| V-91295 | High | AIX must disable /usr/bin/rcp,
/usr/bin/rlogin,
/usr/bin/rsh, /usr/bin/rexec and /usr/bin/telnet commands. | The listed applications permit the transmission of passwords in plain text. Alternative applications such as SSH, which encrypt data, should be use instead. |
| V-91297 | High | IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server. | While LDAP client's authentication type is ldap_auth (server-side authentication), the client sends password to the server in clear text for authentication. SSL must be used in this case. |
| V-91291 | High | If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily... |
| V-91293 | High | AIX root passwords must never be passed over a network in clear text form. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily... |
| V-91299 | High | The AIX rsh daemon must be disabled. | The rsh daemon permits username and passwords to be passed over the network in clear text. |
| V-91429 | High | AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials... |
| V-91283 | High | AIX must enforce password complexity by requiring that at least one lower-case character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-91281 | High | AIX must enforce password complexity by requiring that at least one upper-case character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-91287 | High | AIX must require the change of at least 50% of the total number of characters when passwords are changed. | If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for... |
| V-91285 | High | AIX must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-91289 | High | The AIX system must have no .netrc files on the system. | Unencrypted passwords for remote FTP servers may be stored in .netrc files. Policy requires passwords be encrypted in storage and not used in access scripts. |
| V-91531 | High | AIX must disable trivial file transfer protocol. | Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be... |
| V-91379 | High | The ntalk daemon must be disabled on AIX. | This service establishes a two-way communication link between two users, either locally or remotely. Unless required the ntalk service will be disabled to prevent attacks. |
| V-91303 | High | The AIX rexec daemon must not be running. | The exec service is used to execute a command sent from a remote server. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the rexecd... |
| V-91301 | High | The AIX rlogind service must be disabled. | The rlogin daemon permits username and passwords to be passed over the network in clear text. |
| V-91307 | High | AIX ftpd daemon must not be running. | The ftp service is used to transfer files from or to a remote machine. The username and passwords are passed over the network in clear text and therefore insecurely. Remote file transfer, if... |
| V-91305 | High | AIX telnet daemon must not be running. | This telnet service is used to service remote user connections. This is historically the most commonly used remote access method for UNIX servers. The username and passwords are passed over the... |
| V-91423 | High | All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Lack of... |
| V-91421 | High | All accounts on AIX system must have unique account names. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational... |
| V-91315 | High | AIX must use Loadable Password Algorithm (LPA) password hashing algorithm. | The default legacy password hashing algorithm, crypt(), uses only the first 8 characters from the password string, meaning the user's password is truncated to eight characters. If the password is... |
| V-91317 | High | AIX must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the... |
| V-91439 | High | AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability... |
| V-91737 | High | AIX must not have accounts configured with blank or null passwords. | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured... |
| V-91537 | High | AIX must remove NOPASSWD tag from sudo config files. | sudo command does not require reauthentication if NOPASSWD tag is specified in /etc/sudoers config file, or sudoers files in /etc/sudoers.d/ directory. With this tag in sudoers file, users are not... |
| V-91503 | High | AIX must be able to control the ability of remote login for users. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access... |
| V-91425 | High | The AIX SYSTEM attribute must not be set to NONE for any account. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational... |
| V-91259 | Medium | AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents. | The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review... |
| V-91511 | Medium | NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs. | The nosuid mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system not containing approved setuid files. Executing... |
| V-91359 | Medium | If SNMP is not required on AIX, the snmpmibd daemon must be disabled. | The snmpmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. If snmpd is not required, it is recommended that it is disabled. |
| V-91515 | Medium | AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. | If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important... |
| V-91691 | Medium | AIX control scripts library search paths must contain only absolute paths. | The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other... |
| V-91355 | Medium | If AIX server does not host an SNMP agent, the dpid2 daemon must be disabled. | The dpid2 daemon acts as a protocol converter, which enables DPI (SNMP v2) sub-agents, such as hostmibd, to talk to a SNMP v1 agent that follows SNMP MUX protocol.
To prevent attacks this daemon... |
| V-91693 | Medium | The control script lists of preloaded libraries must contain only absolute paths on AIX systems. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
| V-91351 | Medium | If rwhod is not required on AIX, the rwhod daemon must be disabled. | This is the remote WHO service.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
| V-91697 | Medium | The local initialization file library search paths must contain only absolute paths on AIX. | The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other... |
| V-91353 | Medium | The timed daemon must be disabled on AIX. | This is the old UNIX time service.
