AIX 5.3 SECURITY TECHNICAL IMPLEMENTATION GUIDE

Checks: C-27960r1_chk

Ensure the root account for any bootable partitions has a password assigned in the /etc/security/passwd file.

Fix: F-24305r1_fix

Assign a root account password for any bootable partition.

Generate Mitigation Statement:

Checks: C-36649r1_chk

Use the last command to check for multiple accesses to an account from different workstations/IP addresses. If users log directly onto accounts, rather than using the su command from their own named account to access them, this is a finding (such as logging directly on to Oracle). Also, ask the SA or the IAO if shared accounts are logged into directly or if users log on to an individual account and switch user to the shared account. # last <unix account> Shared or Application accounts can have direct login disabled by setting the rlogin parameter to false in the users stanza of the /etc/security/user file. #lsuser -a rlogin < user_id > If users log directly on to shared accounts, this is a finding.

Fix: F-31623r1_fix

Use the switch user (su) command from a named account login to access shared accounts. Maintain audit trails to identify the actual user of that account name. Document requirements and procedures for users/administrators to log into their own accounts first and then switch user (su) to the account that must be shared. Direct login to shared or application accounts can be prevented by setting the rlogin = false in the accounts stanza of the /etc/security/user file. Additional hardening of the shared/application accounts can be done with the sugroups = in the accounts stanza of the /etc/security/user file. #chuser rlogin=false < user id >

Generate Mitigation Statement:

Checks: C-27980r1_chk

Perform the following to ensure there are no duplicate account names: # usrck -n ALL If any duplicate account names are found, this is a finding.

Fix: F-24342r1_fix

Change user account names, or delete accounts, so each account has a unique name.

Generate Mitigation Statement:

Checks: C-27984r1_chk

Perform the following to ensure there are no duplicate UIDs: # usrck -n ALL If any duplicate UIDs are found, this is a finding.

Fix: F-24344r1_fix

Edit user accounts to provide unique UIDs for each account.

Generate Mitigation Statement:

Checks: C-28845r1_chk

Access the system console and make a logon attempt. Check for either of the following login banners based on the character limitations imposed by the system. An exact match is required. If one of these banners is not displayed, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. " OR "I've read &amp; consent to terms in IS user agreem't."

Fix: F-31626r1_fix

Edit /etc/security/login.cfg and assign the herald value for the default and /dev/console stanzas to one of the DoD login banners (based on the character limitations imposed by the system). # chsec -f /etc/security/login.cfg -s default -a herald="<DoD Login Banner>" OR # vi /etc/security/login.cfg and add a herald = <DoD Login Banner> statement to the default stanza DoD Login Banners: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. " OR "I've read & consent to terms in IS user agreem't."

Generate Mitigation Statement:

Checks: C-27996r1_chk

Determine if successful logons are being logged. # last | more Determine if unsuccessful logons are being logged. # last -f /etc/security/failedlogin | more If the commands do not return successful and unsuccessful logins, this is a finding.

Fix: F-31630r1_fix

Edit /etc/syslog.conf and add local log destinations for auth.* or both auth.notice and auth.info. "auth.info /var/log/authlog" Verify service startup scripts for syslog and utmp (if present) are enabled. # vi /etc/rc.tcpip Check the syslogd service is not commented out. Refresh syslogd. #refresh -s syslogd

Generate Mitigation Statement:

Checks: C-36678r1_chk

# /usr/sbin/lsuser -a loginretries ALL | more Check all active accounts on the system for the maximum number of tries before the system will lock the account. If a user has values set to 0 or greater then 3, this is a finding.

Fix: F-31633r1_fix

Use the chsec command to configure the number of unsuccessful logins resulting in account lockout. # chsec -f /etc/security/user -s default -a loginretries=3 # chsec -f /etc/security/user -s <user id> -a loginretries=3

Generate Mitigation Statement:

Checks: C-37832r1_chk

Check the logindelay parameter. # more /etc/security/login.cfg OR #grep logindelay /etc/security/login.cfg | grep -v \* Verify the value of the logindelay variable is 4 or more in each stanza. If the value of logindelay is not 4 or more, this is a finding.

Fix: F-33091r1_fix

Use vi or the chsec command to change the login delay time period. #chsec -f /etc/security/login.cfg -s default -a logindelay=4 OR # vi /etc/security/login.cfg Add logindelay = 4 to the default stanza.

Generate Mitigation Statement:

Checks: C-229r2_chk

If there is an application running on the system continuously in use (such as a network monitoring application), ask the SA what the name of the application is. Execute the following to determine which user owns the process(es) associated with the application. If the owner is root, this is a finding. # ps -ef | more

Fix: F-923r2_fix

Configure the system so the owner of a session requiring a continuous screen display, such as a network management display, is not root. Ensure the display is also located in a secure, controlled access area. Document and justify this requirement. Ensure the terminal and keyboard for the display (or workstation) are secure from all but authorized personnel by maintaining them in a secure area, in a locked cabinet where a swipe card, or other positive forms of identification, must be used to gain entry.

Generate Mitigation Statement:

Checks: C-28053r1_chk

Check the system for duplicate UID 0 assignments by listing all accounts assigned UID 0. Procedure: # grep ":0:" /etc/passwd | awk -F":" '{print$1":"$3":"}' | grep ":0:" If any accounts other than root are assigned UID 0, this is a finding.

Fix: F-24403r1_fix

Remove or change the UID of accounts other than root that have UID 0.

Generate Mitigation Statement:

Checks: C-28063r1_chk

Check the mode of the root home directory. Procedure: # grep "^root" /etc/passwd | awk -F":" '{print $6}' # ls -ld &lt;root home directory&gt; If the mode of the directory is not equal to 0700, this is a finding. If the home directory is /, this is not applicable.

Fix: F-32119r1_fix

The root home directory will have permissions of 0700. Do not change the protections of the / directory. Use the following command to change protections for the root home directory. # chmod 0700 /root.

Generate Mitigation Statement:

Checks: C-236r2_chk

To view the root user's PATH, log in as the root user, and execute the following. # env | grep PATH This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is a finding. If an entry starts with a character other than a slash (/), this is a finding. If directories beyond those in the vendor's default root path are present, this is a finding.

Fix: F-34156r1_fix

Edit the root user's local initialization files. Change any found PATH variable settings to the vendor's default path for the root user. Remove any empty path entries or references to relative paths. # cd <root's home directory> # vi .profile .cshrc If the bash shell is installed, edit these additional files. # vi .bashrc .bash_profile

Generate Mitigation Statement:

Checks: C-28064r1_chk

Check for world-writable permissions on all directories in the root user's executable search path. Procedure: # ls -ld `echo $PATH | sed "s/:/ /g"` If any of the directories in the PATH variable are world-writable, this is a finding.

Fix: F-24415r1_fix

For each world-writable path in root's executable search path, perform one of the following. 1. Remove the world-writable permission on the directory. Procedure: # chmod o-w <path> 2. Remove the world-writable directory from the executable search path. Procedure: Identify and edit the initialization file referencing the world-writable directory and remove it from the PATH variable.

Generate Mitigation Statement:

Checks: C-36930r1_chk

Check the remote login ability of the root account. Procedure: # lsuser -a rlogin root If the rlogin value is not false, this is a finding.

Fix: F-32196r1_fix

The root account can be protected from non-console device logins by setting rlogin = false in the root: stanza of the /etc/security/user file. #chsec -f /etc/security/user -s root -a rlogin=false

Generate Mitigation Statement:

Checks: C-280r2_chk

# more /etc/passwd Confirm all accounts with a GID of 99 and below (499 and below for Linux) are used by a system account. If a GID reserved for system accounts, 0 - 99 (0 - 499 for Linux), is used by a non-system account, this is a finding.

Fix: F-33336r1_fix

Change the primary group GID numbers for non-system accounts with reserved primary group GIDs (those less or equal to 99 in general, or 499 for Linux). # smitty chuser

Generate Mitigation Statement:

Checks: C-285r3_chk

Ask the SA or IAO if a host-based intrusion detection application is loaded on the system. Determine if the application is loaded on the system. Procedure: # find / -name &lt;daemon name&gt; -print Determine if the application is active on the system. Procedure: # ps -ef | grep &lt;daemon name&gt; If no host-based intrusion detection system is installed on the system, this is a finding.

