II - Mission Support Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000480-GPOS-00227
Group -
AIX administrative accounts must not run a web browser, except as needed for local service administration.
If a web browser flaw is exploited while running as a privileged user, the entire system could be compromised. Specific exceptions for local service administration should be documented in site-de...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
To centralize the management of privileged account crontabs, of the default system accounts, only root may have a crontab.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The AIX root account must not have world-writable directories in its executable search path.
If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and inadvertently run by root with all of root's priv...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID.
Reserved GIDs are typically used by system software packages. If non-system groups have GIDs in this range, they may conflict with system software, possibly leading to the group having permissions ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems.
Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, possibly leading to the user having permissions...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The AIX root accounts list of preloaded libraries must be empty.
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to librari...Rule Medium Severity -
SRG-OS-000480-GPOS-00229
Group -
AIX must not have accounts configured with blank or null passwords.
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured wit...Rule High Severity -
SRG-OS-000480-GPOS-00230
Group -
The AIX root accounts home directory (other than /) must have mode 0700.
Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.Rule Medium Severity -
SRG-OS-000480-GPOS-00230
Group -
The AIX root accounts home directory must not have an extended ACL.
Excessive permissions on root home directories allow unauthorized access to root user files.Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.