UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IBM AIX 7.x Security Technical Implementation Guide


Overview

Date Finding Count (275)
2020-02-24 CAT I (High): 26 CAT II (Med): 243 CAT III (Low): 6
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-91295 High AIX must disable /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/rexec and /usr/bin/telnet commands.
V-91297 High IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server.
V-91291 High If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
V-91293 High AIX root passwords must never be passed over a network in clear text form.
V-91299 High The AIX rsh daemon must be disabled.
V-91429 High AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
V-91283 High AIX must enforce password complexity by requiring that at least one lower-case character be used.
V-91281 High AIX must enforce password complexity by requiring that at least one upper-case character be used.
V-91287 High AIX must require the change of at least 50% of the total number of characters when passwords are changed.
V-91285 High AIX must enforce password complexity by requiring that at least one numeric character be used.
V-91289 High The AIX system must have no .netrc files on the system.
V-91531 High AIX must disable trivial file transfer protocol.
V-91379 High The ntalk daemon must be disabled on AIX.
V-91303 High The AIX rexec daemon must not be running.
V-91301 High The AIX rlogind service must be disabled.
V-91307 High AIX ftpd daemon must not be running.
V-91305 High AIX telnet daemon must not be running.
V-91423 High All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users).
V-91421 High All accounts on AIX system must have unique account names.
V-91315 High AIX must use Loadable Password Algorithm (LPA) password hashing algorithm.
V-91317 High AIX must enforce a minimum 15-character password length.
V-91439 High AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
V-91737 High AIX must not have accounts configured with blank or null passwords.
V-91537 High AIX must remove NOPASSWD tag from sudo config files.
V-91503 High AIX must be able to control the ability of remote login for users.
V-91425 High The AIX SYSTEM attribute must not be set to NONE for any account.
V-91259 Medium AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents.
V-91511 Medium NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs.
V-91359 Medium If SNMP is not required on AIX, the snmpmibd daemon must be disabled.
V-91515 Medium AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time.
V-91691 Medium AIX control scripts library search paths must contain only absolute paths.
V-91355 Medium If AIX server does not host an SNMP agent, the dpid2 daemon must be disabled.
V-91693 Medium The control script lists of preloaded libraries must contain only absolute paths on AIX systems.
V-91351 Medium If rwhod is not required on AIX, the rwhod daemon must be disabled.
V-91697 Medium The local initialization file library search paths must contain only absolute paths on AIX.
V-91353 Medium The timed daemon must be disabled on AIX.
V-91611 Medium The AIX /etc/group file must be owned by root.
V-91759 Medium All AIX users home directories must have mode 0750 or less permissive.
V-91613 Medium The AIX /etc/group file must be group-owned by security.
V-91615 Medium The AIX /etc/group file must have mode 0644 or less permissive.
V-91617 Medium The AIX /etc/group file must not have an extended ACL.
V-91619 Medium The AIX ldd command must be disabled.
V-91751 Medium The AIX root user home directory must not be the root directory (/).
V-91753 Medium The AIX root accounts home directory (other than /) must have mode 0700.
V-91755 Medium All AIX interactive users must be assigned a home directory in the passwd file and the directory must exist.
V-91251 Medium AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event.
V-91517 Medium AIX must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-91419 Medium The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX.
V-92245 Medium AIX must configure the ttys value for all interactive users.
V-91221 Medium AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system.
V-91223 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX.
V-91589 Medium All AIX public directories must be owned by root or an application account.
V-91225 Medium The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX.
V-91227 Medium AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types.
V-91585 Medium AIX SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-91229 Medium AIX must provide the lock command to let users retain their session lock until users are reauthenticated.
V-91587 Medium The inetd.conf file on AIX must be owned by root and system group.
V-91581 Medium AIX system must restrict the ability to switch to the root user to members of a defined group.
V-91253 Medium AIX must produce audit records containing information to establish the outcome of the events.
V-91583 Medium If SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf config file.
V-91369 Medium The cmsd daemon must be disabled on AIX.
V-91767 Medium The AIX user home directories must not have extended ACLs.
V-91761 Medium All AIX interactive users home directories must be owned by their respective users.
V-91763 Medium All AIX interactive users home directories must be group-owned by the home directory owner primary group.
V-91361 Medium The aixmibd daemon must be disabled on AIX.
V-91695 Medium The global initialization file lists of preloaded libraries must contain only absolute paths on AIX.
V-91363 Medium The ndpd-host daemon must be disabled on AIX.
V-91365 Medium The ndpd-router must be disabled on AIX.
V-91367 Medium The daytime daemon must be disabled on AIX.
V-91567 Medium AIX must prevent the use of dictionary words for passwords.
V-91565 Medium AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-91563 Medium AIX must remove all software components after updated versions have been installed.
