I - Mission Critical Public
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000259-GPOS-00100
Group -
All system command files must not have extended ACLs.
Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default ...Rule Medium Severity -
SRG-OS-000259-GPOS-00100
Group -
All library files must not have extended ACLs.
Unauthorized access could destroy the integrity of the library files.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
AIX passwd.nntp file must have mode 0600 or less permissive.
File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The AIX /etc/group file must not have an extended ACL.
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The AIX ldd command must be disabled.
The ldd command provides a list of dependent libraries needed by a given binary, which is useful for troubleshooting software. Instead of parsing the binary file, some ldd implementations invoke th...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
AIX NFS server must be configured to restrict file system access to local hosts.
The NFS access option limits user access to the specified level. This assists in protecting exported file systems. If access is not restricted, unauthorized hosts may be able to access the system's...Rule Medium Severity -
SRG-OS-000480-GPOS-00230
Group -
All AIX users home directories must have mode 0750 or less permissive.
Excessive permissions on home directories allow unauthorized access to user files.Rule Medium Severity -
SRG-OS-000480-GPOS-00230
Group -
The AIX user home directories must not have extended ACLs.
Excessive permissions on home directories allow unauthorized access to user files.Rule Medium Severity -
SRG-OS-000312-GPOS-00124
Group -
AIX must use Trusted Execution (TE) Check policy.
Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which...Rule Medium Severity -
SRG-OS-000365-GPOS-00152
Group -
AIX must disable trivial file transfer protocol.
Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available...Rule High Severity -
SRG-OS-000368-GPOS-00154
Group -
AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users wi...Rule Medium Severity -
SRG-OS-000437-GPOS-00194
Group -
AIX must remove all software components after updated versions have been installed.
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may...Rule Medium Severity -
SRG-OS-000480-GPOS-00226
Group -
AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt.
Limiting the number of login attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
AIX system must restrict the ability to switch to the root user to members of a defined group.
Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
If a user is assigned the GID of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended rights to the group.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All AIX files and directories must have a valid owner.
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft softwar...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The sticky bit must be set on all public directories on AIX systems.
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supp...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The AIX global initialization files must contain the mesg -n or mesg n commands.
Command "mesg -n" allows only the root user the permission to send messages to your workstation to avoid having others clutter your display with incoming messages.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The AIX hosts.lpd file must not contain a + character.
Having the '+' character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
AIX sendmail logging must not be set to less than nine in the sendmail.cf file.
If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the sendmail service.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
AIX run control scripts executable search paths must contain only absolute paths.
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory ...Rule Medium Severity -
SRG-OS-000074-GPOS-00042
Group -
The AIX rsh daemon must be disabled.
The rsh daemon permits username and passwords to be passed over the network in clear text.Rule High Severity -
SRG-OS-000074-GPOS-00042
Group -
The AIX rlogind service must be disabled.
The rlogin daemon permits username and passwords to be passed over the network in clear text.Rule High Severity -
SRG-OS-000095-GPOS-00049
Group -
The AIX qdaemon must be disabled if local or remote printing is not required.
The qdaemon program is the printing scheduling daemon that manages the submission of print jobs to the piobe service. To prevent remote attacks this daemon should not be enabled unless there is no...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
If AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled.
The lpd daemon accepts remote print jobs from other systems. To prevent remote attacks this daemon should not be enabled unless there is no alternative.Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.