viosecure Command
Purpose
Activates, deactivates, and displays security hardening rules. Configures,
unconfigures or displays firewall settings.
Syntax
viosecure -level LEVEL [-apply] | [-nonint] -view
viosecure -firewall on [-force] | off
viosecure -firewall allow | deny -port number [-interface ifname] [-address IPaddress] [-timeout Timeout] [-remote]
viosecure -firewall view [-fmt delimiter]
Description
The viosecure command activates, deactivates, and displays
security hardening rules. By default, none of the security hardening features
are activated after installation. Upon running the viosecure command, the command guides the user through the proper security settings,
which range from High to Medium to Low. After this initial selection, a menu
is displayed itemizing the security configuration options associated with
the selected security level in sets of 10. These options can be accepted in
whole, individually toggled off or on, or ignored. After any changes, viosecure continues to apply the security settings to the
computer system.
The viosecure command also configures, unconfigures,
and displays network firewall settings. Using the viosecure command, you can activate and deactivate specific ports and specify
the interface and IP address from which connections will be allowed.
Flags
-apply
    Applies all of the LEVEL security settings to the system. There is no
    user-selectable option.

-firewall allow -port Port [-interface ifname] [-address IPaddress] [-timeout Timeout] [-remote]
    Permits IP activity per port, with optional parameters restricting it by
    interface, IP address, and the time that the rule is effective. The Port
    argument can be a number or a service name from the /etc/services file.
    The -remote option specifies that the port is a remote port; all IP
    activity to and from that remote port is allowed. By default, all IP
    activity to and from a local port is allowed. The timeout period can be
    specified as a number (in seconds), or as a number followed by m
    (minutes), h (hours), or d (days). The maximum timeout period is 30 days.

-firewall deny -port Port [-interface ifname] [-address IPaddress] [-timeout Timeout] [-remote]
    Removes a previous firewall allow setting. The Port argument can be a
    number or a service name from the /etc/services file. If -port 0 is
    specified, then all allow settings are removed. The -remote option
    specifies that the port is the remote port; the default is the local
    port. The timeout period can be specified as a number (in seconds), or as
    a number followed by m (minutes), h (hours), or d (days). The maximum
    timeout period is 30 days.

-firewall off
    Unconfigures the default firewall settings.

-firewall on [-force]
    Configures the default firewall settings from the
    /home/ios/security/viosecure.ctl file. If the viosecure.ctl file does not
    exist, you must use the -force option to apply the default firewall
    settings.

-level LEVEL
    Specifies the security LEVEL settings to choose, where LEVEL is low,
    middle, high, or default. The default LEVEL deactivates any previous
    security LEVEL system settings. Except for the default LEVEL, ten
    security LEVEL settings are displayed at a time. The user can then choose
    the desired security settings by entering comma-separated numbers, the
    word ALL to choose all of the settings, the word NONE to choose none of
    the settings, the letter q to exit, or the letter h for help. The chosen
    security settings are then applied to the system.

-firewall view [-fmt delimiter]
    Displays the currently allowed ports. If the -fmt option is specified,
    the output is divided by the user-specified delimiter.

-nonint
    Specifies non-interactive mode.

-view
    Displays the current security level settings. All of the security setting
    names end with the three characters Xls, where X = l (low), m (medium),
    h (high), or d (default). For example, the security setting name
    minlenlls is the low-level security setting for the minimum length of a
    password.
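The -timeout rules above (plain seconds, or a number followed by m, h, or d, capped at 30 days) are easy to get wrong in automation. The following POSIX sh helper, an added example that is not part of the viosecure reference or the VIOS product, validates a timeout string before it reaches viosecure; the function names, the rejection of a zero timeout, and the allow_port_with_timeout wrapper are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the viosecure reference): validate a -timeout value
# against the documented rules before handing it to viosecure.
# Accepted forms: N (seconds), Nm, Nh, Nd; the maximum is 30 days.

MAX_TIMEOUT_SECONDS=$((30 * 24 * 3600))   # 30 days, the documented ceiling

# Prints the timeout in seconds and returns 0 when the value is well formed,
# positive (an assumption of this example) and within the limit; else returns 1.
timeout_to_seconds() {
    t=$1
    case $t in
        ''|*[!0-9mhd]*) return 1 ;;        # empty, or contains other characters
    esac
    num=${t%[mhd]}                          # strip one trailing unit, if any
    unit=${t#"$num"}
    case $num in
        ''|*[!0-9]*) return 1 ;;            # unit without a number, or "7dd"
    esac
    case $unit in
        '') mult=1 ;;
        m)  mult=60 ;;
        h)  mult=3600 ;;
        d)  mult=86400 ;;
    esac
    secs=$((num * mult))
    [ "$secs" -gt 0 ] || return 1
    [ "$secs" -le "$MAX_TIMEOUT_SECONDS" ] || return 1
    printf '%s\n' "$secs"
}

# Hypothetical wrapper: only call viosecure once the timeout is known to be
# valid. viosecure exists only on a VIOS partition, so nothing here runs it
# unless you call this function yourself.
allow_port_with_timeout() {
    port=$1; timeout=$2
    secs=$(timeout_to_seconds "$timeout") || {
        echo "invalid -timeout '$timeout' (use N, Nm, Nh or Nd; max 30d)" >&2
        return 1
    }
    echo "allowing port $port for $secs seconds" >&2
    viosecure -firewall allow -port "$port" -timeout "$timeout"
}
```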
Examples
- To display the high system security settings, and to select which of the
high security settings to apply to the system, type:
viosecure -level high
- To apply all of the 'high' system security settings to the system, type:
viosecure -level high -apply
- To display the current system security settings, type:
viosecure -view
- To unconfigure the previous system security settings, type:
viosecure -level default
- To allow IP activity on the ftp-data, ftp, ssh, www, https, rmc, and cimon
ports, and to deny other IP activity, type:
viosecure -firewall on
- To allow IP activity on all ports, type:
viosecure -firewall off
- To allow users from IP address 10.10.10.10 to rlogin, type:
viosecure -firewall allow -port login -address 10.10.10.10
- To allow users to rlogin for seven days, type:
viosecure -firewall allow -port login -timeout 7d
- To allow rsh client activity through interface en0, type:
viosecure -firewall allow -port 514 -interface en0 -remote
- To remove the rule that allows users from IP address 10.10.10.10 to rlogin,
type:
viosecure -firewall deny -port login -address 10.10.10.10
- To display the list of allowed ports, type:
viosecure -firewall view