V-91257 Medium AIX must be configured to generate an audit record when 75% of the audit file system is full.
V-91561 Medium AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods.
V-91609 Medium AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
V-91607 Medium AIX administrative accounts must not run a web browser, except as needed for local service administration.
V-91605 Medium AIX time synchronization configuration file must have mode 0640 or less permissive.
V-91603 Medium AIX time synchronization configuration file must be group-owned by bin, or system.
V-91569 Medium AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt.
V-91601 Medium AIX time synchronization configuration file must be owned by root.
V-91399 Medium The kshell daemon must be disabled on AIX.
V-91453 Medium AIX log files must be owned by root.
V-91451 Medium AIX log files must have mode 0640 or less permissive.
V-91599 Medium AIX passwd.nntp file must have mode 0600 or less permissive.
V-91219 Medium AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.
V-91455 Medium AIX log files must be owned by privileged groups.
V-91215 Medium The regular users default primary group must be staff (or equivalent) on AIX.
V-91593 Medium AIX nosuid option must be enabled on all NFS client mounts.
V-91217 Medium AIX must automatically remove or disable temporary user accounts after 72 hours or sooner.
V-91591 Medium All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions.
V-91211 Medium The shipped /etc/security/mkuser.sys file on AIX must not be customized directly.
V-91597 Medium AIX audio devices must be group-owned by root, sys, bin, or system.
V-91213 Medium AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account.
V-91595 Medium AIX cron and crontab directories must be owned by root or bin.
V-91773 Medium If AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses.
V-91771 Medium AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
V-91279 Medium AIX SSH private host key files must have mode 0600 or less permissive.
V-91775 Medium AIX must provide audit record generation functionality for DoD-defined auditable events.
V-91277 Medium If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA.
V-91275 Medium The AIX audit configuration files must be set to 640 or less permissive.
V-91273 Medium The AIX audit configuration files must be group-owned by audit.
V-91271 Medium The AIX audit configuration files must be owned by root.
V-91575 Medium AIX system must require authentication upon booting into single-user and maintenance modes.
V-91679 Medium The AIX SSH daemon must be configured for IP filtering.
V-91577 Medium On AIX, the SSH server must not permit root logins using remote access programs.
V-91571 Medium Samba packages must be removed from AIX.
V-91255 Medium AIX must produce audit records containing the full-text recording of privileged commands.
V-91391 Medium The rusersd daemon must be disabled on AIX.
V-91673 Medium AIX process core dumps must be disabled.
V-91671 Medium The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups.
V-91245 Medium The AIX SSH server must use SSH Protocol 2.
V-91677 Medium The AIX syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
V-91579 Medium AIX system must prevent the root account from directly logging in except from the system console.
V-91675 Medium The SMTP service HELP command must not be enabled on AIX.
V-91239 Medium AIX must monitor and record successful remote logins.
V-91393 Medium The rwalld daemon must be disabled on AIX.
V-91349 Medium If AIX server is not functioning as a network router, the routed daemon must be disabled.
V-91395 Medium The sprayd daemon must be disabled on AIX.
V-91687 Medium The AIX root accounts list of preloaded libraries must be empty.
V-92951 Medium The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials.
V-91443 Medium AIX must set Stack Execution Disable (SED) system wide mode to all.
V-91683 Medium NIS maps must be protected through hard-to-guess domain names on AIX.
V-91447 Medium AIX must terminate all SSH login sessions after 10 minutes of inactivity.
V-91449 Medium AIX must protect the confidentiality and integrity of all information at rest.
V-91689 Medium All AIX files and directories must have a valid group owner.
V-91265 Medium Audit logs on the AIX system must be group-owned by system.
V-91267 Medium Audit logs on the AIX system must be set to 660 or less permissive.
V-91263 Medium Audit logs on the AIX system must be owned by root.
V-91541 Medium If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication.
V-91669 Medium All global initialization file executable search paths must contain only absolute paths.
V-91389 Medium The rstatd daemon must be disabled on AIX.
V-91545 Medium AIX must implement a way to force an identified temporary user to renew their password at next login.
V-91457 Medium AIX log files must not have extended ACLs, except as needed to support authorized software.
V-91547 Medium If LDAP authentication is required, AIX must setup LDAP client to refresh user and group caches less than a day.
V-91383 Medium The discard daemon must be disabled on AIX.
V-91661 Medium The sendmail server must have the debug feature disabled on AIX systems.
V-91381 Medium The chargen daemon must be disabled on AIX.
V-91663 Medium SMTP service must not have the EXPN or VRFY features active on AIX systems.
V-91387 Medium The pcnfsd daemon must be disabled on AIX.
V-91459 Medium Any publically accessible connection to AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-91385 Medium The dtspc daemon must be disabled on AIX.