The timed daemon is the old UNIX time service. Disable this service and use xntp, if time synchronization is required in the environment. |
| V-91611 | Medium | The AIX /etc/group file must be owned by root. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
| V-91759 | Medium | All AIX users home directories must have mode 0750 or less permissive. | Excessive permissions on home directories allow unauthorized access to user files. |
| V-91613 | Medium | The AIX /etc/group file must be group-owned by security. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
| V-91615 | Medium | The AIX /etc/group file must have mode 0644 or less permissive. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
| V-91617 | Medium | The AIX /etc/group file must not have an extended ACL. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
| V-91619 | Medium | The AIX ldd command must be disabled. | The ldd command provides a list of dependent libraries needed by a given binary, which is useful for troubleshooting software. Instead of parsing the binary file, some ldd implementations invoke... |
| V-91751 | Medium | The AIX root user home directory must not be the root directory (/). | Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places... |
| V-91753 | Medium | The AIX root accounts home directory (other than /) must have mode 0700. | Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. |
| V-91755 | Medium | All AIX interactive users must be assigned a home directory in the passwd file and the directory must exist. | All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory. This could create a Denial of Service... |
| V-91251 | Medium | AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event. | Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
Without information that establishes the... |
| V-91517 | Medium | AIX must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity.
The task of... |
| V-91419 | Medium | The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX. | The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases... |
| V-92245 | Medium | AIX must configure the ttys value for all interactive users. | A user's "ttys" attribute controls from which device(s) the user can authenticate and log in. If the "ttys" attribute is not specified, all terminals can access the user account. |
| V-91221 | Medium | AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal... |
| V-91223 | Medium | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal... |
| V-91589 | Medium | All AIX public directories must be owned by root or an application account. | If a public directory has the sticky bit set and is not owned by a privileged UID, unauthorized users may be able to modify files created by others. The only authorized public directories are... |
| V-91225 | Medium | The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal... |
| V-91227 | Medium | AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is... |
| V-91585 | Medium | AIX SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. |
| V-91229 | Medium | AIX must provide the lock command to let users retain their session lock until users are reauthenticated. | All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecure poses a potential security hazard.
To lock the terminal, use the lock command. |
| V-91587 | Medium | The inetd.conf file on AIX must be owned by root and system group. | Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration... |
| V-91581 | Medium | AIX system must restrict the ability to switch to the root user to members of a defined group. | Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials. |
| V-91253 | Medium | AIX must produce audit records containing information to establish the outcome of the events. | Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the... |
| V-91583 | Medium | If SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf config file. | Use default SNMP password increases the chance of security vulnerability on SNMP service. |
| V-91369 | Medium | The cmsd daemon must be disabled on AIX. | This is a calendar and appointment service for CDE.
The cmsd service is utilized by CDE to provide calendar functionality. If CDE is not required, this service should be disabled to prevent attacks. |
| V-91767 | Medium | The AIX user home directories must not have extended ACLs. | Excessive permissions on home directories allow unauthorized access to user files. |
| V-91761 | Medium | All AIX interactive users home directories must be owned by their respective users. | System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. |
| V-91763 | Medium | All AIX interactive users home directories must be group-owned by the home directory owner primary group. | If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files. |
| V-91361 | Medium | The aixmibd daemon must be disabled on AIX. | The aixmibd daemon is a dpi2 sub-agent which manages a number of MIB variables.
To prevent attacks this daemon should not be enabled unless there is no alternative. |
| V-91695 | Medium | The global initialization file lists of preloaded libraries must contain only absolute paths on AIX. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
| V-91363 | Medium | The ndpd-host daemon must be disabled on AIX. | This is the Neighbor Discovery Protocol (NDP) daemon, required in IPv6.
The ndpd-host is the NDP daemon for the server. Unless the server utilizes IPv6, this is not required and should be... |
| V-91365 | Medium | The ndpd-router must be disabled on AIX. | This manages the Neighbor Discovery Protocol (NDP) for non-kernel activities, required in IPv6.
The ndpd-router manages NDP for non-kernel activities. Unless the server utilizes IPv6, this is not... |
| V-91367 | Medium | The daytime daemon must be disabled on AIX. | The daytime service provides the current date and time to other servers on a network.
