IBM AIX 7.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
AIX NFS server must be configured to restrict file system access to local hosts.
<VulnDiscussion>The NFS access option limits user access to the specified level. This assists in protecting exported file systems. If access ...Rule Medium Severity -
SRG-OS-000480-GPOS-00230
<GroupDescription></GroupDescription>Group -
All AIX users home directories must have mode 0750 or less permissive.
<VulnDiscussion>Excessive permissions on home directories allow unauthorized access to user files.</VulnDiscussion><FalsePositives&g...Rule Medium Severity -
SRG-OS-000480-GPOS-00230
<GroupDescription></GroupDescription>Group -
The AIX user home directories must not have extended ACLs.
<VulnDiscussion>Excessive permissions on home directories allow unauthorized access to user files.</VulnDiscussion><FalsePositives&g...Rule Medium Severity -
SRG-OS-000312-GPOS-00124
<GroupDescription></GroupDescription>Group -
AIX must use Trusted Execution (TE) Check policy.
<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have di...Rule Medium Severity -
SRG-OS-000365-GPOS-00152
<GroupDescription></GroupDescription>Group -
AIX must disable trivial file transfer protocol.
<VulnDiscussion>Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficul...Rule High Severity -
SRG-OS-000368-GPOS-00154
<GroupDescription></GroupDescription>Group -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The AIX global initialization files must contain the mesg -n or mesg n commands.
<VulnDiscussion>Command "mesg -n" allows only the root user the permission to send messages to your workstation to avoid having others clutte...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
<VulnDiscussion>Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may pr...Rule Medium Severity -
SRG-OS-000437-GPOS-00194
<GroupDescription></GroupDescription>Group -
AIX must remove all software components after updated versions have been installed.
<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed m...Rule Medium Severity -
SRG-OS-000480-GPOS-00226
<GroupDescription></GroupDescription>Group -
AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt.
<VulnDiscussion>Limiting the number of login attempts over a certain time interval reduces the chances that an unauthorized user may gain acc...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
AIX system must restrict the ability to switch to the root user to members of a defined group.
<VulnDiscussion>Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing th...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
<VulnDiscussion>If a user is assigned the GID of a group not existing on the system, and a group with that GID is subsequently created, the u...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All AIX files and directories must have a valid owner.
<VulnDiscussion>Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be ca...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The AIX hosts.lpd file must not contain a + character.
<VulnDiscussion>Having the '+' character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources.</Vuln...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The chargen daemon must be disabled on AIX.
<VulnDiscussion>This service is used to test the integrity of TCP/IP packets arriving at the destination. This chargen service is a characte...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The discard daemon must be disabled on AIX.
<VulnDiscussion>The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it recei...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The dtspc daemon must be disabled on AIX.
<VulnDiscussion>The dtspc service deals with the CDE interface of the X11 daemon. It is started automatically by the inetd daemon in response...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The pcnfsd daemon must be disabled on AIX.
<VulnDiscussion>The pcnfsd service is an authentication and printing program, which uses NFS to provide file transfer services. This service ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The rstatd daemon must be disabled on AIX.
<VulnDiscussion>The rstatd service is used to provide kernel statistics and other monitorable parameters pertinent to the system such as: CPU...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The rusersd daemon must be disabled on AIX.
<VulnDiscussion>The rusersd service runs as root and provides a list of current users active on a system. An attacker may use this service to...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The AIX system must have no .netrc files on the system.
<VulnDiscussion>Unencrypted passwords for remote FTP servers may be stored in .netrc files. Policy requires passwords be encrypted in storage...Rule High Severity -
The klogin daemon must be disabled on AIX.
<VulnDiscussion>The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text passwo...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The kshell daemon must be disabled on AIX.
<VulnDiscussion>The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The rquotad daemon must be disabled on AIX.
<VulnDiscussion>The rquotad service allows NFS clients to enforce disk quotas on file systems that are mounted on the local system. This serv...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The tftp daemon must be disabled on AIX.
<VulnDiscussion>The tftp service allows remote systems to download or upload files to the tftp server without any authentication. It is there...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
The imap2 service must be disabled on AIX.
<VulnDiscussion>The imap2 service or Internet Message Access Protocol (IMAP) supports the IMAP4 remote mail access protocol. It works with se...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.