Under Construction
XML Files with Security Policies
Security policies are defined in AIX Security Expert using XML files. The security levels supported by AIX Security Expert (low, medium, high, etc.) are defined in the /etc/security/aixpert/core/aixpertall.xml file contained in the bos.aixpert.cmds fileset. Any additional security policies can be defined by the administrator. The associated XML files must conform to the IBM DTD (Document Type Definition) for AIX Security Expert. The DTD can be displayed using the aixpert command and the “-d” option:
# aixpert -d
<?xml version='1.0'?>
<!ELEMENT AIXPertSecurityHardening (AIXPertEntry+)>
<!ELEMENT AIXPertEntry (AIXPertRuleType,
AIXPertDescription, AIXPertPrereqList, AIXPertCommand,
AIXPertArgs,AIXPertGroup)
>
<!ATTLIST AIXPertEntry
name ID #REQUIRED
function CDATA ""
>
<!ELEMENT AIXPertRuleType EMPTY>
<!ATTLIST AIXPertRuleType
type CDATA #REQUIRED
>
<!ELEMENT AIXPertDescription (#PCDATA)>
<!ATTLIST AIXPertDescription
catalog CDATA ""
setNum CDATA ""
msgNum CDATA ""
>
<!ELEMENT AIXPertPrereqList (#PCDATA)>
<!ELEMENT AIXPertCommand (#PCDATA)>
<!ELEMENT AIXPertArgs (#PCDATA)*>
<!ELEMENT AIXPertGroup (#PCDATA)*>
#
A security policy XML file consists of the AIXPertSecurityHardening element, which can contain any number of AIXPertEntry elements. An AIXPertEntry consists of the AIXPertRuleType, AIXPertDescription, AIXPertPrereqList, AIXPertCommand, AIXPertArgs, and AIXPertGroup elements. The following shows such an entry from the aixpertall.xml file:
<AIXPertEntry name="hls_minage" function="minage">
<AIXPertRuleType type="HLS"/>
<AIXPertDescription catalog="aixpert.cat" setNum="101" msgNum="15">
Minimum age for password: Specifies the minimum number of weeks to 1 week, before a password can be changed.
</AIXPertDescription>
<AIXPertPrereqList>
bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS
</AIXPertPrereqList>
<AIXPertCommand>
/etc/security/aixpert/bin/chusrattr
</AIXPertCommand>
<AIXPertArgs>
minage=1 ALL hls_minage
</AIXPertArgs>
<AIXPertGroup>
Password policy rules
</AIXPertGroup>
</AIXPertEntry>
Note: In the output above, the formatting has been slightly changed for better readability, but this does not change the content.
Each entry/rule (AIXPertEntry) has a unique name, here hls_minage, and a function name, here minage. First, the type (AIXPertRuleType) of the rule is specified. The values DLS (default level security), HLS (high level security), LLS (low level security), MLS (medium level security), SCBPS (SOX-COBIT), and Prereq (for prerequisites) are predefined by IBM. The type of a rule specifies the security level to which the rule belongs; in your own definitions you can use your own name for the type. Next comes the description of the rule (AIXPertDescription). The attributes catalog, setNum, and msgNum refer to a message catalog and allow descriptions in different languages; the text content of the element is the default description in English, which states the purpose of the rule.
A rule can have dependencies, for example, on other rules or on installed filesets. These dependencies can be specified using the AIXPertPrereqList element. Multiple dependencies can be specified here, separated by commas.
The rule is ultimately implemented via a command (in most cases a shell script). The AIXPertCommand element specifies the command that implements the rule, including its absolute path. The commands/scripts supplied by IBM can be found under /etc/security/aixpert/bin. In many cases the command requires arguments, as in the example above. If arguments are required, they are specified via the AIXPertArgs element. If no arguments are required, the element simply remains empty (“<AIXPertArgs/>”).
Finally, the rules can be divided into different groups. A group typically contains rules that relate to the same area. In the example above, this is the “Password policy rules” group, which includes several other rules, such as hls_maxage, hls_maxexpired, hls_minlen, and others.
To define your own security rules in your own XML file, it is recommended either to use an XML editor or to copy existing rules into a text editor and modify them accordingly.
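Because a custom rule file is only useful if it conforms to the DTD above, it is worth checking a hand-edited file before handing it to aixpert. The following Python script is an added example written for this page; it is not part of AIX Security Expert and does not replace the validation aixpert itself performs. It parses a policy file with the standard library and checks the constraints that the DTD expresses (root element, at least one entry, the six child elements in the required order, name as a unique ID, a type attribute on the empty AIXPertRuleType element) plus one convention from the text: AIXPertCommand must be an absolute path. The first sample policy is the hls_minage entry shown above; the second is a constructed file with deliberate mistakes. The entry names custom_rule and order_check, the group "Custom rules" and the paths under /usr/local/bin are invented for the example.

```python
"""Lint a custom AIX Security Expert policy file against the constraints of the
DTD printed by `aixpert -d`. Example code for this page, not IBM's own tooling."""
import re
import xml.etree.ElementTree as ET

# Child elements of AIXPertEntry in the order the DTD requires.
ENTRY_CHILDREN = ["AIXPertRuleType", "AIXPertDescription", "AIXPertPrereqList",
                  "AIXPertCommand", "AIXPertArgs", "AIXPertGroup"]
# Simplified XML Name syntax: the DTD declares `name` as an ID attribute.
ID_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def _text(entry, tag):
    """Text content of a child element, stripped of surrounding whitespace."""
    return (entry.findtext(tag) or "").strip()


def lint_policy(xml_text):
    """Return a list of problems found; an empty list means the file passes."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "AIXPertSecurityHardening":
        return ["root element must be AIXPertSecurityHardening, got %s" % root.tag]
    entries = list(root)
    if not entries:
        problems.append("AIXPertSecurityHardening needs at least one AIXPertEntry")
    seen = set()
    for idx, entry in enumerate(entries):
        where = "entry %d" % idx
        if entry.tag != "AIXPertEntry":
            problems.append("%s: unexpected element %s" % (where, entry.tag))
            continue
        name = entry.get("name")
        if name is None:
            problems.append("%s: AIXPertEntry requires a name attribute" % where)
        else:
            where = "entry %r" % name
            if not ID_RE.match(name):
                problems.append("%s: name is not a valid XML ID" % where)
            if name in seen:
                problems.append("%s: duplicate name (name is an ID and must be unique)" % where)
            seen.add(name)
        tags = [child.tag for child in entry]
        if tags != ENTRY_CHILDREN:
            problems.append("%s: children must be %s in that order, got %s"
                            % (where, ENTRY_CHILDREN, tags))
            continue  # later checks assume the DTD structure
        rule_type = entry.find("AIXPertRuleType")
        if rule_type.get("type") is None:
            problems.append("%s: AIXPertRuleType requires a type attribute" % where)
        if len(rule_type) or (rule_type.text or "").strip():
            problems.append("%s: AIXPertRuleType must be EMPTY" % where)
        command = _text(entry, "AIXPertCommand")
        if not command.startswith("/"):
            problems.append("%s: AIXPertCommand should be an absolute path, got %r" % (where, command))
    return problems


def parse_entries(xml_text):
    """Return the rules as plain dicts, with the prerequisite list split on commas."""
    rules = []
    for entry in ET.fromstring(xml_text).iter("AIXPertEntry"):
        rule_type = entry.find("AIXPertRuleType")
        rules.append({
            "name": entry.get("name"), "function": entry.get("function", ""),
            "type": rule_type.get("type") if rule_type is not None else None,
            "description": _text(entry, "AIXPertDescription"),
            "prereqs": [p for p in _text(entry, "AIXPertPrereqList").split(",") if p],
            "command": _text(entry, "AIXPertCommand"), "args": _text(entry, "AIXPertArgs"),
            "group": _text(entry, "AIXPertGroup")})
    return rules


# Sample 1: the hls_minage entry shown on this page, wrapped in the root element.
GOOD_POLICY = """<?xml version='1.0'?>
<AIXPertSecurityHardening>
<AIXPertEntry name="hls_minage" function="minage">
<AIXPertRuleType type="HLS"/>
<AIXPertDescription catalog="aixpert.cat" setNum="101" msgNum="15">
Minimum age for password: Specifies the minimum number of weeks to 1 week, before a password can be changed.
</AIXPertDescription>
<AIXPertPrereqList>
bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS
</AIXPertPrereqList>
<AIXPertCommand>
/etc/security/aixpert/bin/chusrattr
</AIXPertCommand>
<AIXPertArgs>
minage=1 ALL hls_minage
</AIXPertArgs>
<AIXPertGroup>
Password policy rules
</AIXPertGroup>
</AIXPertEntry>
</AIXPertSecurityHardening>
"""

# Sample 2: constructed file with a relative command, a duplicate name,
# a missing type attribute and children out of DTD order (4 problems).
BAD_POLICY = """<AIXPertSecurityHardening>
<AIXPertEntry name="custom_rule" function="myrule">
<AIXPertRuleType type="CUSTOM"/>
<AIXPertDescription>Relative command path</AIXPertDescription>
<AIXPertPrereqList>bos.rte.shell</AIXPertPrereqList>
<AIXPertCommand>scripts/myrule</AIXPertCommand>
<AIXPertArgs/>
<AIXPertGroup>Custom rules</AIXPertGroup>
</AIXPertEntry>
<AIXPertEntry name="custom_rule" function="myrule2">
<AIXPertRuleType/>
<AIXPertDescription>Duplicate name, missing type</AIXPertDescription>
<AIXPertPrereqList></AIXPertPrereqList>
<AIXPertCommand>/usr/local/bin/myrule2</AIXPertCommand>
<AIXPertArgs/>
<AIXPertGroup>Custom rules</AIXPertGroup>
</AIXPertEntry>
<AIXPertEntry name="order_check" function="myrule3">
<AIXPertRuleType type="CUSTOM"/>
<AIXPertDescription>Children out of DTD order</AIXPertDescription>
<AIXPertPrereqList></AIXPertPrereqList>
<AIXPertArgs/>
<AIXPertCommand>/usr/local/bin/myrule3</AIXPertCommand>
<AIXPertGroup>Custom rules</AIXPertGroup>
</AIXPertEntry>
</AIXPertSecurityHardening>
"""

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, lint_policy(policy) or "OK")
```

Run against a real file with `lint_policy(open(path).read())` before using the file with aixpert; the checks deliberately stop at the DTD and the absolute-path convention, so a file that passes may still reference a command or fileset that does not exist on the target system.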