| Finding ID |
Severity |
Title |
Description |
|
V-215403
|
High |
The AIX system must have no .netrc files on the system. |
Unencrypted passwords for remote FTP servers may be stored in .netrc files. Policy requires passwords be encrypted in storage and not used in access scripts. |
|
V-215375
|
High |
The ntalk daemon must be disabled on AIX. |
This service establishes a two-way communication link between two users, either locally or remotely. Unless required the ntalk service will be disabled to prevent attacks. |
|
V-215347
|
High |
The AIX rlogind service must be disabled. |
The rlogin daemon permits username and passwords to be passed over the network in clear text. |
|
V-215346
|
High |
The AIX rsh daemon must be disabled. |
The rsh daemon permits username and passwords to be passed over the network in clear text. |
|
V-215334
|
High |
AIX must disable trivial file transfer protocol. |
Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions.
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings.... |
|
V-215322
|
High |
AIX must disable /usr/bin/rcp,
/usr/bin/rlogin,
/usr/bin/rsh, /usr/bin/rexec and /usr/bin/telnet commands. |
The listed applications permit the transmission of passwords in plain text. Alternative applications such as SSH, which encrypt data, should be use instead. |
|
V-215260
|
High |
AIX must remove NOPASSWD tag from sudo config files. |
sudo command does not require reauthentication if NOPASSWD tag is specified in /etc/sudoers config file, or sudoers files in /etc/sudoers.d/ directory. With this tag in sudoers file, users are not required to reauthenticate for privilege escalation. |
|
V-215259
|
High |
AIX ftpd daemon must not be running. |
The ftp service is used to transfer files from or to a remote machine. The username and passwords are passed over the network in clear text and therefore insecurely. Remote file transfer, if required, should be facilitated through SSH. |
|
V-215258
|
High |
AIX telnet daemon must not be running. |
This telnet service is used to service remote user connections. This is historically the most commonly used remote access method for UNIX servers. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the telnetd daemon will be disabled. This function, if required,... |
|
V-215257
|
High |
The AIX rexec daemon must not be running. |
The exec service is used to execute a command sent from a remote server. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the rexecd daemon will be disabled. This function, if required, should be facilitated through SSH. |
|
V-215233
|
High |
AIX must be able to control the ability of remote login for users. |
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through... |
|
V-215226
|
High |
AIX must enforce a minimum 15-character password length. |
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that... |
|
V-215225
|
High |
AIX must use Loadable Password Algorithm (LPA) password hashing algorithm. |
The default legacy password hashing algorithm, crypt(), uses only the first 8 characters from the password string, meaning the user's password is truncated to eight characters. If the password is shorter than 8 characters, it is padded with zero bits on the right.
The crypt() is a modified DES algorithm... |
|
V-215221
|
High |
AIX root passwords must never be passed over a network in clear text form. |
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. |
|
V-215220
|
High |
AIX must require the change of at least 50% of the total number of characters when passwords are changed. |
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
The number of changed characters refers to the number of changes required with respect to the... |
|
V-215219
|
High |
AIX must enforce password complexity by requiring that at least one numeric character be used. |
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it... |
|
V-215218
|
High |
AIX must enforce password complexity by requiring that at least one lower-case character be used. |
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it... |
|
V-215217
|
High |
AIX must enforce password complexity by requiring that at least one upper-case character be used. |
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it... |
|
V-215213
|
High |
AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. |
If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data.
Some maintenance and... |
|
V-215204
|
High |
IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server. |
While LDAP client's authentication type is ldap_auth (server-side authentication), the client sends password to the server in clear text for authentication. SSL must be used in this case. |
|
V-215197
|
High |
AIX must not have accounts configured with blank or null passwords. |
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured without a password, the entire system may be compromised. For user accounts not using password authentication, the account... |
|
V-215179
|
High |
AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. |
A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials must not be vulnerable to a replay attack.
An authentication process resists replay attacks if it is impractical to achieve a successful... |
|
V-215177
|
High |
The AIX SYSTEM attribute must not be set to NONE for any account. |
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users)... |
|
V-215176
|
High |
All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users). |
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise... |
|
V-215175
|
High |
All accounts on AIX system must have unique account names. |
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users)... |
|
V-215174
|
High |
If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords. |
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. |
|
V-245569
|
Medium |
The AIX cron and crontab directories must be group-owned by cron. |
Incorrect group ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron or crontab directories to root or to bin provides the designated owner and unauthorized users with the potential... |
|
V-245568
|
Medium |
The AIX /var/spool/cron/atjobs directory must have a mode of 0640 or less permissive. |
Incorrect permissions of the /var/spool/cron/atjobs directory could permit unauthorized users the ability to alter atjobs and run automated jobs as privileged users. Failure to set proper permissions of the /var/spool/cron/atjobs directory provides unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the... |
|
V-245567
|
Medium |
The AIX /var/spool/cron/atjobs directory must be group-owned by cron. |
Unauthorized group ownership of the /var/spool/cron/atjobs directory could permit unauthorized users the ability to alter atjobs and run automated jobs as privileged users. Failure to set proper permissions of the /var/spool/cron/atjobs directory provides unauthorized users with the potential to access sensitive information or change the system configuration which could weaken... |
|
V-245566
|
Medium |
The AIX /var/spool/cron/atjobs directory must be owned by root or bin. |
Unauthorized ownership of the /var/spool/cron/atjobs directory could permit unauthorized users the ability to alter atjobs and run automated jobs as privileged users. Failure to set proper permissions of the /var/spool/cron/atjobs directory provides unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the... |
|
V-245565
|
Medium |
The AIX /etc/inetd.conf file must have a mode of 0640 or less permissive. |
Failure to set proper permissions of sensitive files or utilities may provide unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture. |
|
V-245564
|
Medium |
The inetd.conf file on AIX must be group owned by the "system" group. |
Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture. |