This daytime service is a defunct time service, typically used for testing purposes only. The service should... |
| V-91567 | Medium | AIX must prevent the use of dictionary words for passwords. | If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses... |
| V-91565 | Medium | AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3,... |
| V-91563 | Medium | AIX must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products... |
| V-91257 | Medium | AIX must be configured to generate an audit record when 75% of the audit file system is full. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an... |
| V-91561 | Medium | AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods. | Without protection of the transmitted or received information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.... |
| V-91609 | Medium | AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. | To centralize the management of privileged account crontabs, of the default system accounts, only root may have a crontab. |
| V-91607 | Medium | AIX administrative accounts must not run a web browser, except as needed for local service administration. | If a web browser flaw is exploited while running as a privileged user, the entire system could be compromised.
Specific exceptions for local service administration should be documented in... |
| V-91605 | Medium | AIX time synchronization configuration file must have mode 0640 or less permissive. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
| V-91603 | Medium | AIX time synchronization configuration file must be group-owned by bin, or system. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
| V-91569 | Medium | AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt. | Limiting the number of login attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. |
| V-91601 | Medium | AIX time synchronization configuration file must be owned by root. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
| V-91399 | Medium | The kshell daemon must be disabled on AIX. | The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted communications. The recommendation is to use SSH wherever possible... |
| V-91453 | Medium | AIX log files must be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform.... |
| V-91451 | Medium | AIX log files must have mode 0640 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform.... |
| V-91599 | Medium | AIX passwd.nntp file must have mode 0600 or less permissive. | File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users. |
| V-91219 | Medium | AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by... |
| V-91455 | Medium | AIX log files must be owned by privileged groups. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform.... |
| V-91215 | Medium | The regular users default primary group must be staff (or equivalent) on AIX. | The /usr/lib/security/mkuser.default file contains the default primary groups for regular and admin users. Setting a system group as the regular users' primary group increases the risk that the... |
| V-91593 | Medium | AIX nosuid option must be enabled on all NFS client mounts. | Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users... |
| V-91217 | Medium | AIX must automatically remove or disable temporary user accounts after 72 hours or sooner. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of... |
| V-91591 | Medium | All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions. | When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to... |
| V-91211 | Medium | The shipped /etc/security/mkuser.sys file on AIX must not be customized directly. | The "/etc/security/mkuser.sys" script customizes the new user account when a new user is created, or a user is logging into the system without a home directory. An improper... |
| V-91597 | Medium | AIX audio devices must be group-owned by root, sys, bin, or system. | Without privileged group owners, audio devices will be vulnerable to being used as eaves-dropping devices by malicious users or intruders to possibly listen to conversations containing sensitive... |
| V-91213 | Medium | AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account. | The "/etc/security/mkuser.sys.custom" is called by "/etc/security/mkuser.sys" to customize the new user account when a new user is created, or a user is logging into the system without a home... |
| V-91595 | Medium | AIX cron and crontab directories must be owned by root or bin. | Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron... |
| V-91773 | Medium | If AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses. | The SSH daemon should only listen on the approved listening IP addresses. Otherwise the SSH service could be subject to unauthorized access. |
| V-91771 | Medium | AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. |
| V-91279 | Medium | AIX SSH private host key files must have mode 0600 or less permissive. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
The cornerstone of the PKI is the private key... |
| V-91775 | Medium | AIX must provide audit record generation functionality for DoD-defined auditable events. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit... |
| V-91277 | Medium | If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. |
| V-91275 | Medium | The AIX audit configuration files must be set to 640 or less permissive. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured... |
| V-91273 | Medium | The AIX audit configuration files must be group-owned by audit. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured... |
| V-91271 | Medium | The AIX audit configuration files must be owned by root. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured... |
| V-91575 | Medium | AIX system must require authentication upon booting into single-user and maintenance modes. | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
| V-91679 | Medium | The AIX SSH daemon must be configured for IP filtering. | The SSH daemon must be configured for IP filtering to provide a layered defense against connection attempts from unauthorized addresses. |
| V-91577 | Medium | On AIX, the SSH server must not permit root logins using remote access programs. | Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password. |
| V-91571 | Medium | Samba packages must be removed from AIX. | If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts. |
| V-91255 | Medium | AIX must produce audit records containing the full-text recording of privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
At a minimum, the organization must audit the full-text recording of... |
| V-91391 | Medium | The rusersd daemon must be disabled on AIX. | The rusersd service runs as root and provides a list of current users active on a system. An attacker may use this service to learn valid account names on the system. This is not an essential... |
| V-91673 | Medium | AIX process core dumps must be disabled. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers... |
| V-91671 | Medium | The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups. | A plus (+) in system accounts files causes the system to lookup the specified entry using NIS. If the system is not using NIS, no such entries should exist. |
| V-91245 | Medium | The AIX SSH server must use SSH Protocol 2. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD nonpublic information... |
| V-91677 | Medium | The AIX syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures. | Unintentionally running a syslog server accepting remote messages puts the system at increased risk. Malicious syslog messages sent to the server could exploit vulnerabilities in the server... |
| V-91579 | Medium | AIX system must prevent the root account from directly logging in except from the system console. | Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device.
