
II - Mission Support Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000480-GPOS-00227

    Group
  • The local initialization file lists of preloaded libraries must contain only absolute paths on AIX.

    The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to librari...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • AIX package management tool must be used daily to verify system software.

    Verification using the system package management tool can be used to determine that system software has not been tampered with. This requirement is not applicable to systems not using package manag...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The AIX DHCP client must not send dynamic DNS updates.

    Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • AIX must not run any routing protocol daemons unless the system is a router.

    Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • AIX must not process ICMP timestamp requests.

    The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • AIX must not respond to ICMPv6 echo requests sent to a broadcast address.

    Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00228

    Group
  • AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

    Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00229

    Group
  • There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the AIX system.

    Trust files are convenient, but when used in conjunction with the remote login services, they can allow unauthenticated access to a system.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00229

    Group
  • The .rhosts file must not be supported in AIX PAM.

    .rhosts files are used to specify a list of hosts permitted remote access to a particular account without authenticating. The use of such a mechanism defeats strong identification and authenticatio...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00230

    Group
  • The AIX root user home directory must not be the root directory (/).

    Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places in...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00230

    Group
  • All AIX interactive users must be assigned a home directory in the passwd file and the directory must exist.

    All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory. This could create a Denial of Service becaus...
    Rule Medium Severity
  • SRG-OS-000105-GPOS-00052

    Group
  • The AIX operating system must use Multi Factor Authentication.

    To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. M...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The AIX operating system must be configured to authenticate using Multi Factor Authentication.

    To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. M...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The AIX operating system must be configured to use Multi Factor Authentication for remote connections.

    To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. M...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • AIX must have the PowerSC Multi Factor Authentication Product configured.

    To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. M...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The AIX operating system must be configured to use a valid server_ca.pem file.

    To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. M...
    Rule Medium Severity
  • SRG-OS-000376-GPOS-00161

    Group
  • The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials.

    The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication f...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.

    Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD ...
    Rule Medium Severity
  • SRG-OS-000342-GPOS-00133

    Group
  • AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.

    Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The AIX /etc/hosts file must be owned by root.

    Unauthorized ownership of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is also possible to use the /etc/hosts file to block d...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The AIX /etc/hosts file must be group-owned by system.

    Unauthorized group ownership of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is also possible to use the /etc/hosts file to b...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The AIX /etc/hosts file must have a mode of 0640 or less permissive.

    Unauthorized permissions of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is also possible to use the /etc/hosts file to block...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • AIX cron and crontab directories must have a mode of 0640 or less permissive.

    Incorrect permissions of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to set proper permissions...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The AIX /etc/syslog.conf file must be owned by root.

    Unauthorized ownership of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities. This can aid the malicious actor in avoiding detecti...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • The AIX /etc/syslog.conf file must be group-owned by system.

    Unauthorized group ownership of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities. This can aid the malicious actor in avoiding d...
    Rule Medium Severity
