openscap for AIX?

View Only

Expand all | Collapse all

1. openscap for AIX?

0 Like
Martin Rödlach
Posted Wed August 05, 2020 01:34 AM

Reply
Hi,

could You imagine to provide us with openscap for AIX?
On Linux this tool generates great reports which I need for external crontrollers.

Thanks

------------------------------
Opensource the Planet ;-)
------------------------------
2. RE: openscap for AIX?

0 Like
SANKET RATHI
Posted Thu August 06, 2020 06:21 AM

Reply
Hi Martin,

We have looked in past for porting openscap on AIX but encountered some Linux specific code in packages.
Hence it is difficult to port this packages.
Right now we do not have plan to pursue it further because of Linux specific requirement from package.

------------------------------
SANKET RATHI
------------------------------

Original Message
3. RE: openscap for AIX?

0 Like
Martin Rödlach
Posted Thu August 06, 2020 08:06 AM

Reply
Hi,

Thanks for the information.
I will have a look from time to time on the openscap project site - maybe they will consider a better integration with AIX.

Thank You
Martin

------------------------------
Opensource the Planet ;-)
------------------------------

Original Message
4. RE: openscap for AIX?

0 Like
Andrey Klyachkin
Posted Fri August 07, 2020 04:15 AM

Reply
Try inspec https://inspec.io or https://www.power-devops.com/chef-inspec. You don't need any agent on AIX, just an SSH connection to it and it also generates reports for auditors.

------------------------------
Andrey Klyachkin
------------------------------

Original Message
5. RE: openscap for AIX?

0 Like
Bruce Landrum
Posted Thu August 27, 2020 04:50 PM

Reply
Have you looked into aixpert?

------------------------------
Bruce Landrum
------------------------------

Original Message
6. RE: openscap for AIX?

0 Like
Martin Rödlach
Posted Fri August 28, 2020 03:59 AM

Reply
Hi, thanks for the hint. We know the tool but the idea was to use one tool for Linux and AIX.

AIX has another great option - PowerSC - which You can use for Reporting and setting baselines. But You still habe to do a lot on the command line. I'm testing this at the moment.

But first of all we have 300 AIX LPAR's and 600 Linux systems - and while the number of AIX images is decreasing, Linux is becoming more and more.
The other thing is that the staff responsible for those AIX and Linux installations was reduced. We are now 5 experienced admins and another one is new and still learning.
And because we also manage the disk subsystems, the SAN infrastructure and the backup infrastructure (Spectrum Protect), we want to keep that as simple as possible.

Another option we evaluate at the moment ist Nessus. Works fine for Vulnerability Management but it seems to has a bug for compliance scans regarding our SSH/sudo configuration.

Thanks

------------------------------
Opensource the Planet ;-)
------------------------------

Original Message
7. RE: openscap for AIX?

0 Like
Vasiliy Gokoyev
Posted 17 days ago

Reply
How is everyone is able to keep AIX in compliance these days?

Are there any new developments with compliance checking for AIX? We evaluated the PowerSC product and it fell short of expectations. Also looked at the tenable/nessus audit results, but the baseline profile appears infested with bugs and incorrect check logic https://www.tenable.com/audits/DISA_STIG_AIX_7.x_v2r9.

openscap seems to produce the cleanest and most readable reports I've seen so far for Power LE linux, it would be ideal if it can be ported to AIX.

so here another vote for IBM to contribute an openscap AIX package and the AIX compliance profiles.

------------------------------
Vasiliy Gokoyev
------------------------------

Original Message
8. RE: openscap for AIX?

0 Like
Martin Rödlach
Posted 17 days ago

Reply
In the meantime we do everything with Tenable.sc/Nessus - it works for us - but You are right - some parameters are categorized as "Medium" in the scan results, which means, that Tenable was not able to recognize if a parameter is set or not correctly.

The quality of the CIS audit files is a little bit better than STIG - STIG is also behind regarding OS versions. The parameters are partly different, but sufficient for our baseline.

If necessary, You can also adapt the audit files and import it. So You can improve the quality or even check for parameters that are not part of the original STIG guidelines or CIS benchmarks.

I don't know if an openscap implementation would provide better results than Tenable/Nessus. The problem here is that the scripts that deliver the information are the key point - the openscap community is mainly operating Linux systems - but none of them has an IBM Power system at home. So the expectation should be lower than with the Linux platforms.

And the openscap files for Linux are delivered by the distributors - e.g. if You have a request for SLES, You may write to security@suse.com and they consider if the request can be implemented.

So for AIX, IBM needs not only to deliver the tool - they also need to provide the scap files.

But it still would be interesting for us to have openscap - because the HTML reports are really great structured. Better than with Tenable.

------------------------------
Opensource the Planet ;-)
------------------------------

Original Message

AIX Open Source

openscap for AIX?

Martin RödlachWed August 05, 2020 01:34 AM

SANKET RATHIThu August 06, 2020 06:21 AM

Martin RödlachThu August 06, 2020 08:06 AM

Andrey KlyachkinFri August 07, 2020 04:15 AM

Bruce LandrumThu August 27, 2020 04:50 PM

Martin RödlachFri August 28, 2020 03:59 AM

Vasiliy Gokoyev17 days ago

Martin Rödlach17 days ago

1. openscap for AIX?

2. RE: openscap for AIX?

3. RE: openscap for AIX?

4. RE: openscap for AIX?

5. RE: openscap for AIX?

6. RE: openscap for AIX?

7. RE: openscap for AIX?

8. RE: openscap for AIX?