II - Mission Support Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000480-GPOS-00227
Group -
The AIX root accounts list of preloaded libraries must be empty.
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to librari...Rule Medium Severity -
SRG-OS-000480-GPOS-00229
Group -
AIX must not have accounts configured with blank or null passwords.
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured wit...Rule High Severity -
SRG-OS-000480-GPOS-00230
Group -
The AIX root accounts home directory (other than /) must have mode 0700.
Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.Rule Medium Severity -
SRG-OS-000480-GPOS-00230
Group -
The AIX root accounts home directory must not have an extended ACL.
Excessive permissions on root home directories allow unauthorized access to root user files.Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...Rule Medium Severity -
SRG-OS-000228-GPOS-00088
Group -
Any publically accessible connection to AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with...Rule Medium Severity -
SRG-OS-000074-GPOS-00042
Group -
IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server.
While LDAP client's authentication type is ldap_auth (server-side authentication), the client sends password to the server in clear text for authentication. SSL must be used in this case.Rule High Severity -
SRG-OS-000383-GPOS-00166
Group -
If LDAP authentication is required, AIX must setup LDAP client to refresh user and group caches less than a day.
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups.
A plus (+) in system accounts files causes the system to lookup the specified entry using NIS. If the system is not using NIS, no such entries should exist.Rule Medium Severity -
SRG-OS-000185-GPOS-00079
Group -
AIX must protect the confidentiality and integrity of all information at rest.
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This re...Rule Medium Severity -
SRG-OS-000355-GPOS-00143
Group -
AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions.
When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to provid...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
AIX nosuid option must be enabled on all NFS client mounts.
Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users with...Rule Medium Severity -
SRG-OS-000030-GPOS-00011
Group -
AIX must be configured to allow users to directly initiate a session lock for all connection types.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary...Rule Medium Severity -
SRG-OS-000031-GPOS-00012
Group -
AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature ...Rule Medium Severity -
SRG-OS-000125-GPOS-00065
Group -
AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to...Rule High Severity -
SRG-OS-000250-GPOS-00093
Group -
If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.
If LDAP authentication is used, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.Rule Medium Severity -
SRG-OS-000403-GPOS-00182
Group -
AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient secur...Rule Medium Severity -
SRG-OS-000120-GPOS-00061
Group -
AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, o...Rule Medium Severity -
SRG-OS-000069-GPOS-00037
Group -
AIX must enforce password complexity by requiring that at least one upper-case character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule High Severity -
SRG-OS-000070-GPOS-00038
Group -
AIX must enforce password complexity by requiring that at least one lower-case character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule High Severity -
SRG-OS-000071-GPOS-00039
Group -
AIX must enforce password complexity by requiring that at least one numeric character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule High Severity -
SRG-OS-000072-GPOS-00040
Group -
AIX must require the change of at least 50% of the total number of characters when passwords are changed.
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempt...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.