II - Mission Support Sensitive
Rules and Groups employed by this XCCDF Profile
SRG-OS-000095-GPOS-00049
Group
If AIX system does not support either local or remote printing, the piobe service must be disabled.
The piobe daemon is the I/O back end for the printing process, handling the job scheduling and spooling. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If there are no X11 clients that require CDE on AIX, the dt service must be disabled.
This entry executes the CDE startup script which starts the AIX Common Desktop Environment. To prevent attacks this daemon should not be enabled unless there is no alternative.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If NFS is not required on AIX, the NFS daemon must be disabled.
The rcnfs entry starts the NFS daemons during system boot. NFS is a service with numerous historical vulnerabilities and should not be enabled unless there is no alternative. If NFS serving is req...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If sendmail is not required on AIX, the sendmail service must be disabled.
The sendmail service has many historical vulnerabilities and, where possible, should be disabled. If the system is not required to operate as a mail server i.e. sending, receiving or processing e-m...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If SNMP is not required on AIX, the snmpd service must be disabled.
The snmpd daemon is used by many 3rd party applications to monitor the health of the system. This allows remote monitoring of network and server configuration. To prevent remote attacks this daemo...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The AIX DHCP client must be disabled.
The dhcpcd daemon receives address and configuration information from the DHCP server. DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. T...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled.
The dhcprd daemon listens for broadcast packets, receives them, and forwards them to the appropriate server. To prevent remote attacks this daemon should not be enabled unless there is no alternat...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If IPv6 is not utilized on AIX server, the autoconf6 daemon must be disabled.
"autoconf6" is used to automatically configure IPv6 interfaces at boot time. Running this service may allow other hosts on the same physical subnet to connect via IPv6, even when the network does n...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If AIX server is not functioning as a network router, the gated daemon must be disabled.
This daemon provides gateway routing functions for protocols such as RIP and SNMP. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled.
This daemon is an implementation of the multicast routing protocol. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If AIX server is not functioning as a DNS server, the named daemon must be disabled.
This is the server for the DNS protocol and controls domain name resolution for its clients. To prevent attacks this daemon should not be enabled unless there is no alternative.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If AIX server is not functioning as a network router, the routed daemon must be disabled.
The routed daemon manages the network routing tables in the kernel. To prevent attacks this daemon should not be enabled unless there is no alternative.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If rwhod is not required on AIX, the rwhod daemon must be disabled.
This is the remote WHO service. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The timed daemon must be disabled on AIX.
This is the old UNIX time service. The timed daemon is the old UNIX time service. Disable this service and use xntp, if time synchronization is required in the environment.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If AIX server does not host an SNMP agent, the dpid2 daemon must be disabled.
The dpid2 daemon acts as a protocol converter, which enables DPI (SNMP v2) sub-agents, such as hostmibd, to talk to a SNMP v1 agent that follows SNMP MUX protocol. To prevent attacks this daemon s...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
If SNMP is not required on AIX, the snmpmibd daemon must be disabled.
The snmpmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. If snmpd is not required, it is recommended that it is disabled.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The aixmibd daemon must be disabled on AIX.
The aixmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. To prevent attacks this daemon should not be enabled unless there is no alternative.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The ndpd-host daemon must be disabled on AIX.
This is the Neighbor Discovery Protocol (NDP) daemon, required in IPv6. The ndpd-host is the NDP daemon for the server. Unless the server utilizes IPv6, this is not required and should be disabled...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The ndpd-router must be disabled on AIX.
This manages the Neighbor Discovery Protocol (NDP) for non-kernel activities, required in IPv6. The ndpd-router manages NDP for non-kernel activities. Unless the server utilizes IPv6, this is not ...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The daytime daemon must be disabled on AIX.
The daytime service provides the current date and time to other servers on a network. This daytime service is a defunct time service, typically used for testing purposes only. The service should b...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The cmsd daemon must be disabled on AIX.
This is a calendar and appointment service for CDE. The cmsd service is utilized by CDE to provide calendar functionality. If CDE is not required, this service should be disabled to prevent attacks.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The ttdbserver daemon must be disabled on AIX.
The ttdbserver service is the tool-talk database service for CDE. This service runs as root and should be disabled. Unless required the ttdbserver service will be disabled to prevent attacks.
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX.
This service facilitates file copying between networked servers. The uucp (UNIX to UNIX Copy Program) service allows users to copy files between networked machines. Unless an application or proce...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The time daemon must be disabled on AIX.
This service can be used to synchronize system clocks. The time service is an obsolete process used to synchronize system clocks at boot time. This has been superseded by NTP, which should be used...
Rule Medium Severity

SRG-OS-000095-GPOS-00049
Group
The talk daemon must be disabled on AIX.
This talk service is used to establish an interactive two-way communication link between two UNIX users. Unless required the talk service will be disabled to prevent attacks.
Rule Medium Severity