aixpert useability and/or bug fixes related to ipsec

First a few bugs that need fixing. Why not blocking adoption, they make it a harder sell when sitting with a customer and telling them aixpert is a mature product - existing since 2004.
* bug one: when the backport of the -r and -R options were added to aixpert no one thought to remove the commas "," from the file aixpertall.xml, e.g.,
root@x066:[/etc/security/aixpert/core]grep Descr aixpertall.xml | grep "," | head -1
<AIXPertDescription>Prereq rule for NoSyn: Checks whether IPSec is enabled or not, if its not, then enable it</AIXPertDescription>
The "," in the description "breaks" the .csv file created.
* correct the description of the AIXPERT rules generated - at least add a space character between IP address and the port being "shunned" or permitted (HMC)

root@x071:[/root]lsfilt -v4 -O | grep AIXpert | head -2
15|permit|192.168.129.61|255.255.255.255|192.168.90.71|255.255.255.255|yes|all|any|0|any|0|both|inbound|no|all packets|0|all|0|||AIXpert:IPv4:HostPermitHMC192.168.129.61
17|shun_host|0.0.0.0|0.0.0.0|192.168.129.71|255.255.255.255|yes|all|any|0|eq|11|both|inbound|no|all packets|0|all|300|||AIXpert:IPv4:ShunHost192.168.129.7111

* The rules from "ipsecshun*" should be appended to the end, rather than put before the "Dynamic" placeholder. Actually, not placing them AFTER the dynamic placeholder is a bug. The dynamic rules are never seen.

* A recurring issue: mkfilt -g start activates logging reports to syslog. There is a recurring regression where the syslog report is not immediate.

1. so first RFE text:
* new command (i.e., not mkfilt) to control syslog activity (e.g., chipseclog), and store values in ODM
* attributes:
** "reboot": yes|no # if no, remove ODM entries during reboot, OR, do not activate, default: "yes"
** "IP": 4|6|both, default: "both"
** "syslogv4: "valid syslog facility": default: "local4"
** "syslogv6: "valid syslog facility": default: "local6"
** "syslog" : "valid syslog facility": default: (None aka not set) # setting this value overrides syslogv4 and syslogv6 effectively merging the two
** "" : Range, 0-300, default: 0 # time to delay
** "concurrency": Range 0-X, default: 0 - number of messages to store/buffer before writing to syslog (aka something to make what is now a bug a feature that can be configured by anyone wanting it)
*** maybe concurrency is not the right label, neither would sleep, maybe cache_count
*** maybe you have some additiona ideas

Back to RFE: new command, and options that are stored in ODM - perhaps like ipsec_filter in /etc/security/ipsec_logging rather than ${ODMDIR}

2. RFE behavior:
* currently, aixpert acts asif it know better in all situations. It does check whether a port is active and not create a rule when already active, but this assumes aixpert is activated AFTER all applications have been installed. This is not always the case, so needs attention.
RFE: rather than have the port numbers in the script, have them be an argument aka variable in the XML that can be modified. This is much better than needding to modify the script (copy, give it a new name so an update does not destroy the change), etc.. Further, this may simplify documentation and vastly improve reporting (as each port number, or the list of port numbers can become part of the csv report text).
RFE: rather than always create a seperate rule for each interface, default to "all" and "inbound" and for "tcp" use two rules - permitting "tcp/ack" so that inbound from sessions locally generated could be permitted. Again, an option to have the current behavior (regardless of response) which assumes it is probe behavior (only).
RFE: again - having the port numbers in the XML makes it possible to let AIXPERT evaluate not only the "probe" rules now offered, but also allows ways for using AIXPERT to assist admins with maintaining and verifying their ipsec rules -e.g., from a seperate XML file that only contains ipsec related rules. (aixpert -c -P xxxx.xml [-r])

** at least, rather than presume that AIXPERT knows better and prefix all existing rules - rules should either be appended to existing rules (default mkfilt behavior) - or the script should "fail" because there are existing rules (must find a way to ignore AIXPERT HMC rules generated earlier). Then the work already done does not get potentially voided by AIXPERT.

3. aixpert check mode
An enhancement made was to provide an argument "-P" to -c to use a file as the point to compare against, rather than only against what is applied - making it possible to research "what-if" much more easy. The command syntax also has the "check" syntax: 'aixpert -c -l high', but when appliedaixpert.xml does not exist it says appliedaixpert.xml does not exist and exits. If this is working as designed the RFE becomes: "aixpert -c -l {level in aixpertall.xml}" should be alias for {aixpert -l {level} -a -o {level}.xml; aixpert -c -P {level}.xml; rm {level}.xml}