aixpert Command

Purpose

Aids the system administrator in setting the security configuration.

Syntax

aixpert

aixpert -l { h|high | m|medium | l|low | d|default | s|sox-cobit } [ -n -o filename ] [ -a -o filename ] [ -p ]

aixpert -c [ -p ]

aixpert -u [ -p ]

aixpert -d

aixpert [-f filename ] [ -a -o filename ] [ -p ]

Description

The aixpert command sets a variety of system configuration settings to enable the desired security level.

Running aixpert with only the -l flag set implements the security settings immediately, without letting the user configure them. For example, running aixpert -l high applies all the high-level security settings to the system automatically. However, running aixpert -l with the -n -o filename option saves the security settings to the file specified by the filename parameter instead of applying them. The -f flag then applies the saved configuration.

After the initial selection, a menu is displayed itemizing all security configuration options associated with the selected security level. These options can be accepted in whole or individually toggled off or on. After any secondary changes, aixpert continues to apply the security settings to the computer system.

Note: It is recommended that aixpert be rerun after any major system changes, such as the installation or update of software. If a particular security configuration item is deselected when aixpert is rerun, that configuration item is skipped.

Flags

Item Description
-a The settings with the associated level security options are written in abbreviated file format to the file specified by the -o flag. You must specify the -o option when you specify the -a option.
-p Displays the output of the security rules in verbose form. The -p option also logs the processed rules into the audit subsystem if auditing is turned on. This option can be used with any of the -l, -u, -c and -f options.
-c Checks the security settings against the previously applied set of rules. If the check against a rule fails, the previous versions of the rule are also checked. This process continues until the check passes, or until all of the instances of the failed rule in the /etc/security/aixpert/core/appliedaixpert.xml file are checked.
-f Applies the security settings in the provided filename.
For example, the following command writes all of the high-level security options to the /etc/security/aixpert/core/hls.xml file:
aixpert -l h -n -o /etc/security/aixpert/core/hls.xml
After removing any unwanted options, you can apply these security settings with the following command:
aixpert -f /etc/security/aixpert/core/hls.xml

The -f option lets you apply security settings consistently across systems: securely transfer an appliedaixpert.xml file from one system to another and apply it there.

All the successfully applied rules are written to the /etc/security/aixpert/core/appliedaixpert.xml file and the corresponding "undo" action rules are written to the /etc/security/aixpert/core/undo.xml file.

-l Sets the system security settings to the level specified with this option. This flag has the following options:
h|high
Specifies high-level security options.
m|medium
Specifies medium-level security options.
l|low
Specifies low-level security options.
d|default
Specifies AIX® standards-level security options.
s|sox-cobit
Specifies SOX-COBIT best practices-level security options.
If you specify both the -l and -n flags, the security settings are not implemented on the system; they are only written to the file that you specified with the -o flag.

All the successfully applied rules are written to the /etc/security/aixpert/core/appliedaixpert.xml file and the corresponding undo action rules are written to the /etc/security/aixpert/core/undo.xml file.

Attention: When you use the d|default option, the option can overwrite the configured security settings that you previously set through the aixpert command or independently, and restores the system to its traditional open configuration.
-n The settings with the associated level security options are written to the file specified by the -o flag. You must specify the -o option when you use the -n option.
-o Stores security output to the file pointed to by filename. The output file has its read and write permissions set to root as a security precaution. This file should be protected against unwanted access.
-u Undoes the security settings that have been applied.
-d Displays the document type definition (DTD).

Parameters

Item Description
filename The output file that stores the security settings. Root permission is required to access this file.

Security

The aixpert command is executable only by root.

Examples

  1. To write all of the high-level security options to an output file, use the following command:
    aixpert -l high -n -o /etc/security/aixpert/plugin/myPreferredSettings.xml
    After this command completes, the output file can be edited, and specific security rules can be commented out by enclosing them in the standard XML comment string (<!-- begins the comment and --> closes the comment).
  2. To apply the security settings from a configuration file, use the following command:
    aixpert -f /etc/security/aixpert/plugin/myPreferredSettings.xml
  3. To check the security settings that have been applied to the system, and to log the rules that failed into the audit subsystem, use the following command:
    aixpert -c -p

Location

Item Description
/usr/sbin/aixpert/ Contains the aixpert command.

Files

Item Description
/etc/security/aixpert/core/aixpertall.xml Contains an xml listing of all possible security settings. Has -r-------- permissions, and requires root security.
/etc/security/aixpert/core/appliedaixpert.xml Contains an xml listing of applied security.
/etc/security/aixpert/log/aixpert.log Contains a trace log of applied security settings. This does not use syslog. The aixpert command writes directly to the file. Has -rw------- permissions, and requires root security.
/etc/security/aixpert/log/firstboot.log Contains a trace log of the security settings that were applied during the first boot of a Secure by Default (SbD) installation.
/etc/security/aixpert/core/undo.xml Contains an xml listing of security settings, which can be undone.
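
The following script is an added example, not part of the original documentation or IBM code. It audits the file modes stated above for aixpertall.xml and aixpert.log, and checks that any file written with -o grants nothing to group or other. The names AIXPERT_ROOT, AIXPERT_OWNER, check_file and audit_aixpert are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code): audit the file modes this page documents.
# AIXPERT_ROOT and AIXPERT_OWNER are hypothetical overrides so the check can
# be tried against a staging copy; the defaults check the live paths as root.
AIXPERT_ROOT="${AIXPERT_ROOT:-}"
AIXPERT_OWNER="${AIXPERT_OWNER:-root}"

# check_file PATH MODE_PATTERN
# Passes only if PATH exists, its ls mode string matches MODE_PATTERN
# (a shell pattern), and it is owned by $AIXPERT_OWNER.
check_file() {
    line=$(ls -ld "$1" 2>/dev/null) || { echo "MISSING   $1"; return 1; }
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    case "$mode" in
        $2) ;;
        *) echo "BAD MODE  $1 (have $mode, want $2)"; return 1 ;;
    esac
    if [ "$owner" != "$AIXPERT_OWNER" ]; then
        echo "BAD OWNER $1 (have $owner, want $AIXPERT_OWNER)"
        return 1
    fi
    echo "OK        $1"
}

# audit_aixpert [OUTPUT_FILE ...]
# Checks the two files whose modes the Files section states, then any
# files written with -o, which must grant nothing to group or other.
audit_aixpert() {
    rc=0
    check_file "$AIXPERT_ROOT/etc/security/aixpert/core/aixpertall.xml" \
        '-r--------' || rc=1
    check_file "$AIXPERT_ROOT/etc/security/aixpert/log/aixpert.log" \
        '-rw-------' || rc=1
    for f in "$@"; do
        # Owner read/write only; a symlink or directory fails the leading "-".
        check_file "$f" '-[r-][w-]-------' || rc=1
    done
    return "$rc"
}

# Run the audit only when asked, e.g.: sh audit.sh run /path/to/profile.xml
if [ "${1:-}" = "run" ]; then
    shift
    audit_aixpert "$@"
fi
```

Run it as root after each aixpert -l, -f or -u operation; a non-zero exit status means at least one file is missing, has the wrong owner, or has a mode other than the one expected.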