbanes-Oxley Act and COBIT compliance 
-    Database – Provides general purpose database security hardening +  ​* ​Database – Provides general purpose database security hardening 
-    additionnal like CIS, and predefined aixpert policies+  ​* ​additionnal like CIS, and predefined aixpert policies
     ​     ​
 ===== Apply the accurate policy ===== ===== Apply the accurate policy =====
  
-Alternative is to use a client PowerSC (apply the right security level)+Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice)
 <cli prompt='#'>​ <cli prompt='#'>​
 # pscxpert -f /​etc/​security/​aixpert/​custom/​CISv1.xml CIS Security Benchmark for AIX 7.1 # pscxpert -f /​etc/​security/​aixpert/​custom/​CISv1.xml CIS Security Benchmark for AIX 7.1
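Review bot: the package requirement line near the top of this hunk ("installing **powerscStd** package ...") is indented with two spaces but has no `*` marker, so DokuWiki will render it as preformatted text rather than as a list item like the `  * DoD` entries below it; it also misspells "Enterprise" as "Entreprise", and the last bullet has "additionnal" for "additional". Under "Apply the accurate policy", the `pscxpert -f /etc/security/aixpert/custom/CISv1.xml` command enforces the profile rather than only reporting on it; it would help to say so next to the command and to point readers to the `-c` check run shown in the "Check CIS policy" section, so they can see which rules currently fail (51 of 200 in the example there) before the profile is applied. The issuu link would also benefit from a short description of what it is.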
Line 39: Line 52:
 </​cli>​ </​cli>​
 Report is produced in /​etc/​security/​aixpert/​check_report.txt Report is produced in /​etc/​security/​aixpert/​check_report.txt
 +
 +To display the security profile applied:
 +<cli prompt='#'>​
 +# pscxpert -t
 +</​cli>​
  
 Compare to a custom security level with a specific Profile Compare to a custom security level with a specific Profile
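Review bot: the new `pscxpert -t` block shows only the command, while every other `<cli>` block on the page includes sample output; adding a line or two of what `-t` prints on the target system would keep the section consistent and let readers recognise the expected result.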
Line 52: Line 70:
 </​cli>​ </​cli>​
  
 +===== Check CIS policy =====
 +
 +Compare current settings to CISv2 level 1
 +<cli prompt='#'>​
 +root@nim ~# pscxpert -c -P /​etc/​security/​aixpert/​custom/​CISv2_Lev1.xml -p -r
 +Processing cisv2_sysintegrity : failed.
 +Processing cisv2_brokenlinks : failed.
 +Processing cisv2_find_worldwritables : failed.
 +Processing cisv2_find_staffwritables :done.
 +...
 +Processing cisv2_ipsecfilter :done.
 +Processedrules=200 ​     Passedrules=149 Failedrules=51 ​ Level=CISv2
 +        Input file=/​etc/​security/​aixpert/​custom/​CISv2_Lev1.xml
 +</​cli>​
 +
 +Check the CSV report
 +<cli prompt='#'>​
 +root@nim ~# cat /​etc/​security/​aixpert/​check_report.txt
 +...
 +nim,​10.x.x.x,"​Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/​etc/​security/​pscexpert/​bin/​chusrattr umask=27 ALL cisv1_umask",​FAIL,"​ The attribute umask for user root should have value 27, but it is 22.
 + The attribute umask for user srvproxy should have value 27, but it is 2.
 + The attribute umask for user esaadmin should have value 27, but it is 22.
 +"
 +nim,​10.x.x.x,"​Implements CIS Recommendation 7.2: Install flrtvc tool.","/​etc/​security/​pscexpert/​dodv7/​checkcmd flrtvc.ksh",​PASS
 +nim,​10.x.x.x,"​Implements CIS Recommendation 4.3.2: Ensure loopback is blocked on external interfaces.","/​etc/​security/​pscexpert/​bin/​ipsecshunhostcis cisv2_ipsecloopbk",​PASS
 +nim,​10.x.x.x,"​Implements CIS Recommendation 4.3.3: Ensure filters are active.","/​etc/​security/​pscexpert/​bin/​ipsecshunhostcis cisv2_ipsecfilter",​PASS
 +
 +
 +Processedrules=200 ​     Passedrules=149 Failedrules=51 ​ Level=CISv2
 +        Input file=/​etc/​security/​aixpert/​custom/​CISv2_Lev1.xml
 +
 +</​cli>​
 +
 +{{:​aix:​CIS_IBM_AIX_7_Benchmark_v1.0.0.pdf|}}
 +
 +{{:​aix:​CIS_IBM_AIX_7_Benchmark_v1.0.0.xlsx|}}
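Review bot: the `-p` and `-r` options in `pscxpert -c -P /etc/security/aixpert/custom/CISv2_Lev1.xml -p -r` are not explained anywhere in the section, although the text relies on them to produce the CSV report that follows; one sentence on what each does would make the procedure reproducible. In the report excerpt, the fourth CSV column is the rule's command (e.g. `/etc/security/pscexpert/bin/chusrattr umask=27 ALL cisv1_umask`), and the umask row lists three users with umask 22 or 2; the intro "Check the CSV report" could say that this column shows what the rule would change, since `ALL` here covers every user, not just root. Also, the attached documents are "CIS_IBM_AIX_7_Benchmark_v1.0.0" while the profile checked is `CISv2_Lev1.xml` and the umask row references `cisv1_umask` in a Level=CISv2 run; a line stating which benchmark version the CISv2 profile corresponds to would avoid confusion.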
aix/powersc.1725660109.txt.gz · Last modified: 2024/09/07 00:01 by manu