Under Construction

Process when Applying a Security Level

When applying a security level using “aixpert -l <level>” or “aixpert -f <file>”, the following steps are performed:

Step 1: Check if AIX Security Expert is already running

To prevent multiple parallel runs of AIX Security Expert, it first checks whether an aixpert (or pscxpert) process is already running. If so, it aborts with the following error message:

# aixpert -l low
Another instance of pscxpert or aixpert is already running.

#

Step 2: Check if LiveUpdate is active

AIX Security Expert should not be used while a LiveUpdate operation is running. To rule this out, a check is performed to see if LiveUpdate is currently active. If this is the case, aixpert terminates the run with the following error message:

# aixpert -l low
lvupdate
Live Kernel Update in Progress. Exiting aixpert.

#

The following steps are executed in a loop for each rule.

Step 3: Checking the prerequisites (prereqs)

Most rules have a list of dependencies. In many cases, these dependencies are filesets that must be installed. A simple check is then performed using “lslpp -l <fileset>”. If a prerequisite for a rule is not met, an error message is displayed, and the rule’s security settings are not applied:

# aixpert -f custom/mypolicy.xml

do_action(): rule(hls_minlen): warning.
do_action(): Warning: Prereq failed for bos.rte.ILS

#

However, this has no effect on other rules. These will continue to be processed sequentially.

If the prerequisites of a rule are not met, the PrereqFailedrules counter is increased by one.

Step 4: Applying the rule

If all requirements for a rule/security setting are met, the command specified with AIXPertCommand is launched with the arguments from AIXPertArgs. To execute the command, several shell variables are set that allow the command to access some of the rule information from the XML file. Specifically, these variables are the following:

    • AIXPERT_DESC_CATMSGINFO: contains a string with catalog, setNum and msgNum from AIXPertDescription.
    • AIXPERT_DESC: The description from AIXPertDescription.
    • AIXPERT_NAME: The rule name from AIXPertEntry, extended by an underscore and an 8-digit hexadecimal ID. The generated name is used for the undo functionality.

The command to be executed implements the rule/security setting. The application of each rule, as well as every command executed for it, is logged in /etc/security/aixpert/log/aixpert.log.

Most security settings can be undone. To make this possible, applying a rule also records a corresponding undo rule in the file /etc/security/aixpert/core/undo.xml. In many cases, the undo rule looks similar to the implemented rule, with the difference that the original value is used instead of the new value.

Step 5: Output statistics on the execution of the rules

After all rules have been processed, a short statistic is displayed:

# aixpert -f custom/mypolicy.xml

Processedrules=11        Passedrules=10   PrereqFailedrules=1     Failedrules=0   Level=HLS
        Input file=custom/mypolicy.xml
#

A total of 11 rules were processed (Processedrules), 10 of which were successful (Passedrules). For unsuccessful rules, a distinction is made between whether the rule itself failed (Failedrules) or a prerequisite was not met (PrereqFailedrules).

All failed rules are logged in /etc/security/aixpert/log/FAILEDRULES. All successfully executed rules (passed rules) are logged in /etc/security/aixpert/log/PASSEDRULES.
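As an added example (not aixpert's own code, which is not on this page), the following POSIX shell script models the per-rule loop of steps 3 to 5: the prerequisite check with “lslpp -l <fileset>”, the export of the AIXPERT_NAME and AIXPERT_DESC variables before the rule command runs, and the counters that end up in the statistics line. The rule table, the fallback list of "installed" filesets used on hosts without lslpp, the log path and the way the 8-digit hexadecimal ID is derived are constructed for the example; only the lslpp check, the variable names and the statistics layout come from the text above. It also adds a small stats_ok check that reads such a statistics line, so that a deployment script can stop when PrereqFailedrules or Failedrules is non-zero instead of assuming the level was fully applied.

```shell
#!/bin/sh
# Added example, not aixpert's own code: a model of the per-rule loop
# (steps 3 to 5) that shows how the statistics counters are built.

# Constructed rule table, one rule per line: name|prereq fileset|command|args.
# A real rule would name an aixpert helper as the command; plain shell
# commands stand in here so the script runs on any POSIX sh.
RULES='hls_minlen|bos.rte.security|true|minlen=8
hls_maxage|bos.rte.security|true|maxage=13
hls_ils_demo|bos.rte.ILS|true|demo
hls_broken|bos.rte.security|false|x'

# Constructed "installed filesets" list, used only when lslpp is not on PATH
# (i.e. when the example runs on a non-AIX host).
FAKE_INSTALLED='bos.rte.security bos.rte.commands'

# Demo log path (assumption); the real log is /etc/security/aixpert/log/aixpert.log.
LOGFILE="${AIXPERT_DEMO_LOG:-${TMPDIR:-/tmp}/aixpert-demo.log}"

# Step 3: prerequisite check with `lslpp -l <fileset>` as aixpert does it;
# the constructed list is the fallback for hosts without lslpp.
prereq_met() {
    if command -v lslpp >/dev/null 2>&1; then
        lslpp -l "$1" >/dev/null 2>&1
    else
        case " $FAKE_INSTALLED " in
            *" $1 "*) return 0 ;;
            *)        return 1 ;;
        esac
    fi
}

# Step 4: export the AIXPERT_* variables and run the rule's command.
# The 8-digit hex suffix is derived from the rule name here; how aixpert
# itself generates the ID is not described on the page (assumption).
run_rule() {
    name=$1; cmd=$2; args=$3
    id=$(printf '%s' "$name" | cksum | awk '{printf "%08x", $1}')
    AIXPERT_NAME="${name}_${id}"
    AIXPERT_DESC="constructed description for $name"
    export AIXPERT_NAME AIXPERT_DESC
    printf 'apply %s: %s %s\n' "$AIXPERT_NAME" "$cmd" "$args" >>"$LOGFILE"
    $cmd $args          # unquoted on purpose: args is a word list
}

# Steps 3 to 5: walk the rule table, count the outcomes and print the
# statistics line in the layout aixpert uses. The here-document keeps the
# loop in the current shell so the counters survive (a pipe would not).
apply_rules() {
    level=$1
    processed=0; passed=0; prereqfailed=0; failed=0
    : >"$LOGFILE"
    while IFS='|' read -r name prereq cmd args; do
        [ -n "$name" ] || continue
        processed=$((processed + 1))
        if ! prereq_met "$prereq"; then
            echo "do_action(): rule($name): warning." >&2
            echo "do_action(): Warning: Prereq failed for $prereq" >&2
            prereqfailed=$((prereqfailed + 1))
            continue
        fi
        if run_rule "$name" "$cmd" "$args"; then
            passed=$((passed + 1))
        else
            failed=$((failed + 1))
        fi
    done <<EOF
$RULES
EOF
    printf 'Processedrules=%d\tPassedrules=%d\tPrereqFailedrules=%d\tFailedrules=%d\tLevel=%s\n' \
        "$processed" "$passed" "$prereqfailed" "$failed" "$level"
}

# Consumer of the step 5 output: return non-zero when any rule failed or was
# skipped, so a deployment script does not silently assume the level applied.
stats_ok() {
    for field in $1; do
        case $field in
            PrereqFailedrules=*|Failedrules=*)
                [ "${field#*=}" -eq 0 ] || return 1 ;;
        esac
    done
    return 0
}

# Stand-alone run on the constructed table.
apply_rules "${1:-HLS}"
```

Run it with sh; on a host without lslpp the constructed table yields four processed rules, two passed, one prerequisite failure (bos.rte.ILS is not in the fallback list) and one failed rule, and the demo log shows the generated AIXPERT_NAME for each applied rule. On AIX the prerequisite check uses the real lslpp output. The stats_ok check splits the statistics line on whitespace, so it works whether the fields are separated by tabs or spaces.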