====== AIX Security PowerSC centralized (CIS...) ====== 

===== PowerSC Central Server =====

==== Server installation ====

IBM PowerSC is a product to check security and compliance for AIX and Linux servers

{{aix:powersc01.png?600}}

=== Requirements for server ===


Supported OS:
  * AIX 7.3
  * Linux RHEL9

Filesystems:
  * /var/log/powersc
  * /var/powersc
  * /opt/powersc
  * /etc/security/powersc

<cli prompt='#'>
[root@lnxpwrsc01 etc]# df -h | grep data
/dev/mapper/datavg-opt_powersc         8.0G   89M  7.9G   2% /opt/powersc
/dev/mapper/datavg-var_powersc          20G  175M   20G   1% /var/powersc
/dev/mapper/datavg-var_log_powersc      20G  175M   20G   1% /var/log/powersc
/dev/mapper/datavg-etc_secu_pwrsc      960M   39M  922M   5% /etc/security/powersc
</cli>

Prerequisites installation (s-nail replace mailx in RHEL9):
<cli prompt='#'>
[root@lnxpwrsc01 v2.2]# dnf -y install java-1.8.0-openjdk sendmail-cf s-nail
[root@lnxpwrsc01 v2.2]# dnf install perl-NetAddr-IP
</cli>

Force install as **mailx** package is no more available
<cli prompt='#'>
[root@lnxpwrsc01 v2.2]# pwd
/tmp/sources/powersc/v2.2
[root@lnxpwrsc01 v2.2]# dnf --skip-broken localinstall psad-3.0-1.x86_64.rpm

[root@lnxpwrsc01 v2.2.0.4]# dnf localinstall psad-3.0-7.el9.x86_64.rpm
[root@lnxpwrsc01 v2.2.0.4]# dnf --skip-broken localinstall fapolicyd-1.1.7-1.sles15.x86_64.rpm
[root@lnxpwrsc01 v2.2.0.4]# dnf localinstall powersc-xerces-c-3.2.4-4.el9.x86_64.rpm
</cli>

<cli prompt='#'>
[root@lnxpwrsc01 v2.2.0.4]# ./powersc-pscxpert-2.2.0.4-el9.x86_64.sh
x - created lock directory _sh3694117.
x - removed lock directory _sh3694117.
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:powersc-pscxpert-2.2.0.4-1.el9   ################################# [100%]
</cli>

<cli prompt='#'>
[root@lnxpwrsc01 v2.2.0.4]# ./powersc-uiServer-2.2.0.4-el9.x86_64.sh
x - created lock directory _sh3696241.
x - removed lock directory _sh3696241.
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:powersc-uiServer-2.2.0.4-1.el9   ################################# [100%]
</cli>

<cli prompt='#'>
[root@lnxpwrsc01 powersc]# cat /var/log/powersc/uiServer/pscUIServer_install.log
webApps/ws/usage/en/systems/delete/index.html
webApps/ws/usage/en/systems/index.html
logonGroupList=security
security=*
Certificate was added to keystore
Certificate was added to keystore
Copy /etc/security/powersc/uiServer/endpointTruststore.p12 to /etc/security/powersc/uiAgent/endpointTruststore.p12 on every endpoint.
Certificate stored in file </etc/security/powersc/uiServer/psc_signing_cert.pem>
Certificate was added to keystore
httpPort=80
httpsPort=443
Created symlink /etc/systemd/system/multi-user.target.wants/powersc-uiServer.service → /usr/lib/systemd/system/powersc-uiServer.service.
</cli>
Start PowerSC server
<cli prompt='#'>
[root@lnxpwrsc01 v2.2.0.4]# systemctl status powersc-uiServer.service
● powersc-uiServer.service - PowerSC UI Server
     Loaded: loaded (/usr/lib/systemd/system/powersc-uiServer.service; enabled; preset: disabled)
     Active: active (running) since Tue 2025-07-15 16:19:42 CEST; 1min 49s ago
   Main PID: 16985 (uiServer.sh)
      Tasks: 165 (limit: 100413)
     Memory: 731.2M
        CPU: 12.650s
     CGroup: /system.slice/powersc-uiServer.service
             ├─16985 /bin/sh /opt/powersc/uiServer/bin/uiServer.sh
             └─17269 /opt/powersc/uiServer/bin/uiserver /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.452.b09-3.el9.x86_64/jre /opt/powersc/uiS>