Fix: F-936r3_fix

Install a host-based intrusion detection tool.

Generate Mitigation Statement:

Checks: C-36595r2_chk

Obtain the list of available security patches from IBM. Verify the available patches and service packs have been installed on the system. Check the currently running TL (Technology Levels and Service Packs). #oslevel -s Perform the following to obtain a list of installed patches. # /usr/sbin/instfix -i If there are security patches available and applicable for the system that have not been installed, this is a finding.

Fix: F-31604r1_fix

Use a web browser to access the vendor's support web site. Download the service packs and patches. Use SMIT to apply the updates. #smitty update_all

Generate Mitigation Statement:

Checks: C-289r2_chk

Check system directories for uneven file permissions. Procedure: # ls -lL /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin Uneven file permissions exist if the file owner has less permissions than the group or other user classes. If any of the files in the above listed directories contain uneven file permissions, this is a finding.

Fix: F-24427r1_fix

Change the mode of files with uneven permissions so owners do not have less permission than group or world users.

Generate Mitigation Statement:

Checks: C-290r2_chk

Check the system for files with no assigned owner. Procedure: # find / -nouser -print If any files have no assigned owner, this is a finding.

Fix: F-32206r1_fix

All directories and files (executable and data) will have an identifiable owner and group name. Either trace files to an authorized user, change the file's owner to root, or delete them. Determine the legitimate owner of the files and use the chown command to set the owner and group to the correct value. If the legitimate owner cannot be determined, change the owner to root (but make sure none of the changed files remain executable because they could be Trojan horses or other malicious code). Examine the files to determine their origin and the reason for their lack of an owner/group. #chown <a-valid-user> <directory>/<file>

Generate Mitigation Statement:

Checks: C-36945r1_chk

Check the mode of network services daemons. # ls -la /usr/sbin /usr/bin If the mode of a network services daemon is more permissive than 0755, this is a finding. NOTE: Network daemons that may not reside in these directories (such as httpd or sshd) must also be checked for the correct permissions.

Fix: F-940r2_fix

Change the mode of the network services daemon. # chmod 0755 <path>

Generate Mitigation Statement:

Checks: C-292r2_chk

Check the mode of log files. Procedure: # ls -lL /var/log /var/log/syslog /var/adm If any of the log files have modes more permissive than 0640, this is a finding.

Fix: F-941r2_fix

Change the mode of the system log file(s) to 0640 or less permissive. Procedure: # chmod 0640 /path/to/system-log-file NOTE: Do not confuse system log files with audit logs. Any subsystems that require less stringent permissions must be documented.

Generate Mitigation Statement:

Checks: C-37165r1_chk

Check skeleton files permissions. Procedure: # ls -l /etc/security/.profile If a skeleton file has a mode more permissive than 0644, this is a finding. Check the mkuser.sys file. The /etc/security/mkuser.sys is a script containing items used in creation of users' ~/.profile files. This script needs to be both protected from unauthorized modification, but also needs to be executable, therefore the permissions need to be at the mode of 755. #ls -l /etc/security/mkuser.sys If the mkuser.sys file has a mode more permissive than 0755, this is a finding.

Fix: F-32450r1_fix

Change the mode of skeleton files with incorrect mode. # chmod 0644 /etc/security/.profile #chmod 0755 /etc/security/mkuser.sys

Generate Mitigation Statement:

Checks: C-36963r1_chk

Perform the following to check NIS file ownership. # ls -lRa /var/nis /var/yp /usr/lib/nis /usr/lib/netsvc/yp If the file ownership is not root, sys, or bin, this is a finding.

Fix: F-35060r1_fix

Change the owner of the NIS files to root, sys, or bin. Procedure (example): # chown root < directory>/< file >

Generate Mitigation Statement:

Checks: C-36964r1_chk

Check the group ownership of the NIS files. Procedure: # ls -lRa /var/nis /var/yp /usr/lib/nis /usr/lib/netsvc/yp If the file group owner is not sys, bin, or system, this is a finding.

Fix: F-33349r1_fix

Change the group owner of the NIS files to sys, bin, system, or other. Procedure: # chgrp system < directory>/< file >

Generate Mitigation Statement:

Checks: C-37004r1_chk

Perform the following to check NIS file mode # ls -lRa /var/nis /var/yp /usr/lib/nis /usr/lib/netsvc/yp If the file's mode is more permissive than 0755, this is a finding.

Fix: F-945r2_fix

Change the mode of NIS/NIS+/yp files to 0755 or less permissive. Procedure (example): # chmod 0755 <filename>

Generate Mitigation Statement:

Checks: C-296r2_chk

Check the mode of library files. Procedure: # ls -lLR /usr/lib /lib If any of the library files have a mode more permissive than 0755, this is a finding.

Fix: F-32227r1_fix

Change the mode of library files to 0755 or less permissive. Procedure (example): # chmod 0755 <path>/<library-file> NOTE: Library files should have an extension of .a or .so (a=archive, so=shared object) extension, possibly followed by a version.

Generate Mitigation Statement:

Checks: C-298r4_chk

Check the permissions for files in /etc, /bin, /usr/bin, /usr/lbin, /usr/ucb, /sbin, and /usr/sbin. Procedure: # ls -lL /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any command file is listed and has a mode more permissive than 0755, this is a finding. NOTE: Elevate to Severity Code I if any command file listed is world-writable.

Fix: F-948r2_fix

Change the mode for system command files to 0755 or less permissive. Procedure: # chmod 0755 <filename>

Generate Mitigation Statement:

Checks: C-39522r1_chk

Check the ownership of system files, programs, and directories. Procedure: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any of the system files, programs, or directories are not owned by a system account, this is a finding. For this check, the system-provided "ipsec" user is considered to be a system account.

Fix: F-949r2_fix

Change the owner of system files, programs, and directories to a system account. Procedure: # chown root /some/system/file (A different system user may be used in place of root.)

Generate Mitigation Statement:

Checks: C-39523r1_chk

Check the group ownership of system files, programs, and directories. Procedure: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any system file, program, or directory is not group-owned by a system group, this is a finding. For this check, the system-provided "ipsec" group is also acceptable.

Fix: F-33348r1_fix

Change the group owner of system files to a system group. Procedure: # chgrp sys /path/to/system/file (System groups other than sys may be used.)

Generate Mitigation Statement:

Checks: C-28148r1_chk

Check the ownership of the /etc/security/passwd file. Procedure: # ls -lL /etc/security/passwd If the owner of this file is not root, this is a finding.

Fix: F-32285r1_fix

Change the ownership of the /etc/security/passwd file. # chown root /etc/security/passwd

Generate Mitigation Statement:

Checks: C-8016r2_chk

Check the mode of the /etc/passwd file. Procedure: # ls -lL /etc/passwd If /etc/passwd has a mode more permissive than 0644, this is a finding.

Fix: F-952r2_fix

Change the mode of the passwd file to 0644. Procedure: # chmod 0644 /etc/passwd Document all changes.

Generate Mitigation Statement:

Checks: C-37036r1_chk

Check the mode of the /etc/security/passwd file. Procedure: # ls -lL /etc/security/passwd If the mode of this file is more permissive than 0400, this is a finding.

Fix: F-32304r2_fix

Change the mode of the /etc/security/passwd file. # chmod 0400 /etc/security/passwd

Generate Mitigation Statement:

Checks: C-527r2_chk

Files with the setuid bit set will allow anyone running these files to be temporarily assigned the user or group ID of the file. If an executable with setuid allows shell escapes, the user can operate on the system with the effective permission rights of the user or group owner. List all setuid files on the system. Procedure: # find / -perm -4000 -exec ls -l {} \; | more NOTE: Executing these commands may result in large listings of files; the output may be redirected to a file for easier analysis. Ask the SA or IAO if files with the setuid bit set have been documented. If any undocumented file has its setuid bit set, this is a finding.

Fix: F-955r2_fix

Document the files with the setuid bit set or unset the setuid bit on the executable.

