This web site uses advanced JavaScript for several data processing functions. Internet Explorer has severe deficiencies in it's JavaScript engine. Please use a modern day browser, such as Chrome or Edge, in order to take full advantage of this web site.
The AIX Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]
Vuln
Rule
Version
CCI
Severity
Title
Description
SV-38932r1_rule
GEN000400
CCI-000048
MEDIUM
The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.System AdministratorECWM-1
SV-38671r1_rule
GEN000460
CCI-000044
MEDIUM
The system must disable accounts after three consecutive unsuccessful login attempts.
Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.System AdministratorECLO-1, ECLO-2
SV-38839r1_rule
GEN000480
CCI-000043
MEDIUM
The delay between login prompts following a failed login attempt must be at least 4 seconds.
Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.System AdministratorECLO-1, ECLO-2
SV-27107r1_rule
GEN000560
CCI-000366
HIGH
The system must not have accounts configured with blank or null passwords.
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured without a password, the entire system may be compromised. For user accounts not using password authentication, the account must be configured with a password lock value instead of a blank or null value. System AdministratorIAIA-1, IAIA-2
SV-773r2_rule
GEN000880
CCI-000366
MEDIUM
The root account must be the only account having an UID of 0.
If an account has an UID of 0, it has root authority. Multiple accounts with an UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account.System AdministratorECLP-1
SV-38940r1_rule
GEN000900
CCI-000366
LOW
The root user's home directory must not be the root directory (/).
Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places in its default directory. It also gives root the same discretionary access control for root's home directory as for the other plain user home directories.System AdministratorECCD-1, ECCD-2
SV-38941r1_rule
GEN000920
CCI-000225
MEDIUM
The root account's home directory (other than /) must have mode 0700.
Permissions greater than 0700 could allow unauthorized users access to the root home directory.System AdministratorECCD-1, ECCD-2
SV-40085r3_rule
GEN000940
CCI-000366
MEDIUM
The root accounts executable search path must be the vendor default and must contain only authorized paths.
The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, two consecutive colons, or a single period, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.System Administrator
SV-777r2_rule
GEN000960
CCI-000366
MEDIUM
The root account must not have world-writable directories in its executable search path.
If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and inadvertently run by root with all of root's privileges.
System AdministratorECCD-1, ECCD-2
SV-38683r1_rule
GEN000980
CCI-000770
MEDIUM
The system must prevent the root account from directly logging in except from the system console.
Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device.System AdministratorECPA-1
SV-27071r1_rule
GEN000380
CCI-000366
LOW
All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
If a user is assigned the GID of a group that does not exist on the system, and a group with that GID is subsequently created, the user may have unintended rights to the group.
System AdministratorECSC-1
SV-787r2_rule
GEN001260
CCI-001314
MEDIUM
System log files must have mode 0640 or less permissive.
If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value.System AdministratorECTP-1
SV-38735r1_rule
GEN001800
CCI-000225
MEDIUM
All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.
System AdministratorECLP-1
SV-38775r1_rule
GEN001320
CCI-000225
MEDIUM
NIS/NIS+/yp files must be owned by root, sys, or bin.
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-38776r1_rule
GEN001340
CCI-000225
MEDIUM
NIS/NIS+/yp files must be group-owned by sys, bin, other, or system.
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-38781r1_rule
GEN001360
CCI-000225
MEDIUM
The NIS/NIS+/yp files must have mode 0755 or less permissive.
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise these processes and the system.System AdministratorECLP-1
SV-794r4_rule
GEN001200
CCI-001499
MEDIUM
All system command files must have mode 755 or less permissive.
Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default system executables and files present in directories included in the system's default executable search paths.Elevate to Severity Code I if any file listed is world-writable.System Administrator
SV-38944r1_rule
GEN001400
CCI-000225
MEDIUM
The /etc/security/passwd file must be owned by root.
The /etc/security/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-798r2_rule
GEN001380
CCI-000225
MEDIUM
The /etc/passwd file must have mode 0644 or less permissive.
If the password file is writable by a group owner or the world, the risk of password file compromise is increased. The password file contains the list of accounts on the system and associated information.System AdministratorECLP-1
SV-38728r1_rule
GEN001420
CCI-000225
MEDIUM
The /etc/security/passwd file must have mode 0400.
The /etc/security/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which must not be accessible to users other than root.System AdministratorECLP-1
SV-821r2_rule
GEN003720
CCI-000225
MEDIUM
The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
Failure to give ownership of sensitive files or utilities to root provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-822r2_rule
GEN003740
CCI-000225
MEDIUM
The inetd.conf and xinetd.conf files must have mode 0440 or less permissive.
The Internet service daemon configuration files must be protected as malicious modification could cause Denial of Service or increase the attack surface of the system.System AdministratorECLP-1
SV-823r2_rule
GEN003760
CCI-000225
MEDIUM
The services file must be owned by root or bin.
Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-824r2_rule
GEN003780
CCI-000225
MEDIUM
The services file must have mode 0444 or less permissive.
The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network services.System AdministratorECLP-1
SV-38893r1_rule
GEN001780
CCI-000366
LOW
Global initialization files must contain the mesg -n or mesg n commands.
If the mesg -n or mesg n command is not placed into the system profile, messaging can be used to cause a Denial of Service attack.System AdministratorECSC-1
SV-40836r1_rule
GEN004360
CCI-000225
MEDIUM
The alias file must be owned by root.
If the alias file is not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email.System AdministratorECLP-1
SV-40684r1_rule
GEN004380
CCI-000225
MEDIUM
The alias file must have mode 0644 or less permissive.
Excessive permissions on the aliases file may permit unauthorized modification. If the alias file is modified by an unauthorized user, they may modify the file to run malicious code or redirect email.System AdministratorECLP-1
SV-28403r1_rule
GEN004880
CCI-000225
MEDIUM
The ftpusers file must exist.
