Under Construction

Checking the current Security Settings of a System

After a security level is applied to a system, the system conforms to the settings specified by the security level. However, over time, changes typically occur on a system, such as:

    • The operating system is updated to a newer version.
    • Settings are reconfigured.
    • Configuration data is restored from a backup.
    • Installed software changes security settings.

It is therefore likely that after some time some of the security settings no longer correspond to the configured security level, which makes the system less secure. To avoid this, the current security settings should be checked regularly and compared against the applied security level. The “-c” (check) option of the aixpert command serves this purpose. An example run immediately after applying the low security level shows the following output:

# aixpert -c
Processedrules=45       Passedrules=45  Failedrules=0   Level=LLS
        Input file=/etc/security/aixpert/core/appliedaixpert.xml
#

All 45 rules of the applied low security level (LLS) have been successfully checked. The system thus meets the requirements of the low security level.

To show that a check detects and displays deviations, we make the following two changes:

    • We set maxage to 20 for user user01 (the low security level sets a default of 13).
    • We set the default value for histsize to 1 (the low security level specifies 4).

# chuser maxage=20 user01
# chsec -f /etc/security/user -s default -a histsize=1
#

Now we start the check again:

# aixpert -c
Processedrules=45       Passedrules=43  Failedrules=2   Level=LLS
        Input file=/etc/security/aixpert/core/appliedaixpert.xml
#

As expected, two rules have now failed (Failedrules=2). Which rules failed can be found in the log file log/FAILEDRULES.log under /etc/security/aixpert:

/etc/security/aixpert # cat log/FAILEDRULES.log
do_action(): rule(lls_maxage_7B65452F) : failed.
do_action(): rule(lls_histsize_7B65452F) : failed.
/etc/security/aixpert #

As the names of the failed rules suggest, these are the rules for maxage and histsize.

But why did the rules fail, and for which user(s)? The file /etc/security/aixpert/check_report.txt provides the answer. It records every run of aixpert; if a rule fails, a message with the exact reason is recorded for that rule:

/etc/security/aixpert # cat /etc/security/aixpert/check_report.txt

***** aix01 : Nov 19 11:33:36 ******

chusrattr.sh: User attribute maxage, for user01 should have value 13, but it is 20 now
chusrattr.sh: User attribute histsize, for default should have value 4, but it is 1 now

Processedrules=45       Passedrules=43  Failedrules=2   Level=LLS
        Input file=/etc/security/aixpert/core/appliedaixpert.xml

/etc/security/aixpert #

The messages are unambiguous: user01 has maxage set to 20 where 13 is required, and the default for histsize is currently 1 where 4 is required.
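A POSIX shell script, added here as an example (it is neither part of the original article nor of aixpert), that parses the summary line of aixpert -c and the check_report.txt entries shown above so that a scheduled job can report drift from the applied level and exit non-zero. The sample summary and report are constructed from the runs above; running it with --live against a real system assumes root on AIX.

```shell
# Added example, not from the article: parse the `aixpert -c` summary line and
# check_report.txt so a cron job can report which attributes drifted from the
# applied level. The samples below are constructed from the article's output.

SAMPLE_SUMMARY='Processedrules=45       Passedrules=43  Failedrules=2   Level=LLS
        Input file=/etc/security/aixpert/core/appliedaixpert.xml'

SAMPLE_REPORT='***** aix01 : Nov 19 11:33:36 ******

chusrattr.sh: User attribute maxage, for user01 should have value 13, but it is 20 now
chusrattr.sh: User attribute histsize, for default should have value 4, but it is 1 now

Processedrules=45       Passedrules=43  Failedrules=2   Level=LLS'

# failed_count SUMMARY -> the Failedrules value (0 if the field is missing)
failed_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*Failedrules=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# applied_level SUMMARY -> the Level value, e.g. LLS for the low level
applied_level() {
    printf '%s\n' "$1" | sed -n 's/.*Level=\([A-Za-z]*\).*/\1/p' | head -n 1
}

# last_run REPORT -> only the block of the most recent run (the file keeps every run)
last_run() {
    printf '%s\n' "$1" | awk '/^\*\*\*\*\*/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }'
}

# deviations REPORT -> one line per failed attribute: "<attr> <stanza> expected=<v> actual=<v>"
deviations() {
    printf '%s\n' "$1" | sed -n \
      's/^[^:]*: User attribute \([^,]*\), for \([^ ]*\) should have value \([^,]*\), but it is \(.*\) now$/\1 \2 expected=\3 actual=\4/p'
}

# report SUMMARY REPORT -> print level, failure count and deviations; status 1 if rules failed
report() {
    printf 'Level %s: %s failed rule(s)\n' "$(applied_level "$1")" "$(failed_count "$1")"
    deviations "$(last_run "$2")"
    [ "$(failed_count "$1")" -eq 0 ]
}

# With --live, run the real check (ASSUMPTION: root on AIX); otherwise use the samples.
if [ "${1:-}" = "--live" ]; then
    report "$(aixpert -c 2>&1)" "$(cat /etc/security/aixpert/check_report.txt)"
else
    report "$SAMPLE_SUMMARY" "$SAMPLE_REPORT" || echo 'demo: system has drifted from the applied level'
fi
```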