Generate Mitigation Statement:

Checks: C-8026r2_chk

Locate all setgid files on the system. Procedure: # find / -perm -2000 If the ownership, permissions, location, and ACLs of all files with the setgid bit set are not documented, this is a finding.

Fix: F-32464r1_fix

All files with the sgid bit set will be documented in the system baseline and authorized by the Information Systems Security Officer. Locate all sgid files with the following command: #find / -perm -2000 -exec ls -lL {} \; # find / -perm -2000 -exec aclget {} \; Ensure sgid files are part of the operating system software, documented application software, documented utility software, or documented locally developed software. Ensure none are text files or shell programs.

Generate Mitigation Statement:

Checks: C-528r2_chk

Determine if a weekly automated or manual process is used to generate a list of setuid files on the system and compare it with the prior list. If no such process is in place, this is a finding.

Fix: F-957r2_fix

Establish a weekly automated or manual process to generate a list of setuid files on the system and compare it with the prior list. To create a list of setuid files use the following command. # find / -perm -4000 > setuid-file-list

Generate Mitigation Statement:

Checks: C-8027r2_chk

Determine if a weekly automated or manual process is used to generate a list of setgid files on the system and compare it with the prior list. If no such process is in place, this is a finding.

Fix: F-958r2_fix

Establish a weekly automated or manual process to generate a list of setgid files on the system and compare it with the prior list. To create a list of setgid files use the following command. # find / -perm -2000 > setgid-file-list

Generate Mitigation Statement:

Checks: C-37185r1_chk

Check /etc/filesystems and verify the nosuid mount option is used on file systems mounted from removable media, network shares, or any other file system not containing approved setuid or setgid files. Each file system stanza must contain a device special file and may additionally contain all of the following fields type = , options = , and check = . # more /etc/filesystems # lsfs If any of these files systems do not mount with the nosuid option, it is a finding.

Fix: F-32462r1_fix

Edit /etc/filesystems and add the options = nosuid to the stanza of file system mounted from removable media or network shares, and any file system not containing approved setuid or setgid files. OR Add the nosuid option with the chfs command. # chfs -a options=nosuid <filesystem>

Generate Mitigation Statement:

Checks: C-8028r2_chk

Check the ownership of all public directories. Procedure: # find / -type d -perm -1002 -exec ls -ld {} \; If any public directory is not owned by root or an application user, this is a finding.

Fix: F-961r2_fix

Change the owner of public directories to root or an application account. Procedure: # chown root /tmp (Replace root with an application user and/or /tmp with another public directory as necessary.)

Generate Mitigation Statement:

Checks: C-550r2_chk

Check global initialization files for the configured umask value. Procedure: # grep umask /etc/* Check local initialization files for the configured umask value. Procedure: # grep umask /userhomedirectory/.* If the system and user default umask is not 077, this is a finding. NOTE: If the default umask is 000 or allows for the creation of world-writable files, this becomes a Severity Code I (CAT I) finding.

Fix: F-962r2_fix

Edit local and global initialization files that contain "umask" and change them to use 077 instead of the current value.

Generate Mitigation Statement:

Checks: C-37188r1_chk

Determine if default system accounts (such as those for guest, sys, bin, uucp, nuucp, daemon, smtp, and lpd) have been disabled. Procedure: # lsuser -a account_locked ALL If there are any unlocked default system accounts, this is a finding.

Fix: F-24500r1_fix

Lock the default system account(s). # chuser account_locked=true <user>

Generate Mitigation Statement:

Checks: C-28347r1_chk

Determine if auditing is enabled. # /usr/sbin/audit query | head -1 If the response Auditing On is not returned, this is a finding.

Fix: F-32465r1_fix

Use SMIT or command line to enable auditing on the system. #audit start Additionally, make sure auditing subsystem starts on system startup. #mkitab -i cron "audit:2:once:/usr/sbin/audit start 2>&1 > /dev/console"

Generate Mitigation Statement:

Checks: C-37189r1_chk

Perform the following to determine the location of audit logs and then check the ownership. Procedure: # grep -p bin: /etc/security/audit/config Directories to search will be listed under the bin stanza. # ls -la &lt;audit directories&gt; If any audit log file is not owned by root, this is a finding.

Fix: F-966r2_fix

Change the ownership of the audit log file(s). Procedure: # chown root <audit log file>

Generate Mitigation Statement:

Checks: C-37247r1_chk

Perform the following to determine the location of audit logs and then check the mode of the files. Procedure: # grep -p bin: /etc/security/audit/config Directories to search will be listed under the bin stanza. # ls -la &lt;audit directories&gt; If any audit log file has a mode more permissive than 0640, this is a finding.

Fix: F-967r2_fix

Change the mode of the audit log directories/files. # chmod 0750 <audit directory> # chmod 0640 <audit file>

Generate Mitigation Statement:

Checks: C-37842r1_chk

Check the system audit configuration to determine if failed attempts to access files and programs are audited. Check system activities (events) to audit are listed in the /etc/security/audit/events file. Procedure: # more /etc/security/audit/events If the FILE_Open event is not configured, this is a finding. Check the FILE_Open audit event is defined in the audit classes' stanza classes: of the /etc/security/audit/config file. Procedure: #more /etc/security/audit/config Make note of the audit class(es) that the FILE_Open event is associated with. If the FILE_Open event is not associated with any audit classes in the classes: stanza, this is a finding. Verify the audit class is associated with the default user and all other user ids listed in the users: stanza of the /etc/security/audit/config file. Procedure: #more /etc/security/audit/config If the class(es) the FILE_Open event is(/are) not associated with the default user and all the system users in the users: stanza, this is a finding. Supplementary Information: Successful setup of AIX auditing requires several files and stanza's to be correctly configured. 1. The /etc/security/audit/events must have the system call defined. 2. The /etc/security/audit/config has 2 stanzas that need to be configured a. "classes:" stanza. Each entry in this stanza defines two things. The first is the name of a class to group the events to be audited on. The class is linked to users of the system for auditing. The second is the event(s) to be audited in this class: stanza. Example: classes: DISA_CLASS = FILE_Open, File_Unlink, FS_Rmdir b. "users:" stanza. There are two options of specifying what users audit on. The first is to explicitly spell out user names. EXAMPLE: users: root = DISA_CLASS The second is to specify a default catching all users not listed elsewhere in the users: stanza EXAMPLE users: root = DISA_CLASS default = DISA_CLASS 3. An approach to setup auditing to meet STIG requirements would be to create class stanza with all audit events that are required. The users: stanza would then be populated with the root user, any other user ids with special requirements and finally a default user. 4. The /usr/lib/security/mkuser.default file can have under the users: stanza an entry auditclasses = class(es) of events to be audited for each new user added to the system.

Fix: F-33105r1_fix

Edit /etc/security/audit/events and add the FILE_Open event to the list of audited events. Edit /etc/security/audit/config and add the FILE_Open audit event to an audit class in the classes: stanza. Edit the /etc/security/audit/config and assign the audit classes that have the FILE_Open event to the users listed in the users: stanza.

Generate Mitigation Statement:

Checks: C-37843r1_chk

Check the system audit configuration to determine if failed attempts to access files and programs are audited. # more /etc/security/audit/events If auditing of the FILE_Unlink or FS_Rmdir events is not configured, this is a finding. If no results are returned, this is a finding. Check the FILE_Unlink and FS_Rmdir audit event(s) are defined in the audit classes' stanza classes: of the /etc/security/audit/config file. #more /etc/security/audit/config Make note of the audit class(es) that the File_Unlink and FS_Rmdir events are associated with. If the FILE_Unlink and FS_Rmdir events are not associated with any audit classes in the classes: stanza this is a finding. Verify the audit class is associated with the default user and all other user ids listed in the users: stanza of the /etc/security/audit/config file. #more /etc/security/audit/config If the class(es) that the FILE_Unlink and FS_Rmdir events are not associated with the default user and all the system users in the users: stanza, this is a finding.