A common attack method of potential hackers is... |
| V-91675 | Medium | The SMTP service HELP command must not be enabled on AIX. | The HELP command should be disabled to mask version information. The version of the SMTP service software could be used by attackers to target vulnerabilities present in specific software versions. |
| V-91239 | Medium | AIX must monitor and record successful remote logins. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access... |
| V-91393 | Medium | The rwalld daemon must be disabled on AIX. | The rwalld service allows remote users to broadcast system wide messages. The service runs as root and should be disabled unless absolutely necessary to prevent attacks. |
| V-91349 | Medium | If AIX server is not functioning as a network router, the routed daemon must be disabled. | The routed daemon manages the network routing tables in the kernel.
To prevent attacks this daemon should not be enabled unless there is no alternative. |
| V-91395 | Medium | The sprayd daemon must be disabled on AIX. | The sprayd service is used as a tool to generate UDP packets for testing and diagnosing network problems. The service must be disabled if NFS is not in use, as it can be used by attackers in a... |
| V-91687 | Medium | The AIX root accounts list of preloaded libraries must be empty. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
| V-92951 | Medium | The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
DoD has mandated the use of the CAC to support identity management and personal authentication... |
| V-91443 | Medium | AIX must set Stack Execution Disable (SED) system wide mode to all. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
Managing... |
| V-91683 | Medium | NIS maps must be protected through hard-to-guess domain names on AIX. | The use of hard-to-guess NIS domain names provides additional protection from unauthorized access to the NIS directory information. |
| V-91447 | Medium | AIX must terminate all SSH login sessions after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-91449 | Medium | AIX must protect the confidentiality and integrity of all information at rest. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system.
This... |
| V-91689 | Medium | All AIX files and directories must have a valid group owner. | Failure to restrict system access to authenticated users negatively impacts operating system security. |
| V-91265 | Medium | Audit logs on the AIX system must be group-owned by system. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Audit information includes all information (e.g., audit... |
| V-91267 | Medium | Audit logs on the AIX system must be set to 660 or less permissive. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Audit information includes all information (e.g., audit... |
| V-91263 | Medium | Audit logs on the AIX system must be owned by root. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Audit information includes all information (e.g., audit... |
| V-91541 | Medium | If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing... |
| V-91669 | Medium | All global initialization file executable search paths must contain only absolute paths. | Failure to restrict system access to authenticated users negatively impacts operating system security. |
| V-91389 | Medium | The rstatd daemon must be disabled on AIX. | The rstatd service is used to provide kernel statistics and other monitorable parameters pertinent to the system such as: CPU usage, system uptime, network usage etc. An attacker may use this... |
| V-91545 | Medium | AIX must implement a way to force an identified temporary user to renew their password at next login. | Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary... |
| V-91457 | Medium | AIX log files must not have extended ACLs, except as needed to support authorized software. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform.... |
| V-91547 | Medium | If LDAP authentication is required, AIX must setup LDAP client to refresh user and group caches less than a day. | If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
| V-91383 | Medium | The discard daemon must be disabled on AIX. | The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it receives. This is a /dev/null service and is obsolete. This can be used in... |
| V-91661 | Medium | The sendmail server must have the debug feature disabled on AIX systems. | Debug mode is a feature present in older versions of Sendmail which, if not disabled, may allow an attacker to gain access to a system through the Sendmail service. |
| V-91381 | Medium | The chargen daemon must be disabled on AIX. | This service is used to test the integrity of TCP/IP packets arriving at the destination.
