AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE


Overview

Date: 2016-10-28
Finding Count: 184 (CAT I (High): 10, CAT II (Med): 164, CAT III (Low): 10)
STIG Description
The AIX Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via email to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title
V-24386 High The telnet daemon must not be running.
V-12035 High The SYSTEM attribute must not be set to NONE for any account.
V-4387 High Anonymous FTP accounts must not have a functional shell.
V-11940 High The operating system must be a supported release.
V-770 High The system must not have accounts configured with blank or null passwords.
V-4688 High The rexec daemon must not be running.
V-11988 High There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
V-4295 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-922 High All shell files must have mode 0755 or less permissive.
V-4687 High The rsh daemon must not be running.
V-4371 Medium The traceroute file must have mode 0700 or less permissive.
V-4370 Medium The traceroute command must be group-owned by sys, bin, or system.
V-22561 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by security, bin, sys, or system.
V-22560 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
V-4367 Medium The at.allow file must be owned by root, bin, or sys.
V-831 Medium The alias file must be owned by root.
V-22488 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-22486 Medium The SSH daemon must use privilege separation.
V-22487 Medium The SSH daemon must not allow rhosts RSA authentication.
V-11975 Medium The system must require passwords to contain no more than three consecutive repeating characters.
V-22485 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-768 Medium The delay between login prompts following a failed login attempt must be at least 4 seconds.
V-1032 Medium Users must not be able to change passwords more than once every 24 hours.
V-766 Medium The system must disable accounts after three consecutive unsuccessful login attempts.
V-763 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
V-22472 Medium The SSH private host key files must have mode 0600 or less permissive.
V-22471 Medium The SSH public host key files must have mode 0644 or less permissive.
V-22470 Medium The SSH daemon must restrict login ability to specific users and/or groups.
V-29491 Medium The /etc/netsvc.conf file must be root owned.
V-29492 Medium The /etc/netsvc.conf file must be group-owned by bin, sys, or system.
V-12030 Medium The system's access control program must be configured to grant or deny system access to specific hosts.
V-29498 Medium The system must provide protection against IP fragmentation attacks.
V-22332 Medium The /etc/passwd file must be owned by root.
V-4385 Medium The system must not use .forward files.
V-29515 Medium The system must not have the rusersd service active.
V-788 Medium All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
V-11947 Medium The system must require passwords to contain a minimum of 15 characters.
V-778 Medium The system must prevent the root account from directly logging in except from the system console.
V-800 Medium The /etc/security/passwd file must have mode 0400.
V-777 Medium The root account must not have world-writable directories in its executable search path.
V-775 Medium The root account's home directory (other than /) must have mode 0700.
V-773 Medium The root account must be the only account having a UID of 0.
V-22462 Medium The SSH client must be configured to not use CBC-based ciphers.
V-22463 Medium The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-4084 Medium The system must prohibit the reuse of passwords within five iterations.
V-22553 Medium The system must not forward IPv6 source-routed packets.
V-981 Medium Cron and crontab directories must be group-owned by system, sys, bin, or cron.
V-980 Medium Cron and crontab directories must be owned by root or bin.
V-22290 Medium The system clock must be synchronized continuously, or at least daily.
V-985 Medium The at.deny file must not be empty if it exists.
V-984 Medium Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
V-987 Medium The at.allow file must have mode 0600 or less permissive.
V-23741 Medium TCP backlog queue sizes must be set appropriately.
V-4394 Medium The /etc/syslog.conf file must be group-owned by bin, sys, or system.
V-22294 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
V-4393 Medium The /etc/syslog.conf file must be owned by root.
V-789 Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
V-974 Medium Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
V-975 Medium The cron.allow file must have mode 0600 or less permissive.
V-22391 Medium The cron.allow file must be group-owned by system, bin, sys, or cron.
V-22348 Medium The /etc/group file must not contain any group password hashes.
V-978 Medium Crontab files must have mode 0600 or less permissive.
V-979 Medium Cron and crontab directories must have mode 0755 or less permissive.
V-22324 Medium The /etc/hosts file must be group-owned by bin, sys, or system.
