Under Construction

Functions of an aixpert Script

An aixpert script must support several required functions. Every aixpert script must at least implement the checking and the setting of security settings. If undo is to be possible, the script must also create an undo entry in the XML file /etc/security/aixpert/core/undo.xml. The script must then either perform the undo itself, delegate it to another script, or generate a script that performs the undo.

Which of these functions the script should perform is determined when the AIX Security Expert (aixpert) calls it: aixpert passes the information to the script through variables in the environment.

Checking security settings (“aixpert -c”)

When checking the security settings, aixpert scripts are called as follows:

AIXPERT_CHECK_REPORT=1 TMPREPT=/tmp/report.txt /etc/security/aixpert/bin/<SCRIPT> [<arg> …]

The two variables AIXPERT_CHECK_REPORT and TMPREPT are set by aixpert and passed to the script via the environment. Command-line arguments come from the corresponding AIXPertEntry and depend on the specific script.

If the check is started with the additional option “-r” (basic compliance report), the variable BASE_REPT with the value “1” is also passed:

AIXPERT_CHECK_REPORT=1 BASE_REPT=1 TMPREPT=/tmp/report.txt /etc/security/aixpert/bin/<SCRIPT> [<arg> …]

If the check is started with the additional option “-R” (description report), the variable DETAILED_REPT with the value “1” is also passed:

AIXPERT_CHECK_REPORT=1 DETAILED_REPT=1 TMPREPT=/tmp/report.txt /etc/security/aixpert/bin/<SCRIPT> [<arg> …]

A script can therefore use these variables to determine whether a check is requested and which type of report is wanted (BASE_REPT or DETAILED_REPT).

Setting security settings (“aixpert -l” or “aixpert -f”)

When setting security settings, you have to distinguish between two possible cases:

    1. Only the security settings are set; an undo is not provided or implemented.
    2. In addition to setting the security settings, an undo option is also set up. This must be implemented in the script.

Since the AIX Security Expert itself doesn’t know whether a script provides and implements the undo functionality, the script is called in the same way in both cases. For an undo, the script must create an entry in /etc/security/aixpert/core/undo.xml. The entry must have the following format:

        <AIXPertEntry name="hls_minlen_0549FBA5">
                <AIXPertRuleType type="Undo"/>
                <AIXPertDescription catalog="aixpert.cat" setNum="101" msgNum="24">Undo action for:  "Minimum length for password: Specifies the minimum length of a password to 8."</AIXPertDescription>
                <AIXPertPrereqList/>
                <AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
                <AIXPertArgs>minlen=8 ALL</AIXPertArgs>
                <AIXPertGroup>Password policy rules</AIXPertGroup>
        </AIXPertEntry>

Note: This is an example entry of the rule hls_minlen.

The entry requires a unique name (the name attribute of AIXPertEntry). The name is generated by the AIX Security Expert by extending the rule name of the security setting with a unique 8-digit hexadecimal ID. This name is passed to the script via the AIXPERT_NAME variable. The type (AIXPertRuleType) of the rule is always “Undo”. The description (AIXPertDescription) is essentially the description from the rule for the security setting. The text of the description is passed via the AIXPERT_DESC variable; the script then prepends the string “Undo action for:”. Catalog, setNum, and msgNum are passed via the AIXPERT_DESC_CATMSGINFO variable. The script must decide on the command and arguments to be used. The group (AIXPertGroup) is also defined by the script and not passed via variables. The script is then called as follows:

AIXPERT_DESC_CATMSGINFO=" catalog=\"aixpert.cat\" setNum=\"101\" msgNum=\"24\"" AIXPERT_DESC="description from appliedaixpert.xml" AIXPERT_NAME="rulename_C1A84345" /etc/security/aixpert/bin/<SCRIPT> [<arg> …]

If no undo is implemented, these variables can simply be ignored.

If an undo is to be implemented, the script generates an XML entry in /etc/security/aixpert/core/undo.xml from these variables.

Undo security settings (“aixpert -u”)

If the script performs an undo itself, the script is called with the arguments specified when generating the undo entry in /etc/security/aixpert/core/undo.xml. No variables are passed via the environment:

/etc/security/aixpert/bin/<SCRIPT> [<arg> …]

Of course, the script should not generate a new undo entry during an undo run!
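As an added example that is not part of the original page or of AIX, the following POSIX shell skeleton ties the three call forms above together: it derives the requested function from the variables aixpert passes, renders the undo.xml entry from AIXPERT_NAME, AIXPERT_DESC and AIXPERT_DESC_CATMSGINFO, and refuses to write an entry outside a set run. The UNDO_XML override and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example for this page: skeleton of an aixpert script that derives the
# requested function from the environment aixpert sets and renders the
# undo.xml entry. Not part of AIX; UNDO_XML is overridable for testing.
UNDO_XML=${UNDO_XML:-/etc/security/aixpert/core/undo.xml}

# Print the requested function: check, check-base, check-detailed, set or undo.
aixpert_mode() {
    if [ "${AIXPERT_CHECK_REPORT:-0}" = 1 ]; then                       # aixpert -c
        if [ "${BASE_REPT:-0}" = 1 ]; then echo check-base              # -c -r
        elif [ "${DETAILED_REPT:-0}" = 1 ]; then echo check-detailed    # -c -R
        else echo check
        fi
    elif [ -n "${AIXPERT_NAME:-}" ]; then
        echo set                    # -l / -f: undo variables were passed
    else
        echo undo                   # -u: no variables, only saved arguments
    fi
}

# Render the undo.xml entry. Name, description and catalog info come from the
# AIXPERT_* variables; command ($1), arguments ($2) and group ($3) are chosen
# by the script. AIXPERT_DESC_CATMSGINFO already carries its leading space.
undo_entry() {
    printf '        <AIXPertEntry name="%s">\n' "${AIXPERT_NAME:-}"
    printf '                <AIXPertRuleType type="Undo"/>\n'
    printf '                <AIXPertDescription%s>Undo action for:  "%s"</AIXPertDescription>\n' \
        "${AIXPERT_DESC_CATMSGINFO:-}" "${AIXPERT_DESC:-}"
    printf '                <AIXPertPrereqList/>\n'
    printf '                <AIXPertCommand>%s</AIXPertCommand>\n' "$1"
    printf '                <AIXPertArgs>%s</AIXPertArgs>\n' "$2"
    printf '                <AIXPertGroup>%s</AIXPertGroup>\n' "$3"
    printf '        </AIXPertEntry>\n'
}

# Append the entry to undo.xml, but only while applying a setting: during a
# check nothing may change, and an undo run must not create a new entry.
record_undo() {
    [ "$(aixpert_mode)" = set ] || return 1
    undo_entry "$1" "$2" "$3" >> "$UNDO_XML"
}
```

An installed script would dispatch on aixpert_mode, run the rule-specific check or change, and call record_undo only after a setting has been applied.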