The ftpusers file contains a list of accounts not allowed to use FTP to transfer files. If this file does not exist, then unauthorized accounts can utilize FTP.
System AdministratorECCD-1, ECCD-2
SV-28409r1_rule
GEN004920
CCI-000225
MEDIUM
The ftpusers file must be owned by root.
If the file ftpusers is not owned by root, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.
System AdministratorECLP-1
SV-28412r1_rule
GEN004940
CCI-000225
MEDIUM
The ftpusers file must have mode 0640 or less permissive.
Excessive permissions on the ftpusers file could permit unauthorized modification. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized users to access the FTP service.System AdministratorECLP-1
SV-901r2_rule
GEN001480
CCI-000225
MEDIUM
All users' home directories must have mode 0750 or less permissive.
Excessive permissions on home directories allow unauthorized access to user's files.System AdministratorECLP-1
SV-38846r1_rule
GEN002220
CCI-000225
HIGH
All shell files must have mode 0755 or less permissive.
Shells with world/group write permissions give the ability to maliciously modify the shell to obtain unauthorized access.System AdministratorECLP-1
SV-28445r1_rule
GEN005740
CCI-000225
MEDIUM
The NFS export configuration file must be owned by root.
Failure to give ownership of the NFS export configuration file to root provides the designated owner and possible unauthorized users with the potential to change system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-28447r1_rule
GEN005760
CCI-000225
LOW
The NFS export configuration file must have mode 0644 or less permissive.
Excessive permissions on the NFS export configuration file could allow unauthorized modification of the file, which could result in Denial of Service to authorized NFS exports and the creation of additional unauthorized exports.System AdministratorECCD-1, ECCD-2, ECLP-1
SV-27318r1_rule
GEN002960
CCI-000225
MEDIUM
Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
The cron facility allows users to execute recurring jobs on a regular and unattended basis. The cron.allow file designates accounts allowed to enter and execute jobs using the cron facility. If neither cron.allow nor cron.deny exists, then any account may use the cron facility. This may open the facility up for abuse by system intruders and malicious users.System AdministratorECLP-1
SV-27324r1_rule
GEN002980
CCI-000225
MEDIUM
The cron.allow file must have mode 0600 or less permissive.
A cron.allow file that is readable and/or writable by other than root could allow potential intruders and malicious users to use the file contents to help discern information, such as who is allowed to execute cron programs, which could be harmful to overall system and network security.System AdministratorECLP-1
SV-27340r1_rule
GEN003080
CCI-000225
MEDIUM
Crontab files must have mode 0600 or less permissive.
To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured.
System AdministratorECLP-1
SV-27342r1_rule
GEN003100
CCI-000225
MEDIUM
Cron and crontab directories must have mode 0755 or less permissive.
To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured.
System AdministratorECLP-1
SV-27345r1_rule
GEN003120
CCI-000225
MEDIUM
Cron and crontab directories must be owned by root or bin.
Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron or crontab directories to root or to bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-39104r1_rule
GEN003140
CCI-000225
MEDIUM
Cron and crontab directories must be group-owned by system, sys, bin, or cron.
To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. Failure to give group ownership of cron or crontab directories to a system group provides the designated group and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-27377r1_rule
GEN003280
CCI-000225
MEDIUM
Access to the at utility must be controlled via the at.allow and/or at.deny file(s).
The at facility selectively allows users to execute jobs at deferred times. It is usually used for one-time jobs. The at.allow file selectively allows access to the at facility. If there is no at.allow file, there is no ready documentation of who is allowed to submit at jobs.System AdministratorECLP-1
SV-27381r1_rule
GEN003300
CCI-000225
MEDIUM
The at.deny file must not be empty if it exists.
On some systems, if there is no at.allow file and there is an empty at.deny file, then the system assumes everyone has permission to use the at facility. This could create an insecure setting in the case of malicious users or system intruders.trueInformation Assurance OfficerSystem AdministratorECLP-1
SV-27385r1_rule
GEN003320
CCI-000225
MEDIUM
Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
Default accounts, such as bin, sys, adm, uucp, daemon, and others, should never have access to the at facility. This would create a possible vulnerability open to intruders or malicious users.System AdministratorECPA-1
SV-27389r1_rule
GEN003340
CCI-000225
MEDIUM
The at.allow file must have mode 0600 or less permissive.
Permissions more permissive than 0600 (read, write and execute for the owner) may allow unauthorized or malicious access to the at.allow and/or at.deny files.
System AdministratorECLP-1
SV-40724r1_rule
GEN006100
CCI-000225
MEDIUM
The /usr/lib/smb.conf file must be owned by root.
The /usr/lib/smb.conf file allows access to other machines on the network and grants permissions to certain users. If it is owned by another user, the file may be maliciously modified and the Samba configuration could be compromised.System AdministratorECLP-1
SV-39229r1_rule
GEN006140
CCI-000225
MEDIUM
The /usr/lib/smb.conf file must have mode 0644 or less permissive.
If the smb.conf file has excessive permissions, the file may be maliciously modified and the Samba configuration could be compromised.System AdministratorECLP-1
SV-40379r1_rule
GEN006160
CCI-000225
MEDIUM
The /var/private/smbpasswd file must be owned by root.
If the smbpasswd file is not owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.System AdministratorECLP-1
SV-38768r1_rule
GEN000540
CCI-000198
MEDIUM
Users must not be able to change passwords more than once every 24 hours.
The ability to change passwords frequently facilitates users reusing the same password. This can result in users effectively never changing their passwords. This would be accomplished by users changing their passwords when required and then immediately changing it to the original value.System AdministratorECSC-1
SV-39231r1_rule
GEN006120
CCI-000225
MEDIUM
The /usr/lib/smb.conf file must be group-owned by bin, sys, or system.
