Under Construction
Applying a Security Level
Before applying one of the predefined security levels to a system, it should be thoroughly tested on a test system. Otherwise, especially with higher security levels, it’s easy to inadvertently restrict access to the system or, in the worst case, lose all access options.
All security settings for all predefined security levels are documented on the AIX Security Expert – IBM Documentation. It’s definitely worth checking out beforehand!
To demonstrate that applying a security level actually changes security settings on a system, let’s display the default value of the user attribute histsize:
# lssec -f /etc/security/user -s default -a histsize
default histsize=1
#
Currently, only the last used password may not be used again.
Before we apply the low security level (LLS) below, let’s take a quick look at some subdirectories of /etc/security/aixpert:
/etc/security/aixpert # find core log undo -type f -ls
1762 245 -r-x------ 1 root system 249969 Oct 6 10:32 core/aixpertall.xml
/etc/security/aixpert #
A predefined security level can be applied using the aixpert command and the “-l” (level) option:
# aixpert -l low
do_action(): rule(lls_tcbupdate): warning.
do_action(): Warning: Prereq failed for prereqtcb
do_action(): rule(lls_loginherald): warning.
do_action(): Warning: Prereq failed for prereqlh
do_action(): rule(lls_ISSServerSensorFull): warning.
do_action(): Warning: Prereq failed for prereqRSSSFull
do_action(): rule(lls_ISSServerSensorLite): warning.
do_action(): Warning: Prereq failed for prereqRSSSLite
Processedrules=50 Passedrules=44 PrereqFailedrules=4 Failedrules=2 Level=LLS
Input file=/etc/security/aixpert/core/aixpertall.xml
#
For the specified security level low (LLS), 50 rules were processed, of which 44 were successfully processed. Of the 6 failed rules, 4 were prerequisite rules.
Note: We will discuss failed rules and prereq rules in more detail later.
Now that a security level has been applied, we check the value of the histsize attribute again:
# lssec -f /etc/security/user -s default -a histsize
default histsize=4
#
The value was changed from 1 to 4, according to the corresponding rule (lls_histsize) of the security level low.
Let’s check the subdirectories of /etc/security/aixpert mentioned above:
/etc/security/aixpert # find core log undo -type f -ls
1762 245 -r-x------ 1 root system 249969 Oct 6 10:32 core/aixpertall.xml
1761 34 -rw------- 1 root system 34183 Dec 10 11:59 core/appliedaixpert.xml
4746 21 -rw------- 1 root system 20541 Dec 10 11:59 core/undo.xml
4130 1 -rw------- 1 root system 377 Dec 10 11:59 log/FAILEDRULES.log
4160 3 -rw------- 1 root system 2097 Dec 10 11:59 log/PASSESRULES.log
4161 462 -rw------- 1 root system 472373 Dec 10 11:59 log/aixpert.log
4555 2 -rwx--x--- 1 root system 1803 Dec 10 11:59 undo/Undolls_crontabperm
4663 1 -rwx--x--- 1 root system 286 Dec 10 11:59 undo/Undolls_filepermgr1670669942
4750 1 -rwx--x--- 1 root system 299 Dec 10 11:59 undo/Undolls_rmdotfrmpathroot1670669944
4670 1 -rwx--x--- 1 root system 220 Dec 10 11:59 undo/Undolls_rmetchostsequiv1670669942
4662 1 -rwx--x--- 1 root system 316 Dec 10 11:53 undo/Undolls_rmsuidfrmrcmds1670669581
4749 1 -rwx------ 1 root system 988 Dec 10 11:59 undo/data/rmdotfrmpathroot_.kshrc.1670669944
4667 1 -rwx------ 1 root system 907 Dec 10 11:59 undo/data/rmdotfrmpathroot_.profile.1670669944
4541 2 -rw------- 1 root system 2048 Dec 10 11:59 undo/data/rmetchostsequiv_hosts.equiv.1670669942
/etc/security/aixpert#
The two files appliedaixpert.xml and undo.xml were created in the core subdirectory. The appliedaixpert.xml file contains all security settings (rules) from aixpertall.xml that belong to the low security level. The file specifies which rules have been applied to the system and serves as a reference (target state) for later audits.
When applying rules, the initial state before the security setting was changed, is saved whenever possible. This makes it easy to restore changed security settings to their original state later, if necessary. To do this, the corresponding rules are entered in the undo.xml file. To restore the original state, use “aixpert -u” (undo).
The log subdirectory stores information about aixpert‘s operation. Rules that resulted in an error during the application are logged in log/FAILEDRULES.log:
/etc/security/aixpert # cat log/FAILEDRULES.log
do_action(): rule(prereqtcb) :Warning: Prereq failed for prereqtcb.
do_action(): rule(lls_binaudit) : failed.
do_action(): rule(lls_crontabperm) : failed.
do_action(): rule(prereqlh) :Warning: Prereq failed for prereqlh.
do_action(): rule(prereqRSSSFull) :Warning: Prereq failed for prereqRSSSFull.
do_action(): rule(prereqRSSSLite) :Warning: Prereq failed for prereqRSSSLite.
/etc/security/aixpert #
For example, the prereqtcb rule failed because TCB is not configured on the system.
Rules that were successfully executed are recorded in log/PASSESRULES.log:
/etc/security/aixpert # cat log/PASSESRULES.log
process_entry():: rule(lls_maxage):PASSED.
process_entry():: rule(lls_maxexpired):PASSED.
process_entry():: rule(lls_minlen):PASSED.
process_entry():: rule(lls_minalpha):PASSED.
…
/etc/security/aixpert #
The log/aixpert.log contains a recording of the scripts executed by the rules (debug output of the scripts):
/etc/security/aixpert # cat log/aixpert.log
+ date
Sat Dec 10 11:52:50 CET 2022
+ echo /etc/security/aixpert/bin/chusrattr maxage=13 ALL lls_maxage AIXPERT_CHECK_REPORT= BASE_REPT= DETAILED_REPT=
/etc/security/aixpert/bin/chusrattr maxage=13 ALL lls_maxage AIXPERT_CHECK_REPORT= BASE_REPT= DETAILED_REPT=
+ [ 3 -lt 2 ]
+ [ 3 -gt 3 ]
+ [ ALL != ALL ]
+ undo=0
+ retc=0
+ + echo
report=
+ + echo
BrType=
+ + echo
DrType=
+ + echo maxage=13
+ awk -F = {print $1; if(NF != 2) exit 1}
usrattr=maxage
+ [ 0 -ne 0 ]
+ [ maxage = ]
+ + echo maxage=13
+ awk -F = {print $2}
value=13
+ [ 3 -eq 3 ]
+ cat /etc/passwd
+ grep -v ^\+
+ awk -F : { print $1 }
+ read username
+ /bin/lslpp -h ios.cli.rte
+ 2> /dev/null + [ 1 -eq 0 ]
…
/etc/security/aixpert #
However, this is usually only of interest when troubleshooting.
The undo subdirectory contains automatically generated scripts and data required to restore the initial state. These are called via corresponding entries in the XML file core/undo.xml.