This chargen service is a character generator service and is used for testing the integrity of TCP/IP... |
| V-91663 | Medium | SMTP service must not have the EXPN or VRFY features active on AIX systems. | The SMTP EXPN function allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. EXPN may also provide additional... |
| V-91387 | Medium | The pcnfsd daemon must be disabled on AIX. | The pcnfsd service is an authentication and printing program, which uses NFS to provide file transfer services. This service is vulnerable and exploitable and permits the machine to be compromised... |
| V-91459 | Medium | Any publically accessible connection to AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent... |
| V-91385 | Medium | The dtspc daemon must be disabled on AIX. | The dtspc service deals with the CDE interface of the X11 daemon. It is started automatically by the inetd daemon in response to a CDE client requesting a process to be started on the daemon's... |
| V-91667 | Medium | AIX must require passwords to contain no more than three consecutive repeating characters. | Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. |
| V-91707 | Medium | AIX must be configured with a default gateway for IPv6 if the system uses IPv6 unless the system is a router. | If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks. |
| V-91625 | Medium | All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. | If a user is assigned the GID of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended rights to the group. |
| V-91649 | Medium | AIX must not use removable media as the boot loader. | Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. |
| V-91543 | Medium | If automated file system mounting tool is not required on AIX, it must be disabled. | Automated file system mounting tools may provide unprivileged users with the ability to access local media and network shares. If this access is not necessary for the system’s operation, it must... |
| V-91523 | Medium | AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when... |
| V-91377 | Medium | The talk daemon must be disabled on AIX. | This talk service is used to establish an interactive two-way communication link between two UNIX users. Unless required the talk service will be disabled to prevent attacks. |
| V-92943 | Medium | The AIX operating system must be configured to authenticate using Multi Factor Authentication. | To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.... |
| V-91479 | Medium | All system command files must not have extended ACLs. | Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default... |
| V-92945 | Medium | The AIX operating system must be configured to use Multi Factor Authentication for remote connections. | To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.... |
| V-91371 | Medium | The ttdbserver daemon must be disabled on AIX. | The ttdbserver service is the tool-talk database service for CDE. This service runs as root and should be disabled. Unless required the ttdbserver service will be disabled to prevent attacks. |
| V-91475 | Medium | All system files, programs, and directories must be owned by a system account. | Restricting permissions will protect the files from unauthorized modification. |
| V-92949 | Medium | The AIX operating system must be configured to use a valid server_ca.pem file. | To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.... |
| V-91477 | Medium | AIX library files must have mode 0755 or less permissive. | Unauthorized access could destroy the integrity of the library files. |
| V-91471 | Medium | AIX audit tools must be set to 4550 or less permissive. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized... |
| V-91473 | Medium | AIX system files, programs, and directories must be group-owned by a system group. | Restricting permissions will protect the files from unauthorized modification. |
| V-91657 | Medium | AIX must implement a remote syslog server that is documented using site-defined procedures. | If a remote log host is in use and it has not been justified and documented, sensitive information could be obtained by unauthorized users without the administrator’s knowledge.
Satisfies:... |
| V-91651 | Medium | AIX audit logs must be rotated daily. | Rotate audit logs daily to preserve audit file system space and to conform to the DoD/DISA requirement. If it is not rotated daily and moved to another location, then there is more of a chance for... |
| V-91701 | Medium | AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option. | The nodev (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system not containing approved device files.... |
| V-91417 | Medium | If Stream Control Transmission Protocol (SCTP) must be disabled on AIX. | The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the... |
| V-91415 | Medium | The Internet Network News (INN) server must be disabled on AIX. | Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to transfer information from the Usenet to the... |
| V-91413 | Medium | The echo daemon must be disabled on AIX. | The echo service can be used in Denial of Service or SMURF attacks. It can also be used by someone else to get through a firewall or start a data storm. The echo service is unnecessary and it... |
| V-91411 | Medium | The instsrv daemon must be disabled on AIX. | The instsrv service is part of the Network Installation Tools, used for servicing servers running AIX 3.2. This service should be disabled to prevent attacks. |
| V-91715 | Medium | The AIX DHCP client must not send dynamic DNS updates. | Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed. |
| V-91717 | Medium | AIX must not run any routing protocol daemons unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be... |
| V-91493 | Medium | AIX must set inactivity time-out on login sessions and terminate all login sessions after 10 minutes of inactivity. | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions... |
| V-91711 | Medium | AIX package management tool must be used daily to verify system software. | Verification using the system package management tool can be used to determine that system software has not been tampered with. This requirement is not applicable to systems not using package... |
| V-91491 | Medium | AIX must config the SSH idle timeout interval. | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions... |
| V-91559 | Medium | AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
This... |