Fix: F-33106r1_fix

Edit /etc/security/audit/events and add the FILE_Unlink or FS_Rmdir events to the list of audited events. Edit /etc/security/audit/config and add the FILE_Unlink and FS_Rmdir audit events to an audit class in the classes: stanza. Edit the /etc/security/audit/config and assign the audit classes containing the FILE_Unlink and FS_Rmdir events to the all users listed in the users: stanza.

Generate Mitigation Statement:

Checks: C-28415r1_chk

Check the auditing configuration of the system. # more /etc/security/audit/events Verify the following events are configured. ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create, FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount, PASSWORD_Check, PROC_Adjtime, PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIDs, RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and USER_SetEnv If any of these events are missing from the configuration, this is a finding. Check the ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create, FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount, PASSWORD_Check, PROC_Adjtime, PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIDs, RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and USER_SetEnv audit events are defined in the audit classes' stanza 'classes:' of the /etc/security/audit/config file. #more /etc/security/audit/config Make note of the audit class(es) that the ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create, FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount, PASSWORD_Check, PROC_Adjtime, PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIDs, RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and USER_SetEnv events are associated with. If the ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create, FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount, PASSWORD_Check, PROC_Adjtime, PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIDs, RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and USER_SetEnv events are not associated with any audit classes in the classes: stanza, this is a finding. Verify the audit class is associated with the default user and all other user ids listed in the users: stanza of the /etc/security/audit/config file. #more /etc/security/audit/config If the class(es) that the ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create, FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount, PASSWORD_Check, PROC_Adjtime,PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIds, RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and USER_SetEnv events are not associated with the default user and all the system users in the 'users:' stanza, this is a finding.

Fix: F-24542r1_fix

Edit /etc/security/audit/events and add the following events to the list of audited events: ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create, FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount, PASSWORD_Check, PROC_Adjtime, PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIDs, RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and USER_SetEnv. Edit /etc/security/audit/config and add the ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create, FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount, PASSWORD_Check, PROC_Adjtime, PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIDs, RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and USER_SetEnv audit events to an audit class in the classes: stanza. Edit the /etc/security/audit/config and assign the audit classes with the ACCT_Disable, ACCT_Enable, AUD_it, BACKUP_Export, DEV_Change, DEV_Configure, DEV_Create, FILE_Chpriv, FILE_Fchpriv, FILE_Mknod, FILE_Owner, FS_Chroot, FS_Mount, FS_Umount, PASSWORD_Check, PROC_Adjtime, PROC_Kill, PROC_Privilege, PROC_Setpgid, PROC_SetUserIDs, RESTORE_Import, TCBCK_Delete, USER_Change, USER_Create, USER_Reboot, USER_Remove, and USER_SetEnv events to the all users listed in the users: stanza.

Generate Mitigation Statement:

Checks: C-37848r1_chk

Check the system's audit configuration. # more /etc/security/audit/events Confirm the following events are configured: USER_Login, USER_Logout, INIT_Start, INIT_End and USER_SU. If any of these events are not present, this is a finding. Check the USER_Login, USER_Logout, INIT_Start, INIT_End, and USER_SU audit events are defined in the audit classes' stanza 'classes:' of the /etc/security/audit/config file. #more /etc/security/audit/config Make note of the audit class(es) the USER_Login, USER_Logout, INIT_Start, INIT_End, and USER_SU events are associated with. If the USER_Login, USER_Logout, INIT_Start, INIT_End, and USER_SU events are not associated with any audit classes in the classes: stanza, this is a finding. Verify the audit class is associated with the default user and all other user ids listed in the users: stanza of the /etc/security/audit/config file. #more /etc/security/audit/config If the class(es) the USER_Login, USER_Logout, INIT_Start, INIT_End, and USER_SU events are not associated with the default user and all the system users in the users: stanza, this is a finding.

Fix: F-33111r1_fix

Edit /etc/security/audit/events and add the USER_Login, USER_Logout, INIT_Start, INIT_End, and USER_SU events to the list of audited events. Edit /etc/security/audit/config and add the USER_Login, USER_Logout, INIT_Start, INIT_End, and USER_SU audit events to an audit class in the classes: stanza. Edit the /etc/security/audit/config and assign the audit classes with the USER_Login, USER_Logout, INIT_Start, INIT_End, and USER_SU events to the all users listed in the users: stanza.

Generate Mitigation Statement:

Checks: C-37849r1_chk

Check the system's audit configuration. # more /etc/security/audit/events Confirm the following events are configured: FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode, and FILE_Owner. If any of these events are not configured, this is a finding. Check the FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode, and FILE_Owner audit events are defined in the audit classes' stanza classes: of the /etc/security/audit/config file. #more /etc/security/audit/config Make note of the audit class(es) the FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode, and FILE_Owner events are associated with. If the FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode, and FILE_Owner events are not associated with any audit classes in the classes: stanza, this is a finding. Verify the audit class is associated with the default user and all other user ids listed in the users: stanza of the /etc/security/audit/config file. If the class(es) the FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode, and FILE_Owner events are not associated with the default user and all the system users in the users: stanza, this is a finding.

Fix: F-33112r1_fix

Edit /etc/security/audit/events and add the FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode, and FILE_Owner events to the list of audited events. Edit /etc/security/audit/config and add the FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode, and FILE_Owner audit events to an audit class in the classes: stanza. Edit the /etc/security/audit/config and assign the audit classes with the FILE_Acl, FILE_Fchmod, FILE_Fchown, FILE_Mode, and FILE_Owner events to the all users listed in the users: stanza.

Generate Mitigation Statement:

Checks: C-567r2_chk

Check the ownership of inetd.conf file. Procedure: # ls -lL /etc/inetd.conf This is a finding if any of the above files or directories are not owned by root or bin.

Fix: F-975r2_fix

Change the ownership of the inetd.conf file to root or bin. Procedure: # chown root /etc/inetd.conf

Generate Mitigation Statement:

Checks: C-8029r2_chk

Check the mode of inetd.conf file. # ls -lL /etc/inetd.conf If the mode of the file(s) is more permissive than 0440, this is a finding.

Fix: F-976r2_fix

Change the mode of the inetd.conf file. # chmod 0440 /etc/inetd.conf

Generate Mitigation Statement:

Checks: C-28612r1_chk

Check the ownership of the services file. Procedure: # ls -lL /etc/services If the services file is not owned by root or bin, this is a finding.

Fix: F-977r2_fix

Change the ownership of the services file to root or bin. Procedure: # chown root /etc/services

Generate Mitigation Statement:

Checks: C-8030r2_chk

Check the mode of the services file. Procedure: # ls -lL /etc/services If the services file has a mode more permissive than 0444, this is a finding.

Fix: F-978r2_fix

Change the mode of the services file to 0444 or less permissive. Procedure: # chmod 0444 /etc/services

Generate Mitigation Statement:

Checks: C-37885r1_chk

Look for the presence of a print service configuration file. Procedure: # find /etc -name hosts.lpd -print # find /etc -name Systems -print # find /etc -name printers.conf If none of the files are found, this check should be marked not applicable. Otherwise, examine the configuration file. Procedure: # more &lt;print service file&gt; Check for entries containing a "+" character by itself on any line. If any are found, this is a finding.

Fix: F-33132r1_fix

Remove the "+" entries from the hosts.lpd (or equivalent) file.

Generate Mitigation Statement:

Checks: C-612r2_chk

Locate any print service configuration file on the system. Consult vendor documentation to verify the names and locations of print service configuration files on the system. Procedure: # find /etc -name hosts.lpd -print # find /etc -name Systems -print If no print service configuration file is found, this is not applicable. Check the ownership of the print service configuration file(s). Procedure: # ls -lL &lt;print service file&gt; If the owner of the file is not root, sys, bin, or lp, this is a finding.

Fix: F-982r2_fix

Change the owner of the /etc/hosts.lpd file (or equivalent, such as /etc/lp/Systems) to root, lp, or another privileged UID. Consult vendor documentation to determine the name and location of print service configuration files. Procedure: # chown root /etc/hosts.lpd

Generate Mitigation Statement:

Checks: C-8031r2_chk

Locate any print service configuration file on the system. Consult vendor documentation for the name and location of print service configuration files. Procedure: # find /etc -name hosts.lpd -print # find /etc -name Systems -print If no print service configuration file is found, this is not applicable. Check the mode of the print service configuration file. Procedure: # ls -lL &lt;print service file&gt; If the mode of the print service configuration file is more permissive than 0644, this is a finding.

