The 'aixpert' command ships with the AIX operating system and makes it easier to set the desired security level.
You can simply specify a security level and the command then makes a number of changes to the configuration files.
Before making any changes, it is recommended to back up the system with MKSYSB and to save the settings of the current level using the '-n -o filename' arguments.
The relevant part of IBM's official documentation for this tool is reproduced below.
aixpert Command
Purpose
Aids the system administrator in setting the security configuration.
Syntax
aixpert
aixpert -l h|high | m|medium | l|low | d|default | s|sox-cobit [-n -o filename ] [ -a -o filename ] [ -p ]
aixpert -d
aixpert [-f filename ] [ -a -o filename ] [ -p ]
Description
The aixpert command sets a variety of system configuration settings to enable the desired security level. For more information on which settings can be used in a typical environment, see AIX Security Expert.
Running aixpert with only the -l flag set implements the security settings promptly without letting the user configure the settings. For example, running aixpert -l high applies all the high-level security settings to the system automatically. However, running aixpert -l with the -n -o filename option saves the security settings to a file specified by the filename parameter. The -f flag then applies the new configurations.
After the initial selection, a menu is displayed itemizing all security configuration options associated with the selected security level. These options can be accepted in whole or individually toggled off or on. After any secondary changes, aixpert continues to apply the security settings to the computer system.
Flags
-a | The settings with the associated level security options are written in abbreviated file format to the file specified by the -o flag. You must specify the -o option when you specify the -a option. |
-p | Specifies that the output of the security rules will be displayed using verbose output. The -p option logs the rules processed into the audit subsystem if auditing is turned on. This option can be used with any of the -l, -u, -c and -f options. |
-c | Checks the security settings against the previous set of rules specified in the -l flag. If the check against a rule fails, the previous versions of the rule are also checked. This process continues until the check passes, or until all of the instances of the failed rules in the /etc/security/aixpert/core/appliedaixpert.xml file are checked. |
-f | Applies the security settings in the provided filename. For example, the following command writes all of the high-level security options to the /etc/security/aixpert/core/hls.xml file:
aixpert -l h -n -o /etc/security/aixpert/core/hls.xml
After removing any unwanted options, you can apply these security settings with the following command:
aixpert -f /etc/security/aixpert/core/hls.xml
When you specify the -f option, security settings can be applied consistently across systems by securely transferring the appliedaixpert.xml file from one system to another and applying it there. All the successfully applied rules are written to the /etc/security/aixpert/core/appliedaixpert.xml file and the corresponding "undo" action rules are written to the /etc/security/aixpert/core/undo.xml file. |
-l | Sets the system security settings to the level specified with this option. This flag takes one of the levels listed in the Syntax section: h|high, m|medium, l|low, d|default or s|sox-cobit. All the successfully applied rules are written to the /etc/security/aixpert/core/appliedaixpert.xml file and the corresponding undo action rules are written to the /etc/security/aixpert/core/undo.xml file. Attention: When you use the d|default option, the option can overwrite the configured security settings that you previously set through the aixpert command or independently, and restores the system to its traditional open configuration. |
-n | The settings with the associated level security options are written to the file specified by the -o flag. You must specify the -o option when you use the -n option. |
-o | Stores security output to the file pointed to by filename. The output file has its read and write permissions set to root as a security precaution. This file should be protected against unwanted access. |
-u | Undoes the security settings that have been applied. |
-d | Displays the document type definition (DTD). |
Parameters
filename | The output file that stores the security settings. Root permission is required to access this file. |
Security
The aixpert command is executable only by root.
Examples
- To write all of the high-level security options to an output file, use the following command:
aixpert -l high -n -o /etc/security/aixpert/plugin/myPreferredSettings.xml
After completing this command, the output file can be edited, and specific security rules can be commented out by enclosing them in the standard XML comment delimiters (<!-- begins the comment and --> closes the comment).
- To apply the security settings from a configuration file, use the following command:
aixpert -f /etc/security/aixpert/plugin/myPreferredSettings.xml
- To check the security settings that have been applied to the system, and to log the rules that failed into the audit subsystem, use the following command:
aixpert -c -p
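The editing step between the -n -o export and the -f apply in the examples above, as an added helper that is not part of the IBM documentation: it comments out every rule whose description matches a pattern and reports which rules remain enabled. The sample file is constructed, and the element names (AIXPertSecurity, AIXPertSecurityRule, AIXPertDescription) are assumed from the aixpert DTD; confirm them on a real system with aixpert -d.

```python
"""Comment out chosen rules in an aixpert settings file (exported with -n -o)
so that only the remaining rules are applied by aixpert -f."""
import re

# Constructed sample of an exported settings file. Element names are assumed
# from the aixpert DTD; confirm them on a real system with `aixpert -d`.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AIXPertSecurity>
 <AIXPertSecurityRule>
  <AIXPertDescription>Minimum length for password: 8</AIXPertDescription>
 </AIXPertSecurityRule>
 <AIXPertSecurityRule>
  <AIXPertDescription>Disable telnet -- legacy hosts still need it</AIXPertDescription>
 </AIXPertSecurityRule>
</AIXPertSecurity>
"""

RULE_RE = re.compile(r"<AIXPertSecurityRule>.*?</AIXPertSecurityRule>", re.S)
DESC_RE = re.compile(r"<AIXPertDescription>(.*?)</AIXPertDescription>", re.S)

def _commented(xml_text, pos):
    """True when an XML comment opened before `pos` is still unclosed there."""
    head = xml_text[:pos]
    return head.count("<!--") != head.count("-->")

def list_rules(xml_text):
    """Return [(description, enabled)] for every rule in the file."""
    rules = []
    for m in RULE_RE.finditer(xml_text):
        desc = DESC_RE.search(m.group(0))
        rules.append((desc.group(1).strip() if desc else "",
                      not _commented(xml_text, m.start())))
    return rules

def disable_rules(xml_text, pattern):
    """Wrap each enabled rule whose description matches `pattern` in an XML
    comment. Returns (new_xml, [descriptions disabled])."""
    regex = re.compile(pattern, re.I)
    disabled = []
    def wrap(m):
        desc = DESC_RE.search(m.group(0))
        text = desc.group(1).strip() if desc else ""
        # Leave already-commented rules alone: nested comments are invalid XML.
        if _commented(xml_text, m.start()) or not regex.search(text):
            return m.group(0)
        disabled.append(text)
        # '--' is not allowed inside an XML comment, so soften it to '- -'.
        return "<!-- " + m.group(0).replace("--", "- -") + " -->"
    return RULE_RE.sub(wrap, xml_text), disabled
```

Run disable_rules over the file written by aixpert -l high -n -o, write the result back, then apply it with aixpert -f and verify with aixpert -c -p.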
Location
/usr/sbin/aixpert/ | Contains the aixpert command. |
Files
/etc/security/aixpert/core/aixpertall.xml | Contains an xml listing of all possible security settings. Has -r-------- permissions, and requires root security. |
/etc/security/aixpert/core/appliedaixpert.xml | Contains an xml listing of applied security. |
/etc/security/aixpert/log/aixpert.log | Contains a trace log of applied security settings. This does not use syslog. The aixpert command writes directly to the file. Has -rw------- permissions, and requires root security. |
/etc/security/aixpert/log/firstboot.log | Contains a trace log of the security settings that were applied during the first boot of a Secure by Default (SbD) installation. |
/etc/security/aixpert/core/undo.xml | Contains an xml listing of security settings, which can be undone. |
Related Information
AIX Security Expert in Security.