V-1028 Medium The /usr/lib/smb.conf file must have mode 0644 or less permissive.
V-1029 Medium The /var/private/smbpasswd file must be owned by root.
V-22325 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-1027 Medium The /usr/lib/smb.conf file must be owned by root.
V-22323 Medium The /etc/hosts file must be owned by root.
V-22453 Medium The /etc/syslog.conf file must have mode 0640 or less permissive.
V-22320 Medium The /etc/resolv.conf file must be group-owned by bin, sys, or system.
V-776 Medium The root account's executable search path must be the vendor default and must contain only authorized paths.
V-22321 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-23732 Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
V-11984 Medium All skeleton files and directories (typically in /etc/skel) must be owned by root or bin.
V-901 Medium All users' home directories must have mode 0750 or less permissive.
V-22358 Medium All skeleton files (typically in /etc/skel) must be group-owned by security.
V-12002 Medium The system must not forward IPv4 source-routed packets.
V-4368 Medium The at.deny file must be owned by root, bin, or sys.
V-22339 Medium The /etc/security/passwd file must be group-owned by security, bin, sys, or system.
V-22335 Medium The /etc/group file must be owned by root.
V-22336 Medium The /etc/group file must be group-owned by security, bin, sys, or system.
V-22337 Medium The /etc/group file must have mode 0644 or less permissive.
V-22444 Medium The ftpusers file must be group-owned by bin, sys, or system.
V-22333 Medium The /etc/passwd file must be group-owned by bin, security, sys, or system.
V-4430 Medium The cron.deny file must be owned by root, bin, or sys.
V-11973 Medium The system must require that passwords contain at least one special character.
V-824 Medium The services file must have mode 0444 or less permissive.
V-22302 Medium The system must enforce the entire password during authentication.
V-22304 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-22307 Medium The system must prevent the use of dictionary words for passwords.
V-22306 Medium The system must require at least eight characters be changed between the old and new passwords during a password change.
V-22438 Medium The aliases file must be group-owned by sys, bin, or system.
V-22435 Medium The hosts.lpd (or equivalent) file must be group-owned by bin, sys, or system.
V-22432 Medium The rlogind service must not be running.
V-22430 Medium The portmap or rpcbind service must not be installed unless needed.
V-840 Medium The ftpusers file must exist.
V-842 Medium The ftpusers file must be owned by root.
V-843 Medium The ftpusers file must have mode 0640 or less permissive.
V-11981 Medium All global initialization files must have mode 0644 or less permissive.
V-11983 Medium All global initialization files must be group-owned by sys, bin, system, or security.
V-11982 Medium All global initialization files must be owned by root.
V-29520 Medium The /etc/ftpaccess.ctl file must be owned by root.
V-29522 Medium The /etc/ftpaccess.ctl file must have mode 0640 or less permissive.
V-29495 Medium The system must not allow directed broadcasts to gateway.
V-12049 Medium Network analysis tools must not be installed.
V-4358 Medium The cron.deny file must have mode 0600 or less permissive.
V-22549 Medium The DHCP client must not send dynamic DNS updates.
V-22548 Medium The DHCP client must be disabled if not needed.
V-29496 Medium The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections.
V-29497 Medium The system must provide protection for the TCP stack against connection resets, SYN, and data injection attacks.
V-1059 Medium The /var/private/smbpasswd file must have mode 0600 or less permissive.
V-1058 Medium The /var/private/smbpasswd file must be group-owned by sys or system.
V-22398 Medium The at.deny file must be group-owned by system, bin, sys, or cron.
V-22396 Medium The "at" directory must be group-owned by system, bin, sys, or cron.
V-22397 Medium The at.allow file must be group-owned by system, bin, sys, or cron.
V-22394 Medium The cron.deny file must be group-owned by system, bin, sys, or cron.
V-1056 Medium The /usr/lib/smb.conf file must be group-owned by bin, sys, or system.
V-22392 Medium The at.deny file must have mode 0640 or less permissive.
V-22423 Medium The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by bin, sys, or system.
