| V-215174 | | If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-215175 | | All accounts on the AIX system must have unique account names. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-215176 | | All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-215177 | | The AIX SYSTEM attribute must not be set to NONE for any account. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-215179 | | AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the oper... |
| V-215197 | | AIX must not have accounts configured with blank or null passwords. | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without aut... |
| V-215204 | | If LDAP is used, the AIX LDAP client must use SSL to authenticate with the LDAP server. | When the LDAP client's authentication type is ldap_auth (server-side authentication), the client sends the password to the server in clear text for authentic... |
| V-215213 | | AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing s... |
| V-215217 | | AIX must enforce password complexity by requiring that at least one upper-case character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-215218 | | AIX must enforce password complexity by requiring that at least one lower-case character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-215219 | | AIX must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-215220 | | AIX must require the change of at least 50% of the total number of characters when passwords are changed. | If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by i... |
| V-215221 | | AIX root passwords must never be passed over a network in clear text form. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-215225 | | AIX must use a Loadable Password Algorithm (LPA) password hashing algorithm. | The default legacy password hashing algorithm, crypt(), uses only the first 8 characters from the password string, meaning the user's password is trun... |
| V-215226 | | AIX must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-215233 | | AIX must be able to control the ability of remote login for users. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, i... |
| V-215257 | | The AIX rexec daemon must not be running. | The exec service is used to execute a command sent from a remote server. The username and passwords are passed over the network in clear text and ther... |
| V-215258 | | AIX telnet daemon must not be running. | This telnet service is used to service remote user connections. This is historically the most commonly used remote access method for UNIX servers. The... |
| V-215259 | | AIX ftpd daemon must not be running. | The ftp service is used to transfer files from or to a remote machine. The username and passwords are passed over the network in clear text and theref... |
| V-215260 | | AIX must remove the NOPASSWD tag from sudo config files. | The sudo command does not require reauthentication if the NOPASSWD tag is specified in the /etc/sudoers config file or in sudoers files in the /etc/sudoers.d/ directory... |
| V-215322 | | AIX must disable the /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/rexec and /usr/bin/telnet commands. | The listed applications permit the transmission of passwords in plain text. Alternative applications such as SSH, which encrypt data, should be used i... |
| V-215334 | | AIX must disable trivial file transfer protocol. | Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted a... |
| V-215346 | | The AIX rsh daemon must be disabled. | The rsh daemon permits usernames and passwords to be passed over the network in clear text.... |
| V-215347 | | The AIX rlogind service must be disabled. | The rlogin daemon permits usernames and passwords to be passed over the network in clear text.... |
| V-215375 | | The ntalk daemon must be disabled on AIX. | This service establishes a two-way communication link between two users, either locally or remotely. Unless required, the ntalk service will be disable... |
| V-215403 | | The AIX system must have no .netrc files on the system. | Unencrypted passwords for remote FTP servers may be stored in .netrc files. Policy requires passwords be encrypted in storage and not used in access s... |
| V-215169 | | AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account. | The "/etc/security/mkuser.sys.custom" is called by "/etc/security/mkuser.sys" to customize the new user account when a new user is created, or a user ... |
| V-215170 | | AIX must automatically remove or disable temporary user accounts after 72 hours or sooner. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To ... |
| V-215171 | | AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-215172 | | AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the numbe... |
| V-215173 | | If the AIX system is using LDAP for authentication or account information, the LDAP SSL or TLS connection must require the server to provide a certificate, and this certificate must have a valid path to a trusted CA. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-215178 | | Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts. | Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There i... |
| V-215180 | | The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. | Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is requir... |
| V-215181 | | The shipped /etc/security/mkuser.sys file on AIX must not be customized directly. | The "/etc/security/mkuser.sys" script customizes the new user account when a new user is created, or a user is logging into the system without a home ... |
| V-215182 | | The regular users' default primary group must be staff (or equivalent) on AIX. | The /usr/lib/security/mkuser.default file contains the default primary groups for regular and admin users. Setting a system group as the regular users... |
| V-215183 | | All system files, programs, and directories must be owned by a system account. | Restricting permissions will protect the files from unauthorized modification.... |