Fix: F-983r2_fix

Change the mode of the /etc/hosts.lpd file (or equivalent, such as /etc/lp/Systems) to 0644 or less permissive. Consult vendor documentation for the name and location of print service configuration files. Procedure: # chmod 0644 /etc/hosts.lpd

Generate Mitigation Statement:

Checks: C-39548r1_chk

Check the ownership of the alias file. Procedure: # ls -lL /etc/mail/aliases If the file is not owned by root, this is a finding.

Fix: F-985r2_fix

Change the owner of the /etc/mail/aliases file (or equivalent, such as /usr/lib/aliases) to root. Procedure: # chown root /etc/mail/aliases

Generate Mitigation Statement:

Checks: C-39414r1_chk

Check the mode of the alias file. Procedure: # ls -lL /etc/mail/aliases If the alias file has a mode more permissive than 0644, this is a finding.

Fix: F-34539r1_fix

Change the mode of the /etc/mail/aliases file. Procedure: # chmod 0644 /etc/mail/aliases

Generate Mitigation Statement:

Checks: C-8033r2_chk

Find the aliases file on the system. Procedure: # find / -name aliases -depth -print Examine the aliases file for any directories or paths that may be utilized. Procedure: # more &lt;aliases file location&gt; Check the permissions for any paths referenced. Procedure: # ls -lL &lt;path&gt; If any file referenced from the aliases file has a mode more permissive than 0755, this is a finding.

Fix: F-988r2_fix

Use the chmod command to change the access permissions for files executed from the alias file. For example: # chmod 0755 < filename >

Generate Mitigation Statement:

Checks: C-38139r1_chk

Check the syslog configuration file for mail.crit logging configuration. The syslog.conf file critical mail logging option line will typically appear as one of the following examples: mail.crit /var/log/syslog *.crit /var/log/syslog mail.* /var/log/syslog Procedure: # more /etc/syslog.conf If syslog is not configured to log critical Sendmail messages, this is a finding.

Fix: F-33411r1_fix

Edit the syslog.conf file and add a configuration line specifying an appropriate destination for mail.crit syslogs.

Generate Mitigation Statement:

Checks: C-8034r2_chk

Locate any mail log files by checking the syslog configuration file. Procedure: # more /etc/syslog.conf Identify any log files configured for the mail service at any severity level, or those configured for all services. Check the ownership of these log files. Procedure: # ls -lL &lt;file location&gt; If any mail log file is not owned by root, this is a finding.

Fix: F-991r2_fix

Change the ownership of the Sendmail log file. # chown root <sendmail log file>

Generate Mitigation Statement:

Checks: C-8035r2_chk

Check the mode of the SMTP service log file. Procedure: # more /etc/syslog.conf Check the configuration to determine which log files contain logs for mail.crit, mail.debug, or *.crit. Procedure: # ls -lL &lt;file location&gt; If the log file permissions are greater than 0644, this is a finding.

Fix: F-992r2_fix

Change the mode of the SMTP service log file. Procedure: # chmod 0644 <sendmail log file>

Generate Mitigation Statement:

Checks: C-28645r1_chk

Check for the existence of the ftpusers file. # ls -l /etc/ftpusers If the ftpusers file does not exist, this is a finding.

Fix: F-25674r1_fix

Create a /etc/ftpusers file containing a list of accounts not authorized for FTP.

Generate Mitigation Statement:

Checks: C-28656r1_chk

Check the contents of the ftpusers file. If the system has accounts not allowed to use FTP and are not listed in the ftpusers file, this is a finding. # more /etc/ftpusers

Fix: F-25682r1_fix

Add accounts not allowed to use FTP to the /etc/ftpusers file.

Generate Mitigation Statement:

Checks: C-28664r1_chk

Check the ownership of the ftpusers file. # ls -l /etc/ftpusers If the ftpusers file is not owned by root, this is a finding.

Fix: F-25694r1_fix

Change the owner of the ftpusers file to root. # chown root /etc/ftpusers

Generate Mitigation Statement:

Checks: C-28668r1_chk

Check the permissions of the ftpusers file. # ls -l /etc/ftpusers If the ftpusers file has a mode more permissive than 0640, this is a finding.

Fix: F-25697r1_fix

Change the mode of the ftpusers file to 0640. # chmod 0640 /etc/ftpusers

Generate Mitigation Statement:

Checks: C-711r2_chk

Attempt to log into this host with a user name of anonymous and a password of guest (also try the password of guest@mail.com). If the logon is successful, this is a finding. Procedure: # ftp localhost Name: anonymous 530 Guest login not allowed on this machine.

Fix: F-34157r1_fix

Remove user "anonymous" from /etc/passwd.

Generate Mitigation Statement:

Checks: C-715r2_chk

Check the /etc/passwd file to determine if TFTP is configured properly. Procedure: # grep tftp /etc/passwd If a TFTP user account does not exist and TFTP is active, this is a finding. Check the user shell for the TFTP user. If it is not /bin/false or equivalent, this is a finding. Check the home directory assigned to the TFTP user. If no home directory is set, or the directory specified is not dedicated to the use of the TFTP service, this is a finding.

Fix: F-1003r2_fix

Create a TFTP user account if none exists. Assign a non-login shell to the TFTP user account, such as /bin/false. Assign a home directory to the TFTP user account.

Generate Mitigation Statement:

Checks: C-718r2_chk

Check for .Xauthority files being utilized by looking for such files in the home directory of a user that uses X. Procedure: # cd ~someuser # ls -la .Xauthority If the .Xauthority file does not exist, ask the SA if the user is using X Windows. If the user is utilizing X Windows and the .Xauthority file does not exist, this is a finding.

Fix: F-1004r2_fix

Ensure the X Windows host is configured to write .Xauthority files into user home directories. Edit the Xaccess file. Ensure the line that writes the .Xauthority file is uncommented.

Generate Mitigation Statement:

Checks: C-851r2_chk

Perform the following to determine if NIS is active on the system. # ps -ef | egrep '(ypbind|ypserv)' If NIS is found active on the system, this is a finding.

Fix: F-1021r2_fix

Disable the use of NIS. Possible replacements are NIS+ and LDAP.

Generate Mitigation Statement:

Checks: C-8017r3_chk

Check the home directory mode of each user in /etc/passwd. Procedure: # cut -d : -f 6 /etc/passwd | xargs -n1 ls -ld | more If a user's home directory's mode is more permissive than 0750, this is a finding. NOTE: Application directories are allowed and may need 0755 permissions (or greater) for correct operation.

Fix: F-1055r2_fix

Change the mode of users' home directories to 0750 or less permissive. Procedure (example): # chmod 0750 <home directory>

Generate Mitigation Statement:

Checks: C-8018r2_chk

Check the ownership of each user's home directory listed in the /etc/passwd file. Procedure: # ls -lLd &lt;user home directory&gt; If any user's home directory is not owned by the assigned user, this is a finding.

Fix: F-1056r2_fix

Change the owner of a user's home directory to its assigned user. Procedure: # chown <user> <home directory>

Generate Mitigation Statement:

Checks: C-8019r3_chk

Check the group ownership for each user in the /etc/passwd file. Procedure: # ls -lLd &lt;user home directory&gt; If any user's home directory is not group-owned by the assigned user's primary group, this is a finding. Home directories for application accounts requiring different group ownership must be documented using site-defined procedures.

Fix: F-1057r3_fix

Change the group owner for user's home directories to the primary group of the assigned user. Procedure: # chgrp groupname directoryname (Replace examples with appropriate group and home directory.) Document all changes.

Generate Mitigation Statement:

Checks: C-395r4_chk

NOTE: The following commands must be run in the BASH shell. Check the ownership of local initialization files. Procedure (using a shell that supports ~USER as USER's home directory): # cut -d : -f 1 /etc/passwd | xargs -n1 -IUSER sh -c "ls -l ~USER/.[a-z]*" # cut -d : -f 1 /etc/passwd | xargs -n1 -IUSER find ~USER/.dt ! -fstype nfs ! -user USER -exec ls -ld {} \; If local initialization files are not owned by the home directory's user, this is a finding.