|
V-245563
|
Medium |
The AIX /etc/syslog.conf file must have a mode of 0640 or less permissive. |
Unauthorized permissions of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities. This can aid the malicious actor in avoiding detection and further their ability to conduct malicious activities on the system. |
|
V-245562
|
Medium |
The AIX /etc/syslog.conf file must be group-owned by system. |
Unauthorized group ownership of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities. This can aid the malicious actor in avoiding detection and further their ability to conduct malicious activities on the system. |
|
V-245561
|
Medium |
The AIX /etc/syslog.conf file must be owned by root. |
Unauthorized ownership of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities. This can aid the malicious actor in avoiding detection and further their ability to conduct malicious activities on the system. |
|
V-245560
|
Medium |
AIX cron and crontab directories must have a mode of 0640 or less permissive. |
Incorrect permissions of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to set proper permissions of cron or crontab directories provides unauthorized users with the potential to access sensitive information or change the system configuration... |
|
V-245559
|
Medium |
The AIX /etc/hosts file must have a mode of 0640 or less permissive. |
Unauthorized permissions of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is also possible to use the /etc/hosts file to block detection by security software by blocking the traffic to all the download or update servers of... |
|
V-245558
|
Medium |
The AIX /etc/hosts file must be group-owned by system. |
Unauthorized group ownership of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is also possible to use the /etc/hosts file to block detection by security software by blocking the traffic to all the download or update servers... |
|
V-245557
|
Medium |
The AIX /etc/hosts file must be owned by root. |
Unauthorized ownership of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is also possible to use the /etc/hosts file to block detection by security software by blocking the traffic to all the download or update servers of... |
|
V-219956
|
Medium |
AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full. |
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. |
|
V-219057
|
Medium |
AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. |
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. |
|
V-215441
|
Medium |
The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials. |
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered... |
|
V-215440
|
Medium |
The AIX operating system must be configured to use a valid server_ca.pem file. |
To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication uses two or more factors to achieve authentication.
Factors include:
1. Something you know (e.g., password/PIN);
2. Something you have (e.g., cryptographic identification device,... |
|
V-215439
|
Medium |
AIX must have the have the PowerSC Multi Factor Authentication Product configured. |
To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication uses two or more factors to achieve authentication.
Factors include:
1. Something you know (e.g., password/PIN);
2. Something you have (e.g., cryptographic identification device,... |
|
V-215438
|
Medium |
The AIX operating system must be configured to use Multi Factor Authentication for remote connections. |
To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication uses two or more factors to achieve authentication.
Factors include:
1. Something you know (e.g., password/PIN);
2. Something you have (e.g., cryptographic identification device,... |
|
V-215437
|
Medium |
The AIX operating system must be configured to authenticate using Multi Factor Authentication. |
To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication uses two or more factors to achieve authentication.
Factors include:
1. Something you know (e.g., password/PIN);
2. Something you have (e.g., cryptographic identification device,... |
|
V-215436
|
Medium |
The AIX operating system must use Multi Factor Authentication. |
To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication uses two or more factors to achieve authentication.
Factors include:
1. Something you know (e.g., password/PIN);
2. Something you have (e.g., cryptographic identification device,... |
|
V-215435
|
Medium |
All AIX interactive users must be assigned a home directory in the passwd file and the directory must exist. |
All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory. This could create a Denial of Service because the user would not be able to perform useful tasks in this location. |
|
V-215434
|
Medium |
The AIX root user home directory must not be the root directory (/). |
Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places in its default directory. It also gives root the same discretionary access control for root's home directory... |
|
V-215433
|
Medium |
The .rhosts file must not be supported in AIX PAM. |
.rhosts files are used to specify a list of hosts permitted remote access to a particular account without authenticating. The use of such a mechanism defeats strong identification and authentication requirements. |
|
V-215432
|
Medium |
There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the AIX system. |
Trust files are convenient, but when used in conjunction with the remote login services, they can allow unauthenticated access to a system. |
|
V-215431
|
Medium |
AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. |
Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. |
|
V-215430
|
Medium |
AIX must not respond to ICMPv6 echo requests sent to a broadcast address. |
Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks. |
|
V-215429
|
Medium |
AIX must not process ICMP timestamp requests. |
The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system. |
|
V-215428
|
Medium |
AIX must not run any routing protocol daemons unless the system is a router. |
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. |
|
V-215427
|
Medium |
The AIX DHCP client must not send dynamic DNS updates. |
Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed. |
|
V-215426
|
Medium |
AIX package management tool must be used daily to verify system software. |
Verification using the system package management tool can be used to determine that system software has not been tampered with. This requirement is not applicable to systems not using package management tools. |
|
V-215425
|
Medium |
The local initialization file lists of preloaded libraries must contain only absolute paths on AIX. |
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. This variable is formatted as a space-separated... |
|
V-215424
|
Medium |
The local initialization file library search paths must contain only absolute paths on AIX. |
The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated... |
|
V-215423
|
Medium |
The global initialization file lists of preloaded libraries must contain only absolute paths on AIX. |
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. |
|
V-215422
|
Medium |
The control script lists of preloaded libraries must contain only absolute paths on AIX systems. |
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. |
|
V-215421
|
Medium |
AIX control scripts library search paths must contain only absolute paths. |
The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated... |
|
V-215420
|
Medium |
All AIX files and directories must have a valid group owner. |
Failure to restrict system access to authenticated users negatively impacts operating system security. |
|
V-215419
|
Medium |