If the group-owner of the smb.conf file is not root or a system group, the file may be maliciously modified and the Samba configuration could be compromised.System AdministratorECLP-1
SV-39235r1_rule
GEN006180
CCI-000225
MEDIUM
The /var/private/smbpasswd file must be group-owned by sys or system.
If the smbpasswd file is not group-owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.System AdministratorECLP-1
SV-40725r1_rule
GEN006200
CCI-000225
MEDIUM
The /var/private/smbpasswd file must have mode 0600 or less permissive.
If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.System AdministratorECLP-1
SV-38679r1_rule
GEN000800
CCI-000200
MEDIUM
The system must prohibit the reuse of passwords within five iterations.
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.System AdministratorIAIA-1, IAIA-2
SV-4284r2_rule
GEN000000-AIX00040
CCI-000032
MEDIUM
The securetcpip command must be used.
The AIX securetcpip command disables insecure network utilities, such as rcp, rlogin, rlogind, rsh, rshd, tftp, tftpd, and trpt/d. These services increase the attack surface of the system.System AdministratorECSC-1
SV-40862r2_rule
GEN005500
CCI-001436
HIGH
The SSH daemon must be configured to only use the SSHv2 protocol.
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.System Administrator
SV-27149r1_rule
GEN001000
CCI-000070
MEDIUM
Remote consoles must be disabled or protected from unauthorized access.
The remote console feature provides an additional means of access to the system which could allow unauthorized access if not disabled or properly secured. With virtualization technologies, remote console access is essential as there is no physical console for virtual machines. Remote console access must be protected in the same manner as any other remote privileged access method.System AdministratorECSC-1
SV-27360r1_rule
GEN003200
CCI-000225
MEDIUM
The cron.deny file must have mode 0600 or less permissive.
If file permissions for cron.deny are more permissive than 0600, sensitive information could be viewed or edited by unauthorized users.
System AdministratorECLP-1
SV-27367r1_rule
GEN003240
CCI-000225
MEDIUM
The cron.allow file must be owned by root, bin, or sys.
If the owner of the cron.allow file is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or to edit sensitive information.System AdministratorECLP-1
SV-38907r1_rule
GEN003400
CCI-000225
MEDIUM
The at directory must have mode 0755 or less permissive.
If the at directory has a mode more permissive than 0755, unauthorized users could be allowed to view or to edit files containing sensitive information within the at directory. Unauthorized modifications could result in Denial of Service to authorized at jobs.System AdministratorECLP-1
SV-27393r1_rule
GEN003460
CCI-000225
MEDIUM
The at.allow file must be owned by root, bin, or sys.
If the owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.System AdministratorECLP-1
SV-27397r1_rule
GEN003480
CCI-000225
MEDIUM
The at.deny file must be owned by root, bin, or sys.
If the owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.System AdministratorECLP-1
SV-28393r1_rule
GEN003960
CCI-000225
MEDIUM
The traceroute command owner must be root.
If the traceroute command owner has not been set to root, an unauthorized user could use this command to obtain knowledge of the network topology inside the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.System AdministratorECLP-1
SV-28397r1_rule
GEN003980
CCI-000225
MEDIUM
The traceroute command must be group-owned by sys, bin, or system.
If the group owner of the traceroute command has not been set to a system group, unauthorized users could have access to the command and use it to gain information regarding a network's topology inside of the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.System AdministratorECLP-1
SV-28400r1_rule
GEN004000
CCI-000225
MEDIUM
The traceroute file must have mode 0700 or less permissive.
If the mode of the traceroute executable is more permissive than 0700, malicious code could be inserted by an attacker and triggered whenever the traceroute command is executed by authorized users. Additionally, if an unauthorized user is granted executable permissions to the traceroute command, it could be used to gain information about the network topology behind the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.System AdministratorECLP-1
SV-4385r2_rule
GEN004580
CCI-000366
MEDIUM
The system must not use .forward files.
The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops which could degrade system performance.System AdministratorECSC-1
SV-4387r2_rule
GEN005000
CCI-000225
HIGH
Anonymous FTP accounts must not have a functional shell.
If an anonymous FTP account has been configured to use a functional shell, attackers could gain access to the shell if the account is compromised.System AdministratorECCD-1, ECCD-2
SV-4393r2_rule
GEN005400
CCI-000225
MEDIUM
The /etc/syslog.conf file must be owned by root.
If the /etc/syslog.conf file is not owned by root, unauthorized users could be allowed to view, edit, or delete important system messages handled by the syslog facility.System AdministratorECLP-1
SV-40364r1_rule
GEN005420
CCI-000225
MEDIUM
The /etc/syslog.conf file must be group-owned by bin, sys, or system.
If the group owner of /etc/syslog.conf is not root, bin, or sys, unauthorized users could be permitted to view, edit, or delete important system messages handled by the syslog facility.System AdministratorECLP-1
SV-27372r1_rule
GEN003260
CCI-000225
MEDIUM
The cron.deny file must be owned by root, bin, or sys.
Cron daemon control files restrict the scheduling of automated tasks and must be protected.
System AdministratorECLP-1
SV-27434r1_rule
GEN003820
CCI-000068
HIGH
The rsh daemon must not be running.
The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.
System AdministratorInformation Assurance OfficerEBRU-1
SV-38878r1_rule
GEN003840
CCI-001435
HIGH
The rexec daemon must not be running.
The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.trueInformation Assurance OfficerSystem AdministratorECSC-1
SV-27440r1_rule
GEN003860
CCI-001551
LOW
The system must not have the finger service active.
The finger service provides information about the system's users to network clients. This information could expose information that could be used in subsequent attacks.
