AIX Security Expert
AIX® Security Expert provides a center for all security settings (TCP, NET, IPSEC, system, and auditing).
AIX Security Expert is a system security hardening tool. It is part of the bos.aixpert fileset. AIX Security Expert provides
simple menu settings for High Level Security, Medium Level Security, Low Level Security, and AIX Standard Settings
security that integrate over 300 security configuration settings while still providing control over each security element
for advanced administrators. AIX Security Expert can be used to implement the appropriate level of security, without the
necessity of reading a large number of papers on security hardening and then individually implementing each security
element.
AIX Security Expert can be used to take a security configuration snapshot. This snapshot can be used to set up the same
security configuration on other systems. This saves time and ensures that all systems have the proper security
configuration in an enterprise environment.
AIX Security Expert can be run from SMIT, or you can use the aixpert command.
AIX Security Expert settings
The following coarse-grain security settings are available:
High Level Security: High-level security
Medium Level Security: Medium-level security
Low Level Security: Low-level security
Advanced Security: Custom user-specified security
AIX Standard Settings: Original system default security
Undo Security: Some AIX Security Expert configuration settings can be undone
Check Security: Provides a detailed report of current security settings
AIX Security Expert security hardening
Security hardening protects all elements of a system by tightening security or implementing a higher level of
security.
Secure by default
Secure By Default (SbD) is the concept of installing a minimal set of software in a secure configuration.
Distributing security policy through LDAP
LDAP can be used to distribute AIX Security Expert XML configuration files. You can use AIX Security Expert to
copy a security configuration from one system to another. This allows for similar systems to have the same
security configuration. This consistency can reduce security vulnerabilities.
Customizable security policy with user-defined AIX Security Expert XML rules
You can use XML files to configure unique security policies.
Stringent check for weak passwords
This AIX feature checks for weak passwords when passwords are changed. If this option is selected with AIX
Security Expert, this additional password check is performed when a user selects or changes their password.
This check guards against the use of English dictionary words and the 1000 most common US first names
based on a recent US Census.
COBIT control objectives supported by AIX Security Expert
AIX Security Expert supports the SOX-COBIT Best Practices Security level in addition to the High, Medium, Low,
AIX Default and Advanced Security settings.
Applying COBIT control objectives using AIX Security Expert
You can use the aixpert -l s command to apply the SCBPS level to the system. The audit log for this can be
generated by turning on the AIXpert_apply event. Any failures (either a prerequisite failure or an apply failure)
are reported to stderr and the audit subsystem if enabled.
SOX-COBIT compliance checking, audit, and pre-audit feature
You can use the aixpert -c -l s command to check a system's SOX-COBIT compliance. AIX Security
Expert only checks for the supported control objectives compliance. Any violations found during the checking
are reported. By default, any violations are sent to stderr.
AIX Security Expert Password Policy Rules group
AIX Security Expert provides specific rules for password policy.
AIX Security Expert User Group System and Password definitions group
AIX Security Expert performs specific actions for user, group, and password definitions.
AIX Security Expert Login Policy Recommendations group
AIX Security Expert provides specific settings for login policy.
AIX Security Expert Audit Policy Recommendations group
AIX Security Expert provides specific audit policy settings.
AIX Security Expert /etc/inittab Entries group
AIX Security Expert comments out specific entries in /etc/inittab so that they do not start when the
system boots.
AIX Security Expert /etc/rc.tcpip Settings group
AIX Security Expert comments out specific entries in /etc/rc.tcpip so that they do not start when the
system boots.
AIX Security Expert /etc/inetd.conf Settings group
AIX Security Expert comments out specific entries in /etc/inetd.conf.
AIX Security Expert Disable SUID of Commands group
By default, the following commands are installed with the SUID bit set. For High, Medium, and Low security,
this bit is unset. For AIX Standard Settings, the SUID bit is restored on these commands.
AIX Security Expert Disable Remote Services group
AIX Security Expert disables unsecure commands for High Level Security and Medium Level Security.
AIX Security Expert Remove access that does not require Authentication group
AIX supports a few services that do not require user authentication to log in to the network.
AIX Security Expert Tuning Network Options group
Tuning network options to the proper values is a large part of security. Setting a network attribute to 0 disables
the option and setting the network attribute to 1 enables the option.
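As an added example (not part of the AIX documentation or the aixpert tool), the script below compares the current network option values against an expected policy, the kind of check an administrator runs to confirm that the 0/1 settings described above are in effect. It assumes that "no -a" prints one "name = value" pair per line, and the attribute/value pairs in POLICY are illustrative; the values AIX Security Expert actually applies for a given level come from its own rules.

```shell
#!/bin/sh
# Compare "no -a" output against an expected hardened policy.
# Assumption (constructed for this example): POLICY lists attribute=value
# pairs, where 0 disables and 1 enables the network option.
POLICY="ipforwarding=0
ipsrcrouteforward=0
directed_broadcast=0
bcastping=0
ipignoreredirects=1
clean_partial_conns=1"

# check_no_options FILE
# FILE holds "no -a" style output ("   name = value" per line, assumed format).
# Prints one line per mismatch as "attribute current expected" ("missing" when
# the attribute is absent) and returns the number of mismatches as exit status.
check_no_options() {
    file="$1"
    mismatches=0
    for entry in $POLICY; do
        attr="${entry%%=*}"
        want="${entry#*=}"
        # Take the value after "=" on the line whose first field is $attr.
        have=$(awk -v a="$attr" '$1 == a && $2 == "=" { print $3; exit }' "$file")
        if [ -z "$have" ]; then
            echo "$attr missing $want"
            mismatches=$((mismatches + 1))
        elif [ "$have" != "$want" ]; then
            echo "$attr $have $want"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Stand-alone use on an AIX host (assumes the "no" command is in PATH):
#   no -a > /tmp/no.out && check_no_options /tmp/no.out
```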
AIX Security Expert IPsec filter rules group
AIX Security Expert provides the following IPsec filters.
AIX Security Expert Miscellaneous group
AIX Security Expert provides miscellaneous security settings for High, Medium, and Low Level Security.
AIX Security Expert Undo Security
You can undo some AIX Security Expert security settings and rules.
AIX Security Expert Check Security
AIX Security Expert can generate reports of current system and network security settings.
AIX Security Expert files
AIX Security Expert creates and uses several files.
AIX Security Expert High level security scenario
This is a scenario for AIX Security Expert High level security.
AIX Security Expert Medium level security scenario
This is a scenario for AIX Security Expert Medium level security.
AIX Security Expert Low level security scenario
This is a scenario for AIX Security Expert Low level security.