Jul 15 16:19:42 lnxpwrsc01 systemd[1]: Started PowerSC UI Server.
Jul 15 16:19:42 lnxpwrsc01 uiServer.sh[16985]: Starting PowerSC UI server with maximum memory allocation of 2000, and redirecting the o>
Jul 15 16:19:43 lnxpwrsc01 uiServer.sh[17269]: log file: /var/log/powersc/uiServer/pscuiserver_2025-07-15_16-19.43.0.log
</cli>

=== Add groups to login to Web GUI ===

<cli prompt='#'>
[root@lnxpwrsc01 powersc]# groupadd -g 10000 powersc

[root@lnxpwrsc01 powersc]# grep powersc /etc/group
powersc:x:10000:qualysagent

[root@lnxpwrsc01 powersc]# pscuiserverctl set logonGroupList powersc
logonGroupList=powersc

[root@lnxpwrsc01 powersc]# pscuiserverctl set administratorGroupList powersc
administratorGroupList=powersc
</cli>

<cli prompt='#'>
[root@lnxpwrsc01 powersc]# pscuiserverctl set bindAddress 192.168.85.8
bindAddress=192.168.1.2

[root@lnxpwrsc01 powersc]# cat /etc/security/powersc/uiServer/uiServer.conf.properties
logonGroupList=powersc
httpPort=80
httpsPort=443
administratorGroupList=powersc
bindAddress=192.168.1.2
</cli>

=== Creating more security certificates ===

By using the IBM PowerSC GUI server, you can use shell scripts to create or import security
certificates that can be found in the /opt/powersc/uiServer/bin/ directory:
  generate_server_keystore_uiServer.sh
  generate_signing_keystore_uiServer.sh
  generate_endpoint_keystore_uiServer.sh
  import_well_known_certificate_uiServer.sh
  convertProfileToBean.sh
  
===== Register a new host (endpoint) on PowerSC Server UI =====

=== On AIX ===

Install the following packages using smit installp
<cli prompt='>'>
root@nim /var/log/powersc/uiAgent> lslpp -Lc | grep powersc
powerscStd.ice:powerscStd.ice:2.3.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/:
powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/:
powerscStd.msg:powerscStd.msg.en_US:2.3.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/:
powerscStd.uiAgent:powerscStd.uiAgent.rte:2.3.0.0: : :C: :PowerSC User Interface Agent: : : : : : :0:0:/:
</cli>

From /etc/security/powersc/uiAgent remove endpointTruststore and endpointKeystore files if you have any other files Truststore/ KeyStore please remove it.

Copy only **endpointTruststore.p12** from (server) /etc/security/powersc/uiServer to /etc/security/powersc/uiAgent\\
Now restart the agent

To start the Agent on AIX:
<cli prompt='>'>
root@nim /var/log/powersc/uiAgent> lssrc -s pscuiagent
Subsystem         Group            PID          Status
 pscuiagent                        12517660     active
root@nim /var/log/powersc/uiAgent> stopsrc -s pscuiagent
0513-044 The pscuiagent Subsystem was requested to stop.
root@nim /var/log/powersc/uiAgent> startsrc -s pscuiagent
0513-059 The pscuiagent Subsystem has been started. Subsystem PID is 12517662.
</cli>

For info logs are available in /var/log/powersc/uiAgent

=== On PowerSC server ===

On the UI go to Endpint Admin--> KeyStore Request, select it and generate new keystore\\
Now you check whether the client is connected.

{{:aix:powersc_gui01.png?600|}}

{{:aix:powersc_gui02.png?600|}}

You have first to verify and validate your new endpoint

{{:aix:powersc_gui03.png?600|}}

===== PowerSC standalone command line =====

Requirement for AIX
  installing **powerscStd** package (included in AIX 7.2 / 7.3 Entreprise edition)

<cli prompt='>'>
root@nim ~ > lslpp -Lc | grep -i powersc
powerscStd.ice:powerscStd.ice:2.2.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/:
powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/:
powerscStd.msg:powerscStd.msg.en_US:2.2.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/:
</cli>

Provides security and compliance profiles for:
  * DoD – Department of Defense STIG
  * HIPAA – Health Insurance Portability and Accountability Act
  * NERC – North American Electric Reliability Corporation compliance
  * PCIv3 – The Payment Card Industry – Data Security Standard
  * SOX-COBIT – Sarbanes-Oxley Act and COBIT compliance
  * Database – Provides general purpose database security hardening
  * additionnal like CIS, and predefined aixpert policies
   
