IBM AIX 7.x Security Technical Implementation Guide

Version

AIX7-00-001018

Vuln IDs

V-215183
V-91475

Rule IDs

SV-215183r508663_rule
SV-101573

Restricting permissions will protect the files from unauthorized modification.

Checks: C-16381r294000_chk

Check the ownership of system files, programs, and directories by running the following command: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any of the system files, programs, or directories are not owned by a system account, this is a finding. Note: For this check, the system-provided "ipsec" user is considered to be a system account.

Fix: F-16379r294001_fix

Change the owner of public directories to "root" or an application account using the following command: # chown root </public/directory> Note: Replace "root" with an application user as necessary.

b

AIX device files and directories must only be writable by users with a system account or as configured by the vendor.

CM-5 - Medium - CCI-001499 - V-215184 - SV-215184r508663_rule

RMF Control

CM-5

Severity

M

CCI

Version

AIX7-00-001019

Vuln IDs

V-215184
V-91483

Rule IDs

SV-215184r508663_rule
SV-101581

System device files in writable directories could be modified, removed, or used by an unprivileged user to control system hardware.

Checks: C-16382r294003_chk

Find all device files existing anywhere on the system using commands: # find / -type b -print | xargs ls -l > devicelistB # find / -type c -print | xargs ls -l > devicelistC Look at devicelistB and devicelistC files to check the permissions on the device files and directories above the subdirectories containing device files. If any of the device files or their parent directories are world-writable, excepting device files specifically intended to be world-writable, such as "/dev/null", this is a finding.

Fix: F-16380r294004_fix

Remove the world-writable permission from the device file(s) using command: # chmod o-w <device file>

b

AIX must configure the ttys value for all interactive users.

IA-3 - Medium - CCI-000778 - V-215186 - SV-215186r538429_rule

RMF Control

IA-3

Severity

M

CCI

CCI-000778

Version

AIX7-00-001025

Vuln IDs

V-215186
V-92245

Rule IDs

SV-215186r538429_rule
SV-102347

A user's "ttys" attribute controls from which device(s) the user can authenticate and log in. If the "ttys" attribute is not specified, all terminals can access the user account.

Checks: C-16384r569508_chk

Verify that the default "ttys" value is set for all users: # lssec -f /etc/security/user -s default -a ttys default ttys=ALL If the value returned is not "ttys=ALL", this is a finding. From the command prompt, run the following command to check "ttys" attribute value for all accounts: # lsuser -a ttys ALL The above command should yield the following output: root ttys=ALL user1 ttys=ALL user2 ttys=ALL user3 ttys=ALL If any interactive user account does not have "ttys=ALL", this is a finding.

Fix: F-16382r569436_fix

From the command prompt, run the following command to set "ttys=ALL" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a ttys=ALL Run the following command to recheck "ttys" values for all users: # lsuser -a ttys ALL For each interactive user who does not have "ttys=ALL", set the value of "ttys" to "ALL" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a ttys=ALL

b

AIX must provide the lock command to let users retain their session lock until users are reauthenticated.

AC-11 - Medium - CCI-000056 - V-215187 - SV-215187r508663_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000056

Version

AIX7-00-001028

Vuln IDs

V-215187
V-91229

Rule IDs

SV-215187r508663_rule
SV-101329

All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecure poses a potential security hazard. To lock the terminal, use the lock command.

Checks: C-16385r294012_chk

Check the system to determine if "bos.rte.security" is installed: # lslpp -L bos.rte.security Fileset Level State Type Description (Uninstaller) ---------------------------------------------------------------------------- bos.rte.security 7.2.1.1 C F Base Security Function If the "bos.rte.security" fileset is not installed, this is a finding. Check if lock command exist using the following command: # ls /usr/bin/lock The above command should display the following: /usr/bin/lock If the above command does not show that "/usr/bin/lock" exists, this is a finding.

Fix: F-16383r294013_fix

Install "bos.rte.security" fileset from the AIX DVD Volume 1 using the following command (assuming that the DVD device is mounted to /dev/cd0): # installp -aXYgd /dev/cd0 -e /tmp/install.log bos.rte.security

b

AIX must provide xlock command in the CDE environment to let users retain their sessions lock until users are reauthenticated.

AC-11 - Medium - CCI-000056 - V-215188 - SV-215188r508663_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000056

Version

AIX7-00-001029

Vuln IDs

V-215188
V-91231

Rule IDs

SV-215188r508663_rule
SV-101331

All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecure poses a potential security hazard. If the interface is AIXwindows (CDE), use the xlock command to lock the sessions.

Checks: C-16386r294015_chk

If AIX CDE (X11) is not used, this is Not Applicable. Check the system to determine if "X11.apps.clients" is installed: # lslpp -L X11.apps.clients If the "X11.apps.clients" fileset is not installed, this is a finding. Check if "xlock" command exists using the following command: # ls /usr/bin/X11/xlock The above command should display the following: /usr/bin/X11/xlock If the above command does not show that "/usr/bin/X11/xlock" exists, this is a finding.