The AIX systems access control program must be configured to grant or deny system access to specific hosts. |
If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts. |
|
V-215418
|
Medium |
NIS maps must be protected through hard-to-guess domain names on AIX. |
The use of hard-to-guess NIS domain names provides additional protection from unauthorized access to the NIS directory information. |
|
V-215417
|
Medium |
The SMTP service HELP command must not be enabled on AIX. |
The HELP command should be disabled to mask version information. The version of the SMTP service software could be used by attackers to target vulnerabilities present in specific software versions. |
|
V-215416
|
Medium |
All global initialization file executable search paths must contain only absolute paths. |
Failure to restrict system access to authenticated users negatively impacts operating system security. |
|
V-215415
|
Medium |
SMTP service must not have the EXPN or VRFY features active on AIX systems. |
The SMTP EXPN function allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. EXPN may also provide additional information concerning users on the system, such as the full names of account owners. The VRFY (Verify) command... |
|
V-215414
|
Medium |
The sendmail server must have the debug feature disabled on AIX systems. |
Debug mode is a feature present in older versions of Sendmail which, if not disabled, may allow an attacker to gain access to a system through the Sendmail service. |
|
V-215411
|
Medium |
AIX must not use removable media as the boot loader. |
Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. |
|
V-215410
|
Medium |
AIX must be configured to only boot from the system boot device. |
The ability to boot from removable media is the same as being able to boot into single user or maintenance mode without a password. This ability could allow a malicious user to boot the system and perform changes possibly compromising or damaging the system. It could also allow the system... |
|
V-215409
|
Medium |
AIX public directories must be the only world-writable directories and world-writable files must be located only in public directories. |
World-writable files and directories make it easy for a malicious user to place potentially compromising files on the system. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the... |
|
V-215408
|
Medium |
The /etc/shells file must exist on AIX systems. |
The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized unsecure shell. |
|
V-215407
|
Medium |
In the event of a system failure, AIX must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. |
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.... |
|
V-215406
|
Medium |
The rwalld daemon must be disabled on AIX. |
The rwalld service allows remote users to broadcast system wide messages. The service runs as root and should be disabled unless absolutely necessary to prevent attacks. |
|
V-215405
|
Medium |
If DHCP server is not required on AIX, the DHCP server must be disabled. |
The dhcpsd daemon is the DHCP server that serves addresses and configuration information to DHCP clients in the network.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
|
V-215404
|
Medium |
AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status. |
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for... |
|
V-215402
|
Medium |
The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers. |
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.... |
|
V-215401
|
Medium |
AIX must allow admins to send a message to a user who logged in currently. |
Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via... |
|
V-215400
|
Medium |
AIX must allow admins to send a message to all the users who logged in currently. |
Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via... |
|
V-215399
|
Medium |
AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces. |
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
This requirement addresses the configuration of AIX to mitigate the impact of DoS attacks that have occurred or are ongoing on... |
|
V-215398
|
Medium |
AIX must set Stack Execution Disable (SED) system wide mode to all. |
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce... |
|
V-215397
|
Medium |
AIX kernel core dumps must be disabled unless needed. |
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial of Service by exhausting the available space on the target file system. The kernel core dump process... |
|
V-215396
|
Medium |
AIX process core dumps must be disabled. |
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
|
V-215395
|
Medium |
If automated file system mounting tool is not required on AIX, it must be disabled. |
Automated file system mounting tools may provide unprivileged users with the ability to access local media and network shares. If this access is not necessary for the system’s operation, it must be disabled to reduce the risk of unauthorized access to these resources. |
|
V-215394
|
Medium |
The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX. |
The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the system to dynamically load a... |
|
V-215393
|
Medium |
If Stream Control Transmission Protocol (SCTP) must be disabled on AIX. |
The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the system to dynamically load a protocol handler by... |
|
V-215392
|
Medium |
The Internet Network News (INN) server must be disabled on AIX. |
Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to transfer information from the Usenet to the server and from the server to authorized remote hosts.
If this function is necessary to support a valid mission requirement, its... |
|
V-215391
|
Medium |
The echo daemon must be disabled on AIX. |
The echo service can be used in Denial of Service or SMURF attacks. It can also be used by someone else to get through a firewall or start a data storm. The echo service is unnecessary and it increases the attack vector of the system. |
|
V-215390
|
Medium |
The instsrv daemon must be disabled on AIX. |
The instsrv service is part of the Network Installation Tools, used for servicing servers running AIX 3.2. This service should be disabled to prevent attacks. |
|
V-215389
|
Medium |
The finger daemon must be disabled on AIX. |
The fingerd daemon provides the server function for the finger command. This allows users to view real-time pertinent user login information on other remote systems. This service should be disabled as it may provide an attacker with a valid user list to target. |
|
V-215388
|
Medium |
The pop3 daemon must be disabled on AIX. |
The pop3 service provides a pop3 server. It supports the pop3 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not required to prevent attacks. |
|
V-215387
|
Medium |
The imap2 service must be disabled on AIX. |
The imap2 service or Internet Message Access Protocol (IMAP) supports the IMAP4 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not required to prevent attacks. |
|
V-215386
|
Medium |
The tftp daemon must be disabled on AIX. |
The tftp service allows remote systems to download or upload files to the tftp server without any authentication. It is therefore a service that should not run, unless needed. One of the main reasons for requiring this service to be activated is if the host is a NIM master. However,... |
|
V-215385
|
Medium |
The rquotad daemon must be disabled on AIX. |
The rquotad service allows NFS clients to enforce disk quotas on file systems that are mounted on the local system. This service should be disabled if to prevent attacks. |
|
V-215384
|
Medium |
The kshell daemon must be disabled on AIX. |
The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted communications. The recommendation is to use SSH wherever possible instead of kshell.