Fix: F-1058r3_fix

Change the ownership of the startup and login files in the user's directory to the user or root, as appropriate. Examine each user's home directory and verify all file names beginning with "." are owned by the owner of the directory or root. If they are not, use the chown command to change the owner to the user and research the reasons why the owners were not assigned as required. Procedure: # chown username .filename Document all changes.

Generate Mitigation Statement:

Checks: C-8020r2_chk

Check the modes of local initialization files. Procedure: # ls -al /&lt;usershomedirectory&gt;/.login # ls -al /&lt;usershomedirectory&gt;/.cshrc # ls -al /&lt;usershomedirectory&gt;/.logout # ls -al /&lt;usershomedirectory&gt;/.profile # ls -al /&lt;usershomedirectory&gt;/.bash_profile # ls -al /&lt;usershomedirectory&gt;/.bashrc # ls -al /&lt;usershomedirectory&gt;/.bash_logout # ls -al /&lt;usershomedirectory&gt;/.env # ls -al /&lt;usershomedirectory&gt;/.dtprofile (permissions should be 0755) # ls -al /&lt;usershomedirectory&gt;/.dispatch # ls -al /&lt;usershomedirectory&gt;/.emacs # ls -al /&lt;usershomedirectory&gt;/.exrc # find /&lt;usershomedirectory&gt;/.dt ! -fstype nfs \( -perm -0002 -o -perm -0020 \) -exec ls -ld {} \; (permissions not to be more permissive than 0755) If local initialization files are more permissive than 0740, the .dt directory or the .dtprofile file is more permissive than 0755, this is a finding.

Fix: F-1059r3_fix

Ensure user startup files have permissions of 0740 or more restrictive. Examine each user's home directory and verify all file names beginning with "." have access permissions of 0740 or more restrictive. If they do not, use the chmod command to correct the vulnerability. Procedure: # chmod 0740 .filename NOTE: The period is part of the file name and is required.

Generate Mitigation Statement:

Checks: C-37149r1_chk

Check run control script modes. # cd /etc # find rc* -ls If any run control script has a mode more permissive than 0755, this is a finding.

Fix: F-32414r1_fix

Ensure all system startup files have mode 0755 or less permissive. Examine the rc files, all files in the rc1.d (rc2.d, and so on) directories, and in the /etc/init.d directory to ensure they are not world-writable. If the files are world-writable, use the chmod command to correct the vulnerability and research why they are world-writable. Procedure: # chmod 755 startupfile Document all changes.

Generate Mitigation Statement:

Checks: C-39526r1_chk

Verify run control scripts' library search paths. Procedure: # grep -r PATH /etc/rc* This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/), this is a relative path, and this is a finding.

Fix: F-1061r2_fix

Edit the run control script and remove the relative path entry from the executable search path variable.

Generate Mitigation Statement:

Checks: C-404r2_chk

Check the system for the existence of any .netrc files. Procedure: # find / -name .netrc If any .netrc file exists, this is a finding.

Fix: F-1067r3_fix

Remove the .netrc file(s). Procedure: # rm .netrc

Generate Mitigation Statement:

Checks: C-37242r1_chk

Check /etc/security/login.cfg for a shells stanza. Procedure: # grep -p usw: /etc/security/login.cfg | grep "shells =" If no such stanza exists, this is a finding. Check the /etc/shells file. Procedure: # more /etc/shells If the /etc/shells file does not exist, this is a finding.

Fix: F-32456r1_fix

Edit the /etc/security/login.cfg file and add a shells stanza containing a list of valid shells. #chsec -f /etc/security/login.cfg -s usw -a shells=<list of approved shells> Create the /etc/shells file. #vi /etc/shells

Generate Mitigation Statement:

Checks: C-37177r1_chk

Confirm the login shells referenced in the /etc/passwd file are listed in the /etc/security/login.cfg file's shells =variable in the usw stanza. # more /etc/security/login.cfg # more /etc/shells The /usr/bin/false, /bin/false, /dev/null, /sbin/nologin, (and equivalents), and sdshell will be considered valid shells for use in the /etc/passwd file, but will not be listed in the shells stanza. If a shell referenced in /etc/passwd is not listed in the shells stanza, excluding the above mentioned shells, then this is a finding.

Fix: F-32457r1_fix

Use the chsh utility or edit the /etc/passwd file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the /etc/shells file. Alternatively, use the SMIT to change the /etc/passwd shell entry.

Generate Mitigation Statement:

Checks: C-37833r1_chk

Indications of inactive accounts are those without entries in the last log. Check the date in the last log to verify it is within the last 35 days. If an inactive account is not disabled via an invalid login shell /bin/false entry in the shell field of the /etc/passwd file or account_locked = true in /etc/security/user file, this is a finding.

Fix: F-33093r1_fix

All inactive accounts will have /bin/false, /usr/bin/false, or /dev/null as the default shell in the /etc/passwd file and have the password disabled. Disable the inactive accounts. Examine the inactive accounts using the last command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days, then disable them by placing a shell of /bin/false or /dev/null in the shell field of the passwd file entry for that account. An alternative, and preferable method, is to disable the account using SMIT or the chsec command. Change the accounts login shell. #chsh <account> /bin/false Lock the account in /etc/security/user file. #chuser account_locked=true < user id > OR # smitty chuser

Generate Mitigation Statement:

Checks: C-37840r1_chk

Obtain a list of system shells from /etc/security/login.cfg and check the ownership of these shells. Procedure: #grep shells /etc/security/login.cfg | grep -v \* | cut -f 2 -d = | sed s/,/\ /g | xargs -n1 ls -l If any shell is not owned by root or bin, this is a finding. Obtain a list of system shells from /etc/shells and check the ownership of these shells. Procedure: #cat /etc/shells | xargs -n1 ls -l If any shell is not owned by root or bin, this is a finding.

Fix: F-33103r1_fix

Change the ownership of the shell with incorrect ownership. # chown root < shell >

Generate Mitigation Statement:

Checks: C-465r2_chk

Find all device files existing anywhere on the system. Procedure: # find / -type b -print &gt; devicelist # find / -type c -print &gt;&gt; devicelist Check the permissions on the directories above subdirectories containing device files. If any of the device files or their parent directories is world-writable, excepting device files specifically intended to be world-writable, such as /dev/null, this is a finding.

Fix: F-1078r3_fix

Remove the world-writable permission from the device file(s). Procedure: # chmod o-w <device file> Document all changes.

Generate Mitigation Statement:

Checks: C-37183r1_chk

Check the system for world-writable device files. Procedure: # find / -perm -2 -a \( -type b -o -type c \) -exec ls -ld {} \; If any device file(s) used for backup are writable by users other than root, this is a finding (Typical backup devices for tape are/dev/rmt* and cd/dvd writers are /dev/cd*).

Fix: F-32459r1_fix

Use the chmod command to remove the world-writable bit from the backup device files. Procedure: # chmod o-w <back device filename> Document all changes.

Generate Mitigation Statement:

Checks: C-852r2_chk

If the system is not using NIS+, this is not applicable. Check the system to determine if NIS+ security level 2 is implemented. Procedure: # niscat cred.org_dir If the second column does not contain DES, the system is not using NIS+ security level 2, and this is a finding.

Fix: F-25778r1_fix

Configure the NIS+ server to use security level 2.

Generate Mitigation Statement:

Checks: C-28739r1_chk

Check the owner of the exports file. Example: # ls -lL /etc/exports If the export configuration file is not owned by root, this is a finding.

Fix: F-25756r1_fix

Change the owner of the exports file to root. Example: # chown root /etc/exports

Generate Mitigation Statement:

Checks: C-862r2_chk

Check for NFS exported file systems. Procedure: # exportfs -v This will display all of the exported file systems. For each file system displayed, check the ownership. Procedure: # ls -lLa &lt;exported file system path&gt; If the files and directories are not owned by root, this is a finding.

