You are currently on IBM Systems Media’s archival website. Click here to view our new website.

Bookmark and Share

Recent Posts

Back to Basics: aixpert

May 2, 2018

On the road again. Nothing surprising about that because I travel internationally two or more times a month. What is unusual is that this year about half of my trips are security related (the other main topic is performance although I prefer the term resource optimization).

The pleasant surprise this year is that clients are finally using aixpert, and doing some customization as well. Customization can be quite simple, e.g., modify a setting from 3 to 6—or complex where an additional script is needed to set and check a setting. IMHO this is years too late, but I am pleased that security departments are realizing that tools developed for Windows, Linux and/or Solaris are nowhere near best-of-breed for AIX, and actually require a lot more effort to use for a lower level of coverage.

So, getting back to the basics on aixpert. AIXPERT was born in the time frame of AIX 5.3 ML4 announced in 2004. The initial idea was to have AIX hardening as easy as “1-2-3” where 1 was low, 2 was medium and 3 was high. The early adopters wanted customization—so that came. And then came the SOX-COBBIT regulation and “sox” was added as a default profile.

Let’s got back to looking at the basic “low-medium-high” profiles. (FYI: the CIS benchmarks for AIX basically start from high and then customize after expert discussion to what becomes the CIS benchmark). The medium profile was setup so that it would comply with about 80 percent of the default so-called common-criteria requirements. That was 2004, and maybe you would need “high” to reach 80 percent today. But the key here is that aixpert was designed to address two key issues. First, the OS needed to provide a certified mechanism and the needed to be driven by an XML file that could be used both to set and verify compliance of OS security configuration. A problem frequently stated by clients was that they needed to invent and reinvent the wheel of OS hardening with every release and/or update.

From my perspective, sadly, only the early adopters used aixpert from the beginning. That’s why I mentioned that it’s pleasant—and actually a surprise—that rank and file clients are looking at AIX core features for system hardening, i.e., improving their ability to maintain system integrity.

So, before I leave for the gate, I have a simple request: If you’re not using aixpert, please look at it. You don’t necessarily need to set anything with it as you probably have something in place already (a universal tool or self-made scripts). But do use it to see how simple it can be to verify your compliance to the (almost) CIS Benchmark.

# aixpert -c -l high -r -p
Review the screen output (basically the last line – which mentions how many rules failed) – but also load the csv file generated (/etc/security/aixpert/check_report.csv)  into your favorite spreadsheet program – for a “gap analysis” like report.

Posted May 2, 2018| Permalink