If the kshell service is used, you should use the latest Kerberos version available and must make sure... |
|
V-215383
|
Medium |
The klogin daemon must be disabled on AIX. |
The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the network. However, it is still not as secure as SSH, which encrypts all traffic. If using klogin to log in to a system, the password is not sent... |
|
V-215382
|
Medium |
The sprayd daemon must be disabled on AIX. |
The sprayd service is used as a tool to generate UDP packets for testing and diagnosing network problems. The service must be disabled if NFS is not in use, as it can be used by attackers in a Distributed Denial of Service (DDoS) attack. |
|
V-215381
|
Medium |
The rusersd daemon must be disabled on AIX. |
The rusersd service runs as root and provides a list of current users active on a system. An attacker may use this service to learn valid account names on the system. This is not an essential service and should be disabled. |
|
V-215380
|
Medium |
The rstatd daemon must be disabled on AIX. |
The rstatd service is used to provide kernel statistics and other monitorable parameters pertinent to the system such as: CPU usage, system uptime, network usage etc. An attacker may use this information in a DoS attack. This service should be disabled. |
|
V-215379
|
Medium |
The pcnfsd daemon must be disabled on AIX. |
The pcnfsd service is an authentication and printing program, which uses NFS to provide file transfer services. This service is vulnerable and exploitable and permits the machine to be compromised both locally and remotely. If PC NFS clients are required within the environment, Samba is recommended as an alternative software... |
|
V-215378
|
Medium |
The dtspc daemon must be disabled on AIX. |
The dtspc service deals with the CDE interface of the X11 daemon. It is started automatically by the inetd daemon in response to a CDE client requesting a process to be started on the daemon's host. This makes it vulnerable to buffer overflow attacks, which may allow an attacker to... |
|
V-215377
|
Medium |
The discard daemon must be disabled on AIX. |
The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it receives. This is a /dev/null service and is obsolete. This can be used in DoS attacks and therefore, must be disabled to prevent attacks. |
|
V-215376
|
Medium |
The chargen daemon must be disabled on AIX. |
This service is used to test the integrity of TCP/IP packets arriving at the destination.
This chargen service is a character generator service and is used for testing the integrity of TCP/IP packets arriving at the destination. An attacker may spoof packets between machines running the chargen service and thus... |
|
V-215374
|
Medium |
The talk daemon must be disabled on AIX. |
This talk service is used to establish an interactive two-way communication link between two UNIX users. Unless required the talk service will be disabled to prevent attacks. |
|
V-215373
|
Medium |
The time daemon must be disabled on AIX. |
This service can be used to synchronize system clocks.
The time service is an obsolete process used to synchronize system clocks at boot time. This has been superseded by NTP, which should be used if time synchronization is necessary. Unless required the time service must be disabled. |
|
V-215372
|
Medium |
The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX. |
This service facilitates file copying between networked servers.
The uucp (UNIX to UNIX Copy Program), service allows users to copy files between networked machines. Unless an application or process requires UUCP this should be disabled to prevent attacks. |
|
V-215371
|
Medium |
The ttdbserver daemon must be disabled on AIX. |
The ttdbserver service is the tool-talk database service for CDE. This service runs as root and should be disabled. Unless required the ttdbserver service will be disabled to prevent attacks. |
|
V-215370
|
Medium |
The cmsd daemon must be disabled on AIX. |
This is a calendar and appointment service for CDE.
The cmsd service is utilized by CDE to provide calendar functionality. If CDE is not required, this service should be disabled to prevent attacks. |
|
V-215369
|
Medium |
The daytime daemon must be disabled on AIX. |
The daytime service provides the current date and time to other servers on a network.
This daytime service is a defunct time service, typically used for testing purposes only. The service should be disabled as it can leave the system vulnerable to DoS ping attacks. |
|
V-215368
|
Medium |
The ndpd-router must be disabled on AIX. |
This manages the Neighbor Discovery Protocol (NDP) for non-kernel activities, required in IPv6.
The ndpd-router manages NDP for non-kernel activities. Unless the server utilizes IPv6, this is not required and should be disabled to prevent attacks. |
|
V-215367
|
Medium |
The ndpd-host daemon must be disabled on AIX. |
This is the Neighbor Discovery Protocol (NDP) daemon, required in IPv6.
The ndpd-host is the NDP daemon for the server. Unless the server utilizes IPv6, this is not required and should be disabled to prevent attacks. |
|
V-215366
|
Medium |
The aixmibd daemon must be disabled on AIX. |
The aixmibd daemon is a dpi2 sub-agent which manages a number of MIB variables.
To prevent attacks this daemon should not be enabled unless there is no alternative. |
|
V-215365
|
Medium |
If SNMP is not required on AIX, the snmpmibd daemon must be disabled. |
The snmpmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. If snmpd is not required, it is recommended that it is disabled. |
|
V-215364
|
Medium |
If AIX server does not host an SNMP agent, the dpid2 daemon must be disabled. |
The dpid2 daemon acts as a protocol converter, which enables DPI (SNMP v2) sub-agents, such as hostmibd, to talk to a SNMP v1 agent that follows SNMP MUX protocol.
To prevent attacks this daemon should not be enabled unless there is no alternative. |
|
V-215363
|
Medium |
The timed daemon must be disabled on AIX. |
This is the old UNIX time service.
The timed daemon is the old UNIX time service. Disable this service and use xntp, if time synchronization is required in the environment. |
|
V-215362
|
Medium |
If rwhod is not required on AIX, the rwhod daemon must be disabled. |
This is the remote WHO service.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
|
V-215361
|
Medium |
If AIX server is not functioning as a network router, the routed daemon must be disabled. |
The routed daemon manages the network routing tables in the kernel.
To prevent attacks this daemon should not be enabled unless there is no alternative. |
|
V-215360
|
Medium |
If AIX server is not functioning as a DNS server, the named daemon must be disabled. |
This is the server for the DNS protocol and controls domain name resolution for its clients.