System AdministratorDCPP-1
SV-27052r1_rule
GEN000100
CCI-001230
HIGH
The operating system must be a supported release.
An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.If an extended support agreement providing security patches for the unsupported product is procured from the vendor, this finding may be downgraded to a CAT III.System AdministratorVIVM-1
SV-38936r2_rule
GEN000580
CCI-000205
MEDIUM
The system must require passwords to contain a minimum of 15 characters.
The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space.System Administrator
SV-39503r1_rule
GEN000640
CCI-001619
MEDIUM
The system must require that passwords contain at least one special character.
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.System AdministratorIAIA-1, IAIA-2
SV-38675r1_rule
GEN000680
CCI-000366
MEDIUM
The system must require passwords to contain no more than three consecutive repeating characters.
To enforce the use of complex passwords, the number of consecutive repeating characters is limited. Passwords with excessive repeated characters may be more vulnerable to password-guessing attacks.System AdministratorIAIA-1, IAIA-2
SV-38939r1_rule
GEN000700
CCI-000180
MEDIUM
User passwords must be changed at least every 60 days.
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.System AdministratorIAIA-1, IAIA-2
SV-38882r1_rule
GEN001720
CCI-000225
MEDIUM
All global initialization files must have mode 0644 or less permissive.
Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon.System AdministratorECLP-1
SV-38884r1_rule
GEN001740
CCI-000225
MEDIUM
All global initialization files must be owned by root.
Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-38892r1_rule
GEN001760
CCI-000225
MEDIUM
All global initialization files must be group-owned by sys, bin, system, or security.
Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-38737r1_rule
GEN001820
CCI-000225
MEDIUM
All skeleton files and directories (typically in /etc/skel) must be owned by root or bin.
If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-12489r2_rule
GEN002040
CCI-000366
HIGH
There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
The .rhosts, .shosts, hosts.equiv, and shosts.equiv files are used to configure host-based authentication for individual users or the system. Host-based authentication is not sufficient for preventing unauthorized access to the system.System AdministratorInformation Assurance OfficerECCD-1, ECCD-2
SV-27402r1_rule
GEN003500
CCI-000366
LOW
Process core dumps must be disabled unless needed.
Process core dumps contain the memory in use by the process when it crashed. Process core dump files can be of significant size and their use can result in file systems filling to capacity, which may result in Denial of Service. Process core dumps can be useful for software debugging. System AdministratorECCD-1, ECCD-2
SV-38948r1_rule
GEN003600
CCI-001551
MEDIUM
The system must not forward IPv4 source-routed packets.
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.System AdministratorECSC-1
SV-41532r1_rule
GEN006620
CCI-000366
MEDIUM
The system's access control program must be configured to grant or deny system access to specific hosts.
If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.System AdministratorECSC-1
SV-12536r2_rule
GEN000000-AIX00080
CCI-000225
HIGH
The SYSTEM attribute must not be set to NONE for any account.
The SYSTEM attribute in /etc/security/user defines the mechanisms used to authenticate specific user accounts. If the value is set to NONE, other attributes will be used to determine the authentication mechanisms, but if these attributes are not present, no authentication will be performed. To ensure authentication is always used for the system's accounts, the SYSTEM attribute must always be set to a valid setting other than NONE.
System AdministratorIAIA-1, IAIA-2
SV-38880r1_rule
GEN003865
CCI-000305
MEDIUM
Network analysis tools must not be installed.
Network analysis tools allow for the capture of network traffic visible to the system.System AdministratorDCPA-1
SV-39091r1_rule
GEN000241
CCI-000366
MEDIUM
The system clock must be synchronized continuously, or at least daily.
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. Internal system clocks tend to drift and require periodic resynchronization to ensure their accuracy. Software, such as ntpd, can be used to continuously synchronize the system clock with authoritative sources. Alternatively, the system may be synchronized periodically, with a maximum of one day between synchronizations.
If the system is completely isolated (no connections to networks or other systems), time synchronization is not required as no correlation of events or operation of time-dependent protocols between systems will be necessary. If the system is completely isolated, this requirement is not applicable.System AdministratorECSC-1
SV-40383r1_rule
GEN000250
CCI-000225
MEDIUM
The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system account, unauthorized modifications could result in the failure of time synchronization.System AdministratorECLP-1
SV-39093r1_rule
GEN000251
CCI-000225
MEDIUM
The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by bin, sys, or system.
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system group, unauthorized modifications could result in the failure of time synchronization.System AdministratorECLP-1
SV-40384r1_rule
GEN000252
CCI-000225
MEDIUM
The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not protected, unauthorized modifications could result in the failure of time synchronization.System AdministratorECLP-1
SV-38769r1_rule
GEN000585
CCI-000205
MEDIUM
The system must enforce the entire password during authentication.
Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password.
System AdministratorIAIA-1, IAIA-2
SV-38672r1_rule
GEN000595
CCI-000196
MEDIUM
The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.System AdministratorDCNR-1, IAIA-1, IAIA-2
SV-38677r2_rule
GEN000750
CCI-000195
MEDIUM
The system must require at least eight characters be changed between the old and new passwords during a password change.
To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.System Administrator
SV-38678r1_rule
GEN000790
CCI-000189
MEDIUM
The system must prevent the use of dictionary words for passwords.
An easily guessable password provides an open door to any external or internal malicious intruder. Many computer compromises occur as the result of account name and password guessing. This is generally done by someone with an automated script using repeated logon attempts until the correct account and password pair is guessed. Utilities, such as cracklib, can be used to validate that passwords are not dictionary words and meet other criteria during password changes.
System AdministratorIAIA-1, IAIA-2
SV-38680r1_rule
GEN000850
CCI-000009
LOW
The system must restrict the ability to switch to the root user to members of a defined group.
Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials.System AdministratorECLP-1
SV-38770r1_rule
GEN000945
CCI-000366
MEDIUM
The root account's library search path must be the system default and must contain only absolute paths.
The library search path environment variable(s) contains a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.System AdministratorECSC-1
SV-38772r1_rule
GEN000950
CCI-000366
MEDIUM
The root account's list of preloaded libraries must be empty.
The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries. Paths starting with (/) are absolute paths.System AdministratorECSC-1
SV-26395r1_rule
GEN001362
CCI-000225
MEDIUM
The /etc/resolv.conf file must be owned by root.
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.
System AdministratorECLP-1
SV-39099r1_rule
GEN001363
CCI-000225
MEDIUM
The /etc/resolv.conf file must be group-owned by bin, sys, or system.
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-26397r1_rule
GEN001364
CCI-000225
MEDIUM
The /etc/resolv.conf file must have mode 0644 or less permissive.
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-26410r2_rule
GEN001366
CCI-000225
MEDIUM
The /etc/hosts file must be owned by root.
The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.System Administrator
SV-39100r1_rule
GEN001367
CCI-000225
MEDIUM
The /etc/hosts file must be group-owned by bin, sys, or system.
The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-26412r1_rule
GEN001368
CCI-000225
MEDIUM
The /etc/hosts file must have mode 0644 or less permissive.
The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-26425r1_rule
GEN001378
CCI-000225
MEDIUM
The /etc/passwd file must be owned by root.
The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.System AdministratorECLP-1
SV-38723r1_rule
GEN001379
CCI-000225
MEDIUM
The /etc/passwd file must be group-owned by bin, security, sys, or system.
The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.System AdministratorECLP-1
SV-26431r1_rule
GEN001391
CCI-000225
MEDIUM
The /etc/group file must be owned by root.
The /etc/group file is critical to system security and must be owned by a privileged user. The group file contains a list of system groups and associated information.System AdministratorECLP-1
SV-38725r1_rule
GEN001392
CCI-000225
MEDIUM
The /etc/group file must be group-owned by security, bin, sys, or system.
The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.System AdministratorECLP-1
SV-26433r1_rule
GEN001393
CCI-000225
MEDIUM
The /etc/group file must have mode 0644 or less permissive.
The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.System AdministratorECLP-1
SV-38727r1_rule
GEN001410
CCI-000225
MEDIUM
The /etc/security/passwd file must be group-owned by security, bin, sys, or system.
The /etc/security/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which must not be accessible to users other than root.System AdministratorECLP-1
SV-26447r1_rule
GEN001475
CCI-000225
MEDIUM
The /etc/group file must not contain any group password hashes.
Group passwords are typically shared and should not be used. Additionally, if password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes.System AdministratorECLP-1
SV-38738r1_rule
GEN001830
CCI-000225
MEDIUM
All skeleton files (typically in /etc/skel) must be group-owned by security.
If the skeleton files are not protected, unauthorized personnel could change user start-up parameters and possibly jeopardize user files.System AdministratorECLP-1
SV-39346r1_rule
GEN003250
CCI-000225
MEDIUM
The cron.allow file must be group-owned by system, bin, sys, or cron.
If the group of the cron.allow is not set to system, bin, sys, or cron, the possibility exists for an unauthorized user to view or edit the list of users permitted to use cron. Unauthorized modification of this file could cause Denial of Service to authorized cron users or provide unauthorized users with the ability to run cron jobs.
System AdministratorECLP-1
SV-38787r1_rule
GEN003252
CCI-000225
MEDIUM
The at.deny file must have mode 0640 or less permissive.
The at daemon control files restrict access to scheduled job manipulation and must be protected. Unauthorized modification of the at.deny file could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.System AdministratorECLP-1
SV-38789r1_rule
GEN003270
CCI-000225
MEDIUM
The cron.deny file must be group-owned by system, bin, sys, or cron.
Cron daemon control files restrict the scheduling of automated tasks and must be protected. Unauthorized modification of the cron.deny file could result in Denial of Service to authorized cron users or could provide unauthorized users with the ability to run cron jobs.System AdministratorECLP-1
SV-39352r1_rule
GEN003430
CCI-000225
MEDIUM
The "at" directory must be group-owned by system, bin, sys, or cron.
If the group of the "at" directory is not system, bin, sys, or cron, unauthorized users could be allowed to view or edit files containing sensitive information within the directory.System AdministratorECLP-1
SV-39354r1_rule
GEN003470
CCI-000225
MEDIUM
The at.allow file must be group-owned by system, bin, sys, or cron.
If the group-owner of the at.allow file is not set to system, bin, sys, or cron, unauthorized users could be allowed to view or edit the list of users permitted to run at jobs. Unauthorized modification could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.System AdministratorECLP-1
SV-39356r1_rule
GEN003490
CCI-000225
MEDIUM
The at.deny file must be group-owned by system, bin, sys, or cron.
If the group owner of the at.deny file is not set to system, bin, sys, or cron, unauthorized users could be allowed to view or edit sensitive information contained within the file. Unauthorized modification could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.System AdministratorECLP-1
SV-38949r1_rule
GEN003606
CCI-001551
MEDIUM
The system must prevent local applications from generating source-routed packets.
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.System AdministratorECSC-1
SV-38800r1_rule
GEN003607
CCI-001551
MEDIUM
The system must not accept source-routed IPv4 packets.
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a routerSystem AdministratorECSC-1
SV-38801r1_rule
GEN003609
CCI-001503
MEDIUM
The system must ignore IPv4 ICMP redirect messages.
ICMP redirect messages are used by routers to inform hosts a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
System AdministratorECSC-1
SV-38802r1_rule
GEN003610
CCI-001551
MEDIUM
The system must not send IPv4 ICMP redirects.