V-91667 Medium AIX must require passwords to contain no more than three consecutive repeating characters.
V-91707 Medium AIX must be configured with a default gateway for IPv6 if the system uses IPv6 unless the system is a router.
V-91625 Medium All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
V-91649 Medium AIX must not use removable media as the boot loader.
V-91543 Medium If automated file system mounting tool is not required on AIX, it must be disabled.
V-91523 Medium AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours.
V-91377 Medium The talk daemon must be disabled on AIX.
V-92943 Medium The AIX operating system must be configured to authenticate using Multi Factor Authentication.
V-91479 Medium All system command files must not have extended ACLs.
V-92945 Medium The AIX operating system must be configured to use Multi Factor Authentication for remote connections.
V-91371 Medium The ttdbserver daemon must be disabled on AIX.
V-91475 Medium All system files, programs, and directories must be owned by a system account.
V-92949 Medium The AIX operating system must be configured to use a valid server_ca.pem file.
V-91477 Medium AIX library files must have mode 0755 or less permissive.
V-91471 Medium AIX audit tools must be set to 4550 or less permissive.
V-91473 Medium AIX system files, programs, and directories must be group-owned by a system group.
V-91657 Medium AIX must implement a remote syslog server that is documented using site-defined procedures.
V-91651 Medium AIX audit logs must be rotated daily.
V-91701 Medium AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option.
V-91417 Medium If Stream Control Transmission Protocol (SCTP) must be disabled on AIX.
V-91415 Medium The Internet Network News (INN) server must be disabled on AIX.
V-91413 Medium The echo daemon must be disabled on AIX.
V-91411 Medium The instsrv daemon must be disabled on AIX.
V-91715 Medium The AIX DHCP client must not send dynamic DNS updates.
V-91717 Medium AIX must not run any routing protocol daemons unless the system is a router.
V-91493 Medium AIX must set inactivity time-out on login sessions and terminate all login sessions after 10 minutes of inactivity.
V-91711 Medium AIX package management tool must be used daily to verify system software.
V-91491 Medium AIX must config the SSH idle timeout interval.
V-91559 Medium AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces.
V-91557 Medium AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
V-91555 Medium AIX must request and perform data origin and integrity authentication verification on the name/address resolution responses the system receives from authoritative sources.
V-91719 Medium AIX must not process ICMP timestamp requests.
V-91397 Medium The klogin daemon must be disabled on AIX.
V-91427 Medium Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts.
V-91665 Medium UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems.
V-91469 Medium AIX audit tools must be group-owned by audit.
V-91709 Medium AIX must not have IP forwarding for IPv6 enabled unless the system is an IPv6 router.
V-91463 Medium AIX must start audit at boot.
V-91309 Medium AIX Operating systems must enforce 24 hours/1 day as the minimum password lifetime.
V-91461 Medium If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.
V-91467 Medium AIX audit tools must be owned by root.
V-91643 Medium AIX NFS server must be configured to restrict file system access to local hosts.
V-91641 Medium All AIX shells referenced in passwd file must be listed in /etc/shells file, except any shells specified for the purpose of preventing logins.
V-91647 Medium AIX must be configured to only boot from the system boot device.
V-91645 Medium AIX public directories must be the only world-writable directories and world-writable files must be located only in public directories.
V-91405 Medium The imap2 service must be disabled on AIX.
V-91401 Medium The rquotad daemon must be disabled on AIX.
V-91403 Medium The tftp daemon must be disabled on AIX.
V-91721 Medium AIX must not respond to ICMPv6 echo requests sent to a broadcast address.
V-91485 Medium AIX must enforce password complexity by requiring that at least one special character be used.
V-91529 Medium AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions.
V-91487 Medium In the event of a system failure, AIX must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-91725 Medium AIX must turn on SSH daemon privilege separation.
V-91481 Medium All library files must not have extended ACLs.
V-91727 Medium AIX must turn on SSH daemon reverse name checking.
V-91483 Medium AIX device files and directories must only be writable by users with a system account or as configured by the vendor.
V-91729 Medium AIX SSH daemon must perform strict mode checking of home directory configuration files.
V-91521 Medium AIX must provide a report generation function that supports on-demand audit review and analysis, on-demand reporting requirements, and after-the-fact investigations of security incidents.
V-91527 Medium AIX must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-91489 Medium AIX must verify the hash of audit tools.
V-91685 Medium The AIX systems access control program must be configured to grant or deny system access to specific hosts.
V-91549 Medium AIX must setup SSH daemon to disable revoked public keys.
V-91311 Medium AIX Operating systems must enforce a 60-day maximum password lifetime restriction.
V-91313 Medium AIX must prohibit password reuse for a minimum of five generations.
V-91659 Medium AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
V-91319 Medium AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.
V-91765 Medium The AIX root accounts home directory must not have an extended ACL.