| V-91557 | Medium | AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient... |
| V-91555 | Medium | AIX must request and perform data origin and integrity authentication verification on the name/address resolution responses the system receives from authoritative sources. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been... |
| V-91719 | Medium | AIX must not process ICMP timestamp requests. | The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system. |
| V-91397 | Medium | The klogin daemon must be disabled on AIX. | The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the network. However, it is still not as secure as SSH,... |
| V-91427 | Medium | Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts. | Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or... |
| V-91665 | Medium | UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems. | Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, possibly leading to the user having... |
| V-91469 | Medium | AIX audit tools must be group-owned by audit. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized... |
| V-91709 | Medium | AIX must not have IP forwarding for IPv6 enabled unless the system is an IPv6 router. | If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices. |
| V-91463 | Medium | AIX must start audit at boot. | If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is... |
| V-91309 | Medium | AIX Operating systems must enforce 24 hours/1 day as the minimum password lifetime. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and... |
| V-91461 | Medium | If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. | If LDAP authentication is used, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. |
| V-91467 | Medium | AIX audit tools must be owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized... |
| V-91643 | Medium | AIX NFS server must be configured to restrict file system access to local hosts. | The NFS access option limits user access to the specified level. This assists in protecting exported file systems. If access is not restricted, unauthorized hosts may be able to access the... |
| V-91641 | Medium | All AIX shells referenced in passwd file must be listed in /etc/shells file, except any shells specified for the purpose of preventing logins. | The /etc/shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized unsecure shell. |
| V-91647 | Medium | AIX must be configured to only boot from the system boot device. | The ability to boot from removable media is the same as being able to boot into single user or maintenance mode without a password. This ability could allow a malicious user to boot the system and... |
| V-91645 | Medium | AIX public directories must be the only world-writable directories and world-writable files must be located only in public directories. | World-writable files and directories make it easy for a malicious user to place potentially compromising files on the system. The only authorized public directories are those temporary directories... |
| V-91405 | Medium | The imap2 service must be disabled on AIX. | The imap2 service or Internet Message Access Protocol (IMAP) supports the IMAP4 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not... |
| V-91401 | Medium | The rquotad daemon must be disabled on AIX. | The rquotad service allows NFS clients to enforce disk quotas on file systems that are mounted on the local system. This service should be disabled if to prevent attacks. |
| V-91403 | Medium | The tftp daemon must be disabled on AIX. | The tftp service allows remote systems to download or upload files to the tftp server without any authentication. It is therefore a service that should not run, unless needed. One of the main... |
| V-91721 | Medium | AIX must not respond to ICMPv6 echo requests sent to a broadcast address. | Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks. |
| V-91485 | Medium | AIX must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting... |
| V-91529 | Medium | AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions. | Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be... |
| V-91487 | Medium | In the event of a system failure, AIX must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. | Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality,... |
| V-91725 | Medium | AIX must turn on SSH daemon privilege separation. | SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section. |
| V-91481 | Medium | All library files must not have extended ACLs. | Unauthorized access could destroy the integrity of the library files. |
| V-91727 | Medium | AIX must turn on SSH daemon reverse name checking. | If reverse name checking is off, SSH may allow a remote attacker to circumvent security policies and attempt to or actually login from IP addresses that are not permitted to access resources. |
| V-91483 | Medium | AIX device files and directories must only be writable by users with a system account or as configured by the vendor. | System device files in writable directories could be modified, removed, or used by an unprivileged user to control system hardware. |
| V-91729 | Medium | AIX SSH daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. |
| V-91521 | Medium | AIX must provide a report generation function that supports on-demand audit review and analysis, on-demand reporting requirements, and after-the-fact investigations of security incidents. | The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability to generate incident reports, as needed, to better handle larger-scale... |
| V-91527 | Medium | AIX must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generated by AIX include date and time. Time is... |
| V-91489 | Medium | AIX must verify the hash of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit... |
| V-91685 | Medium | The AIX systems access control program must be configured to grant or deny system access to specific hosts. | If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts. |
| V-91549 | Medium | AIX must setup SSH daemon to disable revoked public keys. | Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). |
| V-91311 | Medium | AIX Operating systems must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force... |
| V-91313 | Medium | AIX must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the... |
| V-91659 | Medium | AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router. | If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks. |