| V-215184 | | AIX device files and directories must only be writable by users with a system account or as configured by the vendor. | System device files in writable directories could be modified, removed, or used by an unprivileged user to control system hardware.... |
| V-215186 | | AIX must configure the ttys value for all interactive users. | A user's "ttys" attribute controls from which device(s) the user can authenticate and log in. If the "ttys" attribute is not specified, all terminals ... |
| V-215187 | | AIX must provide the lock command to let users retain their session lock until users are reauthenticated. | All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecure poses a potential security hazard. To l... |
| V-215188 | | AIX must provide the xlock command in the CDE environment to let users retain their session lock until users are reauthenticated. | All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecure poses a potential security hazard. If th... |
| V-215189 | | The AIX system must prevent the root account from directly logging in except from the system console. | Limiting the root account's direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device. ... |
| V-215190 | | All AIX public directories must be owned by root or an application account. | If a public directory has the sticky bit set and is not owned by a privileged UID, unauthorized users may be able to modify files created by others. T... |
| V-215191 | | AIX administrative accounts must not run a web browser, except as needed for local service administration. | If a web browser flaw is exploited while running as a privileged user, the entire system could be compromised. Specific exceptions for local service... |
| V-215192 | | AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. | To centralize the management of privileged account crontabs, only root among the default system accounts may have a crontab.... |
| V-215193 | | The AIX root account must not have world-writable directories in its executable search path. | If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and in... |
| V-215194 | | The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID. | Reserved GIDs are typically used by system software packages. If non-system groups have GIDs in this range, they may conflict with system software, po... |
| V-215195 | | UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems. | Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, ... |
| V-215196 | | The AIX root account's list of preloaded libraries must be empty. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the... |
| V-215198 | | The AIX root account's home directory (other than /) must have mode 0700. | Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with ... |
| V-215199 | | The AIX root account's home directory must not have an extended ACL. | Excessive permissions on root home directories allow unauthorized access to root user files.... |
| V-215200 | | AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-215201 | | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-215202 | | The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-215203 | | Any publicly accessible connection to the AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and securit... |
| V-215205 | | If LDAP authentication is required, AIX must set up the LDAP client to refresh user and group caches with an interval of less than a day. | If cached authentication information is out-of-date, the validity of the authentication information may be questionable.... |
| V-215206 | | The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups. | A plus (+) in system accounts files causes the system to look up the specified entry using NIS. If the system is not using NIS, no such entries should ... |
| V-215207 | | AIX must protect the confidentiality and integrity of all information at rest. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used fo... |
| V-215208 | | AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-215209 | | All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions. | When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and... |
| V-215210 | | AIX nosuid option must be enabled on all NFS client mounts. | Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid or sgid bit set. If the s... |
| V-215211 | | AIX must be configured to allow users to directly initiate a session lock for all connection types. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-215212 | | AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-215214 | | If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. | If LDAP authentication is used, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.... |
| V-215215 | | AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD syst... |
| V-215216 | | AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requireme... |
| V-215222 | | AIX operating systems must enforce 24 hours/1 day as the minimum password lifetime. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-215223 | | AIX operating systems must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not... |
| V-215227 | | AIX must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure o... |
| V-215229 | | AIX must prevent the use of dictionary words for passwords. | If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by incre... |
| V-215230 | | The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved a... |
| V-215231 | | If the SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf config file. | Using the default SNMP password increases the chance of a security vulnerability in the SNMP service.... |
| V-215232 | | AIX must require passwords to contain no more than three consecutive repeating characters. | Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.... |
| V-215234 | | NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs. | The nosuid mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system not... |
| V-215235 | | AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option. | The nodev (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file ... |