Fix: F-16384r294016_fix

Install "X11.apps.clients" fileset from the AIX DVD Volume 1 using the following command (assuming that the DVD is mounted to/dev/cd0): # installp -aXYgd /dev/cd0 -e /tmp/install.log X11.apps.clients

b

AIX system must prevent the root account from directly logging in except from the system console.

CM-6 - Medium - CCI-000366 - V-215189 - SV-215189r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001030

Vuln IDs

V-215189
V-91579

Rule IDs

SV-215189r508663_rule
SV-101677

Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device. A common attack method of potential hackers is to obtain the root password. To avoid this type of attack, disable direct access to the root ID and then require system administrators to obtain root privileges by using the su - command. In addition to permitting removal of the root user as a point of attack, restricting direct root access permits monitoring which users gained root access, as well as the time of their action. Do this by viewing the /var/adm/sulog file. Another alternative is to enable system auditing, which will report this type of activity. To disable remote login access for the root user, edit the /etc/security/user file. Specify False as the rlogin value on the entry for root.

Checks: C-16387r294018_chk

Check the remote login ability of the root account using command: # lsuser -a rlogin root root rlogin=false If the "rlogin" value is not "false", this is a finding.

Fix: F-16385r294019_fix

From the command prompt, run the following command to set "rlogin=false" for the root stanza in "/etc/security/user": # chsec -f /etc/security/user -s root -a rlogin=false

b

All AIX public directories must be owned by root or an application account.

CM-6 - Medium - CCI-000366 - V-215190 - SV-215190r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001031

Vuln IDs

V-215190
V-91589

Rule IDs

SV-215190r508663_rule
SV-101687

If a public directory has the sticky bit set and is not owned by a privileged UID, unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.

Checks: C-16388r294021_chk

Check the ownership of all public directories using command: # find / -type d -perm -1002 -exec ls -ld {} \; If any public directory is not owned by "root" or an application user, this is a finding.

Fix: F-16386r294022_fix

Use the following command to change the owner to "root" for public directories: # chown root [public_dir]

b

AIX administrative accounts must not run a web browser, except as needed for local service administration.

CM-6 - Medium - CCI-000366 - V-215191 - SV-215191r808444_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001032

Vuln IDs

V-215191
V-91607

Rule IDs

SV-215191r808444_rule
SV-101705

If a web browser flaw is exploited while running as a privileged user, the entire system could be compromised. Specific exceptions for local service administration should be documented in site-defined policy. These exceptions may include HTTP(S)-based tools used for the administration of the local system, services, or attached devices. Examples of possible exceptions are HP’s System Management Homepage (SMH), the CUPS administrative interface, and Sun's StorageTek Common Array Manager (CAM) when these services are running on the local system.

Checks: C-16389r808443_chk

Inspect the root account home directory for a ".netscape" or a ".mozilla" directory using the following commands: # find /root -name .netscape # find /root -name .mozilla If none exists, this is not a finding. If a file exists, verify with the root users and the ISSO the intent of the browsing. If a file exists and use of a web browser has not been authorized, this is a finding.

Fix: F-16387r294025_fix

Enforce policy requiring administrative accounts use web browsers only for local service administration.

b

AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.

CM-6 - Medium - CCI-000366 - V-215192 - SV-215192r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001033

Vuln IDs

V-215192
V-91609

Rule IDs

SV-215192r508663_rule
SV-101707

To centralize the management of privileged account crontabs, of the default system accounts, only root may have a crontab.

Checks: C-16390r294027_chk

Check the "cron.allow" and "cron.deny" files for the system using commands: # more /var/adm/cron/cron.allow # more /var/adm/cron/cron.deny If the "cron.allow" file exists and is empty, this is a finding. If a default system account (such as bin, sys, adm, or lpd) is listed in the "cron.allow" file, or not listed in the "cron.deny" file, this is a finding.

Fix: F-16388r294028_fix

Remove default system accounts (such as bin, sys, adm, or lpd) from the "cron.allow" file, or add those accounts to the "cron.deny" file.

b

The AIX root account must not have world-writable directories in its executable search path.

CM-6 - Medium - CCI-000366 - V-215193 - SV-215193r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001034

Vuln IDs

V-215193
V-91621

Rule IDs

SV-215193r508663_rule
SV-101719

If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and inadvertently run by root with all of root's privileges.

Checks: C-16391r294030_chk

Check for world-writable permissions on all directories in the root user's executable search path: # ls -ld `echo $PATH | sed "s/:/ /g"` drwxr-xr-x 33 root system 8192 Nov 29 14:45 /etc drwxr-xr-x 3 bin bin 256 Aug 11 2017 /sbin drwxr-xr-x 4 bin bin 45056 Oct 31 12:59 /usr/bin drwxr-xr-x 1 bin bin 16 Aug 11 2017 /usr/bin/X11 drwxr-xr-x 2 bin bin 4096 Aug 11 2017 /usr/java7_64/bin drwxr-xr-x 4 bin bin 4096 Feb 17 2017 /usr/java7_64/jre/bin drwxr-xr-x 8 bin bin 49152 Oct 31 12:59 /usr/sbin drwxrwxr-x 2 bin bin 4096 Aug 11 2017 /usr/ucb If any of the directories in the "PATH" variable are world-writable, this is a finding.