To prevent attacks this daemon should not be enabled unless there is no alternative. |
|
V-215359
|
Medium |
If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled. |
This daemon is an implementation of the multicast routing protocol.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
|
V-215358
|
Medium |
If AIX server is not functioning as a network router, the gated daemon must be disabled. |
This daemon provides gateway routing functions for protocols such as RIP and SNMP.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
|
V-215357
|
Medium |
If IPv6 is not utilized on AIX server, the autoconf6 daemon must be disabled. |
"autoconf6" is used to automatically configure IPv6 interfaces at boot time. Running this service may allow other hosts on the same physical subnet to connect via IPv6, even when the network does not support it. Disable this unless you use IPv6 on the server. |
|
V-215356
|
Medium |
If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled. |
The dhcprd daemon listens for broadcast packets, receives them, and forwards them to the appropriate server.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
|
V-215355
|
Medium |
The AIX DHCP client must be disabled. |
The dhcpcd daemon receives address and configuration information from the DHCP server. DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used.
To prevent remote attacks this daemon should not be enabled unless there is no alternative.
Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 |
|
V-215354
|
Medium |
If SNMP is not required on AIX, the snmpd service must be disabled. |
The snmpd daemon is used by many 3rd party applications to monitor the health of the system. This allows remote monitoring of network and server configuration.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
|
V-215353
|
Medium |
If sendmail is not required on AIX, the sendmail service must be disabled. |
The sendmail service has many historical vulnerabilities and, where possible, should be disabled. If the system is not required to operate as a mail server i.e. sending, receiving or processing e-mail, disable the sendmail daemon. |
|
V-215352
|
Medium |
If NFS is not required on AIX, the NFS daemon must be disabled. |
The rcnfs entry starts the NFS daemons during system boot.
NFS is a service with numerous historical vulnerabilities and should not be enabled unless there is no alternative. If NFS serving is required, then read-only exports are recommended and no filesystem or directory should be exported with root access. Unless... |
|
V-215351
|
Medium |
If there are no X11 clients that require CDE on AIX, the dt service must be disabled. |
This entry executes the CDE startup script which starts the AIX Common Desktop Environment.
To prevent attacks this daemon should not be enabled unless there is no alternative. |
|
V-215350
|
Medium |
If AIX system does not support either local or remote printing, the piobe service must be disabled. |
The piobe daemon is the I/O back end for the printing process, handling the job scheduling and spooling.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
|
V-215349
|
Medium |
If AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled. |
The lpd daemon accepts remote print jobs from other systems.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
|
V-215348
|
Medium |
The AIX qdaemon must be disabled if local or remote printing is not required. |
The qdaemon program is the printing scheduling daemon that manages the submission of print jobs to the piobe service.
To prevent remote attacks this daemon should not be enabled unless there is no alternative. |
|
V-215345
|
Medium |
AIX run control scripts executable search paths must contain only absolute paths. |
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. |
|
V-215344
|
Medium |
AIX sendmail logging must not be set to less than nine in the sendmail.cf file. |
If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the sendmail service. |
|
V-215343
|
Medium |
The AIX hosts.lpd file must not contain a + character. |
Having the '+' character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources. |
|
V-215342
|
Medium |
The AIX global initialization files must contain the mesg -n or mesg n commands. |
Command "mesg -n" allows only the root user the permission to send messages to your workstation to avoid having others clutter your display with incoming messages. |
|
V-215341
|
Medium |
The sticky bit must be set on all public directories on AIX systems. |
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the... |
|
V-215340
|
Medium |
All AIX files and directories must have a valid owner. |
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be... |
|
V-215339
|
Medium |
All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. |
If a user is assigned the GID of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended rights to the group. |
|
V-215338
|
Medium |
AIX system must restrict the ability to switch to the root user to members of a defined group. |
Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials. |
|
V-215337
|
Medium |
AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt. |
Limiting the number of login attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. |
|
V-215336
|
Medium |
AIX must remove all software components after updated versions have been installed. |
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. |
|
V-215335
|
Medium |
AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at AIX-level.
Some of the programs, installed by... |
|
V-215333
|
Medium |
AIX must use Trusted Execution (TE) Check policy. |
Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via... |
|
V-215332
|
Medium |
The AIX user home directories must not have extended ACLs. |
Excessive permissions on home directories allow unauthorized access to user files. |
|
V-215331
|
Medium |
All AIX users home directories must have mode 0750 or less permissive. |
Excessive permissions on home directories allow unauthorized access to user files. |
|
V-215330
|
Medium |
AIX NFS server must be configured to restrict file system access to local hosts. |
The NFS access option limits user access to the specified level. This assists in protecting exported file systems. If access is not restricted, unauthorized hosts may be able to access the system's NFS exports. |
|
V-215329
|
Medium |
The AIX ldd command must be disabled. |
The ldd command provides a list of dependent libraries needed by a given binary, which is useful for troubleshooting software. Instead of parsing the binary file, some ldd implementations invoke the program with a special environment variable set, which causes the system dynamic linker to display the list of libraries.... |
|
V-215328
|
Medium |
The AIX /etc/group file must not have an extended ACL. |
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
|
V-215327
|
Medium |
AIX passwd.nntp file must have mode 0600 or less permissive. |
File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users. |
|
V-215326
|
Medium |
All library files must not have extended ACLs. |
Unauthorized access could destroy the integrity of the library files. |
|
V-215325
|
Medium |
All system command files must not have extended ACLs. |
Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default system executables and files present in directories included in the system's default executable search paths. |
|
V-215324
|
Medium |
AIX log files must not have extended ACLs, except as needed to support authorized software. |
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their... |
|
V-215323
|
Medium |
AIX log files must have mode 0640 or less permissive. |
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their... |
|
V-215321
|
Medium |
AIX SSH private host key files must have mode 0600 or less permissive. |
If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information.