Fix: F-1085r2_fix

Change the ownership of exported file systems not owned by root. Procedure: # chown root <path>

Generate Mitigation Statement:

Checks: C-863r2_chk

Check if the anon option is set correctly for exported file systems. List exported file systems. # exportfs -v Each of the exported file systems should include an entry for the 'anon=' option set to -1 or an equivalent (60001, 60002, 65534, or 65535). If an appropriate 'anon=' setting is not present for an exported file system, this is a finding.

Fix: F-32338r1_fix

Edit /etc/exports and set the anon=-1 option for exported file systems without it. Re-export the file systems. # exportfs -a

Generate Mitigation Statement:

Checks: C-864r2_chk

Check the permissions on exported NFS file systems. Procedure: # exportfs -v If the exported file systems do not contain the rw or ro options specifying a list of hosts or networks, this is a finding.

Fix: F-1087r2_fix

Edit /etc/exports and add ro and/or rw options (as appropriate) specifying a list of hosts or networks which are permitted access. Re-export the file systems.

Generate Mitigation Statement:

Checks: C-867r2_chk

Determine if the NFS server is exporting with the root access option. Procedure: # exportfs -v | grep "root=" If an export with the root option is found, this is a finding.

Fix: F-1089r2_fix

Edit /etc/exports and remove the root= option for all exports. Re-export the file systems.

Generate Mitigation Statement:

Checks: C-38202r1_chk

Check the system for NFS mounts not using the nosuid option. Procedure: # lsfs -v nfs If the mounted file systems do not have the nosuid option, this is a finding.

Fix: F-32339r1_fix

Edit /etc/filesystems and add the nosuid option for all NFS file systems. Remount the NFS file systems to make the change take effect.

Generate Mitigation Statement:

Checks: C-28781r1_chk

Determine if TCP_WRAPPERS is being used. # grep tcpd /etc/inetd.conf If no services are listed, this is a finding.

Fix: F-32344r1_fix

Edit /etc/inetd.conf and use tcpd to wrap services. Use SMIT to install TCP Wrappers from the AIX Expansion pack media as fileset netsec.options.tcpwrappers.

Generate Mitigation Statement:

Checks: C-888r2_chk

Normally, TCPD logs to the mail facility in /etc/syslog.conf. Determine if syslog is configured to log events by TCPD. Procedure: # more /etc/syslog.conf Look for entries similar to the following: mail.debug /var/adm/maillog mail.none /var/adm/maillog mail.* /var/log/mail auth.info /var/log/messages The above entries would indicate mail alerts are being logged. If no entries for mail exist, then TCPD is not logging and this is a finding.

Fix: F-1095r2_fix

Configure the access restriction program to log every access attempt. Ensure the implementation instructions for TCP_WRAPPERS are followed, so system access attempts are logged into the system log files. If an alternate application is used, it must support this function.

Generate Mitigation Statement:

Checks: C-2321r2_chk

Perform: # /bin/tcbck If TCB is not installed, the output will show an error code of 3001-101 and/or a text message indicating TCB is not installed, this is a finding.

Fix: F-31368r1_fix

Ensure the Trusted Computing Base (TCB) software is implemented. TCB can only be installed at OS installation time.

Generate Mitigation Statement:

Checks: C-28455r1_chk

Check for the existence of the cron.allow and cron.deny files. # ls -lL /var/adm/cron/cron.allow # ls -lL /var/adm/cron/cron.deny If neither file exists, this is a finding.

Fix: F-24558r1_fix

Create /var/adm/cron/cron.allow and/or /var/adm/cron/cron.deny with appropriate content.

Generate Mitigation Statement:

Checks: C-38875r1_chk

Check mode of the cron.allow file. Procedure: # ls -lL /var/adm/cron/cron.allow If the file has a mode more permissive than 0640, this is a finding.

Fix: F-34019r1_fix

Change the mode of the cron.allow file to 0640. Procedure: # chmod 0640 /var/adm/cron/cron.allow

Generate Mitigation Statement:

Checks: C-28464r1_chk

List all cronjobs on the system. Procedure: # ls /var/spool/cron/crontabs/ If cron jobs exist under any of the above directories search for programs executed by cron. Procedure: # more &lt;cron job file&gt; Determine if the file is group-writable or world-writable. Procedure: # ls -la &lt;cron program file&gt; If cron executes group-writable or world-writable files, this is a finding.

Fix: F-1130r2_fix

Remove the world-writable and group-writable permissions from the cron program file(s) identified. # chmod go-w <cron program file>

Generate Mitigation Statement:

Checks: C-28466r1_chk

List all cronjobs on the system. Procedure: # ls /var/spool/cron/crontabs/ If cron jobs exist under any of the above directories search for programs executed by cron. Procedure: # more &lt;cron job file&gt; Determine if the directory containing programs executed from cron is world-writable. Procedure: # ls -ld &lt;cron program directory&gt; If cron executes programs in world-writable directories, this is a finding.

Fix: F-32473r1_fix

Remove the world-writable permission from the cron program directories identified. Procedure: # chmod o-w <cron program directory>

Generate Mitigation Statement:

Checks: C-790r2_chk

Check the modes of the crontab and cron job script files. If the mode is more permissive than 0600 for crontab files or 0700 for cron job script files, this is a finding.

Fix: F-1132r2_fix

Change the modes of crontab files to 0600 and cron job script files to 0700.

Generate Mitigation Statement:

Checks: C-28478r1_chk

Check the mode of the crontab directory. # ls -ld /var/spool/cron/crontabs If the mode of the crontab directory is more permissive than 0755, this is a finding.

Fix: F-24581r1_fix

Change the mode of the crontab directory. # chmod 0755 /var/spool/cron/crontabs

Generate Mitigation Statement:

Checks: C-28480r1_chk

Check the owner of the crontab directory. # ls -ld /var/spool/cron/crontabs If the owner of the crontab directory is not root or bin, this is a finding.

Fix: F-24583r1_fix

Change the owner of the crontab directory. # chown root /var/spool/cron/crontabs

Generate Mitigation Statement:

Checks: C-38095r1_chk

Check the group owner of cron and crontab directories. Procedure: # ls -ld /var/spool/cron/crontabs If a cron or crontab directory is not group-owned by sys, system, bin, or cron, this is a finding.

Fix: F-33357r1_fix

Change the group owner of the crontab directories to sys, system, bin, or cron. Procedure: # chown cron /var/spool/cron/crontabs

Generate Mitigation Statement:

Checks: C-28491r1_chk

# ls -lL /var/adm/cron/log If this file does not exist or is older than the last cron job, this is a finding.

Fix: F-1136r2_fix

Enable cron logging on the system.

Generate Mitigation Statement:

Checks: C-28498r1_chk

Check the mode of the cron log file. # ls -lL /var/adm/cron/log If the mode is more permissive than 0600, this is a finding.

Fix: F-24600r1_fix

Change the mode of the cron log file. # chmod 0600 /var/adm/cron/log

Generate Mitigation Statement:

Checks: C-28531r1_chk

Check for the existence of at.allow and at.deny files. # ls -lL /var/adm/cron/at.allow # ls -lL /var/adm/cron/at.deny If neither file exists, this is a finding.

Fix: F-11346r2_fix

Create at.allow and/or at.deny files containing appropriate lists of users to be allowed or denied access to the "at" daemon.

Generate Mitigation Statement:

Checks: C-28535r1_chk

# more /var/adm/cron/at.deny If the at.deny file exists and is empty, this is a finding.

Fix: F-1139r2_fix

Add appropriate users to the at.deny file, or remove the empty at.deny file if an at.allow file exists.

Generate Mitigation Statement:

Checks: C-28541r1_chk

# more /var/adm/cron/at.allow If default accounts (such as bin, sys, adm, and others) are listed in the at.allow file, this is a finding.

Fix: F-1140r2_fix

Remove the default accounts (such as bin, sys, adm, and others) from the at.allow file.

Generate Mitigation Statement:

Checks: C-38874r1_chk

Check the mode of the at.allow file. # ls -lL /var/adm/cron/at.allow If the at.allow file has a mode more permissive than 0640, this is a finding.

