IBM AIX 7.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
If there are no X11 clients that require CDE on AIX, the dt service must be disabled.
<VulnDiscussion>This entry executes the CDE startup script which starts the AIX Common Desktop Environment. To prevent attacks this daemon s...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The .rhosts file must not be supported in AIX PAM.
<VulnDiscussion>.rhosts files are used to specify a list of hosts permitted remote access to a particular account without authenticating. The...Rule Medium Severity -
SRG-OS-000480-GPOS-00230
<GroupDescription></GroupDescription>Group -
If NFS is not required on AIX, the NFS daemon must be disabled.
<VulnDiscussion>The rcnfs entry starts the NFS daemons during system boot. NFS is a service with numerous historical vulnerabilities and sho...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If sendmail is not required on AIX, the sendmail service must be disabled.
<VulnDiscussion>The sendmail service has many historical vulnerabilities and, where possible, should be disabled. If the system is not requir...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If SNMP is not required on AIX, the snmpd service must be disabled.
<VulnDiscussion>The snmpd daemon is used by many 3rd party applications to monitor the health of the system. This allows remote monitoring of...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The AIX DHCP client must be disabled.
<VulnDiscussion>The dhcpcd daemon receives address and configuration information from the DHCP server. DHCP relies on trusting the local netw...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled.
<VulnDiscussion>The dhcprd daemon listens for broadcast packets, receives them, and forwards them to the appropriate server. To prevent remo...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If IPv6 is not utilized on AIX server, the autoconf6 daemon must be disabled.
<VulnDiscussion>"autoconf6" is used to automatically configure IPv6 interfaces at boot time. Running this service may allow other hosts on th...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If AIX server is not functioning as a network router, the gated daemon must be disabled.
<VulnDiscussion>This daemon provides gateway routing functions for protocols such as RIP and SNMP. To prevent remote attacks this daemon sho...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled.
<VulnDiscussion>This daemon is an implementation of the multicast routing protocol. To prevent remote attacks this daemon should not be enab...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If AIX server is not functioning as a DNS server, the named daemon must be disabled.
<VulnDiscussion>This is the server for the DNS protocol and controls domain name resolution for its clients. To prevent attacks this daemon ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If AIX server is not functioning as a network router, the routed daemon must be disabled.
<VulnDiscussion>The routed daemon manages the network routing tables in the kernel. To prevent attacks this daemon should not be enabled unl...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If rwhod is not required on AIX, the rwhod daemon must be disabled.
<VulnDiscussion>This is the remote WHO service. To prevent remote attacks this daemon should not be enabled unless there is no alternative.&...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The timed daemon must be disabled on AIX.
<VulnDiscussion>This is the old UNIX time service. The timed daemon is the old UNIX time service. Disable this service and use xntp, if time...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If AIX server does not host an SNMP agent, the dpid2 daemon must be disabled.
<VulnDiscussion>The dpid2 daemon acts as a protocol converter, which enables DPI (SNMP v2) sub-agents, such as hostmibd, to talk to a SNMP v1...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If SNMP is not required on AIX, the snmpmibd daemon must be disabled.
<VulnDiscussion>The snmpmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. If snmpd is not required, it is recommended ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The aixmibd daemon must be disabled on AIX.
<VulnDiscussion>The aixmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. To prevent attacks this daemon should not b...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The ndpd-host daemon must be disabled on AIX.
<VulnDiscussion>This is the Neighbor Discovery Protocol (NDP) daemon, required in IPv6. The ndpd-host is the NDP daemon for the server. Unle...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The ndpd-router must be disabled on AIX.
<VulnDiscussion>This manages the Neighbor Discovery Protocol (NDP) for non-kernel activities, required in IPv6. The ndpd-router manages NDP ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The daytime daemon must be disabled on AIX.
<VulnDiscussion>The daytime service provides the current date and time to other servers on a network. This daytime service is a defunct time...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The cmsd daemon must be disabled on AIX.
<VulnDiscussion>This is a calendar and appointment service for CDE. The cmsd service is utilized by CDE to provide calendar functionality. I...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The ttdbserver daemon must be disabled on AIX.
<VulnDiscussion>The ttdbserver service is the tool-talk database service for CDE. This service runs as root and should be disabled. Unless re...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX.
<VulnDiscussion>This service facilitates file copying between networked servers. The uucp (UNIX to UNIX Copy Program), service allows users ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The time daemon must be disabled on AIX.
<VulnDiscussion>This service can be used to synchronize system clocks. The time service is an obsolete process used to synchronize system cl...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
AIX must not have accounts configured with blank or null passwords.
<VulnDiscussion>If an account is configured for password authentication but does not have an assigned password, it may be possible to log int...Rule High Severity -
SRG-OS-000480-GPOS-00230
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.