| V-215236 | | AIX must produce audit records containing information to establish the date, time, and type of events that occurred. | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage o... |
| V-215237 | | AIX must produce audit records containing information to establish where the events occurred. | Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. I... |
| V-215238 | | AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event. | Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. ... |
| V-215239 | | AIX must produce audit records containing information to establish the outcome of the events. | Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if ch... |
| V-215240 | | AIX must produce audit records containing the full-text recording of privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-215241 | | AIX must be configured to generate an audit record when 75% of the audit file system is full. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-215242 | | AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents. | The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and ide... |
| V-215243 | | Audit logs on the AIX system must be owned by root. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-215244 | | Audit logs on the AIX system must be group-owned by system. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-215245 | | Audit logs on the AIX system must be set to 660 or less permissive. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-215246 | | AIX must provide audit record generation functionality for DoD-defined auditable events. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-215247 | | AIX must start audit at boot. | If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state... |
| V-215248 | | AIX audit tools must be owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-215249 | | AIX audit tools must be group-owned by audit. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-215250 | | AIX audit tools must be set to 4550 or less permissive. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-215251 | | AIX must verify the hash of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-215252 | | AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. | If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not... |
| V-215253 | | AIX must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocat... |
| V-215254 | | AIX must provide a report generation function that supports on-demand audit review and analysis, on-demand reporting requirements, and after-the-fact investigations of security incidents. | The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability to generate incident rep... |
| V-215255 | | AIX must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generate... |
| V-215256 | | AIX audit logs must be rotated daily. | Rotate audit logs daily to preserve audit file system space and to conform to the DoD/DISA requirement. If it is not rotated daily and moved to anothe... |
| V-215261 | | AIX must remove the !authenticate option from sudo config files. | The sudo command does not require reauthentication if the !authenticate option is specified in the /etc/sudoers config file or in config files in the /etc/sudoers.d/ di... |
| V-215262 | | AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router. | If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks.... |
| V-215263 | | IP forwarding for IPv4 must not be enabled on AIX unless the system is a router. | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only... |
| V-215264 | | AIX must be configured with a default gateway for IPv6 if the system uses IPv6 unless the system is a router. | If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks.... |
| V-215265 | | AIX must not have IP forwarding for IPv6 enabled unless the system is an IPv6 router. | If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for comm... |
| V-215266 | | AIX log files must be owned by a system account. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-215267 | | AIX log files must be owned by a system group. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-215268 | | AIX system files, programs, and directories must be group-owned by a system group. | Restricting permissions will protect the files from unauthorized modification.... |
| V-215269 | | The inetd.conf file on AIX must be owned by root. | Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive infor... |
| V-215270 | | AIX cron and crontab directories must be owned by root or bin. | Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privil... |
| V-215271 | | AIX audio devices must be group-owned by root, sys, bin, or system. | Without privileged group owners, audio devices will be vulnerable to being used as eavesdropping devices by malicious users or intruders to possibly ... |
| V-215272 | | The AIX time synchronization configuration file must be owned by root. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. I... |
| V-215273 | | The AIX time synchronization configuration file must be group-owned by bin or system. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. I... |
| V-215274 | | The AIX /etc/group file must be owned by root. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-215275 | | The AIX /etc/group file must be group-owned by security. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-215276 | | All AIX interactive users' home directories must be owned by their respective users. | System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution ... |
| V-215277 | | All AIX interactive users' home directories must be group-owned by the home directory owner's primary group. | If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.... |
| V-215278 | | All files and directories contained in users' home directories on AIX must be group-owned by a group in which the home directory owner is a member. | If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.... |
