April 12, 2016
AIXPERT is an easy-to-use interface to both harden a system and verify its compliance with one or more standards. A standard can be one published by a third party (e.g., CIS), one from core AIX, one from PowerSC, or one of these copied and customised for your situation. The format is XML.
The basics of aixpert
The command to harden a system has two variations, either:
- aixpert -l <level>
- aixpert -P <filename>
where <level> is low, medium, high, sox-cobit or default (or the first letter of one of these) and <filename> is an XML file in the required format.
To check compliance just use the same command as above, but add the argument -c, e.g.:
- aixpert -c -l <level>
- aixpert -c -P <filename>
The check or comply command appends the details of the results to the file /etc/security/aixpert/check_report.txt and a summary appears on the screen (stdout).
Compliance Reports (for managers and auditors)
An option introduced in the PowerSC addition to aixpert (now named pscxpert) can be used to create a CSV-format report with the following layout:
Report date and Time:Nov 19 15:37:24
Report Version 1.0
HostName,IP Address,Description,Command Arguments,Result,Reason for failure
<data in csv format>
The command to do this is nearly identical to the comply command, i.e., one of:
- aixpert -c -l <level> -r
- aixpert -c -P <filename> -r
Besides the addition to the check_report.txt file, a new file is written (or overwritten if it already exists) at /etc/security/aixpert/check_report.csv.
Once this file is loaded into a spreadsheet the results can be filtered to show only the failures – so that it could look something like:
If you use the AIX core levels your output may be “confused” because there are, unfortunately, description texts that include commas ',' in the text. One example:
I have two ways to correct this: a) correct the .csv file; b) correct the core XML file.
Correct the csv file using vi
The vi command to remove unwanted commas in the description text is the following:
# vi filename.csv
:1,$s/, / /g
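An alternative to editing by hand, as an added example that is not from the original post: the script folds the surplus fields back into the description so every row has the six documented columns, then lists only the failures. It assumes that only the Description column contains stray commas and that a failed rule has FAIL in the Result column; the sample report, its rule names and the function names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: only the
# Description column contains stray commas, the first three lines are the
# report preamble shown above, and a failed rule has Result == "FAIL".

# Write a small constructed report in the documented 6-column layout.
write_sample() {
    cat > "$1" <<'EOF'
Report date and Time:Nov 19 15:37:24
Report Version 1.0
HostName,IP Address,Description,Command Arguments,Result,Reason for failure
hostA,192.0.2.10,Constructed rule one,arg1 arg2,PASS,
hostA,192.0.2.10,Constructed rule, with a comma, twice,arg3,FAIL,constructed reason
hostA,192.0.2.10,Constructed rule three,arg4,FAIL,another constructed reason
EOF
}

# Fold surplus fields back into Description so every data row has 6 fields.
normalize_report() {
    awk -F',' '
        NR <= 3 || NF <= 6 { print; next }    # preamble, or row already well formed
        {
            desc = $3
            for (i = 4; i <= NF - 3; i++) {   # pieces split off the description
                part = $i
                sub(/^ +/, "", part)          # drop the space that followed the comma
                desc = desc " " part
            }
            printf "%s,%s,%s,%s,%s,%s\n", $1, $2, desc, $(NF-2), $(NF-1), $NF
        }' "$1"
}

# Print one line per failed rule: host, description, reason for failure.
list_failures() {
    normalize_report "$1" |
        awk -F',' 'NR > 3 && $5 == "FAIL" { print $1 ": " $3 " (" $6 ")" }'
}

# Demo on the constructed sample; point list_failures at
# /etc/security/aixpert/check_report.csv for a real report.
sample="${TMPDIR:-/tmp}/check_report_sample.$$.csv"
write_sample "$sample"
list_failures "$sample"
rm -f "$sample"
```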
Correct the XML file using vi
# vi /etc/security/aixpert/core/aixpertall.xml
- Of course another editor, or sed could be used – these are just examples.
- I feel that if you are facing an IT audit and you are not using aixpert – you deserve to fail as you have not used one of the easiest to use AIX mechanisms for hardening and verifying compliance.
- I hope this helps you get more benefit from using AIXPERT.