Configuration Values

Security Auditor allows you to define your policy for global configuration settings.

Initializing

Many administrators are comfortable with the current values of these configuration settings and want to make sure that they remain set that way. To have Security Auditor ensure they remain the same, start by initializing the Security Auditor Configuration category.

  1. Go to Servers > Initialize Policies.
  2. Select the server or servers you would like to initialize for Private policies. To initialize a Group Policy, select a single server, which will be the Group Policy's benchmark for these categories (see Policy Overview for details).
  3. Select the Policies tab.
  4. Choose whether this is a Private or Group policy.
  5. Choose the Configuration category.
  6. Click Initialize.

Using the Configuration Category

If you are not familiar with all of the attributes listed in this category, simply click on the attribute name and a description will be displayed. You’ll notice that for an AIX managed server, some attributes, such as the minlen attribute as defined in the User Account Creation – Password category, have a value of “No Entry Policy.” This means that, when a user account is created, there is no entry for minlen in the /etc/security/user file. (If there is an entry at the user level, it takes precedence over the global value.) Instead, the value for minlen comes from the minlen global setting. This value is defined in Security Auditor in the User Account Default – Password minlen attribute. The “No Entry Policy” is not applicable for this attribute since this is the global (highest level) attribute.

Running a compliance check

You may want to check all of the values listed in the Configuration category. Or, because only some of them are meaningful for your organization, you may want to check only a few. If this is the case, you can change the policy value of the attributes you do not want checked to “Any value”. This means that it doesn’t matter what the value is: it will never be checked during a compliance check or identified as out of compliance.

When a compliance check is run against the Configuration category, the values you specify for your policy are compared against the actual value of each configuration item. The item is in compliance if the actual value is the same as the value you have defined in the policy. If the actual setting differs from the value defined in the policy, the value is flagged as “out of compliance”.
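
The precedence rule for /etc/security/user and the policy comparison described above can be sketched as follows. This is an added example, not Security Auditor's own code: the sample file content, the function names and the reading of “No Entry Policy” as "the stanza has no entry for the attribute" are assumptions based on the text.

```python
# Constructed sample in AIX /etc/security/user stanza format (values are illustrative).
SAMPLE = """\
* lines starting with '*' are comments
default:
	minlen = 8
	rlogin = true

root:
	rlogin = false

alice:
	minlen = 14
"""

ANY_VALUE = "Any value"        # policy value: attribute is never checked
NO_ENTRY = "No Entry Policy"   # policy value: the stanza must not set the attribute

def parse_stanzas(text):
    """Parse 'name:' stanzas of 'attr = value' lines into {stanza: {attr: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def effective(stanzas, user, attr):
    """A user-level entry takes precedence; otherwise the default stanza applies."""
    value = stanzas.get(user, {}).get(attr)
    return value if value is not None else stanzas.get("default", {}).get(attr)

def check(stanzas, stanza, attr, policy):
    """Compare one stanza's actual entry with the policy value (assumed semantics)."""
    if policy == ANY_VALUE:
        return "not checked"
    actual = stanzas.get(stanza, {}).get(attr)
    if policy == NO_ENTRY:
        return "in compliance" if actual is None else "out of compliance"
    return "in compliance" if actual == policy else "out of compliance"

if __name__ == "__main__":
    s = parse_stanzas(SAMPLE)
    for stanza, attr, policy in [("default", "minlen", "8"), ("default", "rlogin", ANY_VALUE),
                                 ("root", "minlen", NO_ENTRY), ("alice", "minlen", NO_ENTRY)]:
        print(f"{stanza}.{attr}: policy={policy!r} -> {check(s, stanza, attr, policy)}")
    print("effective minlen:", {u: effective(s, u, "minlen") for u in ("root", "alice")})
```

In the sample, alice's user-level minlen entry is what a “No Entry Policy” check flags, while root has no entry and falls back to the default stanza.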

To run a compliance check, do one of the following:

  • On the Manage Servers screen, click and choose whether you want to check the Private Policy, Group Policy, or both for the server (or Server Group).
  • On the Servers and Policies screen, click for the Attribute under the Action column.
  • On the Manage Servers screen, click next to a server to open the server's Configuration policies. Check Attribute to select all Attributes and click CheckIt in the upper right. This will run a compliance check on all of the attributes in the Configuration category.
  • Choose Servers > CheckIt. Choose the server(s) and then the category, then click CheckIt.
  • Schedule a regular compliance check. Choose Admin tasks > Manage Scheduled Jobs.

Running FixIt

If an item is identified as Out of compliance, you can have Security Auditor change the value to make it match the policy by running the Security Auditor FixIt function. By default, FixIt is not enabled. You must enable FixIt.

NOTE: You must first run a compliance check to identify what is out of compliance before you can run FixIt.

Once a compliance check has been run and FixIt is enabled, do one of the following:

  • On the Servers and Policies screen, click for the setting under the Action column.
  • Check the individual item or all items and then click FixIt and choose Servers > FixIt. Choose the server and then the category, then click FixIt.
  • Schedule a regular compliance check and FixIt. Choose Admin Tasks > Manage Scheduled Jobs.

NOTE: FixIt cannot be used for all AIX configuration settings. Obviously, prior to using FixIt, all changes should be reviewed carefully; however, some settings seemed as though they had a significant chance of causing disruption if changed. Therefore, these values cannot be changed through FixIt:
  • auth_type
  • pwd_algorithm
  • auth1
  • auth2
  • SYSTEM
  • default_roles
  • roles
  • auditclasses
  • dictionlist
  • pwdchecks
  • account_locked
  • rlogin

These settings are also noted in the Configuration category with an ‘*’. These items will be identified as out of compliance but FixIt will not modify their values.