| V-215279 | | AIX library files must have mode 0755 or less permissive. | Unauthorized access could destroy the integrity of the library files.... |
| V-215280 | | Samba packages must be removed from AIX. | If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the c... |
| V-215281 | | AIX time synchronization configuration file must have mode 0640 or less permissive. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. I... |
| V-215282 | | The AIX /etc/group file must have mode 0644 or less permissive. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-215283 | | AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required. | The AIX Encrypted File System (EFS) is a J2 filesystem-level encryption through individual key stores. This allows for file encryption in order to pro... |
| V-215284 | | AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods. | Without protection of the transmitted or received information, confidentiality and integrity may be compromised because unprotected communications can... |
| V-215285 | | AIX must monitor and record successful remote logins. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-215286 | | AIX must monitor and record unsuccessful remote logins. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-215287 | | On AIX, the SSH server must not permit root logins using remote access programs. | Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on r... |
| V-215288 | | All AIX shells referenced in passwd file must be listed in /etc/shells file, except any shells specified for the purpose of preventing logins. | The /etc/shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their de... |
| V-215289 | | The AIX SSH server must use SSH Protocol 2. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-215290 | | AIX must configure the SSH idle timeout interval. | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that ... |
| V-215291 | | AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions. | Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted a... |
| V-215292 | | If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the ... |
| V-215293 | | AIX must set up the SSH daemon to disable revoked public keys. | Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked... |
| V-215294 | | AIX SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.... |
| V-215295 | | The AIX SSH daemon must be configured for IP filtering. | The SSH daemon must be configured for IP filtering to provide a layered defense against connection attempts from unauthorized addresses.... |
| V-215296 | | The AIX SSH daemon must not allow compression. | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the ... |
| V-215297 | | AIX must turn on SSH daemon privilege separation. | SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabil... |
| V-215298 | | AIX must turn on SSH daemon reverse name checking. | If reverse name checking is off, SSH may allow a remote attacker to circumvent security policies and attempt to or actually login from IP addresses th... |
| V-215299 | | AIX SSH daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.... |
| V-215300 | | AIX must turn off X11 forwarding for the SSH daemon. | X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH conne... |
| V-215301 | | AIX must turn off TCP forwarding for the SSH daemon. | SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenien... |
| V-215302 | | The AIX SSH daemon must be configured to disable empty passwords. | When password authentication is allowed, PermitEmptyPasswords specifies whether the server allows login to accounts with empty password strings. If an... |
| V-215303 | | The AIX SSH daemon must be configured to disable user .rhosts files. | Trust .rhost file means a compromise on one host can allow an attacker to move trivially to other hosts.... |
| V-215304 | | The AIX SSH daemon must be configured to not use host-based authentication. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.... |
| V-215305 | | The AIX SSH daemon must not allow RhostsRSAAuthentication. | If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific... |
| V-215306 | | If AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses. | The SSH daemon should only listen on the approved listening IP addresses. Otherwise the SSH service could be subject to unauthorized access.... |
| V-215308 | | AIX system must require authentication upon booting into single-user and maintenance modes. | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further preve... |
| V-215312 | | AIX must implement a remote syslog server that is documented using site-defined procedures. | If a remote log host is in use and it has not been justified and documented, sensitive information could be obtained by unauthorized users without the... |
| V-215313 | | The AIX syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures. | Unintentionally running a syslog server accepting remote messages puts the system at increased risk. Malicious syslog messages sent to the server coul... |
| V-215314 | | AIX must be configured to use syslogd to log events by TCPD. | Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted a... |
| V-215315 | | The AIX audit configuration files must be owned by root. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-215316 | | The AIX audit configuration files must be group-owned by audit. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-215317 | | The AIX audit configuration files must be set to 640 or less permissive. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-215318 | | AIX must automatically lock after 15 minutes of inactivity in the CDE Graphical desktop environment. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-215320 | | AIX must set inactivity time-out on login sessions and terminate all login sessions after 10 minutes of inactivity. | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that ... |
