Supported OS:
Filesystems:
[root@lnxpwrsc01 etc]# df -h | grep data
/dev/mapper/datavg-opt_powersc      8.0G   89M  7.9G   2% /opt/powersc
/dev/mapper/datavg-var_powersc       20G  175M   20G   1% /var/powersc
/dev/mapper/datavg-var_log_powersc   20G  175M   20G   1% /var/log/powersc
/dev/mapper/datavg-etc_secu_pwrsc   960M   39M  922M   5% /etc/security/powersc
Prerequisites installation (s-nail replaces mailx in RHEL 9):
[root@lnxpwrsc01 v2.2]# dnf -y install java-1.8.0-openjdk sendmail-cf s-nail
[root@lnxpwrsc01 v2.2]# dnf install perl-NetAddr-IP
Force the install, as the mailx package is no longer available:
[root@lnxpwrsc01 v2.2]# pwd
/tmp/sources/powersc/v2.2
[root@lnxpwrsc01 v2.2]# dnf --skip-broken localinstall psad-3.0-1.x86_64.rpm
[root@lnxpwrsc01 v2.2.0.4]# dnf localinstall psad-3.0-7.el9.x86_64.rpm
[root@lnxpwrsc01 v2.2.0.4]# dnf --skip-broken localinstall fapolicyd-1.1.7-1.sles15.x86_64.rpm
[root@lnxpwrsc01 v2.2.0.4]# dnf localinstall powersc-xerces-c-3.2.4-4.el9.x86_64.rpm
[root@lnxpwrsc01 v2.2.0.4]# ./powersc-pscxpert-2.2.0.4-el9.x86_64.sh
x - created lock directory _sh3694117.
x - removed lock directory _sh3694117.
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:powersc-pscxpert-2.2.0.4-1.el9   ################################# [100%]
[root@lnxpwrsc01 v2.2.0.4]# ./powersc-uiServer-2.2.0.4-el9.x86_64.sh
x - created lock directory _sh3696241.
x - removed lock directory _sh3696241.
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:powersc-uiServer-2.2.0.4-1.el9   ################################# [100%]
[root@lnxpwrsc01 powersc]# cat /var/log/powersc/uiServer/pscUIServer_install.log
webApps/ws/usage/en/systems/delete/index.html
webApps/ws/usage/en/systems/index.html
logonGroupList=security
security=*
Certificate was added to keystore
Certificate was added to keystore
Copy /etc/security/powersc/uiServer/endpointTruststore.p12 to /etc/security/powersc/uiAgent/endpointTruststore.p12 on every endpoint.
Certificate stored in file </etc/security/powersc/uiServer/psc_signing_cert.pem>
Certificate was added to keystore
httpPort=80
httpsPort=443
Created symlink /etc/systemd/system/multi-user.target.wants/powersc-uiServer.service → /usr/lib/systemd/system/powersc-uiServer.service.
Start PowerSC server
[root@lnxpwrsc01 v2.2.0.4]# systemctl status powersc-uiServer.service
● powersc-uiServer.service - PowerSC UI Server
     Loaded: loaded (/usr/lib/systemd/system/powersc-uiServer.service; enabled; preset: disabled)
     Active: active (running) since Tue 2025-07-15 16:19:42 CEST; 1min 49s ago
   Main PID: 16985 (uiServer.sh)
      Tasks: 165 (limit: 100413)
     Memory: 731.2M
        CPU: 12.650s
     CGroup: /system.slice/powersc-uiServer.service
             ├─16985 /bin/sh /opt/powersc/uiServer/bin/uiServer.sh
             └─17269 /opt/powersc/uiServer/bin/uiserver /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.452.b09-3.el9.x86_64/jre /opt/powersc/uiS>

Jul 15 16:19:42 lnxpwrsc01 systemd[1]: Started PowerSC UI Server.
Jul 15 16:19:42 lnxpwrsc01 uiServer.sh[16985]: Starting PowerSC UI server with maximum memory allocation of 2000, and redirecting the o>
Jul 15 16:19:43 lnxpwrsc01 uiServer.sh[17269]: log file: /var/log/powersc/uiServer/pscuiserver_2025-07-15_16-19.43.0.log
[root@lnxpwrsc01 powersc]# groupadd -g 10000 powersc
[root@lnxpwrsc01 powersc]# grep powersc /etc/group
powersc:x:10000:qualysagent
[root@lnxpwrsc01 powersc]# pscuiserverctl set logonGroupList powersc
logonGroupList=powersc
[root@lnxpwrsc01 powersc]# pscuiserverctl set administratorGroupList powersc
administratorGroupList=powersc
[root@lnxpwrsc01 powersc]# pscuiserverctl set bindAddress 192.168.85.8
bindAddress=192.168.1.2
[root@lnxpwrsc01 powersc]# cat /etc/security/powersc/uiServer/uiServer.conf.properties
logonGroupList=powersc
httpPort=80
httpsPort=443
administratorGroupList=powersc
bindAddress=192.168.1.2
The IBM PowerSC GUI server provides shell scripts to create or import security certificates. They are in the /opt/powersc/uiServer/bin/ directory:
generate_server_keystore_uiServer.sh
generate_signing_keystore_uiServer.sh
generate_endpoint_keystore_uiServer.sh
import_well_known_certificate_uiServer.sh
convertProfileToBean.sh
Install the following packages using smit installp
root@nim /var/log/powersc/uiAgent> lslpp -Lc | grep powersc
powerscStd.ice:powerscStd.ice:2.3.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/:
powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/:
powerscStd.msg:powerscStd.msg.en_US:2.3.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/:
powerscStd.uiAgent:powerscStd.uiAgent.rte:2.3.0.0: : :C: :PowerSC User Interface Agent: : : : : : :0:0:/:
From /etc/security/powersc/uiAgent, remove the endpointTruststore and endpointKeystore files. If you have any other truststore or keystore files there, remove them as well.
Copy only endpointTruststore.p12 from /etc/security/powersc/uiServer (on the server) to /etc/security/powersc/uiAgent
Now restart the agent
To start the Agent on AIX:
root@nim /var/log/powersc/uiAgent> lssrc -s pscuiagent
Subsystem         Group            PID          Status
 pscuiagent                        12517660     active
root@nim /var/log/powersc/uiAgent> stopsrc -s pscuiagent
0513-044 The pscuiagent Subsystem was requested to stop.
root@nim /var/log/powersc/uiAgent> startsrc -s pscuiagent
0513-059 The pscuiagent Subsystem has been started. Subsystem PID is 12517662.
Agent logs are available in /var/log/powersc/uiAgent
In the UI, go to Endpoint Admin -> KeyStore Request, select it and generate a new keystore
Now check whether the client is connected.
You first have to verify and validate your new endpoint
Requirement for AIX
Install the **powerscStd** package (included in AIX 7.2 / 7.3 Enterprise Edition)
root@nim ~ > lslpp -Lc | grep -i powersc
powerscStd.ice:powerscStd.ice:2.2.0.0: : :C: :IBM PowerSC Standard Profile: : : : : : :0:0:/:
powerscStd.license:powerscStd.license:7.1.3.0: : :C: :PowerSC Standard Edition: : : : : : :0:0:/:
powerscStd.msg:powerscStd.msg.en_US:2.2.0.0: : :C: :PowerSC Standard Edition Messages - U.S. English: : : : : : :0:0:/:
Provides security and compliance profiles for:
Consider the following recommendations, as specified in https://www.cisecurity.org/benchmark/ibm_aix/:
Be practical and prudent
Provide a clear security benefit
Do not inhibit the utility of the technology beyond acceptable means

Are intended for environments or use cases where security is paramount
Act as a defense-in-depth measure
May negatively inhibit the utility or performance of the technology
Best practice for AIX is to use CISv3_Lev1.xml; it combines the best practices for AIX 7.2 and 7.3
The alternative is to use a PowerSC client and apply the right security level (package: powerscStd.ice)
# pscxpert -f /etc/security/aixpert/custom/CISv1.xml         CIS Security Benchmark for AIX 7.1
# pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml    CIS Security Benchmark for AIX 7.2
# pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml    CIS Security Benchmark for AIX 7.2
# pscxpert -f /etc/security/aixpert/custom/CISv3_Lev1.xml    CIS Security Benchmark for AIX 7
# pscxpert -f /etc/security/aixpert/custom/CISv3_Lev2.xml    CIS Security Benchmark for AIX 7
# pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml        General Data Protection Regulation (GDPR)
Or apply a predefined level (-p verbose mode)
# pscxpert -l medium -p
Dump a default aixpert level to a file, so that you can modify it and then apply it using PowerSC
# pscxpert -l high -n /etc/security/aixpert/custom/mycustomfile.xml
You can now change some parameters, for example maxage, and then apply the file using the -f option
Alternative is to use a client PowerSC (apply the right security level) (/etc/security/aixpert/core/appliedaixpert.xml)
# pscxpert -c
The report is produced in /etc/security/aixpert/check_report.txt
To display the security profile applied:
# pscxpert -t
Compare the current settings to a custom security level with a specific profile
# pscxpert -c -P /etc/security/aixpert/custom/mysecurity.xml
Add the options -p -r at the end to generate a CSV report
Undo security settings (-p verbose mode)
# pscxpert -u -p
Compare current settings to CISv2 level 1
root@nim ~# pscxpert -c -P /etc/security/aixpert/custom/CISv3_Lev1.xml -p -r
Processing cisv2_sysintegrity : failed.
Processing cisv2_brokenlinks : failed.
Processing cisv2_find_worldwritables : failed.
Processing cisv2_find_staffwritables :done.
...
Processing cisv2_ipsecfilter :done.
Processedrules=200 Passedrules=149 Failedrules=51 Level=CISv2
Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
Check the CSV report
root@nim ~# cat /etc/security/aixpert/check_report.txt
...
nim,10.x.x.x,"Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/etc/security/pscexpert/bin/chusrattr umask=27 ALL cisv1_umask",FAIL,"
The attribute umask for user root should have value 27, but it is 22.
The attribute umask for user srvproxy should have value 27, but it is 2.
The attribute umask for user esaadmin should have value 27, but it is 22.
"
nim,10.x.x.x,"Implements CIS Recommendation 7.2: Install flrtvc tool.","/etc/security/pscexpert/dodv7/checkcmd flrtvc.ksh",PASS
nim,10.x.x.x,"Implements CIS Recommendation 4.3.2: Ensure loopback is blocked on external interfaces.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecloopbk",PASS
nim,10.x.x.x,"Implements CIS Recommendation 4.3.3: Ensure filters are active.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecfilter",PASS
Processedrules=200 Passedrules=149 Failedrules=51 Level=CISv2
Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
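
One way to triage the CSV report shown above, added here as an example (it is not part of PowerSC or of the original notes): it lists the failed rules with their reasons and checks that the rows add up to the trailer counters, which catches a truncated report. The field order (host, IP, description, command, status, optional reason) is assumed from the excerpt above, and the sample report is constructed.

```python
import csv
import io
import re

# Constructed sample in the layout of check_report.txt shown above (not real output).
SAMPLE_REPORT = '''\
nim,10.x.x.x,"Implements CIS Recommendation 3.3: Ensure default umask is 027 or more restrictive.","/etc/security/pscexpert/bin/chusrattr umask=27 ALL cisv1_umask",FAIL,"
The attribute umask for user root should have value 27, but it is 22.
The attribute umask for user srvproxy should have value 27, but it is 2.
"
nim,10.x.x.x,"Implements CIS Recommendation 7.2: Install flrtvc tool.","/etc/security/pscexpert/dodv7/checkcmd flrtvc.ksh",PASS
nim,10.x.x.x,"Implements CIS Recommendation 4.3.3: Ensure filters are active.","/etc/security/pscexpert/bin/ipsecshunhostcis cisv2_ipsecfilter",PASS
Processedrules=3 Passedrules=2 Failedrules=1 Level=CISv2
Input file=/etc/security/aixpert/custom/CISv2_Lev1.xml
'''

COUNTERS = re.compile(r"(Processedrules|Passedrules|Failedrules)=(\d+)")


def parse_report(text):
    """Split a report into per-rule results and the trailer counters."""
    results, summary = [], {}
    # csv.reader keeps the multi-line quoted reason of a FAIL row in one field.
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 5 and row[4] in ("PASS", "FAIL"):
            cis = re.search(r"CIS Recommendation ([\d.]+):", row[2])
            reason = row[5] if len(row) > 5 else ""
            results.append({
                "host": row[0],
                "cis_id": cis.group(1) if cis else None,
                "command": row[3],
                "status": row[4],
                "reasons": [l.strip() for l in reason.splitlines() if l.strip()],
            })
        else:  # trailer, "..." or blank line
            for key, value in COUNTERS.findall(",".join(row)):
                summary[key] = int(value)
    return results, summary


def is_complete(results, summary):
    """True when the rows add up to the trailer counters (detects truncated reports)."""
    passed = sum(r["status"] == "PASS" for r in results)
    failed = sum(r["status"] == "FAIL" for r in results)
    return (summary.get("Passedrules"), summary.get("Failedrules"),
            summary.get("Processedrules")) == (passed, failed, passed + failed)


if __name__ == "__main__":
    results, summary = parse_report(SAMPLE_REPORT)
    for r in results:
        if r["status"] == "FAIL":
            print(r["host"], r["cis_id"], *r["reasons"], sep="\n  ")
    print("complete report:", is_complete(results, summary))
```
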