I - Mission Critical Public
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000095-GPOS-00049
Group -
The ntalk daemon must be disabled on AIX.
This service establishes a two-way communication link between two users, either locally or remotely. Unless required the ntalk service will be disabled to prevent attacks.Rule High Severity -
SRG-OS-000095-GPOS-00049
Group -
The chargen daemon must be disabled on AIX.
This service is used to test the integrity of TCP/IP packets arriving at the destination. This chargen service is a character generator service and is used for testing the integrity of TCP/IP pack...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The discard daemon must be disabled on AIX.
The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it receives. This is a /dev/null service and is obsolete. This can be used in Do...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The dtspc daemon must be disabled on AIX.
The dtspc service deals with the CDE interface of the X11 daemon. It is started automatically by the inetd daemon in response to a CDE client requesting a process to be started on the daemon's host...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The pcnfsd daemon must be disabled on AIX.
The pcnfsd service is an authentication and printing program, which uses NFS to provide file transfer services. This service is vulnerable and exploitable and permits the machine to be compromised ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The rstatd daemon must be disabled on AIX.
The rstatd service is used to provide kernel statistics and other monitorable parameters pertinent to the system such as: CPU usage, system uptime, network usage etc. An attacker may use this infor...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The rusersd daemon must be disabled on AIX.
The rusersd service runs as root and provides a list of current users active on a system. An attacker may use this service to learn valid account names on the system. This is not an essential servi...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The sprayd daemon must be disabled on AIX.
The sprayd service is used as a tool to generate UDP packets for testing and diagnosing network problems. The service must be disabled if NFS is not in use, as it can be used by attackers in a Dist...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The klogin daemon must be disabled on AIX.
The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the network. However, it is still not as secure as SSH, ...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The kshell daemon must be disabled on AIX.
The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted communications. The recommendation is to use SSH wherever possible inst...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The rquotad daemon must be disabled on AIX.
The rquotad service allows NFS clients to enforce disk quotas on file systems that are mounted on the local system. This service should be disabled if to prevent attacks.Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The tftp daemon must be disabled on AIX.
The tftp service allows remote systems to download or upload files to the tftp server without any authentication. It is therefore a service that should not run, unless needed. One of the main reaso...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The imap2 service must be disabled on AIX.
The imap2 service or Internet Message Access Protocol (IMAP) supports the IMAP4 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not requir...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The pop3 daemon must be disabled on AIX.
The pop3 service provides a pop3 server. It supports the pop3 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not required to prevent atta...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The finger daemon must be disabled on AIX.
The fingerd daemon provides the server function for the finger command. This allows users to view real-time pertinent user login information on other remote systems. This service should be disabled...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The instsrv daemon must be disabled on AIX.
The instsrv service is part of the Network Installation Tools, used for servicing servers running AIX 3.2. This service should be disabled to prevent attacks.Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The echo daemon must be disabled on AIX.
The echo service can be used in Denial of Service or SMURF attacks. It can also be used by someone else to get through a firewall or start a data storm. The echo service is unnecessary and it incre...Rule Medium Severity -
SRG-OS-000095-GPOS-00049
Group -
The Internet Network News (INN) server must be disabled on AIX.
Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to transfer information from the Usenet to the se...Rule Medium Severity -
SRG-OS-000096-GPOS-00050
Group -
If Stream Control Transmission Protocol (SCTP) must be disabled on AIX.
The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the atta...Rule Medium Severity -
SRG-OS-000096-GPOS-00050
Group -
The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX.
The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases ...Rule Medium Severity -
SRG-OS-000378-GPOS-00163
Group -
If automated file system mounting tool is not required on AIX, it must be disabled.
Automated file system mounting tools may provide unprivileged users with the ability to access local media and network shares. If this access is not necessary for the system’s operation, it must be...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
AIX process core dumps must be disabled.
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers tryin...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
AIX kernel core dumps must be disabled unless needed.
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial of Service by e...Rule Medium Severity -
SRG-OS-000142-GPOS-00071
Group -
AIX must set Stack Execution Disable (SED) system wide mode to all.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing ex...Rule Medium Severity -
SRG-OS-000420-GPOS-00186
Group -
AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This require...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.