| V-91319 | Medium | AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must... |
| V-91765 | Medium | The AIX root accounts home directory must not have an extended ACL. | Excessive permissions on root home directories allow unauthorized access to root user files. |
| V-91705 | Medium | The AIX SSH daemon must not allow compression. | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection,... |
| V-91573 | Medium | The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes... |
| V-91437 | Medium | The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. | Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation... |
| V-91637 | Medium | AIX run control scripts executable search paths must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory... |
| V-91539 | Medium | AIX must remove !authenticate option from sudo config files. | sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are... |
| V-91635 | Medium | AIX sendmail logging must not be set to less than nine in the sendmail.cf file. | If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the sendmail service. |
| V-91633 | Medium | The AIX hosts.lpd file must not contain a + character. | Having the '+' character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources. |
| V-91631 | Medium | The AIX global initialization files must contain the mesg -n or mesg n commands. | Command "mesg -n" allows only the root user the permission to send messages to your workstation to avoid having others clutter your display with incoming messages. |
| V-91739 | Medium | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the AIX system. | Trust files are convenient, but when used in conjunction with the remote login services, they can allow unauthenticated access to a system. |
| V-91629 | Medium | The sticky bit must be set on all public directories on AIX systems. | Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories... |
| V-91533 | Medium | AIX must be configured to use syslogd to log events by TCPD. | Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be... |
| V-91535 | Medium | AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users... |
| V-91639 | Medium | The /etc/shells file must exist on AIX systems. | The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized... |
| V-91409 | Medium | The finger daemon must be disabled on AIX. | The fingerd daemon provides the server function for the finger command. This allows users to view real-time pertinent user login information on other remote systems. This service should be... |
| V-91735 | Medium | AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. |
| V-91249 | Medium | AIX must produce audit records containing information to establish where the events occurred. | Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
In order to compile an accurate risk assessment... |
| V-92941 | Medium | The AIX operating system must use Multi Factor Authentication. | To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.... |
| V-91731 | Medium | AIX must turn off X11 forwarding for the SSH daemon. | X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed. |
| V-91733 | Medium | AIX must turn off TCP forwarding for the SSH daemon. | SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the... |
| V-91247 | Medium | AIX must produce audit records containing information to establish what the date, time, and type of events that occurred. | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Audit record content that may be... |
| V-91375 | Medium | The time daemon must be disabled on AIX. | This service can be used to synchronize system clocks.
The time service is an obsolete process used to synchronize system clocks at boot time. This has been superseded by NTP, which should be... |
| V-91329 | Medium | If NFS is not required on AIX, the NFS daemon must be disabled. | The rcnfs entry starts the NFS daemons during system boot.
NFS is a service with numerous historical vulnerabilities and should not be enabled unless there is no alternative. If NFS serving is... |
| V-91243 | Medium | The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD nonpublic information... |
| V-91241 | Medium | AIX must monitor and record unsuccessful remote logins. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access... |
| V-91325 | Medium | If AIX system does not support either local or remote printing, the piobe service must be disabled. | The piobe daemon is the I/O back end for the printing process, handling the job scheduling and spooling.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
| V-91327 | Medium | If there are no X11 clients that require CDE on AIX, the dt service must be disabled. | This entry executes the CDE startup script which starts the AIX Common Desktop Environment.
To prevent attacks this daemon should not be enabled unless there is no alternative. |
| V-91321 | Medium | The AIX qdaemon must be disabled if local or remote printing is not required. | The qdaemon program is the printing scheduling daemon that manages the submission of print jobs to the piobe service.
To prevent remote attacks this daemon should not be enabled unless there is... |
| V-91323 | Medium | If AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled. | The lpd daemon accepts remote print jobs from other systems.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
| V-91373 | Medium | The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX. | This service facilitates file copying between networked servers.
The uucp (UNIX to UNIX Copy Program), service allows users to copy files between networked machines. Unless an application or... |
| V-91505 | Medium | AIX must allow admins to send a message to all the users who logged in currently. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in... |
| V-91507 | Medium | AIX must allow admins to send a message to a user who logged in currently. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in... |
| V-91407 | Medium | The pop3 daemon must be disabled on AIX. | The pop3 service provides a pop3 server. It supports the pop3 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not required to prevent attacks. |
| V-91703 | Medium | AIX kernel core dumps must be disabled unless needed. | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial of Service by... |
| V-91347 | Medium | If AIX server is not functioning as a DNS server, the named daemon must be disabled. | This is the server for the DNS protocol and controls domain name resolution for its clients.