Fix: F-34018r1_fix

Change the mode of the at.allow file. # chmod 0640 /var/adm/cron/at.allow

Generate Mitigation Statement:

Checks: C-801r2_chk

List the "at" jobs on the system. Procedure: # ls -la /var/spool/cron/atjobs /var/spool/atjobs For each "at" job file, determine which programs are executed. Procedure: # more &lt;at job file&gt; Check each program executed by "at" for group- or world-writable permissions. Procedure: # ls -la &lt;at program file&gt; If "at" executes group- or world-writable programs, this is a finding.

Fix: F-1142r2_fix

Remove group-write and world-write permissions from files executed by "at" jobs. Procedure: # chmod go-w <file>

Generate Mitigation Statement:

Checks: C-802r2_chk

List any "at" jobs on the system. Procedure: # ls /var/spool/cron/atjobs /var/spool/atjobs For each "at" job, determine which programs are executed. Procedure: # more &lt;at job file&gt; Check the directory containing each program executed by "at" for world-writable permissions. Procedure: # ls -la &lt;at program file directory&gt; If "at" executes programs in world-writable directories, this is a finding.

Fix: F-1143r2_fix

Remove the world-writable permission from directories containing programs executed by "at". Procedure: # chmod o-w <at program directory>

Generate Mitigation Statement:

Checks: C-37058r1_chk

Check the mode of the SNMP daemon configuration file. Locate the SNMP daemon configuration file. Consult vendor documentation to verify the name and location of the file. Procedure: # find / -name "snmpd*.conf" Check the mode of the SNMP daemon configuration file. Procedure: # ls -lL &lt;snmpd conf&gt;

Fix: F-32326r1_fix

Change the mode of the SNMP daemon configuration file to 0600. Procedure: # chmod 0600 /etc/snmpd.conf # chmod 0600 /etc/snmpdv3.conf

Generate Mitigation Statement:

Checks: C-818r2_chk

Check the modes for all Management Information Base (MIB) files on the system. Procedure: # find / -name *.mib -print # ls -lL &lt;mib file&gt; If any file is returned that does not have mode 0640 or less permissive, this is a finding.

Fix: F-1149r2_fix

Change the mode of MIB files to 0640. Procedure: # chmod 0640 <mib file>

Generate Mitigation Statement:

Checks: C-467r3_chk

Check the system for world-writable files and directories. Procedure: # find / -perm -2 -a \( -type d -o -type f \) -exec ls -ld {} \; If any world-writable files or directories are located, except those required for proper system or application operation, such as /tmp and /dev/null, this is a finding.

Fix: F-1164r2_fix

Remove or change the mode for any world-writable file or directory on the system that is not required to be world-writable. Procedure: # chmod o-w <file/directory> Document all changes.

Generate Mitigation Statement:

Checks: C-2043r2_chk

# ps -ef | egrep "innd|nntpd" If an INN server is running, this is a finding.

Fix: F-1177r2_fix

Disable the INN server.

Generate Mitigation Statement:

Checks: C-2047r3_chk

Check the system for an enabled SWAT service. # grep -i swat /etc/inetd.conf If SWAT is found enabled, it must be utilized with SSL to ensure a secure connection between the client and the server. Ask the SA to identify the method used to provide SSL protection for the SWAT service. Verify (or ask the SA to demonstrate) this configuration is effective by accessing SWAT using an HTTPS connection from a web browser. If SWAT is found enabled and has no SSL protection, this is a finding.

Fix: F-1180r3_fix

Disable SWAT (e.g., remove the "swat" line from inetd.conf or equivalent, and restart the service) or configure SSL protection for the SWAT service.

Generate Mitigation Statement:

Checks: C-39455r1_chk

Check the ownership of the /usr/lib/smb.conf file. Procedure: # ls -l /usr/lib/smb.conf If an smb.conf file is not owned by root, this is a finding.

Fix: F-34583r1_fix

Change the ownership of the smb.conf file. Procedure: # chown root /usr/lib/smb.conf

Generate Mitigation Statement:

Checks: C-39456r1_chk

Check the mode of the smb.conf file. Procedure: # ls -lL /usr/lib/smb.conf If the smb.conf has a mode more permissive than 0644, this is a finding.

Fix: F-34584r1_fix

Change the mode of the smb.conf file to 0644 or less permissive. Procedure: # chmod 0644 /usr/lib/smb.conf

Generate Mitigation Statement:

Checks: C-39245r1_chk

Check the ownership of the smbpasswd file. # ls -l /var/private/smbpasswd If an smbpasswd file is not owned by root, this is a finding.

Fix: F-34347r1_fix

Change the owner of the smbpasswd file to root. # chown root /var/private/smbpasswd

Generate Mitigation Statement:

Checks: C-38211r1_chk

Examine the smb.conf file. # more /usr/lib/smb.conf If the hosts option is not present to restrict access to a list of authorized hosts and networks, this is a finding.

Fix: F-1184r2_fix

Edit the smb.conf file and set the hosts option to permit only authorized hosts to access Samba.

Generate Mitigation Statement:

Checks: C-36689r1_chk

Check the minage field for each user. # /usr/sbin/lsuser -a minage ALL If the minage field is less than 1 for any user, this is a finding.

Fix: F-33201r1_fix

Use SMIT or the chsec command to set the minimum password age to 1 week. # chsec -f /etc/security/user -s default -a minage=1 # chsec -f /etc/security/user -s <user id> -a minage=1 OR # smitty chuser

Generate Mitigation Statement:

Checks: C-36938r1_chk

Determine if the SSH daemon is configured to permit root logins. Procedure: # find / -name sshd_config -ls # grep -v "^#" &lt;sshd_config path and file&gt; | grep -i permitrootlogin If the PermitRootLogin entry is not found or is not set to no, this is a finding.

Fix: F-32204r1_fix

Edit the /etc/ssh/sshd_config file and set the PermitRootLogin option to no and refresh sshd. #kill -1 <pid of sshd>

Generate Mitigation Statement:

Checks: C-28267r1_chk

Check the mode of audio devices. # /usr/sbin/lsdev -C | grep -i audio # ls -lL /dev/*aud0 If the mode of audio devices are more permissive than 0660, this is a finding.

Fix: F-24491r1_fix

Change the mode of audio devices. # chmod o-w <audio device>

Generate Mitigation Statement:

Checks: C-28273r1_chk

Check the owner of audio devices. Procedure: # /usr/sbin/lsdev -C | grep -i audio # ls -lL /dev/*aud0 If the owner of any audio device file is not root, this is a finding.

Fix: F-1203r2_fix

Change the owner of the audio device. # chown root <audio device>

Generate Mitigation Statement:

Checks: C-39457r1_chk

Check the group ownership of the smb.conf file. Procedure: # ls -l /usr/lib/smb.conf If an smb.conf file is not group-owned by bin, sys, or system, this is a finding.

Fix: F-33481r1_fix

Change the group owner of the smb.conf file. Procedure: # chgrp system /usr/lib/smb.conf

Generate Mitigation Statement:

Checks: C-38209r1_chk

Check smbpasswd ownership. # ls -lL /var/private/smbpasswd If smbpasswd is not group-owned by sys, or system, this is a finding.

Fix: F-33485r1_fix

Use the chgrp command to change the group owner of the smbpasswd file to system. # chgrp system /var/private/smbpasswd

Generate Mitigation Statement:

Checks: C-39458r1_chk

Check smbpasswd mode. Procedure: # ls -lL /var/private/smbpasswd If smbpasswd has a mode more permissive than 0600, this is a finding.

Fix: F-34585r1_fix

Change the mode of the smbpasswd file to 0600. Procedure: # chmod 0600 /var/private/smbpasswd

Generate Mitigation Statement:

Checks: C-28285r1_chk

Check the group owner of audio devices. Procedure: # /usr/sbin/lsdev -C | grep -i audio # ls -lL /dev/*aud0 If the group owner of an audio device is not root, sys, bin, or system, this is a finding.

Fix: F-1215r2_fix

Change the group owner of the audio device. Procedure: # chgrp system <audio device>

Generate Mitigation Statement:

Checks: C-8205r2_chk