Introducing AIX Security Expert
Written by Michael Felt   

Introduction

A new feature introduced in AIX 5.3 TL05 is a tool to assist AIX system administrators with hardening AIX. The goal of the tool is to ensure that there is a consistent view of security related configuration parameters. Configuration settings include TCP/IP, IPSec, User Administration, Auditing and more.

The tool has been expanded in AIX6! 


A system administrator does not have to be a security expert to use the tool. Neither is a huge collection of individual tools required to bring an AIX system to a required security level, and maintain and monitor compliance with that security level.
The basic approach is to use one tool, aixpert, that "at the click of a button" (when using the websm interface) will create a snapshot of the system's current settings, or update the settings to a new level (high, medium, low). There is also a "default" option to reset settings back to "factory" settings. Customization (advanced settings) is also possible, but that takes more than one click. And in AIX6, advanced settings are only possible using the GUI.
In AIX6, the AIX Security Expert has been expanded in breadth with several new features. These include:
Secure by Default (installation feature)
Distributed security policy using AIX Security Expert and LDAP
Use of XML files for customizing AIX Security Expert policy initialization, monitoring and control
File Permission Manager (fpm) for managing setuid and setgid file access (program control).
Extra checks for weak passwords
Secure FTP (ftp on TLS)

Secure by Default

AIX 5L versions had two security-related installation settings: TCB and CCEVAL (also known as Common Criteria Evaluation or as CAPP/EAL4+). AIX6 introduces three new settings: Trusted AIX, LSPP/EAL4+, and Secure by Default.
Secure by Default is an approach in line with the goals of AIX Security Expert. LSPP/EAL4+ and Trusted AIX have security frameworks outside the scope of AIX Security Expert.
Secure by Default is a bottom-up approach to hardening. With Secure by Default, only a minimal set of filesets is installed. The system administrator is responsible for deciding what additional software is needed, as well as for actually installing it. This is the opposite of the approach in AIX 5L and earlier, which was to install a full-blown AIX system and then remove unwanted packages and filesets as part of the hardening process.

Distributed Security Policy using LDAP

This addition to AIX Security Policy means that security policies can be stored on a centralized LDAP server and read (read-only) by AIX6 systems using aixpert to set up, maintain or monitor security settings.

User-defined AIX Security Expert XML rules

The new GUI interface of AIX Security Expert enables the AIX administrator to specify individual security configuration settings and export these into XML files that are integrated with the standard XML rules installed with AIX Security Expert. Additionally, these user-defined XML files can be extended with rules for third-party products, services and/or applications.

I have not finished this yet, and I hope to "real soon". I'll add "updated" to the title when I do.

 