IBM AIX 7.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The AIX system must have no .netrc files on the system.
<VulnDiscussion>Unencrypted passwords for remote FTP servers may be stored in .netrc files. Policy requires passwords be encrypted in storage...Rule High Severity -
The klogin daemon must be disabled on AIX.
<VulnDiscussion>The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text passwo...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The kshell daemon must be disabled on AIX.
<VulnDiscussion>The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The rquotad daemon must be disabled on AIX.
<VulnDiscussion>The rquotad service allows NFS clients to enforce disk quotas on file systems that are mounted on the local system. This serv...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The tftp daemon must be disabled on AIX.
<VulnDiscussion>The tftp service allows remote systems to download or upload files to the tftp server without any authentication. It is there...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The imap2 service must be disabled on AIX.
<VulnDiscussion>The imap2 service or Internet Message Access Protocol (IMAP) supports the IMAP4 remote mail access protocol. It works with se...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The pop3 daemon must be disabled on AIX.
<VulnDiscussion>The pop3 service provides a pop3 server. It supports the pop3 remote mail access protocol. It works with sendmail and bellmai...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
If DHCP server is not required on AIX, the DHCP server must be disabled.
<VulnDiscussion>The dhcpsd daemon is the DHCP server that serves addresses and configuration information to DHCP clients in the network. To ...Rule Medium Severity -
The Internet Network News (INN) server must be disabled on AIX.
<VulnDiscussion>Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Tr...Rule Medium Severity -
SRG-OS-000096-GPOS-00050
<GroupDescription></GroupDescription>Group -
If Stream Control Transmission Protocol (SCTP) must be disabled on AIX.
<VulnDiscussion>The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet wi...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.