If the private key is stolen, this will lead... |
|
V-215320
|
Medium |
AIX must set inactivity time-out on login sessions and terminate all login sessions after 10 minutes of inactivity. |
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses... |
|
V-215318
|
Medium |
AIX must automatically lock after 15 minutes of inactivity in the CDE Graphical desktop environment. |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating... |
|
V-215317
|
Medium |
The AIX audit configuration files must be set to 640 or less permissive. |
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate,... |
|
V-215316
|
Medium |
The AIX audit configuration files must be group-owned by audit. |
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate,... |
|
V-215315
|
Medium |
The AIX audit configuration files must be owned by root. |
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate,... |
|
V-215314
|
Medium |
AIX must be configured to use syslogd to log events by TCPD. |
Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions.
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings.... |
|
V-215313
|
Medium |
The AIX syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures. |
Unintentionally running a syslog server accepting remote messages puts the system at increased risk. Malicious syslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service. |
|
V-215312
|
Medium |
AIX must implement a remote syslog server that is documented using site-defined procedures. |
If a remote log host is in use and it has not been justified and documented, sensitive information could be obtained by unauthorized users without the administrator’s knowledge.
Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
|
V-215308
|
Medium |
AIX system must require authentication upon booting into single-user and maintenance modes. |
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
|
V-215306
|
Medium |
If AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses. |
The SSH daemon should only listen on the approved listening IP addresses. Otherwise the SSH service could be subject to unauthorized access. |
|
V-215305
|
Medium |
The AIX SSH daemon must not allow RhostsRSAAuthentication. |
If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific authentication. |
|
V-215304
|
Medium |
The AIX SSH daemon must be configured to not use host-based authentication. |
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
|
V-215303
|
Medium |
The AIX SSH daemon must be configured to disable user .rhosts files. |
Trust .rhost file means a compromise on one host can allow an attacker to move trivially to other hosts. |
|
V-215302
|
Medium |
The AIX SSH daemon must be configured to disable empty passwords. |
When password authentication is allowed, PermitEmptyPasswords specifies whether the server allows login to accounts with empty password strings. If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
|
V-215301
|
Medium |
AIX must turn off TCP forwarding for the SSH daemon. |
SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. |
|
V-215300
|
Medium |
AIX must turn off X11 forwarding for the SSH daemon. |
X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed. |
|
V-215299
|
Medium |
AIX SSH daemon must perform strict mode checking of home directory configuration files. |
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. |
|
V-215298
|
Medium |
AIX must turn on SSH daemon reverse name checking. |
If reverse name checking is off, SSH may allow a remote attacker to circumvent security policies and attempt to or actually login from IP addresses that are not permitted to access resources. |
|
V-215297
|
Medium |
AIX must turn on SSH daemon privilege separation. |
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section. |
|
V-215296
|
Medium |
The AIX SSH daemon must not allow compression. |
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. |
|
V-215295
|
Medium |
The AIX SSH daemon must be configured for IP filtering. |
The SSH daemon must be configured for IP filtering to provide a layered defense against connection attempts from unauthorized addresses. |
|
V-215294
|
Medium |
AIX SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. |
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. |
|
V-215293
|
Medium |
AIX must setup SSH daemon to disable revoked public keys. |
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). |
|
V-215292
|
Medium |
If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication. |
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed. |
|
V-215291
|
Medium |
AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions. |
Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions.
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings.... |
|
V-215290
|
Medium |
AIX must config the SSH idle timeout interval. |
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses... |
|
V-215289
|
Medium |
The AIX SSH server must use SSH Protocol 2. |
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.... |
|
V-215288
|
Medium |
All AIX shells referenced in passwd file must be listed in /etc/shells file, except any shells specified for the purpose of preventing logins. |
The /etc/shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized unsecure shell. |
|
V-215287
|
Medium |
On AIX, the SSH server must not permit root logins using remote access programs. |
Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password. |
|
V-215286
|
Medium |
AIX must monitor and record unsuccessful remote logins. |
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through... |
|
V-215285
|
Medium |
AIX must monitor and record successful remote logins. |
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through... |
|
V-215284
|
Medium |
AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods. |
Without protection of the transmitted or received information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained... |
|
V-215283
|
Medium |
AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required. |
The AIX Encrypted File System (EFS) is a J2 filesystem-level encryption through individual key stores. This allows for file encryption in order to protect confidential data from attackers with physical access to the computer. User authentication and access control lists can protect files from unauthorized access (even from root user)... |
|
V-215282
|
Medium |
The AIX /etc/group file must have mode 0644 or less permissive. |
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
|
V-215281
|
Medium |
AIX time synchronization configuration file must have mode 0640 or less permissive. |
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. File permissions more permissive... |
|
V-215280
|
Medium |
Samba packages must be removed from AIX. |
If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts. |
|
V-215279
|
Medium |
AIX library files must have mode 0755 or less permissive. |
Unauthorized access could destroy the integrity of the library files. |
|
V-215278
|
Medium |
All files and directories contained in users home directories on AIX must be group-owned by a group in which the home directory owner is a member. |
If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files. |
|
V-215277
|
Medium |
All AIX interactive users home directories must be group-owned by the home directory owner primary group. |
If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files. |
|
V-215276
|
Medium |
All AIX interactive users home directories must be owned by their respective users. |
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. |
|
V-215275
|
Medium |
The AIX /etc/group file must be group-owned by security. |
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
|
V-215274
|
Medium |
The AIX /etc/group file must be owned by root. |
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
|
V-215273
|
Medium |
AIX time synchronization configuration file must be group-owned by bin, or system. |
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files... |
|
V-215272
|
Medium |
AIX time synchronization configuration file must be owned by root. |
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files... |
|
V-215271
|
Medium |
AIX audio devices must be group-owned by root, sys, bin, or system. |
Without privileged group owners, audio devices will be vulnerable to being used as eaves-dropping devices by malicious users or intruders to possibly listen to conversations containing sensitive information. |
|
V-215270
|
Medium |
AIX cron and crontab directories must be owned by root or bin. |
Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron or crontab directories to root or to bin provides the designated owner and unauthorized users with the potential to... |
|
V-215269
|
Medium |
The inetd.conf file on AIX must be owned by root. |
Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture. |
|
V-215268
|
Medium |
AIX system files, programs, and directories must be group-owned by a system group. |
Restricting permissions will protect the files from unauthorized modification. |
|
V-215267
|
Medium |
AIX log files must be owned by a system group. |
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their... |
|
V-215266
|
Medium |
AIX log files must be owned by a system account. |
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their... |
|
V-215265
|
Medium |
AIX must not have IP forwarding for IPv6 enabled unless the system is an IPv6 router. |
If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices. |
|
V-215264
|
Medium |
AIX must be configured with a default gateway for IPv6 if the system uses IPv6 unless the system is a router. |
If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks. |
|
V-215263
|
Medium |
IP forwarding for IPv4 must not be enabled on AIX unless the system is a router. |
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. |
|
V-215262
|
Medium |
AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router. |
If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks. |
|
V-215261
|
Medium |
AIX must remove !authenticate option from sudo config files. |
sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are not required to reauthenticate for privilege escalation. |
|
V-215256
|
Medium |
AIX audit logs must be rotated daily. |
Rotate audit logs daily to preserve audit file system space and to conform to the DoD/DISA requirement. If it is not rotated daily and moved to another location, then there is more of a chance for the compromise of audit data by malicious users. |
|
V-215255
|
Medium |
AIX must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generated by AIX include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time... |
|
V-215254
|
Medium |
AIX must provide a report generation function that supports on-demand audit review and analysis, on-demand reporting requirements, and after-the-fact investigations of security incidents. |
The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate... |
|
V-215253
|
Medium |
AIX must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility. |
In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity.
The task of allocating audit record storage capacity is usually performed during initial installation of AIX. |
|
V-215252
|
Medium |
AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. |
If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost.
This requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements.... |
|
V-215251
|
Medium |
AIX must verify the hash of audit tools. |
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
Audit tools include, but are not limited to, vendor-provided... |
|
V-215250
|
Medium |
AIX audit tools must be set to 4550 or less permissive. |
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the... |
|
V-215249
|
Medium |
AIX audit tools must be group-owned by audit. |
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the... |
|
V-215248
|
Medium |
AIX audit tools must be owned by root. |
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.
Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the... |
|
V-215247
|
Medium |
AIX must start audit at boot. |
If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. |
|
V-215246
|
Medium |
AIX must provide audit record generation functionality for DoD-defined auditable events. |
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
The list of audited events... |
|
V-215245
|
Medium |
Audit logs on the AIX system must be set to 660 or less permissive. |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 |
|
V-215244
|
Medium |
Audit logs on the AIX system must be group-owned by system. |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 |
|
V-215243
|
Medium |
Audit logs on the AIX system must be owned by root. |
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 |
|
V-215242
|
Medium |
AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents. |
The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded.
Events... |
|
V-215241
|
Medium |
AIX must be configured to generate an audit record when 75% of the audit file system is full. |
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
Audit processing... |
|
V-215240
|
Medium |
AIX must produce audit records containing the full-text recording of privileged commands. |
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of... |
|
V-215239
|
Medium |
AIX must produce audit records containing information to establish the outcome of the events. |
Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system.
Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state... |
|
V-215238
|
Medium |
AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event. |
Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine... |
|
V-215237
|
Medium |
AIX must produce audit records containing information to establish where the events occurred. |
Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as operating system components,... |
|
V-215236
|
Medium |
AIX must produce audit records containing information to establish what the date, time, and type of events that occurred. |
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail... |
|
V-215235
|
Medium |
AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option. |
The nodev (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system not containing approved device files. Device files can provide direct access to system hardware and can compromise security if not protected. |
|
V-215234
|
Medium |
NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs. |
The nosuid mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system not containing approved setuid files. Executing setuid files from untrusted file systems, or file systems not containing approved setuid files, increases the opportunity for unprivileged... |
|
V-215232
|
Medium |
AIX must require passwords to contain no more than three consecutive repeating characters. |
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. |
|
V-215231
|
Medium |
If SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf config file. |
Use default SNMP password increases the chance of security vulnerability on SNMP service. |
|
V-215230
|
Medium |
The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. |
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise. |
|
V-215229
|
Medium |
AIX must prevent the use of dictionary words for passwords. |
If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks. |
|
V-215227
|
Medium |
AIX must enforce password complexity by requiring that at least one special character be used. |
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor in determining how long it takes to... |
|
V-215223
|
Medium |
AIX Operating systems must enforce a 60-day maximum password lifetime restriction. |
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. |
|
V-215222
|
Medium |
AIX Operating systems must enforce 24 hours/1 day as the minimum password lifetime. |
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding... |
|
V-215216
|
Medium |
AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
Use of weak or untested encryption algorithms undermines the purposes of... |
|
V-215215
|
Medium |
AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. |
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.... |
|
V-215214
|
Medium |
If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. |
If LDAP authentication is used, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. |
|
V-215212
|
Medium |
AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image. |
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity can... |
|
V-215211
|
Medium |
AIX must be configured to allow users to directly initiate a session lock for all connection types. |
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
The session lock is implemented at the point where session... |
|
V-215210
|
Medium |
AIX nosuid option must be enabled on all NFS client mounts. |
Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users with unprivileged access to the local system may be able to acquire privileged access by executing suid or... |
|
V-215209
|
Medium |
All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions. |
When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to provide the appropriate level of non-privileged access. |
|
V-215208
|
Medium |
AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours. |
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Synchronizing internal... |
|
V-215207
|
Medium |
AIX must protect the confidentiality and integrity of all information at rest. |
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system.