ICMP redirect messages are used by routers to inform hosts a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.System AdministratorECSC-1
SV-38803r1_rule
GEN003612
CCI-001092
MEDIUM
The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
A TCP SYN flood attack can cause Denial of Service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies are a mechanism used to not track a connection until a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This technique does not operate in a fully standards-compliant manner, but is only activated when a flood condition is detected, and allows defense of the system while continuing to service valid requests.System AdministratorECSC-1
SV-40385r1_rule
GEN003730
CCI-000225
MEDIUM
The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by bin, sys, or system.
Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-39112r1_rule
GEN003770
CCI-000225
MEDIUM
The services file must be group-owned by bin, sys, or system.
Failure to give ownership of system configuration files to root or a system group provides the designated owner and unauthorized users with the potential to change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-38952r1_rule
GEN003815
CCI-000305
MEDIUM
The portmap or rpcbind service must not be installed unless needed.
The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using Remote Procedure Calls (RPCs).System AdministratorECSC-1
SV-38876r1_rule
GEN003830
CCI-000068
MEDIUM
The rlogind service must not be running.
The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.System AdministratorDCPP-1
SV-39875r1_rule
GEN003930
CCI-000225
MEDIUM
The hosts.lpd (or equivalent) file must be group-owned by bin, sys, or system.
Failure to give group ownership of the hosts.lpd file to bin, sys, or system provides the members of the owning group and possible unauthorized users, with the potential to modify the hosts.lpd file. Unauthorized modifications could disrupt access to local printers from authorized remote hosts or permit unauthorized remote access to local printers.System AdministratorECLP-1
SV-40683r1_rule
GEN004370
CCI-000225
MEDIUM
The aliases file must be group-owned by sys, bin, or system.
If the alias file is not group-owned by a system group, an unauthorized user may modify the file to add aliases to run malicious code or redirect e-mail.System AdministratorECLP-1
SV-39180r1_rule
GEN004930
CCI-000225
MEDIUM
The ftpusers file must be group-owned by bin, sys, or system.
If the ftpusers file is not group-owned by a system group, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.System AdministratorECLP-1
SV-26740r1_rule
GEN005390
CCI-000225
MEDIUM
The /etc/syslog.conf file must have mode 0640 or less permissive.
Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file.System AdministratorECLP-1
SV-26755r1_rule
GEN005511
CCI-000366
MEDIUM
The SSH client must be configured to not use CBC-based ciphers.
The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
System AdministratorECSC-1
SV-26756r2_rule
GEN005512
CCI-001453
MEDIUM
The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.System Administrator
SV-26763r1_rule
GEN005521
CCI-000225
MEDIUM
The SSH daemon must restrict login ability to specific users and/or groups.
Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access.System AdministratorECLP-1
SV-26764r1_rule
GEN005522
CCI-000225
MEDIUM
The SSH public host key files must have mode 0644 or less permissive.
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.System AdministratorECLP-1
SV-26765r1_rule
GEN005523
CCI-000225
MEDIUM
The SSH private host key files must have mode 0600 or less permissive.
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.System AdministratorECLP-1
SV-40714r1_rule
GEN005524
CCI-000366
LOW
The SSH daemon must not permit GSSAPI authentication unless needed.
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.System AdministratorECSC-1
SV-40715r1_rule
GEN005525
CCI-000366
LOW
The SSH client must not permit GSSAPI authentication unless needed.
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.System AdministratorECSC-1
SV-40716r1_rule
GEN005526
CCI-000366
LOW
The SSH daemon must not permit Kerberos authentication unless needed.
Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.
System AdministratorECSC-1
SV-40720r1_rule
GEN005536
CCI-000225
MEDIUM
The SSH daemon must perform strict mode checking of home directory configuration files.
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.System AdministratorECLP-1
SV-40721r1_rule
GEN005537
CCI-000225
MEDIUM
The SSH daemon must use privilege separation.
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.System AdministratorECLP-1
SV-40722r1_rule
GEN005538
CCI-000366
MEDIUM
The SSH daemon must not allow rhosts RSA authentication.
If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific authentication.System AdministratorECSC-1
SV-40723r1_rule
GEN005539
CCI-000366
MEDIUM
The SSH daemon must not allow compression or must only allow compression after successful authentication.
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.System AdministratorECSC-1
SV-38931r1_rule
GEN007840
CCI-000366
MEDIUM
The DHCP client must be disabled if not needed.
DHCP allows for the unauthenticated configuration of network parameters on the system by exchanging information with a DHCP server.System AdministratorECSC-1
SV-38963r1_rule
GEN007850
CCI-000366
MEDIUM
The DHCP client must not send dynamic DNS updates.
Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.System AdministratorECSC-1
SV-38825r1_rule
GEN007860
CCI-001551
MEDIUM
The system must ignore IPv6 ICMP redirect messages.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.System AdministratorECSC-1
SV-38826r1_rule
GEN007880
CCI-001551
MEDIUM
The system must not send IPv6 ICMP redirects.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table that could reveal portions of the network topology.System AdministratorECSC-1
SV-38827r1_rule
GEN007920
CCI-001551
MEDIUM
The system must not forward IPv6 source-routed packets.
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. System AdministratorECSC-1
SV-38828r1_rule
GEN007940
CCI-001551
MEDIUM
The system must not accept source-routed IPv6 packets.
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv6 forwarding is enabled and the system is functioning as a router.System AdministratorECSC-1
SV-38969r1_rule
GEN008060
CCI-000225
MEDIUM
If the system is using LDAP for authentication or account information the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.System AdministratorECLP-1
SV-38970r1_rule
GEN008080
CCI-000225
MEDIUM
If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.System AdministratorECLP-1
SV-38971r1_rule
GEN008100
CCI-000225
MEDIUM
If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by security, bin, sys, or system.