Fix: F-16389r294031_fix

For each world-writable path in root's executable search path, perform one of the following. Remove the world-writable permission on the directory. Run command: # chmod o-w <path> -OR- Remove the world-writable directory from the executable search path. Identify and edit the initialization file referencing the world-writable directory and remove it from the PATH variable.

b

The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID.

CM-6 - Medium - CCI-000366 - V-215194 - SV-215194r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001035

Vuln IDs

V-215194
V-91623

Rule IDs

SV-215194r508663_rule
SV-101721

Reserved GIDs are typically used by system software packages. If non-system groups have GIDs in this range, they may conflict with system software, possibly leading to the group having permissions to modify system files.

Checks: C-16392r294033_chk

From the command prompt, run the following command: # more /etc/passwd root:!:0:0::/root:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: nobody:!:4294967294:4294967294::/: invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh srvproxy:*:203:0:Service Proxy Daemon:/home/srvproxy:/usr/bin/ksh esaadmin:*:7:0::/var/esa:/usr/bin/ksh sshd:*:212:203::/var/empty:/usr/bin/ksh doejohn:*:704:1776::/home/doej:/usr/bin/ksh Confirm all accounts with a primary GID of 99 and below are used by a system account. If a GID reserved for system accounts, 0 - 99, is used by a non-system account, this is a finding.

Fix: F-16390r294034_fix

Change the primary GID for non-system accounts that have reserved GIDs as their primary GIDs using the following command: # chuser pgrp=<non_reserved_group_name> <non_system_user_name>

b

UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems.

CM-6 - Medium - CCI-000366 - V-215195 - SV-215195r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001036

Vuln IDs

V-215195
V-91665

Rule IDs

SV-215195r508663_rule
SV-101763

Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, possibly leading to the user having permissions to modify system files.

Checks: C-16393r294036_chk

Check the UID assignments of all accounts using: # more /etc/passwd root:!:0:0::/root:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: nobody:!:4294967294:4294967294::/: invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh srvproxy:*:203:0:Service Proxy Daemon:/home/srvproxy:/usr/bin/ksh esaadmin:*:7:0::/var/esa:/usr/bin/ksh sshd:*:212:203::/var/empty:/usr/bin/ksh doej:*:704:1776::/home/doej:/usr/bin/ksh Confirm all accounts with a UID of 128 and below are used by a system account. If a UID reserved for system accounts (0-128) is used by a non-system account, this is a finding.

Fix: F-16391r294037_fix

Using the "usermod" command, change the UID numbers for non-system accounts with reserved UIDs (those less or equal to 128): # usermod -u <uid> [user_name]

b

The AIX root accounts list of preloaded libraries must be empty.

CM-6 - Medium - CCI-000366 - V-215196 - SV-215196r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001037

Vuln IDs

V-215196
V-91687

Rule IDs

SV-215196r508663_rule
SV-101785

The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded.

Checks: C-16394r294039_chk

Verify the "LDR_PRELOAD" environment variable is empty or not defined for the "root" user using command: # env | grep LDR_PRELOAD If a path is returned, this is a finding.

Fix: F-16392r294040_fix

Edit the "root" user's initialization files and remove any definition of "LDR_PRELOAD".

c

AIX must not have accounts configured with blank or null passwords.

CM-6 - High - CCI-000366 - V-215197 - SV-215197r877377_rule

RMF Control

CM-6

Severity

H

CCI

Version

AIX7-00-001038

Vuln IDs

V-215197
V-91737

Rule IDs

SV-215197r877377_rule
SV-101835

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured without a password, the entire system may be compromised. For user accounts not using password authentication, the account must be configured with a password lock value instead of a blank or null value.

Checks: C-16395r294042_chk

Verify no interactive accounts have blank passwords by running the following command: # pwdck -n ALL If any interactive account with a blank password is found, this is a finding.

Fix: F-16393r294043_fix

Configure a password for any interactive account with a blank password by running the following command: # passwd [user_name]

b

The AIX root accounts home directory (other than /) must have mode 0700.

CM-6 - Medium - CCI-000366 - V-215198 - SV-215198r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001039

Vuln IDs

V-215198
V-91753

Rule IDs

SV-215198r508663_rule
SV-101851

Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.

Checks: C-16396r294045_chk

Check the mode of the root home directory by running the following commands: # ls -ld `grep "^root" /etc/passwd | awk -F":" '{print $6}'` The above command should yield the following output: drwx------ 22 root system 4096 Sep 06 18:00 /root If the mode of the directory is not equal to "0700", this is a finding.

Fix: F-16394r294046_fix

Use the following command to change protections for the root home directory: # chmod 0700 /root.

b

The AIX root accounts home directory must not have an extended ACL.

CM-6 - Medium - CCI-000366 - V-215199 - SV-215199r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001040

Vuln IDs

V-215199
V-91765

Rule IDs

SV-215199r508663_rule
SV-101863

Excessive permissions on root home directories allow unauthorized access to root user files.

