Prereq Requirements are not met
Most security rules have prerequisites that must be met before a security setting can be applied. There are two types of prerequisites: filesets that must be installed, and prereq scripts that must execute successfully. If at least one of the prerequisites for a security rule is not met, the security rule is not applied to the system. Such a rule is also not stored in /etc/security/aixpert/core/appliedaixpert.xml, and therefore, when the system is later checked against the applied security rules, this security rule is not checked!
If a necessary fileset for a security rule is not installed, a message is displayed:
/etc/security/aixpert # aixpert -f custom/failed.xml
do_action(): rule(hls_minlen): warning.
do_action(): Warning: Prereq failed for does.not.exist
Processedrules=1 Passedrules=0 PrereqFailedrules=1 Failedrules=0 Level=HLS
Input file=custom/minlen.xml
/etc/security/aixpert #
In the security profile custom/failed.xml, the fileset does.not.exist was specified as a dependency, which, of course, is not installed. The message is very clear. Since the prerequisite is not met, the rule is not applied and is not included in /etc/security/aixpert/core/appliedaixpert.xml.
If a security setting is not applied when applying a security profile due to an unsuccessful prereq script, it is important to investigate why the prereq script failed. The following errors occurred when applying the low security level:
/etc/security/aixpert # cat log/FAILEDRULES.log
do_action(): rule(prereqtcb) :Warning: Prereq failed for prereqtcb.
do_action(): rule(lls_binaudit) : failed.
do_action(): rule(lls_crontabperm) : failed.
do_action(): rule(prereqlh) :Warning: Prereq failed for prereqlh.
do_action(): rule(prereqRSSSFull) :Warning: Prereq failed for prereqRSSSFull.
do_action(): rule(prereqRSSSLite) :Warning: Prereq failed for prereqRSSSLite.
/etc/security/aixpert #
The first unsuccessful prereq script is prereqtcb. This script checks whether TCB (Trusted Computing Base) is enabled on a system:
# ODMDIR=/usr/lib/objrepos odmget -q attribute=TCB_STATE PdAt
PdAt:
uniquetype = ""
attribute = "TCB_STATE"
deflt = "tcb_disabled"
values = ""
width = ""
type = ""
generic = ""
rep = ""
nls_index = 0
#
TCB is not enabled on our system. Security settings based on TCB make no sense in this case and are therefore not applied or included in /etc/security/aixpert/core/appliedaixpert.xml. This is consistent with the current system configuration.
The second unsuccessful prereq script is prereqlh. This checks whether a login herald is configured:
# lssec -f /etc/security/login.cfg -s default -a herald
default herald="Welcome to aix01\!\n\rlogin:"
#
This prereq script is a prerequisite for the security rule lls_loginherald, which configures the following text as the login message:
Unauthorized use of this system is prohibited.\n\rlogin:
If a login herald has already been configured, you must decide whether to keep it or whether the lls_loginherald security rule should replace it. If you want to keep the configured herald, you don’t need the lls_loginherald security rule; since the rule is not applied because its prerequisite is not met, the configured herald remains. However, no further verification will be performed. If the login herald is later removed manually, this may go unnoticed because AIX Security Expert does not verify the login herald in this case.
In our case, the message isn’t good; it invites you to log in and also reveals the hostname. We therefore decide that the lls_loginherald security rule is appropriate and desirable in our situation. To apply the rule, we delete the current message:
# chsec -f /etc/security/login.cfg -s default -a herald=
#
If the low security level is applied again, the prereq script will succeed and the dependent rule lls_loginherald will be applied accordingly.
For unsuccessful prereq scripts, it should be checked on a case-by-case basis whether the dependent security rules are desired or not. If dependent security rules are desired, the system configuration must be modified so that the corresponding prereq script is successful. In the example above, the existing login herald was deleted.
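To build the list for this case-by-case review, the failure messages can be reduced to the distinct prerequisites and rules they name. The following shell script is an added example, not part of AIX Security Expert or of the original page; the function names classify_failures and sample_log are assumptions, and the sample input is constructed from the two message formats shown above.

```shell
#!/bin/sh
# Added example: reduce aixpert failure messages to a de-duplicated review list.

# Constructed sample input using the two message formats shown on this page.
sample_log() {
cat <<'EOF'
do_action(): rule(prereqtcb) :Warning: Prereq failed for prereqtcb.
do_action(): rule(lls_binaudit) : failed.
do_action(): rule(lls_crontabperm) : failed.
do_action(): rule(prereqlh) :Warning: Prereq failed for prereqlh.
do_action(): Warning: Prereq failed for does.not.exist
do_action(): rule(prereqlh) :Warning: Prereq failed for prereqlh.
EOF
}

# Reads log lines on stdin. Prints "PREREQ <name>" for every distinct failed
# prerequisite (script or fileset) and "FAILED <rule>" for every distinct rule
# whose command failed, in order of first appearance.
classify_failures() {
  awk '
    /Prereq failed for / {
      name = $0
      sub(/.*Prereq failed for /, "", name)
      sub(/[ \t\r]+$/, "", name)   # trailing whitespace or CR
      sub(/\.$/, "", name)         # sentence period; dots inside fileset names stay
      if (!(("P" name) in seen)) { seen["P" name] = 1; print "PREREQ " name }
      next
    }
    /rule\([^)]*\)[ \t]*:[ \t]*failed/ {
      rule = $0
      sub(/.*rule\(/, "", rule)
      sub(/\).*/, "", rule)
      if (!(("F" rule) in seen)) { seen["F" rule] = 1; print "FAILED " rule }
    }
  '
}

# With a readable log file as argument, classify it; otherwise use the sample.
if [ -r "${1:-}" ]; then
  classify_failures < "$1"
else
  sample_log | classify_failures
fi
```

On an AIX system the log shown above, /etc/security/aixpert/log/FAILEDRULES.log, can be passed as the argument. Each PREREQ entry stands for dependent rules that were skipped and are therefore absent from appliedaixpert.xml.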