V-91705 Medium The AIX SSH daemon must not allow compression.
V-91573 Medium The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-91437 Medium The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.
V-91637 Medium AIX run control scripts executable search paths must contain only absolute paths.
V-91539 Medium AIX must remove !authenticate option from sudo config files.
V-91635 Medium AIX sendmail logging must not be set to less than nine in the sendmail.cf file.
V-91633 Medium The AIX hosts.lpd file must not contain a + character.
V-91631 Medium The AIX global initialization files must contain the mesg -n or mesg n commands.
V-91739 Medium There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the AIX system.
V-91629 Medium The sticky bit must be set on all public directories on AIX systems.
V-91533 Medium AIX must be configured to use syslogd to log events by TCPD.
V-91535 Medium AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-91639 Medium The /etc/shells file must exist on AIX systems.
V-91409 Medium The finger daemon must be disabled on AIX.
V-91735 Medium AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-91249 Medium AIX must produce audit records containing information to establish where the events occurred.
V-92941 Medium The AIX operating system must use Multi Factor Authentication.
V-91731 Medium AIX must turn off X11 forwarding for the SSH daemon.
V-91733 Medium AIX must turn off TCP forwarding for the SSH daemon.
V-91247 Medium AIX must produce audit records containing information to establish what the date, time, and type of events that occurred.
V-91375 Medium The time daemon must be disabled on AIX.
V-91329 Medium If NFS is not required on AIX, the NFS daemon must be disabled.
V-91243 Medium The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
V-91241 Medium AIX must monitor and record unsuccessful remote logins.
V-91325 Medium If AIX system does not support either local or remote printing, the piobe service must be disabled.
V-91327 Medium If there are no X11 clients that require CDE on AIX, the dt service must be disabled.
V-91321 Medium The AIX qdaemon must be disabled if local or remote printing is not required.
V-91323 Medium If AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled.
V-91373 Medium The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX.
V-91505 Medium AIX must allow admins to send a message to all the users who logged in currently.
V-91507 Medium AIX must allow admins to send a message to a user who logged in currently.
V-91407 Medium The pop3 daemon must be disabled on AIX.
V-91703 Medium AIX kernel core dumps must be disabled unless needed.
V-91347 Medium If AIX server is not functioning as a DNS server, the named daemon must be disabled.
V-91769 Medium All files and directories contained in users home directories on AIX must be group-owned by a group in which the home directory owner is a member.
V-91345 Medium If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled.
V-92947 Medium AIX must have the have the PowerSC Multi Factor Authentication Product configured.
V-91509 Medium AIX must use Trusted Execution (TE) Check policy.
V-91341 Medium If IPv6 is not utilized on AIX server, the autoconf6 daemon must be disabled.
V-91749 Medium The AIX SSH daemon must not allow RhostsRSAAuthentication.
V-91627 Medium All AIX files and directories must have a valid owner.
V-91621 Medium The AIX root account must not have world-writable directories in its executable search path.
V-91623 Medium The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID.
V-91743 Medium The AIX SSH daemon must be configured to disable empty passwords.
V-91741 Medium The .rhosts file must not be supported in AIX PAM.
V-91747 Medium The AIX SSH daemon must be configured to not use host-based authentication.
V-91681 Medium IP forwarding for IPv4 must not be enabled on AIX unless the system is a router.
V-91745 Medium The AIX SSH daemon must be configured to disable user .rhosts files.
V-91723 Medium AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required.
V-91343 Medium If AIX server is not functioning as a network router, the gated daemon must be disabled.
V-91233 Medium AIX must automatically lock after 15 minutes of inactivity in the CDE Graphical desktop environment.
V-91699 Medium The local initialization file lists of preloaded libraries must contain only absolute paths on AIX.
V-91231 Medium AIX must provide xlock command in the CDE environment to let users retain their sessions lock until users are reauthenticated.
V-91339 Medium If DHCP server is not required on AIX, the DHCP server must be disabled.
V-91237 Medium AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-91235 Medium AIX must be configured to allow users to directly initiate a session lock for all connection types.
V-91333 Medium If SNMP is not required on AIX, the snmpd service must be disabled.
V-100005 Medium AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.
V-91331 Medium If sendmail is not required on AIX, the sendmail service must be disabled.
V-91337 Medium If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled.
V-91335 Medium The AIX DHCP client must be disabled.
V-91501 Low SSH must display the date and time of the last successful account login to AIX system upon login.
V-91655 Low AIX must contain no .forward files.
V-91653 Low If the AIX host is running an SMTP service, the SMTP greeting must not provide version information.
V-91497 Low If Bourne / ksh shell is used, AIX must display logout messages.
V-91495 Low If bash is used, AIX must display logout messages.
V-91499 Low If csh/tcsh shell is used, AIX must display logout messages.