AIX Hardening 101

March 4, 2013

Roughly eight years ago, in AIX V5.3 ML5, IBM introduced a tool known as AIX Security Expert, or aixpert. The goal was simple: provide a “push-button” or “1-2-3” method to harden AIX, releasing the administrator from the task of creating and updating customized hardening scripts.

The initial release only had three levels (four if you count default): low, medium and high. Later, a way to customize aixpert was added. Later still, a new level, sox-cobit, was added.

The command aixpert is part of bos.security.rte, so it’s always there for you to try out.

Still using your own hardening scripts?

Here’s a simple way to compare how well your scripts stack up to aixpert levels. First, choose your level of comparison: low, medium or high. For SOX, I recommend PowerSC, because it includes an extended SOX-COBIT XML file. Then, run the tests. The [[ -e ... ]] test for the appliedaixpert.xml file can be ignored if you’ve never used aixpert.

AIXPERT CHECK as Test Drive

So, to test drive your AIX hardening with no configuration changes made to your system, use:

# LEVEL=high    # choose one: high, medium, low, default or sox-cobit

# [[ -e /etc/security/aixpert/core/appliedaixpert.xml ]] \
   && mv /etc/security/aixpert/core/appliedaixpert.xml /etc/security/aixpert/core/appliedaixpert.xml.save

# aixpert -l $LEVEL -n -o /etc/security/aixpert/core/appliedaixpert.xml

# aixpert -c

# rm /etc/security/aixpert/core/appliedaixpert.xml

# [[ -e /etc/security/aixpert/core/appliedaixpert.xml.save ]] \
   && mv /etc/security/aixpert/core/appliedaixpert.xml.save /etc/security/aixpert/core/appliedaixpert.xml

# more /etc/security/aixpert/check_report.txt

During the test drive, let it tell you what it finds wrong (note: wrong means different). If the level you choose thinks 4 is the right number and you get a different number (3 or 5, for example), it will say it failed. In other words, there might be some false negatives.
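
The test drive above moves the live appliedaixpert.xml aside, so an aixpert failure or a dropped session between steps would leave the system without its applied rules file. As an added example (not part of the original post), this wraps the same commands in a POSIX shell function that restores the file on any exit; the function name and the AIXPERT and CORE override variables are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the original post): the check-only test drive with
# a restore that runs even if aixpert fails or the session is interrupted.
# AIXPERT and CORE are overridable; that is an assumption made for dry runs.
AIXPERT=${AIXPERT:-aixpert}
CORE=${CORE:-/etc/security/aixpert/core}

aixpert_test_drive() {
    level=$1
    case $level in
        high|medium|low|default|sox-cobit) ;;
        *) echo "usage: aixpert_test_drive high|medium|low|default|sox-cobit" >&2
           return 2 ;;
    esac
    applied=$CORE/appliedaixpert.xml
    (   # subshell so the EXIT trap fires however this block ends
        state=untouched
        restore() {
            [ "$state" = untouched ] && return 0
            rm -f "$applied"                      # drop the generated rules
            [ "$state" = saved ] && mv "$applied.save" "$applied"
            return 0
        }
        trap restore EXIT
        trap 'exit 130' INT TERM HUP
        if [ -e "$applied" ]; then                # real applied rules exist
            mv "$applied" "$applied.save" || exit 1
            state=saved
        else
            state=absent
        fi
        # -n: write the level's rules to the -o file without applying them
        "$AIXPERT" -l "$level" -n -o "$applied" || exit 1
        # -c: check the running system against appliedaixpert.xml
        "$AIXPERT" -c
        exit $?                                   # pass the check's status through
    )
}
```

Call it as aixpert_test_drive medium, then read /etc/security/aixpert/check_report.txt as in the steps above.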

Reasons to Adopt aixpert

1. Consider how many days you would need to get your hardening scripts ready before—and after—the next visit from the IT auditor.
2. Instead of spending all that time maintaining scripts, you can inform the IT auditor, “My hardening scripts are from IBM.”
3. It’s really, really easy.
4. Starting with AIX V6.1, you can manage and apply the settings via the Lightweight Directory Access Protocol (LDAP) model!
