IBM AIX 7.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX.
<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and se...Rule Medium Severity -
SRG-OS-000228-GPOS-00088
<GroupDescription></GroupDescription>Group -
Any publically accessible connection to AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible operating system en...Rule Medium Severity -
AIX must turn on SSH daemon reverse name checking.
<VulnDiscussion>If reverse name checking is off, SSH may allow a remote attacker to circumvent security policies and attempt to or actually l...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
AIX must protect the confidentiality and integrity of all information at rest.
<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and...Rule Medium Severity -
SRG-OS-000355-GPOS-00143
<GroupDescription></GroupDescription>Group -
AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours.
<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the cor...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions.
<VulnDiscussion>When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remo...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
AIX nosuid option must be enabled on all NFS client mounts.
<VulnDiscussion>Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid ...Rule Medium Severity -
SRG-OS-000030-GPOS-00011
<GroupDescription></GroupDescription>Group -
AIX must be configured to allow users to directly initiate a session lock for all connection types.
<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the ...Rule Medium Severity -
SRG-OS-000031-GPOS-00012
<GroupDescription></GroupDescription>Group -
AIX Operating systems must enforce a 60-day maximum password lifetime restriction.
<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the ...Rule Medium Severity -
SRG-OS-000078-GPOS-00046
<GroupDescription></GroupDescription>Group -
AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the ...Rule Medium Severity -
SRG-OS-000125-GPOS-00065
<GroupDescription></GroupDescription>Group -
AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
<VulnDiscussion>If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the syst...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.