Checks: C-16397r294048_chk

Verify the "root" account's home directory has no extended ACL using command: # aclget ~root * * ACL_type AIXC * attributes: base permissions owner(root): rwx group(system): --- others: --- extended permissions disabled If extended permissions are enabled, the directory has an extended ACL, and this is a finding.

Fix: F-16395r294049_fix

Remove the extended ACL from the "root" account's home directory using command: # acledit ~root Change extended attributes to disabled.

b

AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system.

AC-8 - Medium - CCI-000048 - V-215200 - SV-215200r508663_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

AIX7-00-001041

Vuln IDs

V-215200
V-91221

Rule IDs

SV-215200r508663_rule
SV-101321

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."

Checks: C-16398r294051_chk

Check the herald is set to have the Standard Mandatory DoD Notice and Consent Banner: # lssec -f /etc/security/login.cfg -s default -a herald The above command should display the herald setting like this: default herald="You are accessing a U.S. Government (USG) Information System (IS) that\n\ris provided for USG-authorized use only.\n\r\n\rBy using this IS (which includes any device attached to this IS), you\n\rconsent to the following conditions: \n\r\n\r-The USG routinely intercepts and monitors communications on this IS\n\rfor purposes including, but not limited to, penetration testing, COMSEC\n\rmonitoring, network operations and defense, personnel misconduct (PM),\n\rlaw enforcement (LE), and counterintelligence (CI) investigations. \n\r\n\r-At any time, the USG may inspect and seize data stored on this IS. \n\r\n\r-Communications using, or data stored on, this IS are not private, are\n\rsubject to routine monitoring, interception, and search, and may be\n\rdisclosed or used for any USG-authorized purpose. \n\r\n\r-This IS includes security measures (e.g., authentication and access\n\rcontrols) to protect USG interests--not for your personal benefit or\n\rprivacy. \n\r\n\r-Notwithstanding the above, using this IS does not constitute consent\n\rto PM, LE or CI investigative searching or monitoring of the content\n\rof privileged communications, or work product, related to personal\n\rrepresentation or services by attorneys, psychotherapists, or clergy,\n\rand their assistants. Such communications and work product are private\n\rand confidential. See User Agreement for details.\n\r\n\rlogin:" If the herald string is not set, or it does not contain the Standard Mandatory DoD Notice and Consent Banner listed above, this is a finding.

Fix: F-16396r294052_fix

From the command prompt, run the following command to set the DoD banner to herald for the default stanza in the "/etc/security/login.cfg" file: # chsec -f /etc/security/login.cfg -s default -a herald="You are accessing a U.S. Government (USG) Information System (IS) that\n\ris provided for USG-authorized use only.\n\r\n\rBy using this IS (which includes any device attached to this IS), you\n\rconsent to the following conditions: \n\r\n\r-The USG routinely intercepts and monitors communications on this IS\n\rfor purposes including, but not limited to, penetration testing, COMSEC\n\rmonitoring, network operations and defense, personnel misconduct (PM),\n\rlaw enforcement (LE), and counterintelligence (CI) investigations. \n\r\n\r-At any time, the USG may inspect and seize data stored on this IS. \n\r\n\r-Communications using, or data stored on, this IS are not private, are\n\rsubject to routine monitoring, interception, and search, and may be\n\rdisclosed or used for any USG-authorized purpose. \n\r\n\r-This IS includes security measures (e.g., authentication and access\n\rcontrols) to protect USG interests--not for your personal benefit or\n\rprivacy. \n\r\n\r-Notwithstanding the above, using this IS does not constitute consent\n\rto PM, LE or CI investigative searching or monitoring of the content\n\rof privileged communications, or work product, related to personal\n\rrepresentation or services by attorneys, psychotherapists, or clergy,\n\rand their assistants. Such communications and work product are private\n\rand confidential. See User Agreement for details.\n\r\n\rlogin:"

b

The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX.

AC-8 - Medium - CCI-000048 - V-215201 - SV-215201r508663_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

AIX7-00-001042

Vuln IDs

V-215201
V-91223

Rule IDs

SV-215201r508663_rule
SV-101323

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."

Checks: C-16399r294054_chk

If AIX CDE (X11) is not used, this is Not Applicable. Check if file "/etc/dt/config/en_US/Xresources" exists: # ls /etc/dt/config/en_US/Xresources If the file does not exist, this is a finding. Check if the "Dtlogin*greeting.labelString" is set to the Standard Mandatory DoD Notice and Consent Banner: # grep "Dtlogin*greeting.labelString" /etc/dt/config/en_US/Xresources The above command should display the following: Dtlogin*greeting.labelString: You are accessing a U.S. Government (USG) Information System (IS) that\nis provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you\nconsent to the following conditions: \n\n-The USG routinely intercepts and monitors communications on this IS\nfor purposes including, but not limited to, penetration testing, COMSEC\nmonitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations. \n\n-At any time, the USG may inspect and seize data stored on this IS. \n\n-Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose. \n\n-This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or\nprivacy. \n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content\nof privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy,\nand their assistants. Such communications and work product are private\nand confidential. See User Agreement for details. If the "Dtlogin*greeting.labelString" variable is not set, or the label string does not contain the Standard Mandatory DoD Notice and Consent Banner, this is a finding.

