IBM AIX 7.x Security Technical Implementation Guide

U_IBM_AIX_7-x_STIG_V1R1_Manual-xccdf.xml

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]
Details

Version / Release: V1R1

Published: 2019-04-29

Updated At: 2019-07-06 21:57:30

Vuln Rule Version CCI Severity Title Description
SV-101311r1_rule AIX7-00-001015 CCI-000015 MEDIUM The shipped /etc/security/mkuser.sys file on AIX must not be customized directly. The "/etc/security/mkuser.sys" script customizes the new user account when a new user is created, or a user is logging into the system without a home directory. An improper "/etc/security/mkuser.sys" script increases the risk that non-privileged users may obtain elevated privileges.
SV-101313r1_rule AIX7-00-001000 CCI-000015 MEDIUM AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account. The "/etc/security/mkuser.sys.custom" script is called by "/etc/security/mkuser.sys" to customize the new user account when a new user is created, or a user is logging into the system without a home directory. An improper "/etc/security/mkuser.sys.custom" script increases the risk that non-privileged users may obtain elevated privileges. It must not exist unless it is needed.
SV-101315r1_rule AIX7-00-001016 CCI-000015 MEDIUM The regular users' default primary group must be staff (or equivalent) on AIX. The /usr/lib/security/mkuser.default file contains the default primary groups for regular and admin users. Setting a system group as the regular users' primary group increases the risk that regular users can access privileged resources.
SV-101317r1_rule AIX7-00-001001 CCI-000016 MEDIUM AIX must automatically remove or disable temporary user accounts after 72 hours or sooner. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
SV-101319r1_rule AIX7-00-001003 CCI-000044 MEDIUM AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked until released by an administrator. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
SV-101321r1_rule AIX7-00-001041 CCI-000048 MEDIUM AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
SV-101323r1_rule AIX7-00-001042 CCI-000048 MEDIUM The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
SV-101325r1_rule AIX7-00-001043 CCI-000048 MEDIUM The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
SV-101327r1_rule AIX7-00-001004 CCI-000054 MEDIUM AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types. Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
SV-101329r1_rule AIX7-00-001028 CCI-000056 MEDIUM AIX must provide the lock command to let users retain their session lock until users are reauthenticated. All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecured poses a potential security hazard. To lock the terminal, use the lock command.
SV-101331r1_rule AIX7-00-001029 CCI-000056 MEDIUM AIX must provide the xlock command in the CDE environment to let users retain their session lock until users are reauthenticated. All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecured poses a potential security hazard. If the interface is AIXwindows (CDE), use the xlock command to lock the session.
SV-101333r1_rule AIX7-00-003000 CCI-000057 MEDIUM AIX must automatically lock after 15 minutes of inactivity in the CDE Graphical desktop environment. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled.
SV-101335r1_rule AIX7-00-001100 CCI-000058 MEDIUM AIX must be configured to allow users to directly initiate a session lock for all connection types. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity.
SV-101337r1_rule AIX7-00-001101 CCI-000060 MEDIUM AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.
SV-101339r1_rule AIX7-00-002100 CCI-000067 MEDIUM AIX must monitor and record successful remote logins. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
SV-101341r1_rule AIX7-00-002101 CCI-000067 MEDIUM AIX must monitor and record unsuccessful remote logins. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
SV-101343r1_rule AIX7-00-003100 CCI-000068 MEDIUM The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.
SV-101345r1_rule AIX7-00-002104 CCI-000068 MEDIUM The AIX SSH server must use SSH Protocol 2. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.
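The two sshd rules above (FIPS-approved ciphers, Protocol 2) are easy to get wrong when checking by eye, because OpenSSH honours the first active occurrence of a keyword and matches keywords case-insensitively, so a later, correct-looking "Ciphers" line can be dead text. The following is an added example, not part of the STIG and not OpenSSH code: a POSIX sh/awk checker that reads sshd_config with first-occurrence-wins semantics and evaluates both rules against constructed sample files in a temporary directory. The approved cipher list is an assumption for illustration (AES in CTR and GCM modes); substitute the list your FIPS policy names. Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the STIG or OpenSSH): first-occurrence-wins reader
# for sshd_config plus the Protocol 2 and approved-cipher checks.

# sshd_get FILE KEYWORD: print the value of the first active KEYWORD line
# (case-insensitive, "Key value" or "Key=value" forms); nothing if absent.
sshd_get() {
  awk -v key="$2" '
    BEGIN { key = tolower(key) }
    /^[ \t]*#/ { next }                          # comment line
    /^[ \t]*$/ { next }                          # blank line
    {
      line = $0; sub(/^[ \t]+/, "", line)
      split(line, parts, /[ \t=]+/)              # parts[1] is the keyword
      if (tolower(parts[1]) == key) {
        sub(/^[^ \t=]+[ \t=]+/, "", line)        # strip keyword and separator
        print line; exit                         # first occurrence wins
      }
    }' "$1"
}

# Assumed approved list for this example; adjust to your FIPS policy.
APPROVED_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com"

# check_protocol FILE: the rule wants Protocol set explicitly to 2 and only 2;
# "2,1" or an unset keyword is reported as a finding.
check_protocol() {
  p=$(sshd_get "$1" Protocol)
  case "$p" in
    2) return 0 ;;
    *) echo "Protocol=${p:-unset} (must be exactly 2)"; return 1 ;;
  esac
}

# check_ciphers FILE: Ciphers must be present (otherwise the build default is
# in effect) and every listed cipher must be approved. A +/-/^ prefix edits
# the default list and is deliberately not accepted here.
check_ciphers() {
  list=$(sshd_get "$1" Ciphers)
  [ -n "$list" ] || { echo "Ciphers unset (build default in effect)"; return 1; }
  rc=0
  for c in $(printf '%s' "$list" | tr ',' ' '); do
    case " $APPROVED_CIPHERS " in
      *" $c "*) ;;
      *) echo "Ciphers: $c not approved"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample configs (not captured from a real host).
SAMPLE_DIR=$(mktemp -d) || exit 1
cat > "$SAMPLE_DIR/sshd_config.bad" <<'EOF'
# constructed sample: the lowercase 'ciphers' line is the one sshd uses
Protocol 2,1
ciphers aes128-ctr,aes256-cbc,aes256-ctr
Ciphers aes256-ctr
EOF
cat > "$SAMPLE_DIR/sshd_config.good" <<'EOF'
Protocol 2
Ciphers aes256-ctr,aes256-gcm@openssh.com
EOF

for f in bad good; do
  if check_protocol "$SAMPLE_DIR/sshd_config.$f" && check_ciphers "$SAMPLE_DIR/sshd_config.$f"; then
    echo "sshd_config.$f: ok"
  fi
done
```

On a live AIX host, point the functions at the real sshd_config and, after any change, confirm the effective values with `sshd -T` on OpenSSH builds that support it, since that prints what the daemon will actually use.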
SV-101347r1_rule AIX7-00-002001 CCI-000130 MEDIUM AIX must produce audit records containing information to establish the date, time, and type of events that occurred. Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in AIX audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016
SV-101349r1_rule AIX7-00-002003 CCI-000132 MEDIUM AIX must produce audit records containing information to establish where the events occurred. Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as operating system components, modules, device identifiers, node names, file names, and functionality. Associating information about where the event occurred within AIX provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.
SV-101351r1_rule AIX7-00-002004 CCI-000133 MEDIUM AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event. Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. In addition to logging where events occur within AIX, AIX must also generate audit records that identify sources of events. Sources of operating system events include, but are not limited to, processes and services. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event. Satisfies: SRG-OS-000040-GPOS-00018, SRG-OS-000255-GPOS-00096
SV-101353r1_rule AIX7-00-002005 CCI-000134 MEDIUM AIX must produce audit records containing information to establish the outcome of the events. Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.
SV-101355r1_rule AIX7-00-002006 CCI-000135 MEDIUM AIX must produce audit records containing the full-text recording of privileged commands. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
SV-101357r1_rule AIX7-00-002008 CCI-000139 MEDIUM AIX must be configured to generate an audit record when 75% of the audit file system is full. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
SV-101359r1_rule AIX7-00-002011 CCI-000158 MEDIUM AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents. The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. Events of interest can be identified by the content of specific audit record fields, including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents. The ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify those responsible for one. This capability is also required to comply with applicable Federal laws and DoD policies. Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports. This requires operating systems to provide the capability to customize audit record reports based on all available criteria. Satisfies: SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137
SV-101363r1_rule AIX7-00-002013 CCI-000162 MEDIUM Audit logs on the AIX system must be owned by root. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
SV-101365r1_rule AIX7-00-002014 CCI-000162 MEDIUM Audit logs on the AIX system must be group-owned by system. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
SV-101367r1_rule AIX7-00-002015 CCI-000162 MEDIUM Audit logs on the AIX system must be set to 660 or less permissive. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
SV-101369r1_rule AIX7-00-002200 CCI-000171 MEDIUM The AIX audit configuration files must be owned by root. Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
SV-101371r1_rule AIX7-00-002201 CCI-000171 MEDIUM The AIX audit configuration files must be group-owned by audit. Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
SV-101373r1_rule AIX7-00-002202 CCI-000171 MEDIUM The AIX audit configuration files must be set to 640 or less permissive. Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
SV-101375r1_rule AIX7-00-001006 CCI-000185 MEDIUM If the AIX system is using LDAP for authentication or account information, the LDAP SSL or TLS connection must require that the server provide a certificate, and this certificate must have a valid path to a trusted CA. Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
SV-101377r1_rule AIX7-00-003004 CCI-000186 MEDIUM AIX SSH private host key files must have mode 0600 or less permissive. If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.
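The ownership and mode rules above (audit logs root:system 0660, audit configuration files root:audit 0640, SSH private host keys 0600) all reduce to the same check: a file's owner, group, and permission bits must not exceed an expected triple. The block below is an added example, not part of the STIG and not IBM code: a POSIX sh/awk check driven by `ls -ld` output, so the same script works on AIX and on Linux, run here against constructed files in a temporary directory. Because the example cannot create root-owned files, the expected owner and group for the samples are the caller's own; on a real host pass root and system/audit as the rules require.

```shell
#!/bin/sh
# Added example (not from the STIG): owner/group/max-mode check via ls -ld.

# mode_ok MODESTR MAXOCTAL: exit 0 if the nine rwx characters (e.g. "rw-r-----")
# set no permission bit beyond MAXOCTAL (e.g. 0640). setuid/setgid/sticky shown
# as s/t count as their x bit; S/T (special bit without x) count as unset.
mode_ok() {
  awk -v m="$1" -v max="$2" 'BEGIN {
    max = substr(max, length(max) - 2)            # last three octal digits
    for (i = 1; i <= 3; i++) {
      d = substr(max, i, 1) + 0
      bit[i*3 - 2] = int(d / 4) % 2               # r
      bit[i*3 - 1] = int(d / 2) % 2               # w
      bit[i*3]     = d % 2                        # x
    }
    for (i = 1; i <= 9; i++) {
      c = substr(m, i, 1)
      if (c != "-" && c != "S" && c != "T" && !bit[i]) exit 1
    }
    exit 0
  }'
}

# file_check FILE OWNER GROUP MAXOCTAL: print one finding per violation and
# return 1 if there were any. Paths containing whitespace are not supported.
file_check() {
  f=$1; want_owner=$2; want_group=$3; max=$4
  if [ ! -e "$f" ]; then echo "$f: missing"; return 1; fi
  # ls -ld prints e.g. "-rw-r----- 1 root audit 12 Jan  1 00:00 /path":
  # field 1 is the mode string, field 3 the owner, field 4 the group.
  set -- $(ls -ld "$f")
  mode=$(printf '%s' "$1" | cut -c2-10)           # drop type char and any ACL flag
  owner=$3; group=$4
  rc=0
  [ "$owner" = "$want_owner" ] || { echo "$f: owner $owner, want $want_owner"; rc=1; }
  [ "$group" = "$want_group" ] || { echo "$f: group $group, want $want_group"; rc=1; }
  mode_ok "$mode" "$max"       || { echo "$f: mode $mode exceeds $max"; rc=1; }
  return $rc
}

# Constructed sample files standing in for a host key, an audit trail and an
# audit config file; the last one is deliberately too permissive.
SAMPLE_DIR=$(mktemp -d) || exit 1
me=$(id -un); mygrp=$(id -gn)
: > "$SAMPLE_DIR/ssh_host_rsa_key"; chmod 0600 "$SAMPLE_DIR/ssh_host_rsa_key"
: > "$SAMPLE_DIR/trail";            chmod 0660 "$SAMPLE_DIR/trail"
: > "$SAMPLE_DIR/config";           chmod 0644 "$SAMPLE_DIR/config"

for spec in "ssh_host_rsa_key 0600" "trail 0660" "config 0640"; do
  set -- $spec
  if file_check "$SAMPLE_DIR/$1" "$me" "$mygrp" "$2"; then echo "$SAMPLE_DIR/$1: ok"; fi
done
```

For the live checks, the rules' own triples apply: `file_check /audit/trail root system 0660`, `file_check /etc/security/audit/config root audit 0640`, and `file_check /etc/ssh/ssh_host_rsa_key root system 0600` (the host-key group is not specified by the rule; adjust to what your sshd installation uses).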
SV-101379r1_rule AIX7-00-001120 CCI-000192 HIGH AIX must enforce password complexity by requiring that at least one upper-case character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
SV-101381r1_rule AIX7-00-001121 CCI-000193 HIGH AIX must enforce password complexity by requiring that at least one lower-case character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
SV-101383r1_rule AIX7-00-001122 CCI-000194 HIGH AIX must enforce password complexity by requiring that at least one numeric character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
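The lockout rule (AIX7-00-001003), the concurrent-session rule (AIX7-00-001004) and the three complexity rules above all live in AIX stanza files: per-user attributes in /etc/security/user override the default stanza, and a loginretries of 0 means no limit at all, so reading only the default stanza misses an exempted user. The block below is an added example, not part of the STIG and not IBM code: a POSIX sh/awk stanza reader that resolves the effective value per user and applies those checks to constructed sample files in a temporary directory. The attribute names used (loginretries, minupperalpha, minloweralpha, mindigit in /etc/security/user; maxlogins in the usw stanza of /etc/security/login.cfg) are this example's assumptions about where the rules are enforced; the 50%-change rule is not encoded here.

```shell
#!/bin/sh
# Added example (not from the STIG): AIX stanza-file reader plus the
# loginretries, password-complexity and maxlogins checks from the rules above.

# stanza_get FILE STANZA ATTR: print the attribute's value inside STANZA, or
# nothing if it is not set there. Stanza headers sit at column 0 and end with
# ":"; attributes are indented "name = value"; "*" and "#" start comments.
stanza_get() {
  awk -v want="$2:" -v attr="$3" '
    /^[ \t]*[*#]/          { next }
    $0 == want             { inside = 1; next }
    /^[^ \t#*].*:[ \t]*$/  { inside = 0 }
    inside {
      line = $0; sub(/^[ \t]+/, "", line)
      n = index(line, "=")
      if (n == 0) next
      k = substr(line, 1, n - 1); v = substr(line, n + 1)
      gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == attr) { print v; exit }
    }' "$1"
}

# effective FILE USER ATTR: the per-user value wins; otherwise fall back to
# the default stanza, which is how AIX resolves these attributes.
effective() {
  v=$(stanza_get "$1" "$2" "$3")
  [ -n "$v" ] || v=$(stanza_get "$1" default "$3")
  printf '%s\n' "$v"
}

# is_int STR: true if STR is a non-negative decimal integer.
is_int() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# check_user USERFILE USER: print one finding per failed rule, return 1 if any.
check_user() {
  rc=0
  r=$(effective "$1" "$2" loginretries)
  # loginretries=0 (or unset) means unlimited attempts; the rule wants 3.
  if ! is_int "$r" || [ "$r" -lt 1 ] || [ "$r" -gt 3 ]; then
    echo "$2: loginretries=${r:-unset} (must be 1..3)"; rc=1
  fi
  for a in minupperalpha minloweralpha mindigit; do
    v=$(effective "$1" "$2" "$a")
    if ! is_int "$v" || [ "$v" -lt 1 ]; then
      echo "$2: $a=${v:-unset} (must be >= 1)"; rc=1
    fi
  done
  return $rc
}

# check_maxlogins LOGINCFG: concurrent-session cap of 10 from the usw stanza.
check_maxlogins() {
  m=$(stanza_get "$1" usw maxlogins)
  if ! is_int "$m" || [ "$m" -lt 1 ] || [ "$m" -gt 10 ]; then
    echo "usw: maxlogins=${m:-unset} (must be 1..10)"; return 1
  fi
  return 0
}

# Constructed sample files (AIX writes tabs; the parser accepts either).
SAMPLE_DIR=$(mktemp -d) || exit 1
cat > "$SAMPLE_DIR/user" <<'EOF'
* constructed stand-in for /etc/security/user
default:
    admin = false
    loginretries = 3
    minupperalpha = 1
    minloweralpha = 1
    mindigit = 1

root:
    admin = true
    loginretries = 0

jdoe:
    minupperalpha = 0
EOF
cat > "$SAMPLE_DIR/login.cfg" <<'EOF'
usw:
    shells = /bin/sh,/bin/ksh
    maxlogins = 32767
EOF

# alice has no stanza of her own, so every value comes from default.
for u in root jdoe alice; do
  if check_user "$SAMPLE_DIR/user" "$u"; then echo "$u: ok"; fi
done
if check_maxlogins "$SAMPLE_DIR/login.cfg"; then echo "usw: ok"; fi
```

On a real AIX host the native equivalent of stanza_get is `lssec -f /etc/security/user -s <stanza> -a <attribute>`, and the loop over users should iterate `lsuser -a id ALL` rather than a hand-picked list, so that any per-user override of loginretries or the complexity attributes is caught.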
SV-101385r1_rule AIX7-00-001123 CCI-000195 HIGH AIX must require the change of at least 50% of the total number of characters when passwords are changed. If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. If the password length is an odd number, then the number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters.
SV-101387r1_rule AIX7-00-003101 CCI-000196 HIGH The AIX system must have no .netrc files on the system. Unencrypted passwords for remote FTP servers may be stored in .netrc files. Policy requires passwords be encrypted in storage and not used in access scripts.
SV-101389r1_rule AIX7-00-001007 CCI-000196 HIGH If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
SV-101391r1_rule AIX7-00-001124 CCI-000197 HIGH AIX root passwords must never be passed over a network in clear text form. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
SV-101393r1_rule AIX7-00-003005 CCI-000197 HIGH AIX must disable /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/rexec and /usr/bin/telnet commands. The listed applications permit the transmission of passwords in plain text. Alternative applications such as SSH, which encrypt data, should be used instead.
SV-101395r1_rule AIX7-00-001045 CCI-000197 HIGH If LDAP is used, the AIX LDAP client must use SSL to authenticate with the LDAP server. When the LDAP client's authentication type is ldap_auth (server-side authentication), the client sends the password to the server in clear text for authentication. SSL must be used in this case.
SV-101397r1_rule AIX7-00-003040 CCI-000197 HIGH The AIX rsh daemon must be disabled. The rsh daemon permits usernames and passwords to be passed over the network in clear text.
SV-101399r1_rule AIX7-00-003041 CCI-000197 HIGH The AIX rlogind service must be disabled. The rlogin daemon permits usernames and passwords to be passed over the network in clear text.
SV-101401r1_rule AIX7-00-002058 CCI-000197 HIGH The AIX rexec daemon must not be running. The exec service is used to execute a command sent from a remote server. The username and password are passed over the network in clear text and therefore insecurely. Unless required, the rexecd daemon will be disabled. This function, if required, should be facilitated through SSH.
SV-101403r1_rule AIX7-00-002059 CCI-000197 HIGH AIX telnet daemon must not be running. The telnet service is used to service remote user connections. This is historically the most commonly used remote access method for UNIX servers. The username and password are passed over the network in clear text and therefore insecurely. Unless required, the telnetd daemon will be disabled. This function, if required, should be facilitated through SSH.
SV-101405r1_rule AIX7-00-002060 CCI-000197 HIGH AIX ftpd daemon must not be running. The ftp service is used to transfer files from or to a remote machine. The username and password are passed over the network in clear text and therefore insecurely. Remote file transfer, if required, should be facilitated through SSH.
SV-101407r1_rule AIX7-00-001125 CCI-000198 MEDIUM AIX Operating systems must enforce 24 hours/1 day as the minimum password lifetime. Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
SV-101409r1_rule AIX7-00-001126 CCI-000199 MEDIUM AIX Operating systems must enforce a 60-day maximum password lifetime restriction. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
SV-101411r1_rule AIX7-00-001127 CCI-000200 MEDIUM AIX must prohibit password reuse for a minimum of five generations. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.
SV-101413r1_rule AIX7-00-001128 CCI-000205 HIGH AIX must use a Loadable Password Algorithm (LPA) password hashing algorithm. The default legacy password hashing algorithm, crypt(), uses only the first 8 characters of the password string, meaning the user's password is truncated to eight characters. If the password is shorter than 8 characters, it is padded with zero bits on the right. crypt() is a modified DES algorithm that is vulnerable to brute-force password guessing attacks and also to cracking of the DES hashing algorithm by techniques such as pre-computation. With the Loadable Password Algorithm (LPA) framework release, AIX implemented a set of LPAs using the MD5, SHA2, and Blowfish algorithms. These IBM proprietary password algorithms support passwords longer than 8 characters and Unicode characters in passwords.
SV-101415r1_rule AIX7-00-001129 CCI-000205 HIGH AIX must enforce a minimum 15-character password length. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
SV-101417r1_rule AIX7-00-003102 CCI-000213 MEDIUM AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code. Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. Operating system functionality will vary, and while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages, such as from an approved software repository. AIX or software configuration management utility must enforce control of software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000134-GPOS-00068, SRG-OS-000312-GPOS-00123, SRG-OS-000362-GPOS-00149
SV-101419r1_rule AIX7-00-003042 CCI-000381 MEDIUM The AIX qdaemon must be disabled if local or remote printing is not required. The qdaemon program is the printing scheduling daemon that manages the submission of print jobs to the piobe service. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
SV-101421r1_rule AIX7-00-003043 CCI-000381 MEDIUM If AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled. The lpd daemon accepts remote print jobs from other systems. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
SV-101423r1_rule AIX7-00-003044 CCI-000381 MEDIUM If AIX system does not support either local or remote printing, the piobe service must be disabled. The piobe daemon is the I/O back end for the printing process, handling the job scheduling and spooling. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
SV-101425r1_rule AIX7-00-003045 CCI-000381 MEDIUM If there are no X11 clients that require CDE on AIX, the dt service must be disabled. This entry executes the CDE startup script which starts the AIX Common Desktop Environment. To prevent attacks this daemon should not be enabled unless there is no alternative.
SV-101427r1_rule AIX7-00-003046 CCI-000381 MEDIUM If NFS is not required on AIX, the NFS daemon must be disabled. The rcnfs entry starts the NFS daemons during system boot. NFS is a service with numerous historical vulnerabilities and should not be enabled unless there is no alternative. If NFS serving is required, then read-only exports are recommended and no filesystem or directory should be exported with root access. Unless otherwise required the NFS daemons (rcnfs) will be disabled.
SV-101429r1_rule AIX7-00-003047 CCI-000381 MEDIUM If sendmail is not required on AIX, the sendmail service must be disabled. The sendmail service has many historical vulnerabilities and, where possible, should be disabled. If the system is not required to operate as a mail server (i.e., sending, receiving, or processing e-mail), disable the sendmail daemon.
SV-101431r1_rule AIX7-00-003048 CCI-000381 MEDIUM If SNMP is not required on AIX, the snmpd service must be disabled. The snmpd daemon is used by many third-party applications to monitor the health of the system. This allows remote monitoring of network and server configuration. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
SV-101433r1_rule AIX7-00-003049 CCI-000366 MEDIUM The AIX DHCP client must be disabled. The dhcpcd daemon receives address and configuration information from the DHCP server. DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. To prevent remote attacks this daemon should not be enabled unless there is no alternative. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
SV-101435r1_rule AIX7-00-003050 CCI-000381 MEDIUM If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled. The dhcprd daemon listens for broadcast packets, receives them, and forwards them to the appropriate server. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
SV-101437r1_rule AIX7-00-003104 CCI-000381 MEDIUM If DHCP server is not required on AIX, the DHCP server must be disabled. The dhcpsd daemon is the DHCP server that serves addresses and configuration information to DHCP clients in the network. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
SV-101439r1_rule AIX7-00-003051 CCI-000381 MEDIUM If IPv6 is not utilized on the AIX server, the autoconf6 daemon must be disabled. autoconf6 is used to automatically configure IPv6 interfaces at boot time. Running this service may allow other hosts on the same physical subnet to connect via IPv6, even when the network does not support it. Disable this unless you use IPv6 on the server.
SV-101441r1_rule AIX7-00-003052 CCI-000381 MEDIUM If AIX server is not functioning as a network router, the gated daemon must be disabled. This daemon provides gateway routing functions for protocols such as RIP and SNMP. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
SV-101443r1_rule AIX7-00-003053 CCI-000381 MEDIUM If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled. This daemon is an implementation of the multicast routing protocol. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
SV-101445r1_rule AIX7-00-003054 CCI-000381 MEDIUM If AIX server is not functioning as a DNS server, the named daemon must be disabled. This is the server for the DNS protocol and controls domain name resolution for its clients. To prevent attacks this daemon should not be enabled unless there is no alternative.
SV-101447r1_rule AIX7-00-003055 CCI-000381 MEDIUM If AIX server is not functioning as a network router, the routed daemon must be disabled. The routed daemon manages the network routing tables in the kernel. To prevent attacks this daemon should not be enabled unless there is no alternative.
SV-101449r1_rule AIX7-00-003056 CCI-000381 MEDIUM If rwhod is not required on AIX, the rwhod daemon must be disabled. This is the remote WHO service. To prevent remote attacks this daemon should not be enabled unless there is no alternative.
SV-101451r1_rule AIX7-00-003057 CCI-000381 MEDIUM The timed daemon must be disabled on AIX. The timed daemon is the old UNIX time service. Disable this service and use xntp if time synchronization is required in the environment.
SV-101453r1_rule AIX7-00-003058 CCI-000381 MEDIUM If the AIX server does not host an SNMP agent, the dpid2 daemon must be disabled. The dpid2 daemon acts as a protocol converter, which enables DPI (SNMP v2) sub-agents, such as hostmibd, to talk to an SNMP v1 agent that follows the SNMP MUX protocol. To prevent attacks this daemon should not be enabled unless there is no alternative.
SV-101457r1_rule AIX7-00-003060 CCI-000381 MEDIUM If SNMP is not required on AIX, the snmpmibd daemon must be disabled. The snmpmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. If snmpd is not required, snmpmibd should be disabled as well.
SV-101459r1_rule AIX7-00-003061 CCI-000381 MEDIUM The aixmibd daemon must be disabled on AIX. The aixmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. To prevent attacks this daemon should not be enabled unless there is no alternative.
SV-101461r1_rule AIX7-00-003062 CCI-000381 MEDIUM The ndpd-host daemon must be disabled on AIX. ndpd-host is the Neighbor Discovery Protocol (NDP) daemon for the server, required only for IPv6. Unless the server utilizes IPv6, this is not required and should be disabled to prevent attacks.
SV-101463r1_rule AIX7-00-003063 CCI-000381 MEDIUM The ndpd-router must be disabled on AIX. ndpd-router manages the Neighbor Discovery Protocol (NDP) for non-kernel activities, required only for IPv6. Unless the server utilizes IPv6, this is not required and should be disabled to prevent attacks.
SV-101465r1_rule AIX7-00-003064 CCI-000381 MEDIUM The daytime daemon must be disabled on AIX. The daytime service provides the current date and time to other servers on a network. This daytime service is a defunct time service, typically used for testing purposes only. The service should be disabled as it can leave the system vulnerable to DoS ping attacks.
SV-101467r1_rule AIX7-00-003065 CCI-000381 MEDIUM The cmsd daemon must be disabled on AIX. This is a calendar and appointment service for CDE. The cmsd service is utilized by CDE to provide calendar functionality. If CDE is not required, this service should be disabled to prevent attacks.
SV-101469r1_rule AIX7-00-003066 CCI-000381 MEDIUM The ttdbserver daemon must be disabled on AIX. The ttdbserver service is the tool-talk database service for CDE. This service runs as root and should be disabled. Unless required the ttdbserver service will be disabled to prevent attacks.
SV-101471r1_rule AIX7-00-003067 CCI-000381 MEDIUM The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX. The uucp (UNIX to UNIX Copy Program) service allows users to copy files between networked machines. Unless an application or process requires UUCP, this should be disabled to prevent attacks.
SV-101473r1_rule AIX7-00-003068 CCI-000381 MEDIUM The time daemon must be disabled on AIX. The time service is an obsolete process used to synchronize system clocks at boot time. It has been superseded by NTP, which should be used if time synchronization is necessary. Unless required, the time service must be disabled.
SV-101475r1_rule AIX7-00-003069 CCI-000381 MEDIUM The talk daemon must be disabled on AIX. This talk service is used to establish an interactive two-way communication link between two UNIX users. Unless required the talk service will be disabled to prevent attacks.
SV-101477r1_rule AIX7-00-003070 CCI-000381 HIGH The ntalk daemon must be disabled on AIX. This service establishes a two-way communication link between two users, either locally or remotely. Unless required the ntalk service will be disabled to prevent attacks.
SV-101479r1_rule AIX7-00-003071 CCI-000381 MEDIUM The chargen daemon must be disabled on AIX. The chargen service is a character generator service used for testing the integrity of TCP/IP packets arriving at the destination. An attacker may spoof packets between machines running the chargen service and thus provide an opportunity for DoS attacks. Disable this service to prevent attacks unless testing the network.
SV-101481r1_rule AIX7-00-003072 CCI-000381 MEDIUM The discard daemon must be disabled on AIX. The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it receives. This is a /dev/null service and is obsolete. This can be used in DoS attacks and therefore, must be disabled to prevent attacks.
SV-101483r1_rule AIX7-00-003073 CCI-000381 MEDIUM The dtspc daemon must be disabled on AIX. The dtspc service deals with the CDE interface of the X11 daemon. It is started automatically by the inetd daemon in response to a CDE client requesting a process to be started on the daemon's host. This makes it vulnerable to buffer overflow attacks, which may allow an attacker to gain root privileges on a host. This service must be disabled unless it is absolutely required.
SV-101485r1_rule AIX7-00-003074 CCI-000381 MEDIUM The pcnfsd daemon must be disabled on AIX. The pcnfsd service is an authentication and printing program, which uses NFS to provide file transfer services. This service is vulnerable and exploitable and permits the machine to be compromised both locally and remotely. If PC NFS clients are required within the environment, Samba is recommended as an alternative software solution. The pcnfsd daemon predates Microsoft's release of SMB specifications. This service should therefore be disabled to prevent attacks.
SV-101487r1_rule AIX7-00-003075 CCI-000381 MEDIUM The rstatd daemon must be disabled on AIX. The rstatd service is used to provide kernel statistics and other monitorable parameters pertinent to the system such as: CPU usage, system uptime, network usage etc. An attacker may use this information in a DoS attack. This service should be disabled.
SV-101489r1_rule AIX7-00-003076 CCI-000381 MEDIUM The rusersd daemon must be disabled on AIX. The rusersd service runs as root and provides a list of current users active on a system. An attacker may use this service to learn valid account names on the system. This is not an essential service and should be disabled.
SV-101491r1_rule AIX7-00-003105 CCI-000381 MEDIUM The rwalld daemon must be disabled on AIX. The rwalld service allows remote users to broadcast system wide messages. The service runs as root and should be disabled unless absolutely necessary to prevent attacks.
SV-101493r1_rule AIX7-00-003077 CCI-000381 MEDIUM The sprayd daemon must be disabled on AIX. The sprayd service is used as a tool to generate UDP packets for testing and diagnosing network problems. The service must be disabled if NFS is not in use, as it can be used by attackers in a Distributed Denial of Service (DDoS) attack.
SV-101495r1_rule AIX7-00-003078 CCI-000381 MEDIUM The klogin daemon must be disabled on AIX. The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the network. However, it is still not as secure as SSH, which encrypts all traffic. If using klogin to log in to a system, the password is not sent in clear text; however, if using "su" to another user, that password exchange is open to detection from network-sniffing programs. The recommendation is to use SSH wherever possible instead of klogin. If the klogin service is used, use the latest Kerberos version available and make sure that all the latest patches are installed.
SV-101497r1_rule AIX7-00-003079 CCI-000381 MEDIUM The kshell daemon must be disabled on AIX. The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted communications. The recommendation is to use SSH wherever possible instead of kshell. If the kshell service is used, you should use the latest Kerberos version available and must make sure that all the latest patches are installed.
SV-101499r1_rule AIX7-00-003080 CCI-000381 MEDIUM The rquotad daemon must be disabled on AIX. The rquotad service allows NFS clients to enforce disk quotas on file systems that are mounted on the local system. Unless required, this service should be disabled to prevent attacks.
SV-101501r1_rule AIX7-00-003081 CCI-000381 MEDIUM The tftp daemon must be disabled on AIX. The tftp service allows remote systems to download or upload files to the tftp server without any authentication. It is therefore a service that should not run, unless needed. One of the main reasons for requiring this service to be activated is if the host is a NIM master. However, the service can be enabled and then disabled once a NIM operation has completed, rather than left running permanently.
SV-101503r1_rule AIX7-00-003082 CCI-000381 MEDIUM The imap2 service must be disabled on AIX. The imap2 service, or Internet Message Access Protocol (IMAP), supports the IMAP4 remote mail access protocol. It works with sendmail and bellmail. If it is not required, this service should be disabled to prevent attacks.
SV-101505r1_rule AIX7-00-003083 CCI-000381 MEDIUM The pop3 daemon must be disabled on AIX. The pop3 service provides a pop3 server. It supports the pop3 remote mail access protocol. It works with sendmail and bellmail. If it is not required, this service should be disabled to prevent attacks.
SV-101507r1_rule AIX7-00-003084 CCI-000381 MEDIUM The finger daemon must be disabled on AIX. The fingerd daemon provides the server function for the finger command. This allows users to view real-time pertinent user login information on other remote systems. This service should be disabled as it may provide an attacker with a valid user list to target.
SV-101509r1_rule AIX7-00-003085 CCI-000381 MEDIUM The instsrv daemon must be disabled on AIX. The instsrv service is part of the Network Installation Tools, used for servicing servers running AIX 3.2. This service should be disabled to prevent attacks.
SV-101511r1_rule AIX7-00-003086 CCI-000381 MEDIUM The echo daemon must be disabled on AIX. The echo service can be used in Denial of Service or SMURF attacks. It can also be used by someone else to get through a firewall or start a data storm. The echo service is unnecessary and it increases the attack vector of the system.
SV-101513r1_rule AIX7-00-003087 CCI-000381 MEDIUM The Internet Network News (INN) server must be disabled on AIX. Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to transfer information from the Usenet to the server and from the server to authorized remote hosts. If this function is necessary to support a valid mission requirement, its use must be authorized and approved in the system accreditation package.
SV-101515r1_rule AIX7-00-003088 CCI-000382 MEDIUM The Stream Control Transmission Protocol (SCTP) must be disabled on AIX. The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the system to dynamically load a protocol handler by opening a socket using the protocol.
SV-101517r1_rule AIX7-00-003089 CCI-000382 MEDIUM The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX. The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the system to dynamically load a protocol handler by opening a socket using the protocol. AIX has the RDS protocol installed as part of the 'bos.net.tcp.client' fileset. The RDS protocol is primarily used for communication on InfiniBand interfaces. The protocol is manually loaded with the bypassctrl command. To prevent possible attacks this protocol must be disabled unless required.
SV-101519r1_rule AIX7-00-001008 CCI-000764 HIGH All accounts on AIX system must have unique account names. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
SV-101521r1_rule AIX7-00-001009 CCI-000764 HIGH All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users). To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062
SV-101523r1_rule AIX7-00-001010 CCI-000764 HIGH The AIX SYSTEM attribute must not be set to NONE for any account. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
SV-101525r1_rule AIX7-00-001011 CCI-000770 MEDIUM Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts. Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability.
SV-101527r1_rule AIX7-00-001012 CCI-001941 HIGH AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058
SV-101535r1_rule AIX7-00-001014 CCI-001682 MEDIUM The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local login accounts used by the organization's system administrators when network or normal login/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
SV-101537r1_rule AIX7-00-001102 CCI-000877 HIGH AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.
SV-101541r1_rule AIX7-00-003096 CCI-000366 MEDIUM AIX must set the Stack Execution Disable (SED) system-wide mode to all. DoS is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Satisfies: SRG-OS-000142-GPOS-00071, SRG-OS-000480-GPOS-00227, SRG-OS-000433-GPOS-00192
SV-101545r1_rule AIX7-00-003002 CCI-001133 MEDIUM AIX must terminate all SSH login sessions after 10 minutes of inactivity. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at AIX level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that AIX terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
SV-101547r1_rule AIX7-00-001048 CCI-001199 MEDIUM AIX must protect the confidentiality and integrity of all information at rest. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.
SV-101549r1_rule AIX7-00-003006 CCI-001314 MEDIUM AIX log files must have mode 0640 or less permissive. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
SV-101551r1_rule AIX7-00-002070 CCI-001314 MEDIUM AIX log files must be owned by root. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
SV-101553r1_rule AIX7-00-002071 CCI-001314 MEDIUM AIX log files must be owned by privileged groups. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
SV-101555r1_rule AIX7-00-003007 CCI-001314 MEDIUM AIX log files must not have extended ACLs, except as needed to support authorized software. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
SV-101557r1_rule AIX7-00-001044 CCI-001384 MEDIUM Any publicly accessible connection to the AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
SV-101559r1_rule AIX7-00-001104 CCI-001453 MEDIUM If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. If LDAP authentication is used, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.
SV-101561r1_rule AIX7-00-002023 CCI-001464 MEDIUM AIX must start audit at boot. If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
SV-101565r1_rule AIX7-00-002025 CCI-001493 MEDIUM AIX audit tools must be owned by root. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
SV-101567r1_rule AIX7-00-002026 CCI-001493 MEDIUM AIX audit tools must be group-owned by audit. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
SV-101569r1_rule AIX7-00-002027 CCI-001493 MEDIUM AIX audit tools must be set to 4550 or less permissive. Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
SV-101571r1_rule AIX7-00-002072 CCI-001499 MEDIUM AIX system files, programs, and directories must be group-owned by a system group. Restricting permissions will protect the files from unauthorized modification.
SV-101573r1_rule AIX7-00-001018 CCI-001499 MEDIUM All system files, programs, and directories must be owned by a system account. Restricting permissions will protect the files from unauthorized modification.
SV-101575r1_rule AIX7-00-002088 CCI-001499 MEDIUM AIX library files must have mode 0755 or less permissive. Unauthorized access could destroy the integrity of the library files.
SV-101577r1_rule AIX7-00-003009 CCI-001499 MEDIUM All system command files must not have extended ACLs. Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default system executables and files present in directories included in the system's default executable search paths.
SV-101579r1_rule AIX7-00-003010 CCI-001499 MEDIUM All library files must not have extended ACLs. Unauthorized access could destroy the integrity of the library files.
SV-101581r1_rule AIX7-00-001019 CCI-001499 MEDIUM AIX device files and directories must only be writable by users with a system account or as configured by the vendor. System device files in writable directories could be modified, removed, or used by an unprivileged user to control system hardware.
SV-101583r1_rule AIX7-00-001130 CCI-001619 MEDIUM AIX must enforce password complexity by requiring that at least one special character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
SV-101585r1_rule AIX7-00-003109 CCI-001665 MEDIUM In the event of a system failure, AIX must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving operating system state information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes.
SV-101587r1_rule AIX7-00-002028 CCI-001496 MEDIUM AIX must verify the hash of audit tools. Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.
SV-101589r1_rule AIX7-00-002105 CCI-002361 MEDIUM AIX must configure the SSH idle timeout interval. Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.
SV-101591r1_rule AIX7-00-003003 CCI-000879 MEDIUM AIX must set an inactivity time-out on login sessions and terminate all login sessions after 10 minutes of inactivity. Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. If a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the AIX level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that AIX terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000279-GPOS-00109, SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066
SV-101593r1_rule AIX7-00-002128 CCI-002364 LOW If bash is used, AIX must display logout messages. If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Information resources to which users gain access via authentication include, for example, local workstations and remote services. Logoff messages can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions, including, for example, remote login, information systems typically send logoff messages as final messages prior to terminating sessions.
SV-101595r1_rule AIX7-00-002129 CCI-002364 LOW If Bourne / ksh shell is used, AIX must display logout messages. If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Information resources to which users gain access via authentication include, for example, local workstations and remote services. Logoff messages can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions, including, for example, remote login, information systems typically send logoff messages as final messages prior to terminating sessions.
SV-101597r1_rule AIX7-00-002130 CCI-002364 LOW If csh/tcsh shell is used, AIX must display logout messages. If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Information resources to which users gain access via authentication include, for example, local workstations and remote services. Logoff messages can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions, including, for example, remote login, information systems typically send logoff messages as final messages prior to terminating sessions.
SV-101599r1_rule AIX7-00-001024 CCI-002314 LOW SSH must display the date and time of the last successful account login to the AIX system upon login. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
SV-101601r1_rule AIX7-00-001137 CCI-002314 HIGH AIX must be able to control the ability of remote login for users. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
SV-101603r1_rule AIX7-00-003098 CCI-002164 MEDIUM AIX must allow admins to send a message to all currently logged-in users. Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
SV-101605r1_rule AIX7-00-003099 CCI-002165 MEDIUM AIX must allow admins to send a message to a currently logged-in user. Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
SV-101607r1_rule AIX7-00-003020 CCI-002165 MEDIUM AIX must use Trusted Execution (TE) Check policy. Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
SV-101609r1_rule AIX7-00-001138 CCI-002233 MEDIUM NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs. The nosuid mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system not containing approved setuid files. Executing setuid files from untrusted file systems, or file systems not containing approved setuid files, increases the opportunity for unprivileged users to attain unauthorized administrative access.
SV-101613r1_rule AIX7-00-002032 CCI-001914 MEDIUM AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost. This requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting.
SV-101615r1_rule AIX7-00-002033 CCI-001849 MEDIUM AIX must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. In order to ensure operating systems have sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of AIX.
SV-101619r1_rule AIX7-00-002036 CCI-001878 MEDIUM AIX must provide a report generation function that supports on-demand audit review and analysis, on-demand reporting requirements, and after-the-fact investigations of security incidents. The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies. Report generation must be capable of generating on-demand (i.e., customizable, ad hoc, and as-needed) reports. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective. Satisfies: SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140
SV-101621r1_rule AIX7-00-001053 CCI-001891 MEDIUM AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144
SV-101625r1_rule AIX7-00-002038 CCI-001890 MEDIUM AIX must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by AIX include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
SV-101627r1_rule AIX7-00-002107 CCI-001814 MEDIUM AIX must disable Kerberos Authentication in the ssh config file to enforce access restrictions. Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
SV-101629r1_rule AIX7-00-003022 CCI-001814 HIGH AIX must disable trivial file transfer protocol. Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
SV-101631r1_rule AIX7-00-002133 CCI-001814 MEDIUM AIX must be configured to use syslogd to log events by TCPD. Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
SV-101633r1_rule AIX7-00-003025 CCI-001764 MEDIUM AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at AIX-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of white-listed software occurs prior to execution or at system startup. This requirement applies to operating system programs, functions, and services designed to manage system processes and configurations (e.g., group policies). Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155
SV-101635r1_rule AIX7-00-002061 CCI-002038 HIGH AIX must remove the NOPASSWD tag from sudo config files. The sudo command does not require reauthentication if the NOPASSWD tag is specified in the /etc/sudoers config file or in sudoers files in the /etc/sudoers.d/ directory. With this tag in a sudoers file, users are not required to reauthenticate for privilege escalation.
SV-101637r1_rule AIX7-00-002062 CCI-002038 MEDIUM AIX must remove the !authenticate option from sudo config files. The sudo command does not require reauthentication if the !authenticate option is specified in the /etc/sudoers config file or in config files in the /etc/sudoers.d/ directory. With this option in a sudoers file, users are not required to reauthenticate for privilege escalation.
SV-101639r1_rule AIX7-00-002108 CCI-002038 MEDIUM If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication. GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.
SV-101641r1_rule AIX7-00-003090 CCI-001958 MEDIUM If an automated file system mounting tool is not required on AIX, it must be disabled. Automated file system mounting tools may provide unprivileged users with the ability to access local media and network shares. If this access is not necessary for the system's operation, it must be disabled to reduce the risk of unauthorized access to these resources.
SV-101643r1_rule AIX7-00-001131 CCI-002041 MEDIUM AIX must implement a way to force an identified temporary user to renew their password at next login. Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial login. Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to log on, yet force them to change the password once they have successfully authenticated.
SV-101645r1_rule AIX7-00-001046 CCI-002007 MEDIUM If LDAP authentication is required, AIX must set up the LDAP client to refresh user and group caches in less than a day. If cached authentication information is out of date, the validity of the authentication information may be questionable.
SV-101647r1_rule AIX7-00-002110 CCI-001991 MEDIUM AIX must set up the SSH daemon to reject revoked public keys. Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
SV-101653r1_rule AIX7-00-002125 CCI-002465 MEDIUM AIX must request and perform data origin and integrity authentication verification on the name/address resolution responses the system receives from authoritative sources. If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed, which would result in query failure or DoS. Data origin and integrity authentication must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching Domain Name System (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity of response data. This is not applicable if DNSSEC is not implemented on the local network. Satisfies: SRG-OS-000399-GPOS-00178, SRG-OS-000400-GPOS-00179, SRG-OS-000401-GPOS-00180, SRG-OS-000402-GPOS-00181
SV-101655r1_rule AIX7-00-001105 CCI-002470 MEDIUM AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.
SV-101657r1_rule AIX7-00-003097 CCI-002385 MEDIUM AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of AIX to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
SV-101659r1_rule AIX7-00-002097 CCI-002418 MEDIUM AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods. Without protection of the transmitted or received information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
SV-101661r1_rule AIX7-00-003028 CCI-002617 MEDIUM AIX must remove all software components after updated versions have been installed. Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
SV-101663r1_rule AIX7-00-001108 CCI-000803 MEDIUM AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. AIX must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. OpenSSL FIPS object module is a cryptographic module that is designed to meet the requirements for FIPS 140-2 validation by CMVP and is compatible with OpenSSL libraries. The 2.0.13 FIPS object module version has been FIPS validated and certified by CMVP for multiple AIX versions on Power 7 and Power 8 platforms under certificate #2398. IBM has released a FIPS capable OpenSSL (Fileset VRMF: 20.13.102.1000), which is OpenSSL 1.0.2j version with 2.0.13 object module. The fileset is available in Web Download Pack. Satisfies: SRG-OS-000120-GPOS-00061, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176
SV-101665r1_rule AIX7-00-001132 CCI-000366 MEDIUM AIX must prevent the use of dictionary words for passwords. If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
SV-101667r1_rule AIX7-00-003029 CCI-000366 MEDIUM AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt. Limiting the number of login attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
SV-101669r1_rule AIX7-00-002089 CCI-000366 MEDIUM Samba packages must be removed from AIX. If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.
SV-101671r1_rule AIX7-00-001134 CCI-000366 MEDIUM The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.
SV-101673r1_rule AIX7-00-002127 CCI-000366 MEDIUM AIX system must require authentication upon booting into single-user and maintenance modes. This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
SV-101675r1_rule AIX7-00-002102 CCI-000366 MEDIUM On AIX, the SSH server must not permit root logins using remote access programs. Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
SV-101677r1_rule AIX7-00-001030 CCI-000366 MEDIUM AIX system must prevent the root account from directly logging in except from the system console. Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device. A common attack method of potential hackers is to obtain the root password. To avoid this type of attack, disable direct access to the root ID and then require system administrators to obtain root privileges by using the su - command. In addition to permitting removal of the root user as a point of attack, restricting direct root access permits monitoring which users gained root access, as well as the time of their action. Do this by viewing the /var/adm/sulog file. Another alternative is to enable system auditing, which will report this type of activity. To disable remote login access for the root user, edit the /etc/security/user file. Specify False as the rlogin value on the entry for root.
SV-101679r1_rule AIX7-00-003030 CCI-000366 MEDIUM AIX system must restrict the ability to switch to the root user to members of a defined group. Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials.
SV-101681r1_rule AIX7-00-001135 CCI-000366 MEDIUM If the SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf config file. Using the default SNMP password increases the chance of a security vulnerability in the SNMP service.
SV-101683r1_rule AIX7-00-002111 CCI-000366 MEDIUM AIX SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.
SV-101685r1_rule AIX7-00-002077 CCI-000366 MEDIUM The inetd.conf file on AIX must be owned by root and system group. Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
SV-101687r1_rule AIX7-00-001031 CCI-000366 MEDIUM All AIX public directories must be owned by root or an application account. If a public directory has the sticky bit set and is not owned by a privileged UID, unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage (e.g., /tmp), and for directories requiring global read/write access.
SV-101689r1_rule AIX7-00-001055 CCI-000366 MEDIUM All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions. When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to provide the appropriate level of non-privileged access.
SV-101691r1_rule AIX7-00-001056 CCI-000366 MEDIUM AIX nosuid option must be enabled on all NFS client mounts. Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users with unprivileged access to the local system may be able to acquire privileged access by executing suid or sgid files located on the mounted NFS file system.
SV-101693r1_rule AIX7-00-002078 CCI-000366 MEDIUM AIX cron and crontab directories must be owned by root or bin. Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron or crontab directories to root or to bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.
SV-101695r1_rule AIX7-00-002079 CCI-000366 MEDIUM AIX audio devices must be group-owned by root, sys, bin, or system. Without privileged group owners, audio devices will be vulnerable to being used as eavesdropping devices by malicious users or intruders to possibly listen to conversations containing sensitive information.
SV-101697r1_rule AIX7-00-003013 CCI-000366 MEDIUM AIX passwd.nntp file must have mode 0600 or less permissive. File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users.
SV-101699r1_rule AIX7-00-002081 CCI-000366 MEDIUM AIX time synchronization configuration file must be owned by root. A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system account, unauthorized modifications could result in the failure of time synchronization.
SV-101701r1_rule AIX7-00-002082 CCI-000366 MEDIUM AIX time synchronization configuration file must be group-owned by bin or system. A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not group-owned by a system group, unauthorized modifications could result in the failure of time synchronization.
SV-101703r1_rule AIX7-00-002090 CCI-000366 MEDIUM AIX time synchronization configuration file must have mode 0640 or less permissive. A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. File permissions more permissive than 0640 on the time synchronization configuration file may allow system intruders or malicious users to access and change the configuration file, which could result in the failure of time synchronization.
SV-101705r1_rule AIX7-00-001032 CCI-000366 MEDIUM AIX administrative accounts must not run a web browser, except as needed for local service administration. If a web browser flaw is exploited while running as a privileged user, the entire system could be compromised. Specific exceptions for local service administration should be documented in site-defined policy. These exceptions may include HTTP(S)-based tools used for the administration of the local system, services, or attached devices. Examples of possible exceptions are HP’s System Management Homepage (SMH), the CUPS administrative interface, and Sun's StorageTek Common Array Manager (CAM) when these services are running on the local system.
SV-101707r1_rule AIX7-00-001033 CCI-000366 MEDIUM AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. To centralize the management of privileged account crontabs, root is the only default system account that may have a crontab.
SV-101709r1_rule AIX7-00-002083 CCI-000366 MEDIUM The AIX /etc/group file must be owned by root. The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
SV-101711r1_rule AIX7-00-002084 CCI-000366 MEDIUM The AIX /etc/group file must be group-owned by security. The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
SV-101713r1_rule AIX7-00-002091 CCI-000366 MEDIUM The AIX /etc/group file must have mode 0644 or less permissive. The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
SV-101715r1_rule AIX7-00-003015 CCI-000366 MEDIUM The AIX /etc/group file must not have an extended ACL. The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
SV-101717r1_rule AIX7-00-003016 CCI-000366 MEDIUM The AIX ldd command must be disabled. The ldd command provides a list of dependent libraries needed by a given binary, which is useful for troubleshooting software. Instead of parsing the binary file, some ldd implementations invoke the program with a special environment variable set, which causes the system dynamic linker to display the list of libraries. Specially crafted binaries can specify an alternate dynamic linker which may cause a program to be executed instead of examined. If the program is from an untrusted source, such as in a user home directory, or a file suspected of involvement in a system compromise, unauthorized software may be executed with the rights of the user running ldd.
SV-101719r1_rule AIX7-00-001034 CCI-000366 MEDIUM The AIX root account must not have world-writable directories in its executable search path. If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and inadvertently run by root with all of root's privileges.
SV-101721r1_rule AIX7-00-001035 CCI-000366 MEDIUM The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID. Reserved GIDs are typically used by system software packages. If non-system groups have GIDs in this range, they may conflict with system software, possibly leading to the group having permissions to modify system files.
SV-101723r1_rule AIX7-00-003033 CCI-000366 MEDIUM All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. If a user is assigned the GID of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended rights to the group.
SV-101725r1_rule AIX7-00-003034 CCI-000366 MEDIUM All AIX files and directories must have a valid owner. Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
SV-101727r1_rule AIX7-00-003035 CCI-000366 MEDIUM The sticky bit must be set on all public directories on AIX systems. Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage - such as /tmp - and for directories requiring global read/write access.
SV-101729r1_rule AIX7-00-003036 CCI-000366 MEDIUM The AIX global initialization files must contain the mesg -n or mesg n commands. The "mesg -n" command allows only the root user to send messages to your workstation, which prevents others from cluttering your display with incoming messages.
SV-101731r1_rule AIX7-00-003037 CCI-000366 MEDIUM The AIX hosts.lpd file must not contain a + character. Having the '+' character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources.
SV-101733r1_rule AIX7-00-003038 CCI-000366 MEDIUM AIX sendmail logging must not be set to less than nine in the sendmail.cf file. If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the sendmail service.
SV-101735r1_rule AIX7-00-003039 CCI-000366 MEDIUM AIX run control scripts executable search paths must contain only absolute paths. The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands.
SV-101737r1_rule AIX7-00-003110 CCI-000366 MEDIUM The /etc/shells file must exist on AIX systems. The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized, insecure shell.
SV-101739r1_rule AIX7-00-002103 CCI-000366 MEDIUM All AIX shells referenced in the passwd file must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins. The /etc/shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized, insecure shell.
SV-101741r1_rule AIX7-00-003017 CCI-000366 MEDIUM AIX NFS server must be configured to restrict file system access to local hosts. The NFS access option limits user access to the specified level. This assists in protecting exported file systems. If access is not restricted, unauthorized hosts may be able to access the system's NFS exports.
SV-101743r1_rule AIX7-00-003111 CCI-000366 MEDIUM AIX public directories must be the only world-writable directories and world-writable files must be located only in public directories. World-writable files and directories make it easy for a malicious user to place potentially compromising files on the system. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage (e.g., /tmp) and for directories requiring global read/write access.
SV-101745r1_rule AIX7-00-003112 CCI-000366 MEDIUM AIX must be configured to only boot from the system boot device. The ability to boot from removable media is the same as being able to boot into single user or maintenance mode without a password. This ability could allow a malicious user to boot the system and perform changes possibly compromising or damaging the system. It could also allow the system to be used for malicious purposes by a malicious anonymous user.
SV-101747r1_rule AIX7-00-003113 CCI-000366 MEDIUM AIX must not use removable media as the boot loader. Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.
SV-101749r1_rule AIX7-00-002057 CCI-000366 MEDIUM AIX audit logs must be rotated daily. Rotate audit logs daily to preserve audit file system space and to conform to the DoD/DISA requirement. If it is not rotated daily and moved to another location, then there is more of a chance for the compromise of audit data by malicious users.
SV-101751r1_rule AIX7-00-003114 CCI-000366 LOW If the AIX host is running an SMTP service, the SMTP greeting must not provide version information. The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version.
SV-101753r1_rule AIX7-00-003115 CCI-000366 LOW AIX must contain no .forward files. The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops which could degrade system performance.
SV-101755r1_rule AIX7-00-002131 CCI-000366 MEDIUM AIX must implement a remote syslog server that is documented using site-defined procedures. If a remote log host is in use and it has not been justified and documented, sensitive information could be obtained by unauthorized users without the administrator’s knowledge. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
SV-101757r1_rule AIX7-00-002063 CCI-000366 MEDIUM AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router. If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks.
SV-101759r1_rule AIX7-00-003116 CCI-000366 MEDIUM The sendmail server must have the debug feature disabled on AIX systems. Debug mode is a feature present in older versions of Sendmail which, if not disabled, may allow an attacker to gain access to a system through the Sendmail service.
SV-101761r1_rule AIX7-00-003117 CCI-000366 MEDIUM SMTP service must not have the EXPN or VRFY features active on AIX systems. The SMTP EXPN function allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. EXPN may also provide additional information concerning users on the system, such as the full names of account owners. The VRFY (Verify) command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. VRFY may provide additional information about users on the system, such as the full names of account owners.
SV-101763r1_rule AIX7-00-001036 CCI-000366 MEDIUM UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems. Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, possibly leading to the user having permissions to modify system files.
SV-101765r1_rule AIX7-00-001136 CCI-000366 MEDIUM AIX must require passwords to contain no more than three consecutive repeating characters. Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
SV-101767r1_rule AIX7-00-003120 CCI-000366 MEDIUM All global initialization file executable search paths must contain only absolute paths. Failure to restrict system access to authenticated users negatively impacts operating system security.
SV-101769r1_rule AIX7-00-001047 CCI-000366 MEDIUM The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups. A plus (+) in system accounts files causes the system to lookup the specified entry using NIS. If the system is not using NIS, no such entries should exist.
SV-101771r1_rule AIX7-00-003093 CCI-000366 MEDIUM AIX process core dumps must be disabled. A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
SV-101773r1_rule AIX7-00-003122 CCI-000366 MEDIUM The SMTP service HELP command must not be enabled on AIX. The HELP command should be disabled to mask version information. The version of the SMTP service software could be used by attackers to target vulnerabilities present in specific software versions.
SV-101775r1_rule AIX7-00-002132 CCI-000366 MEDIUM The AIX syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures. Unintentionally running a syslog server accepting remote messages puts the system at increased risk. Malicious syslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage, leading to a Denial of Service.
SV-101777r1_rule AIX7-00-002112 CCI-000366 MEDIUM The AIX SSH daemon must be configured for IP filtering. The SSH daemon must be configured for IP filtering to provide a layered defense against connection attempts from unauthorized addresses.
SV-101779r1_rule AIX7-00-002064 CCI-000366 MEDIUM IP forwarding for IPv4 must not be enabled on AIX unless the system is a router. IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
SV-101781r1_rule AIX7-00-003123 CCI-000366 MEDIUM NIS maps must be protected through hard-to-guess domain names on AIX. The use of hard-to-guess NIS domain names provides additional protection from unauthorized access to the NIS directory information.
SV-101783r1_rule AIX7-00-003124 CCI-000366 MEDIUM The AIX system's access control program must be configured to grant or deny system access to specific hosts. If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.
SV-101785r1_rule AIX7-00-001037 CCI-000366 MEDIUM The AIX root account's list of preloaded libraries must be empty. The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded.
SV-101787r1_rule AIX7-00-003125 CCI-000366 MEDIUM All AIX files and directories must have a valid group owner. Failure to restrict system access to authenticated users negatively impacts operating system security.
SV-101789r1_rule AIX7-00-003126 CCI-000366 MEDIUM AIX control scripts' library search paths must contain only absolute paths. The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.
SV-101791r1_rule AIX7-00-003127 CCI-000366 MEDIUM The control script lists of preloaded libraries must contain only absolute paths on AIX systems. The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded.
SV-101793r1_rule AIX7-00-003128 CCI-000366 MEDIUM The global initialization file lists of preloaded libraries must contain only absolute paths on AIX. The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded.
SV-101795r1_rule AIX7-00-003129 CCI-000366 MEDIUM The local initialization file library search paths must contain only absolute paths on AIX. The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is interpreted as the current working directory.
SV-101797r1_rule AIX7-00-003130 CCI-000366 MEDIUM The local initialization file lists of preloaded libraries must contain only absolute paths on AIX. The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries.
SV-101799r1_rule AIX7-00-001139 CCI-000366 MEDIUM AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option. The nodev (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system not containing approved device files. Device files can provide direct access to system hardware and can compromise security if not protected.
SV-101801r1_rule AIX7-00-003094 CCI-000366 MEDIUM AIX kernel core dumps must be disabled unless needed. Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial of Service by exhausting the available space on the target file system. The kernel core dump process may increase the amount of time a system is unavailable due to a crash. Kernel core dumps can be useful for kernel debugging.
SV-101803r1_rule AIX7-00-002113 CCI-000366 MEDIUM The AIX SSH daemon must not allow compression. If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
SV-101805r1_rule AIX7-00-002065 CCI-000366 MEDIUM AIX must be configured with a default gateway for IPv6 if the system uses IPv6 unless the system is a router. If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks.
SV-101807r1_rule AIX7-00-002066 CCI-000366 MEDIUM AIX must not have IP forwarding for IPv6 enabled unless the system is an IPv6 router. If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.
SV-101809r1_rule AIX7-00-003131 CCI-000366 MEDIUM AIX package management tool must be used daily to verify system software. Verification using the system package management tool can be used to determine that system software has not been tampered with. This requirement is not applicable to systems not using package management tools.
SV-101813r1_rule AIX7-00-003132 CCI-000366 MEDIUM The AIX DHCP client must not send dynamic DNS updates. Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.
SV-101815r1_rule AIX7-00-003133 CCI-000366 MEDIUM AIX must not run any routing protocol daemons unless the system is a router. Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
SV-101817r1_rule AIX7-00-003134 CCI-000366 MEDIUM AIX must not process ICMP timestamp requests. The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system.
SV-101819r1_rule AIX7-00-003135 CCI-000366 MEDIUM AIX must not respond to ICMPv6 echo requests sent to a broadcast address. Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks.
SV-101821r1_rule AIX7-00-002096 CCI-000366 MEDIUM AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required. The AIX Encrypted File System (EFS) provides J2 filesystem-level encryption through individual key stores. This allows for file encryption in order to protect confidential data from attackers with physical access to the computer. User authentication and access control lists can protect files from unauthorized access (even from the root user) while the operating system is running. Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000405-GPOS-00184, SRG-OS-000404-GPOS-00183
SV-101823r1_rule AIX7-00-002114 CCI-000366 MEDIUM AIX must turn on SSH daemon privilege separation. SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.
SV-101825r1_rule AIX7-00-002115 CCI-000366 MEDIUM AIX must turn on SSH daemon reverse name checking. If reverse name checking is off, SSH may allow a remote attacker to circumvent security policies and attempt to or actually login from IP addresses that are not permitted to access resources.
SV-101827r1_rule AIX7-00-002116 CCI-000366 MEDIUM AIX SSH daemon must perform strict mode checking of home directory configuration files. If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
SV-101829r1_rule AIX7-00-002117 CCI-000366 MEDIUM AIX must turn off X11 forwarding for the SSH daemon. X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed.
SV-101831r1_rule AIX7-00-002118 CCI-000366 MEDIUM AIX must turn off TCP forwarding for the SSH daemon. SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.
SV-101833r1_rule AIX7-00-003137 CCI-000366 MEDIUM AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.
SV-101835r1_rule AIX7-00-001038 CCI-000366 HIGH AIX must not have accounts configured with blank or null passwords. If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured without a password, the entire system may be compromised. For user accounts not using password authentication, the account must be configured with a password lock value instead of a blank or null value.
SV-101837r1_rule AIX7-00-003138 CCI-000366 MEDIUM There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the AIX system. Trust files are convenient, but when used in conjunction with the remote login services, they can allow unauthenticated access to a system.
SV-101839r1_rule AIX7-00-003139 CCI-000366 MEDIUM The .rhosts file must not be supported in AIX PAM. .rhosts files are used to specify a list of hosts permitted remote access to a particular account without authenticating. The use of such a mechanism defeats strong identification and authentication requirements.
SV-101841r1_rule AIX7-00-002120 CCI-000366 MEDIUM The AIX SSH daemon must be configured to disable empty passwords. When password authentication is allowed, PermitEmptyPasswords specifies whether the server allows login to accounts with empty password strings. If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
SV-101843r1_rule AIX7-00-002121 CCI-000366 MEDIUM The AIX SSH daemon must be configured to disable user .rhosts files. Trusting .rhosts files means a compromise on one host can allow an attacker to move trivially to other hosts.
SV-101845r1_rule AIX7-00-002122 CCI-000366 MEDIUM The AIX SSH daemon must be configured to not use host-based authentication. SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
SV-101847r1_rule AIX7-00-002123 CCI-000366 MEDIUM The AIX SSH daemon must not allow RhostsRSAAuthentication. If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific authentication.
SV-101849r1_rule AIX7-00-003140 CCI-000366 MEDIUM The AIX root user home directory must not be the root directory (/). Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places in its default directory. It also gives root the same discretionary access control for root's home directory as for the other plain user home directories.
SV-101851r1_rule AIX7-00-001039 CCI-000366 MEDIUM The AIX root account's home directory (other than /) must have mode 0700. Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
SV-101853r1_rule AIX7-00-003141 CCI-000366 MEDIUM All AIX interactive users must be assigned a home directory in the passwd file and the directory must exist. All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory. This could create a Denial of Service because the user would not be able to perform useful tasks in this location.
SV-101857r1_rule AIX7-00-003018 CCI-000366 MEDIUM All AIX users' home directories must have mode 0750 or less permissive. Excessive permissions on home directories allow unauthorized access to user files.
SV-101859r1_rule AIX7-00-002085 CCI-000366 MEDIUM All AIX interactive users' home directories must be owned by their respective users. System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
SV-101861r1_rule AIX7-00-002086 CCI-000366 MEDIUM All AIX interactive users' home directories must be group-owned by the home directory owner's primary group. If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.
SV-101863r1_rule AIX7-00-001040 CCI-000366 MEDIUM The AIX root account's home directory must not have an extended ACL. Excessive permissions on the root home directory allow unauthorized access to root user files.
SV-101865r1_rule AIX7-00-003019 CCI-000366 MEDIUM The AIX user home directories must not have extended ACLs. Excessive permissions on home directories allow unauthorized access to user files.
SV-101867r1_rule AIX7-00-002087 CCI-000366 MEDIUM All files and directories contained in users' home directories on AIX must be group-owned by a group in which the home directory owner is a member. If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.
SV-101869r1_rule AIX7-00-003143 CCI-000366 MEDIUM AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
SV-101871r1_rule AIX7-00-002124 CCI-000366 MEDIUM If AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses. The SSH daemon should only listen on the approved listening IP addresses. Otherwise the SSH service could be subject to unauthorized access.
SV-101873r1_rule AIX7-00-002016 CCI-000018 MEDIUM AIX must provide audit record generation functionality for DoD-defined auditable events. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which AIX will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful login attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logins from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000051-GPOS-00024, SRG-OS-000064-GPOS-00033, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000277-GPOS-00107, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000327-GPOS-00127, SRG-OS-000364-GPOS-00151, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222
SV-102347r1_rule AIX7-00-001025 CCI-000778 MEDIUM AIX must configure the ttys value for all interactive users. A user's "ttys" attribute controls from which device(s) the user can authenticate and log in. If the "ttys" attribute is not specified, all terminals can access the user account.
SV-103029r1_rule AIX7-00-003200 CCI-000765 MEDIUM The AIX operating system must use Multi Factor Authentication. To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160
SV-103031r1_rule AIX7-00-003201 CCI-000366 MEDIUM The AIX operating system must be configured to authenticate using Multi Factor Authentication. To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
SV-103033r1_rule AIX7-00-003202 CCI-000366 MEDIUM The AIX operating system must be configured to use Multi Factor Authentication for remote connections. To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
SV-103035r1_rule AIX7-00-003203 CCI-000366 MEDIUM AIX must have the PowerSC Multi Factor Authentication Product configured. To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
SV-103037r1_rule AIX7-00-003204 CCI-000366 MEDIUM The AIX operating system must be configured to use a valid server_ca.pem file. To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
SV-103039r1_rule AIX7-00-003205 CCI-001953 MEDIUM The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials. The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. Satisfies: SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162