| V-215321 | | AIX SSH private host key files must have mode 0600 or less permissive. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-215323 | | AIX log files must have mode 0640 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-215324 | | AIX log files must not have extended ACLs, except as needed to support authorized software. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-215325 | | All system command files must not have extended ACLs. | Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories us... |
| V-215326 | | All library files must not have extended ACLs. | Unauthorized access could destroy the integrity of the library files.... |
| V-215327 | | AIX passwd.nntp file must have mode 0600 or less permissive. | File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users... |
| V-215328 | | The AIX /etc/group file must not have an extended ACL. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-215329 | | The AIX ldd command must be disabled. | The ldd command provides a list of dependent libraries needed by a given binary, which is useful for troubleshooting software. Instead of parsing the ... |
| V-215330 | | AIX NFS server must be configured to restrict file system access to local hosts. | The NFS access option limits user access to the specified level. This assists in protecting exported file systems. If access is not restricted, unauth... |
| V-215331 | | All AIX users home directories must have mode 0750 or less permissive. | Excessive permissions on home directories allow unauthorized access to user files.... |
| V-215332 | | The AIX user home directories must not have extended ACLs. | Excessive permissions on home directories allow unauthorized access to user files.... |
| V-215333 | | AIX must use Trusted Execution (TE) Check policy. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-215335 | | AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-215336 | | AIX must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-215337 | | AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt. | Limiting the number of login attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.... |
| V-215338 | | AIX system must restrict the ability to switch to the root user to members of a defined group. | Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with... |
| V-215339 | | All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. | If a user is assigned the GID of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended r... |
| V-215340 | | All AIX files and directories must have a valid owner. | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by i... |
| V-215341 | | The sticky bit must be set on all public directories on AIX systems. | Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public d... |
| V-215342 | | The AIX global initialization files must contain the mesg -n or mesg n commands. | Command "mesg -n" allows only the root user the permission to send messages to your workstation to avoid having others clutter your display with incom... |
| V-215343 | | The AIX hosts.lpd file must not contain a + character. | Having the '+' character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources.... |
| V-215344 | | AIX sendmail logging must not be set to less than nine in the sendmail.cf file. | If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the sendmail s... |
| V-215345 | | AIX run control scripts executable search paths must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If th... |
| V-215348 | | The AIX qdaemon must be disabled if local or remote printing is not required. | The qdaemon program is the printing scheduling daemon that manages the submission of print jobs to the piobe service. To prevent remote attacks, this ... |
| V-215349 | | If AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled. | The lpd daemon accepts remote print jobs from other systems. To prevent remote attacks, this daemon should not be enabled unless there is no alternati... |
| V-215350 | | If AIX system does not support either local or remote printing, the piobe service must be disabled. | The piobe daemon is the I/O back end for the printing process, handling the job scheduling and spooling. To prevent remote attacks, this daemon should... |
| V-215351 | | If there are no X11 clients that require CDE on AIX, the dt service must be disabled. | This entry executes the CDE startup script which starts the AIX Common Desktop Environment. To prevent attacks, this daemon should not be enabled unle... |
| V-215352 | | If NFS is not required on AIX, the NFS daemon must be disabled. | The rcnfs entry starts the NFS daemons during system boot. NFS is a service with numerous historical vulnerabilities and should not be enabled unless... |
| V-215353 | | If sendmail is not required on AIX, the sendmail service must be disabled. | The sendmail service has many historical vulnerabilities and, where possible, should be disabled. If the system is not required to operate as a mail s... |
| V-215354 | | If SNMP is not required on AIX, the snmpd service must be disabled. | The snmpd daemon is used by many 3rd party applications to monitor the health of the system. This allows remote monitoring of network and server confi... |
| V-215355 | | The AIX DHCP client must be disabled. | The dhcpcd daemon receives address and configuration information from the DHCP server. DHCP relies on trusting the local network. If the local network... |
| V-215356 | | If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled. | The dhcprd daemon listens for broadcast packets, receives them, and forwards them to the appropriate server. To prevent remote attacks, this daemon sh... |
| V-215357 | | If IPv6 is not utilized on AIX server, the autoconf6 daemon must be disabled. | "autoconf6" is used to automatically configure IPv6 interfaces at boot time. Running this service may allow other hosts on the same physical subnet to... |
| V-215358 | | If AIX server is not functioning as a network router, the gated daemon must be disabled. | This daemon provides gateway routing functions for protocols such as RIP and SNMP. To prevent remote attacks, this daemon should not be enabled unless... |