Fix: F-16397r294055_fix

Edit the "Xresources" file to configure the system to display one of the DoD login banners (based on the character limitations imposed by the system) prior to, or as part of, the graphical desktop environment login process. For "Dtlogin", change the variable "Dtlogin*greeting.labelString:" in "Xresources" file. # cp /usr/dt/config/C/Xresources /etc/dt/config/en_US/Xresources # vi /etc/dt/config/en_US/Xresources Set variable "Dtlogin*greeting.labelString" as the following: Dtlogin*greeting.labelString: You are accessing a U.S. Government (USG) Information System (IS) that\nis provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you\nconsent to the following conditions: \n\n-The USG routinely intercepts and monitors communications on this IS\nfor purposes including, but not limited to, penetration testing, COMSEC\nmonitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations. \n\n-At any time, the USG may inspect and seize data stored on this IS. \n\n-Communications using, or data stored on, this IS are not private, are\nsubject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose. \n\n-This IS includes security measures (e.g., authentication and access\ncontrols) to protect USG interests--not for your personal benefit or\nprivacy. \n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content\nof privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy,\nand their assistants. Such communications and work product are private\nand confidential. See User Agreement for details. Save the above change to "Xresources" file.

b

The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX.

AC-8 - Medium - CCI-000048 - V-215202 - SV-215202r508663_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

AIX7-00-001043

Vuln IDs

V-215202
V-91225

Rule IDs

SV-215202r508663_rule
SV-101325

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."

Checks: C-16400r294057_chk

Check if file "/etc/motd.ssh" exists: # ls /etc/motd.ssh If the file does not exist, this is a finding. Check if "/etc/motd.ssh" contains The Standard Mandatory DoD Notice and Consent Banner: # cat /etc/motd.ssh The above command should display the following Standard Mandatory DoD Notice and Consent Banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the Standard Mandatory DoD Notice and Consent Banner is not displayed by the "cat" command, this is a finding. Check if /etc/motd.ssh is used as banner file in SSH config file: # grep -i "Banner /etc/motd.ssh" /etc/motd.ssh If the above grep command does not find "Banner /etc/motd.ssh" in the "/etc/motd.ssh" file, this is a finding.

Fix: F-16398r294058_fix

Create file "/etc/motd.ssh" to contain the following: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Modify "/etc/ssh/sshd_config" to contain the following line: Banner /etc/motd.ssh Restart the SSH daemon by running the following commands: # stopsrc -s sshd # startsrc -s sshd

b

Any publically accessible connection to AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

AC-8 - Medium - CCI-001384 - V-215203 - SV-215203r508663_rule

RMF Control

AC-8

Severity

M

CCI

CCI-001384

Version

AIX7-00-001044

Vuln IDs

V-215203
V-91459

Rule IDs

SV-215203r508663_rule
SV-101557

Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."

Checks: C-16401r294060_chk

Check the herald is set to have the Standard Mandatory DoD Notice and Consent Banner: # lssec -f /etc/security/login.cfg -s default -a herald The above command should display the herald setting like this: default herald="You are accessing a U.S. Government (USG) Information System (IS) that\n\ris provided for USG-authorized use only.\n\r\n\rBy using this IS (which includes any device attached to this IS), you\n\rconsent to the following conditions: \n\r\n\r-The USG routinely intercepts and monitors communications on this IS\n\rfor purposes including, but not limited to, penetration testing, COMSEC\n\rmonitoring, network operations and defense, personnel misconduct (PM),\n\rlaw enforcement (LE), and counterintelligence (CI) investigations. \n\r\n\r-At any time, the USG may inspect and seize data stored on this IS. \n\r\n\r-Communications using, or data stored on, this IS are not private, are\n\rsubject to routine monitoring, interception, and search, and may be\n\rdisclosed or used for any USG-authorized purpose. \n\r\n\r-This IS includes security measures (e.g., authentication and access\n\rcontrols) to protect USG interests--not for your personal benefit or\n\rprivacy. \n\r\n\r-Notwithstanding the above, using this IS does not constitute consent\n\rto PM, LE or CI investigative searching or monitoring of the content\n\rof privileged communications, or work product, related to personal\n\rrepresentation or services by attorneys, psychotherapists, or clergy,\n\rand their assistants. Such communications and work product are private\n\rand confidential. See User Agreement for details.\n\r\n\rlogin:" If the herald string is not set, or it does not contain the Standard Mandatory DoD Notice and Consent Banner listed above, this is a finding.