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.System AdministratorECLP-1
SV-38934r1_rule
GEN000410
CCI-000048
MEDIUM
The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
NOTE: SFTP and FTPS are encrypted alternatives to FTP and should be used in place of FTP. SFTP is implemented by the SSH service and uses its banner configuration.System AdministratorECWM-1
SV-38796r1_rule
GEN003601
CCI-000366
MEDIUM
TCP backlog queue sizes must be set appropriately.
To provide some mitigation to TCP DoS attacks, the clear_partial_conns parameter must be enabled.System AdministratorECSC-1
SV-38953r1_rule
GEN003850
CCI-000197
HIGH
The telnet daemon must not be running.
The telnet daemon provides a typically unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised.GEN003850If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated, and this is not a finding.System AdministratorDCPP-1
SV-38695r1_rule
GEN000000-AIX0085
CCI-000225
MEDIUM
The /etc/netsvc.conf file must be root owned.
The /etc/netsvc.conf file is used to specify the ordering of name resolution for the sendmail command, alias resolution for the sendmail command, and host name resolution routines. Malicious changes could prevent the system from functioning correctly or compromise system security.System AdministratorECLP-1
SV-38696r1_rule
GEN000000-AIX0090
CCI-000225
MEDIUM
The /etc/netsvc.conf file must be group-owned by bin, sys, or system.
The /etc/netsvc.conf file is used to specify the ordering of name resolution for the sendmail command, alias resolution for the sendmail command, and host name resolution routines. Malicious changes could prevent the system from functioning correctly or compromise system security.System AdministratorECLP-1
SV-38697r1_rule
GEN000000-AIX0100
CCI-000225
MEDIUM
The /etc/netsvc.conf file must have mode 0644 or less permissive.
The /etc/netsvc.conf file is used to specify the ordering of name resolution for the sendmail command, alias resolution for the sendmail command, and host name resolution routines. Malicious changes could prevent the system from functioning correctly or compromise system security.System AdministratorECLP-1
SV-38699r1_rule
GEN000000-AIX0200
CCI-000032
MEDIUM
The system must not allow directed broadcasts to gateway.
Disabling directed broadcast prevents packets directed to a gateway to be broadcasted on a remote network.System AdministratorECSC-1
SV-38700r1_rule
GEN000000-AIX0210
CCI-000032
MEDIUM
The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections.
The ICMP attacks may be of the form of ICMP source quench attacks and Path MTU Discovery (PMTUD) attacks. If this network option tcp_icmpsecure is turned on, the system does not react to ICMP source quench messages. This will protect against ICMP source quench attacks. The payload of the ICMP message is tested to determine if the sequence number of the TCP header portion of the payload is within the range of acceptable sequence numbers. This will mitigate PMTUD attacks to a large extent.
System AdministratorECSC-1
SV-38701r1_rule
GEN000000-AIX0220
CCI-000032
MEDIUM
The system must provide protection for the TCP stack against connection resets, SYN, and data injection attacks.
The tcp_tcpsecure parameter provides protection for TCP connections from fake SYN's, fake RST, and data injections on established connections. The first vulnerability involves sending a fake SYN to an established connection to abort the connection. The second vulnerability involves sending a fake RST to an established connection to abort the connection. The third vulnerability involves injecting fake data in an established TCP connection.System AdministratorECSC-1
SV-38702r1_rule
GEN000000-AIX0230
CCI-000032
MEDIUM
The system must provide protection against IP fragmentation attacks.
The parameter ip_nfrag provides an additional layer of protection against IP fragmentation attacks. The value the ip_nfrag specifies is the maximum number of fragments of an IP packet that can be kept in the IP reassembly queue at any time. The default value of this network option is 200. This is a reasonable value for most environments and offers protection from IP fragmentation attacks. System AdministratorECSC-1
SV-38703r1_rule
GEN000000-AIX0300
CCI-000032
MEDIUM
The system must not have the bootp service active.
The bootp service is used for Network Installation Management (NIM) and remote booting of systems. The bootp service should not be active unless it is needed for NIM servers or booting remote systems. Running unnecessary services increases the attack vector of the system.System AdministratorECSC-1
SV-38704r1_rule
GEN009140
CCI-001436
MEDIUM
The system must not have the chargen service active.
When contacted, chargen responds with some random characters. When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. An easy attack is 'ping-pong' in which an attacker spoofs a packet between two machines running chargen. This will cause them to spew characters at each other, slowing the machines down and saturating the network.
The chargen service is unnecessary and provides an opportunity for Denial of Service attack. System AdministratorECSC-1
SV-38705r1_rule
GEN009160
CCI-001436
MEDIUM
The system must not have the Calendar Manager Service Daemon (CMSD) service active.
The CMSD service for CDE is an unnecessary process that runs a root and increases attack vector of the system. Buffer overflow attacks against the CMSD process can potentially give access to the system.System AdministratorECSC-1
SV-38706r1_rule
GEN009180
CCI-001436
MEDIUM
The system must not have the tool-talk database server (ttdbserver) service active.
The ttdbserver service for CDE is an unnecessary service that runs as root and might be compromised.System AdministratorECSC-1
SV-38707r1_rule
GEN009190
CCI-001436
MEDIUM
The system must not have the comsat service active.
The comsat daemon notifies users on incoming email. This is an unnecessary service and is vulnerable to a flood attack. Running unnecessary services increases the attack vector of the system.System AdministratorECSC-1
SV-38708r1_rule
GEN009200
CCI-001436
MEDIUM
The system must not have the daytime service active.
The daytime service runs as root from the inetd daemon and can provide an opportunity for Denial of Service PING or PING-PONG attacks. The daytime service is unnecessary and it increases the attack vector of the system.System AdministratorECSC-1
SV-38709r1_rule
GEN009210
CCI-001436
MEDIUM
The system must not have the discard service active.