| V-215359 | | If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled. | This daemon is an implementation of the multicast routing protocol. To prevent remote attacks, this daemon should not be enabled unless there is no al... |
| V-215360 | | If AIX server is not functioning as a DNS server, the named daemon must be disabled. | This is the server for the DNS protocol and controls domain name resolution for its clients. To prevent attacks, this daemon should not be enabled unl... |
| V-215361 | | If AIX server is not functioning as a network router, the routed daemon must be disabled. | The routed daemon manages the network routing tables in the kernel. To prevent attacks, this daemon should not be enabled unless there is no alternati... |
| V-215362 | | If rwhod is not required on AIX, the rwhod daemon must be disabled. | This is the remote WHO service. To prevent remote attacks, this daemon should not be enabled unless there is no alternative.... |
| V-215363 | | The timed daemon must be disabled on AIX. | This is the old UNIX time service. The timed daemon is the old UNIX time service. Disable this service and use xntp, if time synchronization is requi... |
| V-215364 | | If AIX server does not host an SNMP agent, the dpid2 daemon must be disabled. | The dpid2 daemon acts as a protocol converter, which enables DPI (SNMP v2) sub-agents, such as hostmibd, to talk to a SNMP v1 agent that follows SNMP ... |
| V-215365 | | If SNMP is not required on AIX, the snmpmibd daemon must be disabled. | The snmpmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. If snmpd is not required, it is recommended that it is disabled.... |
| V-215366 | | The aixmibd daemon must be disabled on AIX. | The aixmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. To prevent attacks, this daemon should not be enabled unless there is... |
| V-215367 | | The ndpd-host daemon must be disabled on AIX. | This is the Neighbor Discovery Protocol (NDP) daemon, required in IPv6. The ndpd-host is the NDP daemon for the server. Unless the server utilizes IP... |
| V-215368 | | The ndpd-router must be disabled on AIX. | This manages the Neighbor Discovery Protocol (NDP) for non-kernel activities, required in IPv6. The ndpd-router manages NDP for non-kernel activities... |
| V-215369 | | The daytime daemon must be disabled on AIX. | The daytime service provides the current date and time to other servers on a network. This daytime service is a defunct time service, typically used ... |
| V-215370 | | The cmsd daemon must be disabled on AIX. | This is a calendar and appointment service for CDE. The cmsd service is utilized by CDE to provide calendar functionality. If CDE is not required, th... |
| V-215371 | | The ttdbserver daemon must be disabled on AIX. | The ttdbserver service is the tool-talk database service for CDE. This service runs as root and should be disabled. Unless required the ttdbserver ser... |
| V-215372 | | The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX. | This service facilitates file copying between networked servers. The uucp (UNIX to UNIX Copy Program) service allows users to copy files between net... |
| V-215373 | | The time daemon must be disabled on AIX. | This service can be used to synchronize system clocks. The time service is an obsolete process used to synchronize system clocks at boot time. This h... |
| V-215374 | | The talk daemon must be disabled on AIX. | This talk service is used to establish an interactive two-way communication link between two UNIX users. Unless required the talk service will be disa... |
| V-215376 | | The chargen daemon must be disabled on AIX. | This service is used to test the integrity of TCP/IP packets arriving at the destination. This chargen service is a character generator service and i... |
| V-215377 | | The discard daemon must be disabled on AIX. | The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it receives. This is a /dev/null ... |
| V-215378 | | The dtspc daemon must be disabled on AIX. | The dtspc service deals with the CDE interface of the X11 daemon. It is started automatically by the inetd daemon in response to a CDE client requesti... |
| V-215379 | | The pcnfsd daemon must be disabled on AIX. | The pcnfsd service is an authentication and printing program, which uses NFS to provide file transfer services. This service is vulnerable and exploit... |
| V-215380 | | The rstatd daemon must be disabled on AIX. | The rstatd service is used to provide kernel statistics and other monitorable parameters pertinent to the system such as: CPU usage, system uptime, ne... |
| V-215381 | | The rusersd daemon must be disabled on AIX. | The rusersd service runs as root and provides a list of current users active on a system. An attacker may use this service to learn valid account name... |
| V-215382 | | The sprayd daemon must be disabled on AIX. | The sprayd service is used as a tool to generate UDP packets for testing and diagnosing network problems. The service must be disabled if NFS is not i... |
| V-215383 | | The klogin daemon must be disabled on AIX. | The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the netwo... |
| V-215384 | | The kshell daemon must be disabled on AIX. | The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted communications. The reco... |
| V-215385 | | The rquotad daemon must be disabled on AIX. | The rquotad service allows NFS clients to enforce disk quotas on file systems that are mounted on the local system. This service should be disabled if... |
| V-215386 | | The tftp daemon must be disabled on AIX. | The tftp service allows remote systems to download or upload files to the tftp server without any authentication. It is therefore a service that shoul... |
| V-215387 | | The imap2 service must be disabled on AIX. | The imap2 service or Internet Message Access Protocol (IMAP) supports the IMAP4 remote mail access protocol. It works with sendmail and bellmail. This... |
| V-215388 | | The pop3 daemon must be disabled on AIX. | The pop3 service provides a pop3 server. It supports the pop3 remote mail access protocol. It works with sendmail and bellmail. This service should be... |