Fix: F-16399r294061_fix

From the command prompt, run the following command to set the DoD banner to herald for the default stanza in /etc/security/login.cfg: # chsec -f /etc/security/login.cfg -s default -a herald="You are accessing a U.S. Government (USG) Information System (IS) that\n\ris provided for USG-authorized use only.\n\r\n\rBy using this IS (which includes any device attached to this IS), you\n\rconsent to the following conditions: \n\r\n\r-The USG routinely intercepts and monitors communications on this IS\n\rfor purposes including, but not limited to, penetration testing, COMSEC\n\rmonitoring, network operations and defense, personnel misconduct (PM),\n\rlaw enforcement (LE), and counterintelligence (CI) investigations. \n\r\n\r-At any time, the USG may inspect and seize data stored on this IS. \n\r\n\r-Communications using, or data stored on, this IS are not private, are\n\rsubject to routine monitoring, interception, and search, and may be\n\rdisclosed or used for any USG-authorized purpose. \n\r\n\r-This IS includes security measures (e.g., authentication and access\n\rcontrols) to protect USG interests--not for your personal benefit or\n\rprivacy. \n\r\n\r-Notwithstanding the above, using this IS does not constitute consent\n\rto PM, LE or CI investigative searching or monitoring of the content\n\rof privileged communications, or work product, related to personal\n\rrepresentation or services by attorneys, psychotherapists, or clergy,\n\rand their assistants. Such communications and work product are private\n\rand confidential. See User Agreement for details.\n\r\n\rlogin:"

c

IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server.

IA-5 - High - CCI-000197 - V-215204 - SV-215204r877396_rule

RMF Control

IA-5

Severity

H

CCI

Version

AIX7-00-001045

Vuln IDs

V-215204
V-91297

Rule IDs

SV-215204r877396_rule
SV-101395

While LDAP client's authentication type is ldap_auth (server-side authentication), the client sends password to the server in clear text for authentication. SSL must be used in this case.

Checks: C-16402r294063_chk

Run the following command to check if "authtype" is "ldap_auth": # grep -iE "^authtype:[[:blank:]]*ldap_auth" /etc/security/ldap/ldap.cfg The above command should yield the following output: authtype:ldap_auth Run the following command to check if SSL is not used in the "/etc/security/ldap/ldap.cfg" file: # grep -iE "^useSSL:[[:blank:]]*yes" /etc/security/ldap/ldap.cfg The above command should yield the following output: useSSL:yes If the first command displays "authtype:ldap_auth" but the second command does not display "useSSL:yes", this is a finding.

Fix: F-16400r294064_fix

Edit the "/etc/security/ldap/ldap.cfg" file to have the following line: useSSL:yes Configure the LDAP server and LDAP client to use the SSL according to AIX LDAP documentation. Restart the client daemon: # restart-secldapclntd

b

If LDAP authentication is required, AIX must setup LDAP client to refresh user and group caches less than a day.

IA-5 - Medium - CCI-002007 - V-215205 - SV-215205r853454_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002007

Version

AIX7-00-001046

Vuln IDs

V-215205
V-91547

Rule IDs

SV-215205r853454_rule
SV-101645

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Checks: C-16403r294066_chk

If LDAP authentication is not required, this is Not Applicable. Verify the "/etc/security/ldap/ldap.cfg" file to see if the following two keywords have a value that is greater than "900" seconds: # grep -i usercachetimeout /etc/security/ldap/ldap.cfg usercachetimeout: 900 # grep -i groupcachetimeout /etc/security/ldap/ldap.cfg groupcachetimeout: 900 If any of the above keywords does not exist, is commented out, or any value of the above keywords are greater than "900", this is a finding.

Fix: F-16401r294067_fix

Edit the "/etc/security/ldap/ldap.cfg" file to set the following two keywords to have value of "900": usercachetimeout groupcachetimeout Restart LDAP client using command: # /usr/sbin/restart-secldapclntd

b

The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups.

CM-6 - Medium - CCI-000366 - V-215206 - SV-215206r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001047

Vuln IDs

V-215206
V-91671

Rule IDs

SV-215206r508663_rule
SV-101769

A plus (+) in system accounts files causes the system to lookup the specified entry using NIS. If the system is not using NIS, no such entries should exist.

Checks: C-16404r294069_chk

Check system configuration files for plus (+) entries using the following commands: # cat /etc/passwd | grep -v "^#" | grep "\+" # cat /etc/security/passwd | grep -v "^#" | grep "\+" # cat /etc/group | grep -v "^#" | grep "\+" If the "/etc/passwd", "/etc/security/passwd", and/or "/etc/group" files contain a plus (+) and do not define entries for NIS+ netgroups or LDAP netgroups, this is a finding.

Fix: F-16402r294070_fix

Edit "/etc/passwd", "/etc/security/passwd", and/or "/etc/group" files and remove entries containing a plus (+).

b

AIX must protect the confidentiality and integrity of all information at rest.

SC-28 - Medium - CCI-001199 - V-215207 - SV-215207r508663_rule

RMF Control

SC-28

Severity

M

CCI

CCI-001199

Version

AIX7-00-001048

Vuln IDs

V-215207
V-91449

Rule IDs

SV-215207r508663_rule
SV-101547

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.

