Under Construction

Process when Checking a Security Level

Once a security level has been applied to a system, the associated rules are stored in the file /etc/security/aixpert/core/appliedaixpert.xml. When a system is checked, the rules from this file are processed sequentially. The following steps are performed:

Step 1: Check if AIX Security Expert is already running.

To prevent several AIX Security Expert runs from executing in parallel, the first thing checked is whether an aixpert (or pscxpert) process is already running. If so, the run is aborted with the following error message:

# aixpert -l low
Another instance of pscxpert or aixpert is already running.

#

Step 2: Check if LiveUpdate is active

AIX Security Expert should not be used while a LiveUpdate operation is running. To rule this out, a check is performed to see if LiveUpdate is currently active. If this is the case, aixpert terminates the run with the following error message:

# aixpert -l low
lvupdate
Live Kernel Update in Progress. Exiting aixpert.

#

Step 3: Checking appliedaixpert.xml

A check can only be performed if there are rules to be checked in the /etc/security/aixpert/core/appliedaixpert.xml file. If the file does not exist, the following error message is displayed:

# aixpert -c
File /etc/security/aixpert/core/appliedaixpert.xml does not exist
#

If the file exists but does not contain any rules to be checked, an error message is also displayed:

# aixpert -c
There are no security rules are applied in file /etc/security/aixpert/core/appliedaixpert.xml
#

The following steps are executed in a loop for each rule.

Step 4: Checking the rule

To verify that a rule is in effect, the command stored in the rule (AIXPertCommand) is executed with the arguments stored alongside it (AIXPertArgs). Two environment variables are set for the command:

    • AIXPERT_CHECK_REPORT: set to the value 1. This is how the command can tell whether the rule is to be applied or only checked.
    • TMPREPT: path under which the command temporarily stores the report it generates.

Every rule command is expected to evaluate AIXPERT_CHECK_REPORT: if the variable is set to “1”, the command only checks the setting and makes no changes.

If a rule (security setting) is not satisfied, the rule in question is recorded in the log file /etc/security/aixpert/log/FAILEDRULES.log:

# cat /etc/security/aixpert/log/FAILEDRULES.log
do_action(): rule(hls_minlen_A8EED4FB) : failed.
#

Note: prerequisite rules (Prereq rules) are not executed during a check.
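The following is an added example (not IBM's or this page's code) of what a rule command that honours the check contract has to look like: a hypothetical AIXPertCommand for a "minimum password length" rule whose AIXPertArgs are a stanza file and the required minlen. The stanza file is a constructed stand-in for /etc/security/user so the script runs anywhere; on a real AIX system the apply branch would use chsec instead of rewriting the file with awk. When aixpert sets AIXPERT_CHECK_REPORT=1 the script only reports (to TMPREPT, if set) and returns 1 on a failed check; without that variable it applies the setting.

```sh
#!/bin/sh
# Hypothetical rule command (the AIXPertCommand of one rule) that honours the
# variables aixpert sets. Added example, not IBM's or the page's code.
# Assumed AIXPertArgs: <stanza file> <required minlen>. The stanza file stands
# in for /etc/security/user; on a real system apply mode would call chsec.

# Constructed sample of the default stanza (not a real /etc/security/user)
make_sample_user_file() {
    cat > "$1" <<'EOF'
default:
        admin = false
        login = true
        minlen = 6
        maxage = 0

root:
        admin = true
EOF
}

# Print the minlen value from the "default:" stanza (empty if absent)
current_minlen() {
    awk '/^default:/ { s = 1; next }
         /^[^ \t]/   { s = 0 }
         s && $1 == "minlen" { print $3; exit }' "$1"
}

# Rewrite minlen in the default stanza (apply mode only)
set_minlen() {
    awk -v req="$2" '/^default:/ { s = 1; print; next }
                     /^[^ \t]/   { s = 0 }
                     s && $1 == "minlen" { print "        minlen = " req; next }
                     { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Rule body. Returns 0 when the rule is satisfied (or was applied), 1 when a
# check fails. aixpert records a non-zero return as a failed rule.
minlen_rule() {
    userfile=$1
    required=$2
    cur=$(current_minlen "$userfile")
    [ -n "$cur" ] || cur=0
    report=${TMPREPT:-/dev/null}          # aixpert supplies TMPREPT

    if [ "${AIXPERT_CHECK_REPORT:-0}" = "1" ]; then
        # Check mode: report the state, never modify anything.
        if [ "$cur" -ge "$required" ]; then
            echo "minlen: $cur >= $required : passed" >> "$report"
            return 0
        fi
        echo "minlen: $cur < $required : failed" >> "$report"
        return 1
    fi

    # Apply mode: enforce the setting if it is too weak.
    if [ "$cur" -lt "$required" ]; then
        set_minlen "$userfile" "$required"
    fi
    return 0
}

# Stand-alone demonstration: check (fails), apply, check again (passes).
demo() {
    f=${TMPDIR:-/tmp}/aixpert_demo_user.$$
    make_sample_user_file "$f"
    TMPREPT=${TMPDIR:-/tmp}/aixpert_demo_report.$$; export TMPREPT
    : > "$TMPREPT"
    AIXPERT_CHECK_REPORT=1; export AIXPERT_CHECK_REPORT
    minlen_rule "$f" 8 || echo "check failed, minlen still $(current_minlen "$f")"
    unset AIXPERT_CHECK_REPORT
    minlen_rule "$f" 8 && echo "applied, minlen now $(current_minlen "$f")"
    AIXPERT_CHECK_REPORT=1; export AIXPERT_CHECK_REPORT
    minlen_rule "$f" 8 && echo "re-check passed"
    cat "$TMPREPT"
    rm -f "$f" "$TMPREPT"
    unset AIXPERT_CHECK_REPORT TMPREPT
}
demo
```

The important property is the one the check relies on: with AIXPERT_CHECK_REPORT=1 the file is never touched, so a failed check leaves the system exactly as it was and only the return code (plus the note in TMPREPT) tells aixpert to log the rule as failed.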

Step 5: Output statistics on the execution of the rules

After all rules have been processed, a short statistic is displayed:

# aixpert -c

Processedrules=10        Passedrules=9   Failedrules=1   Level=HLS
        Input file= /etc/security/aixpert/core/appliedaixpert.xml
#

A total of 10 rules were checked (Processedrules), of which 9 were fulfilled (Passedrules) and one was not fulfilled (Failedrules).

All failed rules are recorded in /etc/security/aixpert/log/FAILEDRULES.log.

The statistics are also appended automatically, together with a timestamp, to the file /etc/security/aixpert/check_report.txt, so they can be reviewed at any later time.
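As an added example (not part of the original page), the following script turns the check output into something a cron job or monitoring agent can act on: it reads the most recent statistics line from check_report.txt, reports how many rules failed, lists the rule names from FAILEDRULES.log and exits non-zero when anything failed. The exact layout of check_report.txt is not shown above, so the sample is constructed on the assumption that each run appends a timestamp line followed by the two statistics lines; it also assumes FAILEDRULES.log reflects the latest run only.

```sh
#!/bin/sh
# Added example: consume the output of aixpert -c for monitoring.
# Assumptions (not from the page): check_report.txt holds one timestamp line
# followed by the two statistics lines per run; FAILEDRULES.log lists only
# the rules of the latest run. Both sample files below are constructed.

make_sample_report() {
    cat > "$1" <<'EOF'
Mon Mar  3 10:15:02 2025
Processedrules=10        Passedrules=10  Failedrules=0   Level=HLS
        Input file= /etc/security/aixpert/core/appliedaixpert.xml
Tue Mar  4 10:15:01 2025
Processedrules=10        Passedrules=9   Failedrules=1   Level=HLS
        Input file= /etc/security/aixpert/core/appliedaixpert.xml
EOF
}

make_sample_failedrules_log() {
    cat > "$1" <<'EOF'
do_action(): rule(hls_minlen_A8EED4FB) : failed.
EOF
}

# Value of one key (Processedrules, Passedrules, Failedrules, Level) from the
# most recent statistics line in the report file.
latest_stat() {
    grep '^Processedrules=' "$1" | tail -n 1 | tr -s ' \t' '\n' | sed -n "s/^$2=//p"
}

# Rule names extracted from the do_action(): rule(NAME) : failed. lines
failed_rule_names() {
    sed -n 's/^do_action(): rule(\([^)]*\)) : failed\.$/\1/p' "$1"
}

# Summarise the last run. Exit status: 0 all passed, 1 failures, 2 no data.
check_summary() {
    reportfile=$1
    logfile=$2
    failed=$(latest_stat "$reportfile" Failedrules)
    processed=$(latest_stat "$reportfile" Processedrules)
    level=$(latest_stat "$reportfile" Level)
    if [ -z "$failed" ]; then
        echo "no aixpert check statistics found in $reportfile"
        return 2
    fi
    echo "aixpert level $level: $failed of $processed rules failed"
    if [ "$failed" -gt 0 ]; then
        failed_rule_names "$logfile" | sed 's/^/  failed rule: /'
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed files
demo() {
    r=${TMPDIR:-/tmp}/aixpert_demo_report.$$
    l=${TMPDIR:-/tmp}/aixpert_demo_failed.$$
    make_sample_report "$r"
    make_sample_failedrules_log "$l"
    check_summary "$r" "$l"
    echo "exit status: $?"
    rm -f "$r" "$l"
}
demo
```

On a real system the two arguments would be /etc/security/aixpert/check_report.txt and /etc/security/aixpert/log/FAILEDRULES.log, run after aixpert -c; because only the last Processedrules= line is read, the growing report file does not change the result.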