The discard service runs as root from the inetd server and can be used in Denial of Service attacks. The discard service is unnecessary and it increases the attack vector of the system.System AdministratorECSC-1
SV-38710r1_rule
GEN009220
CCI-001436
MEDIUM
The system must not have the dtspc service active.
This service is started automatically by the inetd daemon with root permission in response to a CDE client requesting a process to be started on the daemon’s host system. Running the dtscp service is unnecessary and it increases the attack vector of the system.System AdministratorECSC-1
SV-38711r1_rule
GEN009230
CCI-001436
MEDIUM
The system must not have the echo service active.
The echo service can be used in Denial of Service or SMURF attacks. It can also used at someone else to get through a firewall or start a data storm. The echo service is unnecessary and it increases the attack vector of the system.System AdministratorECSC-1
SV-38712r1_rule
GEN009240
CCI-001436
MEDIUM
The system must not have Internet Message Access Protocol (IMAP) service active.
The IMAP service should not be running unless the system is acting as a mail server for client connections. Running unnecessary services increases the attack vector on the system.System AdministratorECSC-1
SV-38713r1_rule
GEN009250
CCI-001436
MEDIUM
The system must not have the PostOffice Protocol (POP3) service active.
The POP3 service is only needed if the server is acting as a mail server and clients are using applications that only support POP3. Users' ids and passwords are sent in plain text to the POP3 service. If mail client access is needed, consider using IMAP or SSL enabled POP3.System AdministratorECSC-1
SV-38714r1_rule
GEN009260
CCI-001436
MEDIUM
The system must not have the talk or ntalk services active.
The talk and ntalk commands allow users on the same or different systems on converse. The talk daemons are started from the inetd process and run as root. These unnecessary processes increase the attack vector of the system and may cause Denial of Service by scrambling the users display. System AdministratorECSC-1
SV-38715r1_rule
GEN009270
CCI-001436
MEDIUM
The system must not have the netstat service active on the inetd process.
The netstat service can potentially give out network information on active connections if it is running. The information given out can aid in an attack and weaken the systems defensive posture.System AdministratorECSC-1
SV-38716r1_rule
GEN009280
CCI-001436
MEDIUM
The system must not have the PCNFS service active.
The PCNFS service predates Microsoft’s SMB specifications. If a similar service is needed to share files from a Windows based OS to a UNIX based OS, consider SAMBA.System AdministratorECSC-1
SV-38717r1_rule
GEN009290
CCI-001436
MEDIUM
The system must not have the systat service active.
The systat daemon allows remote users to see the running process and who is running them. This may aid in information collection for an attack and weaken the security posture of the system.System AdministratorECSC-1
SV-38718r1_rule
GEN009300
CCI-001436
MEDIUM
The inetd time service must not be active on the system on the inetd daemon.
The time service is an internal inetd function is used by the rdate command. This service is sometimes used to synchronize clocks at boot time. The service is outdated. Use the ntpdate command instead.System AdministratorECSC-1
SV-38719r1_rule
GEN009310
CCI-001436
MEDIUM
The system must not have the rusersd service active.
The rusersd daemon gives out a list of current uses on the system. The rusersd daemon is unnecessary and it increases the attack vector of the system by providing information on the current users of the system.System AdministratorECSC-1
SV-38720r1_rule
GEN009320
CCI-001436
MEDIUM
The system must not have the sprayd service active.
The sprayd service is sometimes used for network and nfs troubleshooting. The spray service can be used for both buffer overflow and Denial of Service attacks by saturating the network. The sprayd daemon is an unnecessary service.System AdministratorECSC-1
SV-38721r1_rule
GEN009330
CCI-001436
MEDIUM
The system must not have the rstatd service active.
The rstatd can give out information on the running system, such as the CPU usage, the system uptime, its network usage, and other system information that could potentially aid in an attack. The rstatd service is unnecessary and it weakens the defensive posture of the system. If systems monitoring is needed, use a third party tool or SNMP. System AdministratorECSC-1
SV-38750r1_rule
GEN000000-AIX0310
CCI-000032
MEDIUM
The /etc/ftpaccess.ctl file must exist.
The ftpaccess.ctl file contains options for the ftp daemon, such as herald, motd, user access, and permissions to files and directories. If the ftpaccess.ctl file does not exist, the ftpd process will not display any warning banners, and permissions will only be enforced using basic UNIX permissions. System AdministratorECSC-1
SV-38751r1_rule
GEN000000-AIX0320
CCI-000225
MEDIUM
The /etc/ftpaccess.ctl file must be owned by root.
If the ftpaccess.ctl file is not owned by root, an unauthorized user may modify the file to allow unauthorized access to change the file. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized access to system information.
System Administrator
SV-38752r1_rule
GEN000000-AIX0330
CCI-000225
MEDIUM
The /etc/ftpaccess.ctl file must be group-owned by bin, sys, or system.
If the ftpaccess.ctl file is not group-owned by a system group, an unauthorized user may modify the file to allow unauthorized access to modify the file. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized access to system information.System AdministratorECLP-1
SV-38753r1_rule
GEN000000-AIX0340
CCI-000225
MEDIUM
The /etc/ftpaccess.ctl file must have mode 0640 or less permissive.
Excessive permissions on the ftpaccess.ctl file could permit unauthorized modification. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized access to system information.System AdministratorECLP-1
Overview
RMF Control
Vuln Id
Rule Id
Version
CCI
Severity
Description
Details
Check Text ()
Fix Text ()
Feedback
Thank you so much for spending time on this site. We are always seeking feedback for suggestions or feature requests. Please let us know if there is anything you'd like to see added to the site.