Consider the following recommendations, as specified in https://www.cisecurity.org/benchmark/ibm_aix/:
  * Level 1 benchmark recommendations are intended to:
<code>
    Be practical and prudent
    Provide a clear security benefit
    Do not inhibit the utility of the technology beyond acceptable means
</code>
  * Level 2 benchmark recommendations exhibit one or more of the following characteristics:
<code>
    Are intended for environments or use cases where security is paramount
    Acts as defense in depth measure
    May negatively inhibit the utility or performance of the technology 
</code>

**<color #ed1c24>Best practice for AIX is to use CISv3_Lev1.xml</color>**, it combine the best practice for AIX 7.2 and 7.3
==== Apply the accurate policy ====

Alternative is to use a client PowerSC (apply the right security level) (package: powerscStd.ice)
<cli prompt='#'>
# pscxpert -f /etc/security/aixpert/custom/CISv1.xml 	CIS Security Benchmark for AIX 7.1
# pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml 	CIS Security Benchmark for AIX 7.2
# pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml 	CIS Security Benchmark for AIX 7.2
# pscxpert -f /etc/security/aixpert/custom/CISv3_Lev1.xml 	CIS Security Benchmark for AIX 7
# pscxpert -f /etc/security/aixpert/custom/CISv3_Lev2.xml 	CIS Security Benchmark for AIX 7
# pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml	General Data Protection Regulation (GDPR)
</cli>

Or apply a predefined level (-p verbose mode)
<cli prompt='#'>
# pscxpert -l medium -p
</cli>

Dump an aixpert default level, in order to modify it and apply then using PowerSC
<cli prompt='#'>
# pscxpert -l high -n /etc/security/aixpert/custom/mycustomfile.xml
</cli>

Now you are able to change some parameters for example maxage and then apply it using **-f** option

==== Check compliance to applied policy ====

Alternative is to use a client PowerSC (apply the right security level) (/etc/security/aixpert/core/appliedaixpert.xml)
<cli prompt='#'>
# pscxpert -c
</cli>
Report is produced in /etc/security/aixpert/check_report.txt

To display the security profile applied:
<cli prompt='#'>
# pscxpert -t
</cli>

Compare to a custom security level with a specific Profile
<cli prompt='#'>
# pscxpert -c -P /etc/security/aixpert/custom/mysecurity.xml
</cli>

Add the option at end **-p -r** to generate a CSV report

Undo security settings (-p verbose mode)
<cli prompt='#'>
# pscxpert -u -p
</cli>

==== Check CIS policy ====

Compare current settings to CISv2 level 1
<cli prompt='#'>
root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv3_Lev1.xml -p -r
Processing cisv2_sysintegrity : failed.
Processing cisv2_brokenlinks : failed.
Processing cisv2_find_worldwritables : failed.
Processing cisv2_find_staffwritables :done.
...
Processing cisv2_ipsecfilter :done.
Processedrules=200      Passedrules=149 Failedrules=51  Level=CISv2
        Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
</cli>

Check the CSV report
<cli prompt='#'>
root@nim ~# cat /etc/security/aixpert/check_report.txt
...
nim,10.x.x.x,"Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/etc/security/pscexpert/bin/chusrattr umask=27 ALL cisv1_umask",FAIL," The attribute umask for user root should have value 27, but it is 22.
 The attribute umask for user srvproxy should have value 27, but it is 2.
 The attribute umask for user esaadmin should have value 27, but it is 22.
"
nim,10.x.x.x,"Implements CIS Recommendation 7.2: Install flrtvc tool.","/etc/security/pscexpert/dodv7/checkcmd flrtvc.ksh",PASS
nim,10.x.x.x,"Implements CIS Recommendation 4.3.2: Ensure loopback is blocked on external interfaces.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecloopbk",PASS
nim,10.x.x.x,"Implements CIS Recommendation 4.3.3: Ensure filters are active.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecfilter",PASS


Processedrules=200      Passedrules=149 Failedrules=51  Level=CISv2
        Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml

</cli>

{{:aix:CIS_IBM_AIX_7_Benchmark_v1.0.0.pdf|}}

{{:aix:CIS_IBM_AIX_7_Benchmark_v1.0.0.xlsx|}}