How To
Summary
The viosecure command configures security hardening rules on the Virtual I/O Server (VIOS).
You can apply one of the preconfigured security levels (low, medium, or high), in which the attribute values are fixed by the level you select, or you can write custom rules with the values your own requirements call for.
Objective
This technote describes how to create custom viosecure rules and apply them.
Steps
Important notes before using the viosecure command:
Preconfigured viosecure hardening
To identify the level of a preconfigured security rule, look at its prefix: lls (low), mls (medium), or hls (high), followed by the name of the rule. For example, hls_minlen is the preconfigured minlen value for password management at the high security level (the high-level value for minlen is 8, as the screen capture shows).
To view or apply the rules of a given level, run:
$ viosecure -level <high|medium|low>
As shown in the screen capture, the command lists several rules at a time for the viosecure high level. Enter one of the following to choose which security rules to apply:
Numbers: for example, "1 , 10" to apply hls_minage and hls_histsize.
ALL: applies all the attributes of the high level.
NONE: applies none of the attributes on the current page and skips to the next page of rules.
Custom viosecure hardening
You can create rules with custom values by adding a custom stanza for each rule to a file, then apply them by passing that file to the viosecure command. For example, a security standard may require password-management rules to be enforced for all users.
For our scenario, the rules for all users shall:
- Prevent users from reusing a password until they have changed it a certain number of times. For example, a value of 25 requires 25 different passwords before a password can be reused. This rule affects the histsize attribute.
- Set minage, the minimum number of weeks before a password can be changed (for example, 2 weeks).
The easiest and recommended way is to export the rules of one of the preconfigured levels to a file, then trim the file to only the rules you need and edit their values. This example uses the "high" level, but any level works, since you will change each rule's type to Custom anyway.
To export the rules, run:
$ viosecure -level high -outfile viosecure.high.xml
Edit the XML file with the desired rule attributes, or create a new file that contains your custom rules.
The exported stanza for histsize at the high level looks like this:
<AIXPertEntry name="hls_histsize" function="histsize">
<AIXPertRuleType type="HLS"/>
<AIXPertDescription>Password reuse time: Specifies the number of previous passwords a user cannot reuse to 20</AIXPertDescription>
<AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
<AIXPertArgs>histsize=20 ALL hls_histsize</AIXPertArgs>
<AIXPertGroup>Password policy rules</AIXPertGroup>
</AIXPertEntry>
Keep the stanza for each required rule and edit its values. In our scenario, the file looks like this after editing:
<?xml version="1.0" encoding="UTF-8"?>
<AIXPertSecurityHardening>
<AIXPertEntry name="custom_histsize" function="cust_histsize">
<AIXPertRuleType type="Custom"/>
<AIXPertDescription>Password reuse time_CUSTOM: Specifies the number of previous passwords a user cannot reuse to 25</AIXPertDescription>
<AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
<AIXPertArgs>histsize=25 ALL Custom</AIXPertArgs>
<AIXPertGroup>My Custom rules</AIXPertGroup>
</AIXPertEntry>
<AIXPertEntry name="custom_minage" function="cust_minage">
<AIXPertRuleType type="Custom"/>
<AIXPertDescription>Minimum age for password_CUSTOM: Specifies the minimum number of weeks, 2 weeks, before a password can be changed</AIXPertDescription>
<AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
<AIXPertArgs>minage=2 ALL Custom</AIXPertArgs>
<AIXPertGroup>My Custom rules</AIXPertGroup>
</AIXPertEntry>
</AIXPertSecurityHardening>
Note:
- The AIXPertEntry name must be unique within the XML file; the function attribute can be any meaningful name of your choice.
- Set AIXPertRuleType to type Custom.
- Optionally, edit AIXPertDescription to meaningful text.
- Set AIXPertGroup to group your custom rules.
- Refer to this link to review the fields that can be changed
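The export-then-trim step above is easy to get wrong by hand (a leftover hls_ name, a rule type still set to HLS, a stale level tag at the end of AIXPertArgs). The script below is an added example, not IBM code: it reads an exported level file in the layout shown on this page, keeps only the rules you name, and rewrites each one as a Custom stanza with your value. The function names make_custom_rules and summarize_rules, the EXPORTED_XML sample (the hls_histsize stanza from this page plus an hls_minage stanza constructed in the same layout), and the "attr=value ALL tag" reading of AIXPertArgs are all assumptions of this example.

```python
"""Generate a viosecure Custom rules file from an exported level file.

Added example, not IBM code. It assumes the XML layout shown on the page
(AIXPertEntry elements whose AIXPertArgs read "attr=value ALL tag") and uses
only the Python standard library (ET.indent needs Python 3.9 or later).
"""
import xml.etree.ElementTree as ET

# Constructed input in the layout of `viosecure -level high -outfile ...`.
# The hls_histsize stanza is the one shown on the page; the hls_minage stanza
# is constructed for this example with the same layout and a value of 1.
EXPORTED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AIXPertSecurityHardening>
<AIXPertEntry name="hls_histsize" function="histsize">
<AIXPertRuleType type="HLS"/>
<AIXPertDescription>Password reuse time: Specifies the number of previous passwords a user cannot reuse to 20</AIXPertDescription>
<AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
<AIXPertArgs>histsize=20 ALL hls_histsize</AIXPertArgs>
<AIXPertGroup>Password policy rules</AIXPertGroup>
</AIXPertEntry>
<AIXPertEntry name="hls_minage" function="minage">
<AIXPertRuleType type="HLS"/>
<AIXPertDescription>Minimum age for password: Specifies the minimum number of weeks, 1 week, before a password can be changed</AIXPertDescription>
<AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
<AIXPertArgs>minage=1 ALL hls_minage</AIXPertArgs>
<AIXPertGroup>Password policy rules</AIXPertGroup>
</AIXPertEntry>
</AIXPertSecurityHardening>
"""


def make_custom_rules(exported_xml, overrides, group="My Custom rules"):
    """Return Custom rules XML containing only the attributes in `overrides`.

    overrides maps a user attribute (the exported entry's function, e.g.
    "histsize") to the value you want. Every other exported rule is dropped,
    so the file applies exactly what you asked for and nothing else.
    """
    src = ET.fromstring(exported_xml)
    out = ET.Element("AIXPertSecurityHardening")
    done = {}
    for entry in src.findall("AIXPertEntry"):
        attr = entry.get("function")
        if attr not in overrides or attr in done:
            continue
        value = overrides[attr]
        rule = ET.SubElement(out, "AIXPertEntry",
                             name=f"custom_{attr}", function=f"cust_{attr}")
        ET.SubElement(rule, "AIXPertRuleType", type="Custom")
        ET.SubElement(rule, "AIXPertDescription").text = (
            f"{attr}_CUSTOM: sets {attr} to {value} for all users")
        for tag in ("AIXPertPrereqList", "AIXPertCommand"):
            ET.SubElement(rule, tag).text = entry.findtext(tag)
        # Exported args look like "histsize=20 ALL hls_histsize": keep the
        # scope word (assumed to be the user scope), replace value and tag.
        scope = entry.findtext("AIXPertArgs").split()[1]
        ET.SubElement(rule, "AIXPertArgs").text = f"{attr}={value} {scope} Custom"
        ET.SubElement(rule, "AIXPertGroup").text = group
        done[attr] = value
    missing = sorted(set(overrides) - set(done))
    if missing:
        raise ValueError("no exported stanza for: " + ", ".join(missing))
    ET.indent(out)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(out, encoding="unicode") + "\n")


def summarize_rules(rules_xml):
    """Map each rule name to its type and args, rejecting duplicate names."""
    root = ET.fromstring(rules_xml)
    entries = root.findall("AIXPertEntry")
    names = [e.get("name") for e in entries]
    dup = sorted({n for n in names if names.count(n) > 1})
    if dup:
        raise ValueError("duplicate AIXPertEntry names: " + ", ".join(dup))
    return {e.get("name"): {"type": e.find("AIXPertRuleType").get("type"),
                            "args": e.findtext("AIXPertArgs")}
            for e in entries}


if __name__ == "__main__":
    print(make_custom_rules(EXPORTED_XML, {"histsize": 25, "minage": 2}))
```

Run it on a workstation against the file produced by viosecure -level high -outfile, redirect the output to the file you will copy back to the VIOS, and use summarize_rules on that file as a last check that every entry is type Custom and every name is unique before applying it.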
When you have finished editing the XML file (or created a new one; vi can be used), copy the file back to the VIOS and apply the rules with the command below, where vs_apply_Custom.xml is the new file that contains the stanzas above:
$ viosecure -file vs_apply_Custom.xml
Note:
- Apply the rules from the VIOS console rather than over the network, since some rule changes may cause loss of network connectivity.
- Changing user attributes such as maxage can lock the padmin account if the current padmin password violates the rule you apply. Before applying, view the padmin user's password attributes (for example, with lsuser padmin) and change the password if it would violate the new rule.
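A pre-flight comparison of the rules file against the padmin user's current attributes turns the note above into a concrete check. The script below is an added example, not IBM code: it lists every chusrattr rule in the custom file that would change the user's current value and flags the attributes that can invalidate a password the user already has. Assumptions of this example: the rules file has the layout shown on this page, the word after the value in AIXPertArgs is the user scope (ALL meaning all users), the user's attributes are available as one "name attr=value ..." line in the shape of lsuser output, the PADMIN_BEFORE sample is constructed, and the PASSWORD_VALIDITY_ATTRS set is this example's own reading of which AIX password attributes can reject or expire an existing password.

```python
"""Pre-flight check of a viosecure custom rules file against a user's
current attributes, to catch rules that would invalidate the padmin password.

Added example, not IBM code. Assumes the rules layout shown on the page and a
single "name attr=value ..." line of user attributes captured before applying.
"""
import xml.etree.ElementTree as ET

# The custom rules file from the page (vs_apply_Custom.xml).
CUSTOM_RULES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AIXPertSecurityHardening>
<AIXPertEntry name="custom_histsize" function="cust_histsize">
<AIXPertRuleType type="Custom"/>
<AIXPertDescription>Password reuse time_CUSTOM: Specifies the number of previous passwords a user cannot reuse to 25</AIXPertDescription>
<AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
<AIXPertArgs>histsize=25 ALL Custom</AIXPertArgs>
<AIXPertGroup>My Custom rules</AIXPertGroup>
</AIXPertEntry>
<AIXPertEntry name="custom_minage" function="cust_minage">
<AIXPertRuleType type="Custom"/>
<AIXPertDescription>Minimum age for password_CUSTOM: Specifies the minimum number of weeks, 2 weeks, before a password can be changed</AIXPertDescription>
<AIXPertPrereqList>bos.rte.date,bos.rte.commands,bos.rte.security,bos.rte.shell,bos.rte.ILS</AIXPertPrereqList>
<AIXPertCommand>/etc/security/aixpert/bin/chusrattr</AIXPertCommand>
<AIXPertArgs>minage=2 ALL Custom</AIXPertArgs>
<AIXPertGroup>My Custom rules</AIXPertGroup>
</AIXPertEntry>
</AIXPertSecurityHardening>
"""

# Constructed sample of padmin's attributes before the rules are applied
# (the page says they were at their defaults; these values are an assumption).
PADMIN_BEFORE = ("padmin id=10 pgrp=staff home=/home/padmin shell=/usr/bin/ksh "
                 "histsize=0 minage=0 maxage=0 maxexpired=-1 minlen=0")

# Attributes that, when tightened, can reject or expire the password the user
# already has (this example's assumption about AIX password-policy semantics).
PASSWORD_VALIDITY_ATTRS = {"maxage", "maxexpired", "minlen", "minalpha",
                           "minother", "mindiff", "maxrepeats"}


def parse_user_line(line):
    """Turn "padmin id=10 ... histsize=0" into ("padmin", {"id": "10", ...})."""
    name, *pairs = line.split()
    return name, dict(p.split("=", 1) for p in pairs if "=" in p)


def rule_settings(rules_xml):
    """Yield (rule name, attribute, value, scope) for every chusrattr rule."""
    root = ET.fromstring(rules_xml)
    for entry in root.findall("AIXPertEntry"):
        command = entry.findtext("AIXPertCommand") or ""
        if not command.endswith("/chusrattr"):
            continue  # not a user-attribute rule, nothing to compare
        setting, scope = entry.findtext("AIXPertArgs").split()[:2]
        attr, value = setting.split("=", 1)
        yield entry.get("name"), attr, value, scope


def preflight(rules_xml, user_line):
    """List the changes the rules would make to this user and flag risky ones.

    Returns one dict per rule whose value differs from the user's current
    value; 'risky' marks attributes that can invalidate the password the user
    already has, which is how the padmin account ends up locked out.
    """
    user, attrs = parse_user_line(user_line)
    changes = []
    for rule, attr, value, scope in rule_settings(rules_xml):
        if scope not in ("ALL", user):
            continue  # rule is scoped to some other user
        current = attrs.get(attr)
        if current == value:
            continue
        changes.append({"rule": rule, "attr": attr, "current": current,
                        "new": value, "risky": attr in PASSWORD_VALIDITY_ATTRS})
    return changes


if __name__ == "__main__":
    for c in preflight(CUSTOM_RULES_XML, PADMIN_BEFORE):
        flag = "CHECK PASSWORD FIRST" if c["risky"] else "ok"
        print(f"{c['rule']}: {c['attr']} {c['current']} -> {c['new']} [{flag}]")
```

For the two rules on this page the output shows histsize and minage changing with no password-validity flag; a rule that lowered maxage or raised minlen would be flagged, which is your cue to change the padmin password before running viosecure -file from the console.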
Before applying the custom viosecure rules, the users had the default attributes for histsize and minage (screen capture).
Apply the custom rules (screen capture).
Users' attributes after applying the custom rules (screen capture).
View the currently applied rules (screen capture).
To view the value of a specific rule, such as the custom_histsize setting, run:
$ viosecure -view -rule custom_histsize
custom_histsize_D95902EC:Password reuse time_CUSTOM: Specifies the number of previous passwords a user cannot reuse to 25
Document Information
More support for:
PowerVM Virtual I/O Server
Software version:
All Versions
Operating system(s):
AIX
Document number:
1087714
Modified date:
28 February 2024
UID
ibm11087714