To prevent attacks this daemon should not be enabled unless there is no alternative. |
| V-91769 | Medium | All files and directories contained in users home directories on AIX must be group-owned by a group in which the home directory owner is a member. | If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files. |
| V-91345 | Medium | If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled. | This daemon is an implementation of the multicast routing protocol.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
| V-92947 | Medium | AIX must have the have the PowerSC Multi Factor Authentication Product configured. | To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.... |
| V-91509 | Medium | AIX must use Trusted Execution (TE) Check policy. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in... |
| V-91341 | Medium | If IPv6 is not utilized on AIX server, the autoconf6 daemon must be disabled. | "autoconf6" is used to automatically configure IPv6 interfaces at boot time. Running this service may allow other hosts on the same physical subnet to connect via IPv6, even when the network does... |
| V-91749 | Medium | The AIX SSH daemon must not allow RhostsRSAAuthentication. | If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific authentication. |
| V-91627 | Medium | All AIX files and directories must have a valid owner. | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft... |
| V-91621 | Medium | The AIX root account must not have world-writable directories in its executable search path. | If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and inadvertently run by root with all of root's privileges. |
| V-91623 | Medium | The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID. | Reserved GIDs are typically used by system software packages. If non-system groups have GIDs in this range, they may conflict with system software, possibly leading to the group having permissions... |
| V-91743 | Medium | The AIX SSH daemon must be configured to disable empty passwords. | When password authentication is allowed, PermitEmptyPasswords specifies whether the server allows login to accounts with empty password strings. If an account has an empty password, anyone could... |
| V-91741 | Medium | The .rhosts file must not be supported in AIX PAM. | .rhosts files are used to specify a list of hosts permitted remote access to a particular account without authenticating. The use of such a mechanism defeats strong identification and... |
| V-91747 | Medium | The AIX SSH daemon must be configured to not use host-based authentication. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
| V-91681 | Medium | IP forwarding for IPv4 must not be enabled on AIX unless the system is a router. | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. |
| V-91745 | Medium | The AIX SSH daemon must be configured to disable user .rhosts files. | Trust .rhost file means a compromise on one host can allow an attacker to move trivially to other hosts. |
| V-91723 | Medium | AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required. | The AIX Encrypted File System (EFS) is a J2 filesystem-level encryption through individual key stores. This allows for file encryption in order to protect confidential data from attackers with... |
| V-91343 | Medium | If AIX server is not functioning as a network router, the gated daemon must be disabled. | This daemon provides gateway routing functions for protocols such as RIP and SNMP.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
| V-91233 | Medium | AIX must automatically lock after 15 minutes of inactivity in the CDE Graphical desktop environment. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the... |
| V-91699 | Medium | The local initialization file lists of preloaded libraries must contain only absolute paths on AIX. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
| V-91231 | Medium | AIX must provide xlock command in the CDE environment to let users retain their sessions lock until users are reauthenticated. | All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecure poses a potential security hazard.
If the interface is AIXwindows (CDE), use the xlock... |
| V-91339 | Medium | If DHCP server is not required on AIX, the DHCP server must be disabled. | The dhcpsd daemon is the DHCP server that serves addresses and configuration information to DHCP clients in the network.
To prevent remote attacks this daemon should not be enabled unless there... |
| V-91237 | Medium | AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature... |
| V-91235 | Medium | AIX must be configured to allow users to directly initiate a session lock for all connection types. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the... |
| V-91333 | Medium | If SNMP is not required on AIX, the snmpd service must be disabled. | The snmpd daemon is used by many 3rd party applications to monitor the health of the system. This allows remote monitoring of network and server configuration.
To prevent remote attacks this... |
| V-100005 | Medium | AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full. | Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. |
| V-91331 | Medium | If sendmail is not required on AIX, the sendmail service must be disabled. | The sendmail service has many historical vulnerabilities and, where possible, should be disabled. If the system is not required to operate as a mail server i.e. sending, receiving or processing... |
| V-91337 | Medium | If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled. | The dhcprd daemon listens for broadcast packets, receives them, and forwards them to the appropriate server.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
| V-91335 | Medium | The AIX DHCP client must be disabled. | The dhcpcd daemon receives address and configuration information from the DHCP server. DHCP relies on trusting the local network. If the local network is not trusted, then it should not be... |
| V-91501 | Low | SSH must display the date and time of the last successful account login to AIX system upon login. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access... |
| V-91655 | Low | AIX must contain no .forward files. | The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops which... |
| V-91653 | Low | If the AIX host is running an SMTP service, the SMTP greeting must not provide version information. | The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version. |
| V-91497 | Low | If Bourne / ksh shell is used, AIX must display logout messages. | If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether... |
| V-91495 | Low | If bash is used, AIX must display logout messages. | If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether... |
| V-91499 | Low | If csh/tcsh shell is used, AIX must display logout messages. | If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether... |
