AIX Security Configuration Audit – Remediate Security Failures

Following on from my previous blog on how to quickly perform an AIX security configuration audit, I thought I would take a look at how to remediate some of the security failures that the audit detected. The remediation will be done using the IBM Endpoint Manager Security Configuration Module.

So if we use the same example of having run all the Level 1 security checks from the “Center for Internet Security – Security Configuration Benchmark for AIX 6.1”, we can see that the server failed the CIS 1.1.2 check. This check is performed on the “minage” setting held in the /etc/security/user file. By the benchmark's definition, if this value is not equal to 1 then the server has failed this security check.

The following is an extract from the benchmark defining the CIS-1.1.2 check.

CIS 1.1.2

Check the value of the minage setting in /etc/security/user

How can we remediate the security failure?

We had already created a custom security checklist that generated a custom site in IBM Endpoint Manager called “ORB-DATA-AIX-CIS-LEVEL-1-CHECK”. Within this site is a fixlet that allows us to remediate the CIS-1.1.2 security failure. The fixlet is called:

/etc/security/user – minage – AIX 5.3-6.1

We can simply run this fixlet with our AIX server as the target and it will change the value of the minage setting to be compliant with our custom-defined standard.

What does the fixlet do on the AIX server?

On checking the action script associated with this fixlet, we find that the fixlet executes the following command on the AIX server:

wait /bin/sh -c "cd SCM; ./runme.sh -r CIS-1.1.2"

The default location for our custom site on the target AIX server will be:

/var/opt/BESClient/__BESData/CustomSite_ORB-2dDATA-2dAIX-2dCIS-2dLEVEL-2d1-2dCHECK

Note that on disk the custom site name ORB-DATA-AIX-CIS-LEVEL-1-CHECK becomes CustomSite_ORB-2dDATA-2dAIX-2dCIS-2dLEVEL-2d1-2dCHECK: a CustomSite_ prefix is added and each hyphen is encoded as -2d (its hexadecimal ASCII code).

On checking the runme.sh script we find that it calls a remediation script that first backs up the current settings to:

/var/opt/BESClient/__BESData/CustomSite_ORB-2dDATA-2dAIX-2dCIS-2dLEVEL-2d1-2dCHECK/scm_preserve/backup/etc/security/user.XXXXX

It also creates a rollback script called:

/var/opt/BESClient/__BESData/CustomSite_ORB-2dDATA-2dAIX-2dCIS-2dLEVEL-2d1-2dCHECK/scm_preserve/backup/rollback/CIS-1.1.2.rollback

The remediation script that is executed is the CIS-1.1.2.remediate script, located in:

/var/opt/BESClient/__BESData/CustomSite_ORB-2dDATA-2dAIX-2dCIS-2dLEVEL-2d1-2dCHECK/SCM/AIX/61

Finally, the remediation script reads the params file for the CIS 1.1.2 value that will make this server compliant with the standard; this file is located in:

/var/opt/BESClient/__BESData/CustomSite_ORB-2dDATA-2dAIX-2dCIS-2dLEVEL-2d1-2dCHECK/SCM/AIX/61

The remediation script then uses this value to run the chsec command, which modifies the minage value on the server.
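As an added example, not the module's own runme.sh or CIS-1.1.2.remediate (whose contents the post does not show), here is the sequence described above written out as a POSIX shell script: read the expected value from a params file, test the default stanza of /etc/security/user, take a backup, write a chsec-based rollback script, and only then run chsec. The params file format (one `CIS-1.1.2=1` line) and the file and directory arguments are assumptions; the check and rollback parts run on any system against a copy of the file, the chsec step only on AIX.

```shell
#!/bin/sh
# Added example, not the SCM module's own runme.sh or CIS-1.1.2.remediate:
# the steps the post describes, written out for the minage check.
# Constructed assumptions: the params file holds lines like "CIS-1.1.2=1";
# the file and directory arguments are placeholders, not the real SCM paths.

# Print attribute $2 from the "default:" stanza of AIX stanza file $1.
# AIX stanza files use "*" for comments and "name:" for stanza headers.
stanza_value() {
    awk -v key="$2" '
        /^[^ \t*].*:[ \t]*$/ { in_default = ($1 == "default:"); next }
        in_default {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Expected value for check id $2 from params file $1 (constructed format).
expected_value() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# Compliant (exit 0) when minage in $1 equals $2; an unset minage means
# AIX's default of 0, so it fails when 1 is expected.
check_minage() { [ "$(stanza_value "$1" minage)" = "$2" ]; }

# Copy stanza file $1 into backup dir $2 and write $2/CIS-1.1.2.rollback,
# a script that restores the current minage with chsec; prints backup path.
write_backup_and_rollback() {
    mkdir -p "$2"
    cp -p "$1" "$2/user.$$"
    cur=$(stanza_value "$1" minage)
    {
        printf '#!/bin/sh\n# rollback CIS-1.1.2: restore previous minage\n'
        printf 'chsec -f /etc/security/user -s default -a "minage=%s"\n' "${cur:-0}"
    } > "$2/CIS-1.1.2.rollback"
    chmod 700 "$2/CIS-1.1.2.rollback"
    echo "$2/user.$$"
}

# Full remediation: chsec (AIX only) runs after the backup and rollback exist.
remediate_minage() {  # $1 stanza file, $2 params file, $3 backup dir
    expected=$(expected_value "$2" CIS-1.1.2)
    check_minage "$1" "$expected" && return 0
    write_backup_and_rollback "$1" "$3" >/dev/null
    chsec -f "$1" -s default -a "minage=$expected"
}
```

On AIX, run `remediate_minage /etc/security/user <params file> <backup dir>` as root; the generated rollback script reverses the change with the same chsec command.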

The server is now compliant with the CIS 1.1.2 check. The extract below shows the compliance state for the /etc/security/user minage setting; note that the historical status graph goes from non-compliant to compliant.

Compliance remediated

Server is now compliant with the standard

If you would like any more information on using IBM Endpoint Manager to perform security compliance checks on your server infrastructure then contact sales@orb-data.com