Checks: C-16405r294072_chk

If the organization does not require to encrypt the data at rest this is Not Applicable. Check if the "clic.rte" fileset is installed: # lslpp -l |grep clic The above command should yield the following output: clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel clic.rte.lib 4.10.0.1 COMMITTED CryptoLite for C Library clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel If the "clic.rte" fileset is not installed, this is a finding. To check if a JFS2 file system (mounted as /fs2_mnt) is EFS-enabled, use the following command: # lsfs -q /fs2_mnt Name Nodename Mount Pt VFS Size Options Auto Accounting /dev/fslv00 -- /fs2_mnt jfs2 262144 -- no no (lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: no, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no) If the above command shows "EFS: no", this is a finding.

Fix: F-16403r294073_fix

Install "clic.rte" fileset if it is not installed using command: # installp -aXYqg -d /dev/cd0 clic.rte Run the follow command to initialize and enable EFS on the system: # efsenable -a To create a new EFS-enabled JFS2 file system and mount the file system, using the following commands: # crfs -v jfs2 -g rootvg -m /fs2 -a size=100M -a efs=yes # mount /fs2 To enable EFS on a JFS2 file system (like, /fs3), run the following command: chfs -a efs=yes /fs3

b

AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours.

AU-8 - Medium - CCI-001891 - V-215208 - SV-215208r877038_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001891

Version

AIX7-00-001053

Vuln IDs

V-215208
V-91523

Rule IDs

SV-215208r877038_rule
SV-101621

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144

Checks: C-16406r294075_chk

Check if time synchronization application "ntpd" is running using the command: # lssrc -s xntpd Subsystem Group PID Status xntpd tcpip 4784536 active If "ntpd" is showing "inoperative", this is a finding. Check that "ntp" server is configured using command: # grep server /etc/ntp.conf server 10.110.20.10 If the command returns no output, this is a finding. Check the poll interval is less than 24 hours using command: # grep maxpoll /etc/ntp.conf maxpoll=16 If "maxpoll" is set to larger than "16" (2^16 seconds ~= 18hr), this is a finding.

Fix: F-16404r294076_fix

Edit /etc/ntp.conf Configure ntp server by adding the following line: server server_ipaddr Set maxpoll to <value> <=16 by adding the maxpoll <value>. Restart the ntp daemon. # stopsrc -s xntpd # startsrc -s xntpd

b

All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions.

CM-6 - Medium - CCI-000366 - V-215209 - SV-215209r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001055

Vuln IDs

V-215209
V-91591

Rule IDs

SV-215209r508663_rule
SV-101689

When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to provide the appropriate level of non-privileged access.

Checks: C-16407r294078_chk

Check if the "anon" option is set correctly for exported file systems. List exported file systems using command: # exportfs -v /home/doej rw,anon=-1,access=doej Note: Each of the exported file systems should include an entry for the "anon=" option set to "-1" or an equivalent (60001, 60002, 65534, or 65535). If an appropriate "anon=" setting is not present for an exported file system, this is a finding.

Fix: F-16405r294079_fix

Edit "/etc/exports" and set the "anon=-1" option for all exported file systems without it. Re-export the file systems using command: # exportfs -a

b

AIX nosuid option must be enabled on all NFS client mounts.

CM-6 - Medium - CCI-000366 - V-215210 - SV-215210r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001056

Vuln IDs

V-215210
V-91593

Rule IDs

SV-215210r508663_rule
SV-101691

Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users with unprivileged access to the local system may be able to acquire privileged access by executing suid or sgid files located on the mounted NFS file system.

Checks: C-16408r294081_chk

Check the system for NFS mounts not using the "nosuid" option using command: # lsfs -v nfs Name Nodename Mount Pt VFS Size Options Auto Accounting /home/doej -- /mount/doej nfs 786432 -- yes no If the "mounted" file systems do not have the "nosuid option", this is a finding.

Fix: F-16406r294082_fix

Edit "/etc/filesystems" and add the "nosuid" option for all NFS file systems. Remount the NFS file systems to make the change take effect.

b

AIX must be configured to allow users to directly initiate a session lock for all connection types.

AC-11 - Medium - CCI-000058 - V-215211 - SV-215211r508663_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000058

Version

AIX7-00-001100

Vuln IDs

V-215211
V-91235

Rule IDs

SV-215211r508663_rule
SV-101335

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity.

Checks: C-16409r294084_chk

Check if the "lock" command exists by using the following command: # ls /usr/bin/lock The above command should display the following: /usr/bin/lock If the above command does not show that "/usr/bin/lock" exists, this is a finding. Check if the "xlock" command exists by using the following command: # ls /usr/bin/X11/xlock The above command should display the following: /usr/bin/X11/xlock If the above command does not show that "/usr/bin/xlock" exists, this is a finding.

Fix: F-16407r294085_fix

Install, or re-install, bos.rte.security fileset from the AIX DVD Volume 1 using the following command (assuming that the DVD device is /dev/cd0): # installp -aXYgd /dev/cd0 -e /tmp/install.log bos.rte.security

b

AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

AC-11 - Medium - CCI-000060 - V-215212 - SV-215212r508663_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000060

Version

AIX7-00-001101

Vuln IDs

V-215212
V-91237

Rule IDs

SV-215212r508663_rule
SV-101337

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.

