The AIX Security Expert can compare a system’s security settings against any XML security profile at any time. This does not make any changes to the system; instead, it simply performs a check of the security settings. The security profile to be used for the check must be specified using the “-P” option. This can be done using either the supplied /etc/security/aixpert/core/aixpertall.xml file or any custom XML file (provided it contains security rules in the correct format).

We have copied three rules from /etc/security/aixpert/core/aixpertall.xml into a separate XML file /etc/security/aixpert/custom/myprofile.xml and demonstrate here how to check the system against these three rules:

/etc/security/aixpert # aixpert -c -P custom/myprofile.xml
Processedrules=3        Passedrules=3   Failedrules=0   Level=HLS
        Input file=custom/myprofile.xml
/etc/security/aixpert # 

Three rules were checked (Processedrules=3), and the check was successful in all three cases (Passedrules=3). Therefore, the system currently complies with the security settings of the specified XML security profile.

If you want to monitor which rule is currently being processed while aixpert is running and whether it was successful or not, it is recommended to use the “-p” option:

/etc/security/aixpert # aixpert -c -P custom/myprofile.xml -p
Processing hls_minage :done.
Processing hls_minlen :done.
Processing hls_minalpha :done.
Processedrules=3        Passedrules=3   Failedrules=0   Level=HLS
        Input file=custom/myprofile.xml
/etc/security/aixpert # 

For each rule that is processed, the rule name (here: hls_minage, hls_minlen and hls_minalpha) is output, as well as whether the rule was successfully checked (done) or not (failed).

If you want to check a system against the currently applied security settings (see Checking the current Security Settings of a System), you do not need to specify the “-P” option or the profile. A comparison will then be performed against /etc/security/aixpert/core/appliedaixpert.xml.