| V-215389 | | The finger daemon must be disabled on AIX. | The fingerd daemon provides the server function for the finger command. This allows users to view real-time pertinent user login information on other ... |
| V-215390 | | The instsrv daemon must be disabled on AIX. | The instsrv service is part of the Network Installation Tools, used for servicing servers running AIX 3.2. This service should be disabled to prevent ... |
| V-215391 | | The echo daemon must be disabled on AIX. | The echo service can be used in Denial of Service or SMURF attacks. It can also be used by someone else to get through a firewall or start a data stor... |
| V-215392 | | The Internet Network News (INN) server must be disabled on AIX. | Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to... |
| V-215393 | | The Stream Control Transmission Protocol (SCTP) must be disabled on AIX. | The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this p... |
| V-215394 | | The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX. | The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Bindin... |
| V-215395 | | If automated file system mounting tool is not required on AIX, it must be disabled. | Automated file system mounting tools may provide unprivileged users with the ability to access local media and network shares. If this access is not n... |
| V-215396 | | AIX process core dumps must be disabled. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-215397 | | AIX kernel core dumps must be disabled unless needed. | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk... |
| V-215398 | | AIX must set Stack Execution Disable (SED) system wide mode to all. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-215399 | | AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-215400 | | AIX must allow admins to send a message to all the users who logged in currently. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-215401 | | AIX must allow admins to send a message to a user who logged in currently. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-215402 | | The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-215404 | | AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-215405 | | If DHCP server is not required on AIX, the DHCP server must be disabled. | The dhcpsd daemon is the DHCP server that serves addresses and configuration information to DHCP clients in the network. To prevent remote attacks, th... |
| V-215406 | | The rwalld daemon must be disabled on AIX. | The rwalld service allows remote users to broadcast system wide messages. The service runs as root and should be disabled unless absolutely necessary ... |
| V-215407 | | In the event of a system failure, AIX must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. | Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure s... |
| V-215408 | | The /etc/shells file must exist on AIX systems. | The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot chan... |
| V-215409 | | AIX public directories must be the only world-writable directories and world-writable files must be located only in public directories. | World-writable files and directories make it easy for a malicious user to place potentially compromising files on the system. The only authorized publ... |
| V-215410 | | AIX must be configured to only boot from the system boot device. | The ability to boot from removable media is the same as being able to boot into single user or maintenance mode without a password. This ability could... |
| V-215411 | | AIX must not use removable media as the boot loader. | Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.... |
| V-215414 | | The sendmail server must have the debug feature disabled on AIX systems. | Debug mode is a feature present in older versions of Sendmail which, if not disabled, may allow an attacker to gain access to a system through the Sen... |
| V-215415 | | SMTP service must not have the EXPN or VRFY features active on AIX systems. | The SMTP EXPN function allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on u... |
| V-215416 | | All global initialization file executable search paths must contain only absolute paths. | Failure to restrict system access to authenticated users negatively impacts operating system security.... |
| V-215417 | | The SMTP service HELP command must not be enabled on AIX. | The HELP command should be disabled to mask version information. The version of the SMTP service software could be used by attackers to target vulnera... |
| V-215418 | | NIS maps must be protected through hard-to-guess domain names on AIX. | The use of hard-to-guess NIS domain names provides additional protection from unauthorized access to the NIS directory information.... |
| V-215419 | | The AIX systems access control program must be configured to grant or deny system access to specific hosts. | If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services ... |
| V-215420 | | All AIX files and directories must have a valid group owner. | Failure to restrict system access to authenticated users negatively impacts operating system security.... |
| V-215421 | | AIX control scripts library search paths must contain only absolute paths. | The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path include... |
| V-215422 | | The control script lists of preloaded libraries must contain only absolute paths on AIX systems. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the... |
| V-215423 | | The global initialization file lists of preloaded libraries must contain only absolute paths on AIX. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the... |
| V-215424 | | The local initialization file library search paths must contain only absolute paths on AIX. | The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path include... |
| V-215425 | | The local initialization file lists of preloaded libraries must contain only absolute paths on AIX. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the... |