This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to... |
|
V-215206
|
Medium |
The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups. |
A plus (+) in system accounts files causes the system to lookup the specified entry using NIS. If the system is not using NIS, no such entries should exist. |
|
V-215205
|
Medium |
If LDAP authentication is required, AIX must setup LDAP client to refresh user and group caches less than a day. |
If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
|
V-215203
|
Medium |
Any publically accessible connection to AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. |
|
|
V-215202
|
Medium |
The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX. |
|
|
V-215201
|
Medium |
The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX. |
|
|
V-215200
|
Medium |
AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system. |
|
|
V-215199
|
Medium |
The AIX root accounts home directory must not have an extended ACL. |
Excessive permissions on root home directories allow unauthorized access to root user files. |
|
V-215198
|
Medium |
The AIX root accounts home directory (other than /) must have mode 0700. |
Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. |
|
V-215196
|
Medium |
The AIX root accounts list of preloaded libraries must be empty. |
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. |
|
V-215195
|
Medium |
UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems. |
Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, possibly leading to the user having permissions to modify system files. |
|
V-215194
|
Medium |
The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID. |
Reserved GIDs are typically used by system software packages. If non-system groups have GIDs in this range, they may conflict with system software, possibly leading to the group having permissions to modify system files. |
|
V-215193
|
Medium |
The AIX root account must not have world-writable directories in its executable search path. |
If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and inadvertently run by root with all of root's privileges. |
|
V-215192
|
Medium |
AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. |
To centralize the management of privileged account crontabs, of the default system accounts, only root may have a crontab. |
|
V-215191
|
Medium |
AIX administrative accounts must not run a web browser, except as needed for local service administration. |
If a web browser flaw is exploited while running as a privileged user, the entire system could be compromised.
Specific exceptions for local service administration should be documented in site-defined policy. These exceptions may include HTTP(S)-based tools used for the administration of the local system, services, or attached devices. Examples... |
|
V-215190
|
Medium |
All AIX public directories must be owned by root or an application account. |
If a public directory has the sticky bit set and is not owned by a privileged UID, unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The... |
|
V-215189
|
Medium |
AIX system must prevent the root account from directly logging in except from the system console. |
Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device.
A common attack method of potential hackers is to obtain the root password.
To avoid this type of attack, disable direct access to the root ID and then... |
|
V-215188
|
Medium |
AIX must provide xlock command in the CDE environment to let users retain their sessions lock until users are reauthenticated. |
All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecure poses a potential security hazard.
If the interface is AIXwindows (CDE), use the xlock command to lock the sessions. |
|
V-215187
|
Medium |
AIX must provide the lock command to let users retain their session lock until users are reauthenticated. |
All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecure poses a potential security hazard.
To lock the terminal, use the lock command. |
|
V-215186
|
Medium |
AIX must configure the ttys value for all interactive users. |
A user's "ttys" attribute controls from which device(s) the user can authenticate and log in. If the "ttys" attribute is not specified, all terminals can access the user account. |
|
V-215184
|
Medium |
AIX device files and directories must only be writable by users with a system account or as configured by the vendor. |
System device files in writable directories could be modified, removed, or used by an unprivileged user to control system hardware. |
|
V-215183
|
Medium |
All system files, programs, and directories must be owned by a system account. |
Restricting permissions will protect the files from unauthorized modification. |
|
V-215182
|
Medium |
The regular users default primary group must be staff (or equivalent) on AIX. |
The /usr/lib/security/mkuser.default file contains the default primary groups for regular and admin users. Setting a system group as the regular users' primary group increases the risk that the regular users can access privileged resources. |
|
V-215181
|
Medium |
The shipped /etc/security/mkuser.sys file on AIX must not be customized directly. |
The "/etc/security/mkuser.sys" script customizes the new user account when a new user is created, or a user is logging into the system without a home directory. An improper "/etc/security/mkuser.sys" script increases the risk that non-privileged users may obtain elevated privileges. |
|
V-215180
|
Medium |
The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. |
Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system... |
|
V-215178
|
Medium |
Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts. |
Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability. |
|
V-215173
|
Medium |
If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA. |
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. |
|
V-215172
|
Medium |
AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types. |
Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. |
|
V-215171
|
Medium |
AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator. |
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128 |
|
V-215170
|
Medium |
AIX must automatically remove or disable temporary user accounts after 72 hours or sooner. |
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
Temporary accounts are established as part of normal account activation... |
|
V-215169
|
Medium |
AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account. |
The "/etc/security/mkuser.sys.custom" is called by "/etc/security/mkuser.sys" to customize the new user account when a new user is created, or a user is logging into the system without a home directory. An improper "/etc/security/mkuser.sys.custom" script increases the risk that non-privileged users may obtain elevated privileges. It must not exist unless it... |
|
V-215413
|
Low |
AIX must contain no .forward files. |
The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops which could degrade system performance. |
|
V-215412
|
Low |
If the AIX host is running an SMTP service, the SMTP greeting must not provide version information. |
The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version. |
|
V-215311
|
Low |
If csh/tcsh shell is used, AIX must display logout messages. |
If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated.
Information resources to which users gain access... |
|
V-215310
|
Low |
If Bourne / ksh shell is used, AIX must display logout messages. |
If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated.
Information resources to which users gain access... |
|
V-215309
|
Low |
If bash is used, AIX must display logout messages. |
If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated.
Information resources to which users gain access... |
