aix:powersc
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
aix:powersc [2025/08/05 17:05] manu |
aix:powersc [2025/08/21 17:43] (current) manu [Check CIS policy] |
||
|---|---|---|---|
| Line 6: | Line 6: | ||
| IBM PowerSC is a product to check security and compliance for AIX and Linux servers | IBM PowerSC is a product to check security and compliance for AIX and Linux servers | ||
| + | |||
| + | {{aix:powersc01.png?600}} | ||
| === Requirements for server === | === Requirements for server === | ||
| + | |||
| Supported OS: | Supported OS: | ||
| Line 136: | Line 139: | ||
| | | ||
| ===== Register a new host (endpoint) on PowerSC Server UI ===== | ===== Register a new host (endpoint) on PowerSC Server UI ===== | ||
| + | |||
| + | === On AIX === | ||
| + | |||
| + | Install the following packages using smit installp | ||
| + | <cli prompt='>'> | ||
| + | root@nim /var/log/powersc/uiAgent> lslpp -Lc | grep powersc | ||
| + | powerscStd.ice:powerscStd.ice:2.3.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/: | ||
| + | powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/: | ||
| + | powerscStd.msg:powerscStd.msg.en_US:2.3.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/: | ||
| + | powerscStd.uiAgent:powerscStd.uiAgent.rte:2.3.0.0: : :C: :PowerSC User Interface Agent: : : : : : :0:0:/: | ||
| + | </cli> | ||
| + | |||
| + | From /etc/security/powersc/uiAgent remove endpointTruststore and endpointKeystore files if you have any other files Truststore/ KeyStore please remove it. | ||
| + | |||
| + | Copy only **endpointTruststore.p12** from (server) /etc/security/powersc/uiServer to /etc/security/powersc/uiAgent\\ | ||
| + | Now restart the agent | ||
| + | |||
| + | To start the Agent on AIX: | ||
| + | <cli prompt='>'> | ||
| + | root@nim /var/log/powersc/uiAgent> lssrc -s pscuiagent | ||
| + | Subsystem Group PID Status | ||
| + | pscuiagent 12517660 active | ||
| + | root@nim /var/log/powersc/uiAgent> stopsrc -s pscuiagent | ||
| + | 0513-044 The pscuiagent Subsystem was requested to stop. | ||
| + | root@nim /var/log/powersc/uiAgent> startsrc -s pscuiagent | ||
| + | 0513-059 The pscuiagent Subsystem has been started. Subsystem PID is 12517662. | ||
| + | </cli> | ||
| + | |||
| + | For info logs are available in /var/log/powersc/uiAgent | ||
| + | |||
| + | === On PowerSC server === | ||
| + | |||
| + | On the UI go to Endpint Admin--> KeyStore Request, select it and generate new keystore\\ | ||
| + | Now you check whether the client is connected. | ||
| + | |||
| + | {{:aix:powersc_gui01.png?600|}} | ||
| + | |||
| + | {{:aix:powersc_gui02.png?600|}} | ||
| + | |||
| + | You have first to verify and validate your new endpoint | ||
| + | |||
| + | {{:aix:powersc_gui03.png?600|}} | ||
| ===== PowerSC standalone command line ===== | ===== PowerSC standalone command line ===== | ||
| Line 157: | Line 202: | ||
| * Database – Provides general purpose database security hardening | * Database – Provides general purpose database security hardening | ||
| * additionnal like CIS, and predefined aixpert policies | * additionnal like CIS, and predefined aixpert policies | ||
| - | | + | |
| - | ===== Apply the accurate policy ===== | + | Consider the following recommendations, as specified in https://www.cisecurity.org/benchmark/ibm_aix/: |
| + | * Level 1 benchmark recommendations are intended to: | ||
| + | <code> | ||
| + | Be practical and prudent | ||
| + | Provide a clear security benefit | ||
| + | Do not inhibit the utility of the technology beyond acceptable means | ||
| + | </code> | ||
| + | * Level 2 benchmark recommendations exhibit one or more of the following characteristics: | ||
| + | <code> | ||
| + | Are intended for environments or use cases where security is paramount | ||
| + | Acts as defense in depth measure | ||
| + | May negatively inhibit the utility or performance of the technology | ||
| + | </code> | ||
| + | |||
| + | **<color #ed1c24>Best practice for AIX is to use CISv3_Lev1.xml</color>**, it combine the best practice for AIX 7.2 and 7.3 | ||
| + | ==== Apply the accurate policy ==== | ||
| Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice) | Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice) | ||
| Line 165: | Line 225: | ||
| # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml CIS Security Benchmark for AIX 7.2 | # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml CIS Security Benchmark for AIX 7.2 | ||
| # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml CIS Security Benchmark for AIX 7.2 | # pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml CIS Security Benchmark for AIX 7.2 | ||
| + | # pscxpert -f /etc/security/aixpert/custom/CISv3_Lev1.xml CIS Security Benchmark for AIX 7 | ||
| + | # pscxpert -f /etc/security/aixpert/custom/CISv3_Lev2.xml CIS Security Benchmark for AIX 7 | ||
| # pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml General Data Protection Regulation (GDPR) | # pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml General Data Protection Regulation (GDPR) | ||
| </cli> | </cli> | ||
| Line 180: | Line 242: | ||
| Now you are able to change some parameters for example maxage and then apply it using **-f** option | Now you are able to change some parameters for example maxage and then apply it using **-f** option | ||
| - | ===== Check compliance to applied policy ===== | + | ==== Check compliance to applied policy ==== |
| Alternative is to use a client PowerSC (apply the right security level) (/etc/security/aixpert/core/appliedaixpert.xml) | Alternative is to use a client PowerSC (apply the right security level) (/etc/security/aixpert/core/appliedaixpert.xml) | ||
| Line 205: | Line 267: | ||
| </cli> | </cli> | ||
| - | ===== Check CIS policy ===== | + | ==== Check CIS policy ==== |
| Compare current settings to CISv2 level 1 | Compare current settings to CISv2 level 1 | ||
| <cli prompt='#'> | <cli prompt='#'> | ||
| - | root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv2_Lev1.xml -p -r | + | root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv3_Lev1.xml -p -r |
| Processing cisv2_sysintegrity : failed. | Processing cisv2_sysintegrity : failed. | ||
| Processing cisv2_brokenlinks : failed. | Processing cisv2_brokenlinks : failed. | ||
aix/powersc.1754406359.txt.gz · Last modified: 2025/08/05 17:05 by manu
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