V-822 Medium The inetd.conf and xinetd.conf files must have mode 0440 or less permissive.
V-22427 Medium The services file must be group-owned by bin, sys, or system.
V-823 Medium The services file must be owned by root or bin.
V-4298 Medium Remote consoles must be disabled or protected from unauthorized access.
V-29493 Medium The /etc/netsvc.conf file must have mode 0644 or less permissive.
V-22296 Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
V-787 Medium System log files must have mode 0640 or less permissive.
V-832 Medium The alias file must have mode 0644 or less permissive.
V-22295 Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by bin, sys, or system.
V-29511 Medium The system must not have the netstat service active on the inetd process.
V-29510 Medium The system must not have the talk or ntalk services active.
V-29513 Medium The system must not have the systat service active.
V-29512 Medium The system must not have the PCNFS service active.
V-986 Medium Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
V-29514 Medium The time service must not be active on the inetd daemon.
V-29517 Medium The system must not have the rstatd service active.
V-29516 Medium The system must not have the sprayd service active.
V-22550 Medium The system must ignore IPv6 ICMP redirect messages.
V-22551 Medium The system must not send IPv6 ICMP redirects.
V-928 Medium The NFS export configuration file must be owned by root.
V-22554 Medium The system must not accept source-routed IPv6 packets.
V-4369 Medium The traceroute command owner must be root.
V-29521 Medium The /etc/ftpaccess.ctl file must be group-owned by bin, sys, or system.
V-4364 Medium The at directory must have mode 0755 or less permissive.
V-22559 Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
V-22311 Medium The root account's list of preloaded libraries must be empty.
V-4361 Medium The cron.allow file must be owned by root, bin, or sys.
V-11976 Medium User passwords must be changed at least every 60 days.
V-29499 Medium The system must not have the bootp service active.
V-22419 Medium The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
V-798 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-29519 Medium The /etc/ftpaccess.ctl file must exist.
V-22413 Medium The system must prevent local applications from generating source-routed packets.
V-22414 Medium The system must not accept source-routed IPv4 packets.
V-22417 Medium The system must not send IPv4 ICMP redirects.
V-22416 Medium The system must ignore IPv4 ICMP redirect messages.
V-29506 Medium The system must not have the dtspc service active.
V-29507 Medium The system must not have the echo service active.
V-29504 Medium The system must not have the daytime service active.
V-29505 Medium The system must not have the discard service active.
V-29502 Medium The system must not have the tool-talk database server (ttdbserver) service active.
V-29503 Medium The system must not have the comsat service active.
V-29500 Medium The system must not have the chargen service active.
V-29501 Medium The system must not have the Calendar Manager Service Daemon (CMSD) service active.
V-4284 Medium The securetcpip command must be used.
V-29508 Medium The system must not have Internet Message Access Protocol (IMAP) service active.
V-29509 Medium The system must not have the PostOffice Protocol (POP3) service active.
V-790 Medium NIS/NIS+/yp files must be group-owned by sys, bin, other, or system.
V-791 Medium The NIS/NIS+/yp files must have mode 0755 or less permissive.
V-821 Medium The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
V-794 Medium All system command files must have mode 755 or less permissive.
V-22310 Medium The root account's library search path must be the system default and must contain only absolute paths.
V-797 Medium The /etc/security/passwd file must be owned by root.
V-22319 Medium The /etc/resolv.conf file must be owned by root.
V-4701 Low The system must not have the finger service active.
V-22473 Low The SSH daemon must not permit GSSAPI authentication unless needed.
V-22474 Low The SSH client must not permit GSSAPI authentication unless needed.
V-774 Low The root user's home directory must not be the root directory (/).
V-22308 Low The system must restrict the ability to switch to the root user to members of a defined group.
V-825 Low Global initialization files must contain the mesg -n or mesg n commands.
V-11996 Low Process core dumps must be disabled unless needed.
V-22475 Low The SSH daemon must not permit Kerberos authentication unless needed.
V-781 Low All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
V-929 Low The NFS export configuration file must have mode 0644 or less permissive.