| V-215426 | | AIX package management tool must be used daily to verify system software. | Verification using the system package management tool can be used to determine that system software has not been tampered with. This requirement is no... |
| V-215427 | | The AIX DHCP client must not send dynamic DNS updates. | Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.... |
| V-215428 | | AIX must not run any routing protocol daemons unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-215429 | | AIX must not process ICMP timestamp requests. | The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system.... |
| V-215430 | | AIX must not respond to ICMPv6 echo requests sent to a broadcast address. | Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks.... |
| V-215431 | | AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.... |
| V-215432 | | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the AIX system. | Trust files are convenient, but when used in conjunction with the remote login services, they can allow unauthenticated access to a system.... |
| V-215433 | | The .rhosts file must not be supported in AIX PAM. | .rhosts files are used to specify a list of hosts permitted remote access to a particular account without authenticating. The use of such a mechanism ... |
| V-215434 | | The AIX root user home directory must not be the root directory (/). | Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the ... |
| V-215435 | | All AIX interactive users must be assigned a home directory in the passwd file and the directory must exist. | All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root director... |
| V-215436 | | The AIX operating system must use Multi Factor Authentication. | To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent po... |
| V-215437 | | The AIX operating system must be configured to authenticate using Multi Factor Authentication. | To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent po... |
| V-215438 | | The AIX operating system must be configured to use Multi Factor Authentication for remote connections. | To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent po... |
| V-215439 | | AIX must have the PowerSC Multi Factor Authentication Product configured. | To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent po... |
| V-215440 | | The AIX operating system must be configured to use a valid server_ca.pem file. | To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent po... |
| V-215441 | | The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support id... |
| V-219057 | | AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound conne... |
| V-219956 | | AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full. | Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.... |
| V-245557 | | The AIX /etc/hosts file must be owned by root. | Unauthorized ownership of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is also... |
| V-245558 | | The AIX /etc/hosts file must be group-owned by system. | Unauthorized group ownership of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It i... |
| V-245559 | | The AIX /etc/hosts file must have a mode of 0640 or less permissive. | Unauthorized permissions of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is al... |
| V-245560 | | AIX cron and crontab directories must have a mode of 0640 or less permissive. | Incorrect permissions of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as priv... |
| V-245561 | | The AIX /etc/syslog.conf file must be owned by root. | Unauthorized ownership of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities. This ... |
| V-245562 | | The AIX /etc/syslog.conf file must be group-owned by system. | Unauthorized group ownership of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities.... |
| V-245563 | | The AIX /etc/syslog.conf file must have a mode of 0640 or less permissive. | Unauthorized permissions of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities. Thi... |
| V-245564 | | The inetd.conf file on AIX must be group owned by the "system" group. | Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive infor... |
| V-245565 | | The AIX /etc/inetd.conf file must have a mode of 0640 or less permissive. | Failure to set proper permissions of sensitive files or utilities may provide unauthorized users with the potential to access sensitive information or... |
| V-245566 | | The AIX /var/spool/cron/atjobs directory must be owned by root or bin. | Unauthorized ownership of the /var/spool/cron/atjobs directory could permit unauthorized users the ability to alter atjobs and run automated jobs as p... |
| V-245567 | | The AIX /var/spool/cron/atjobs directory must be group-owned by cron. | Unauthorized group ownership of the /var/spool/cron/atjobs directory could permit unauthorized users the ability to alter atjobs and run automated job... |
| V-245568 | | The AIX /var/spool/cron/atjobs directory must have a mode of 0640 or less permissive. | Incorrect permissions of the /var/spool/cron/atjobs directory could permit unauthorized users the ability to alter atjobs and run automated jobs as pr... |
| V-245569 | | The AIX cron and crontab directories must be group-owned by cron. | Incorrect group ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as ... |
| V-215309 | | If bash is used, AIX must display logout messages. | If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zom... |
| V-215310 | | If Bourne / ksh shell is used, AIX must display logout messages. | If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zom... |
| V-215311 | | If csh/tcsh shell is used, AIX must display logout messages. | If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zom... |
| V-215412 | | If the AIX host is running an SMTP service, the SMTP greeting must not provide version information. | The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version.... |
| V-215413 | | AIX must contain no .forward files. | The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail ... |