Checks: C-16410r294087_chk

If CDE (X11) is not used on AIX, this is Not Applicable. Ensure that the screen saver and session timeout are not disabled. From the command prompt, run the following script: # AIX7-00-001101_Check.sh Note: This script is included in the STIG package. The above script should yield the following output: Checking config file /etc/dt/config/C/sys.resources... Missing config file /etc/dt/config/C/sys.resources Checking config file /etc/dt/config/POSIX/sys.resources... dtsession*saverTimeout: 15 dtsession*lockTimeout: 30 Checking config file /etc/dt/config/en_US/sys.resources... dtsession*saverTimeout: 15 dtsession*lockTimeout: 25 If the result of the script shows any config file missing, or any of the "dtsession*saverTimeout" or "dtsession*lockTimeout" values is greater than "15", this is a finding.

Fix: F-16408r294088_fix

From the command prompt, run the following script to set the default timeout parameters "dtsession*saverTimeout:" and "dtsession*lockTimeout:" as "15" minutes: # AIX7-00-001101_Fix.sh Note: This script is included in the STIG package.

c

AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

MA-4 - High - CCI-000877 - V-215213 - SV-215213r877395_rule

RMF Control

MA-4

Severity

H

CCI

CCI-000877

Version

AIX7-00-001102

Vuln IDs

V-215213
V-91439

Rule IDs

SV-215213r877395_rule
SV-101537

If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.

Checks: C-16411r294090_chk

From the command prompt, execute the following to check if "telnetd" is enabled. # lssrc -t telnet | grep active If the above command returns output, this is a finding.

Fix: F-16409r294091_fix

Disable telnet by executing the following command: # stopsrc -t telnet

b

If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.

AC-17 - Medium - CCI-001453 - V-215214 - SV-215214r877394_rule

RMF Control

AC-17

Severity

M

CCI

CCI-001453

Version

AIX7-00-001104

Vuln IDs

V-215214
V-91461

Rule IDs

SV-215214r877394_rule
SV-101559

If LDAP authentication is used, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.

Checks: C-16412r294093_chk

Run the following command to check if ldap_auth is used: # grep -iE "^authtype:[[:blank:]]*ldap_auth" /etc/security/ldap/ldap.cfg If the command has no output, this is Not Applicable. Run the following command to check if SSL is used: # grep -iE "^useSSL:[[:blank:]]*yes" /etc/security/ldap/ldap.cfg useSSL:yes If the command has no output, this is a finding.

Fix: F-16410r294094_fix

Configure the LDAP client on AIX to use the SSL. Edit /etc/security/ldap/ldap.cfg to have the following line: useSSL:yes Restart the client daemon: # secldapclntd.

b

AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.

SC-23 - Medium - CCI-002470 - V-215215 - SV-215215r853456_rule

RMF Control

SC-23

Severity

M

CCI

CCI-002470

Version

AIX7-00-001105

Vuln IDs

V-215215
V-91557

Rule IDs

SV-215215r853456_rule
SV-101655

Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.

Checks: C-16413r294096_chk

Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd. Check if the system is using LDAP authentication: # grep LDAP /etc/security/user If no lines are returned, this requirement is not applicable. Check if the useSSL option is enabled: # grep '^useSSL' /etc/security/ldap/ldap.cfg useSSL:yes If "yes" is not the returned value, this is a finding. Verify a certificate is used for client authentication to the server: # grep -i '^ldapsslkeyf' /etc/security/ldap/ldap.cfg ldapsslkeyf:/tmp/key.kdb If no line is found, this is a finding. Identify the Key Database (KDB), and its password, by asking the ISSO/SA). If no Key Database exists on the system, this is a finding. List the certificate issuer with IBM GSK: # gsk8capicmd -cert -list CA -db <KDB_FILE> -pw <KDB_PASSWORD> Make note of the client Key Label: # gsk8capicmd -cert -details -showOID -db <KDB_FILE> -pw <KDB_PASSWORD> -label <Key Label> If the certificate is not issued by DoD PKI or a DoD-approved external PKI, this is a finding. The IBM GSK Database should only have certificates for the client system and for the LDAP server. If more certificates are in the key database than the LDAP server and the client, this is a finding.

Fix: F-16411r294097_fix

Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd. Create a key database with DoD PKI or DoD-approved certificate using one of the following commands: # gsk8capicmd -keydb -create -db <KDB_FILE> -pw <KDB_PASSWORD> -type cms -stash Edit "/etc/security/ldap/ldap.cfg" and add or edit the "ldapsslkeyf" setting to reference a KDB file containing a client certificate issued by DoD PKI or a DoD-approved external PKI. Install a certificate signed by a DoD PKI or a DoD-approved external PKI using the following command: # gsk8capicmd -cert -add -db <KDB_FILE> -pw <KDB_PASSWORD> -file <CERT_FILE> -label <CERT_LABEL> Remove un-needed CA certificates using one of the following commands: # gsk8capicmd -cert -delete -db <KDB_FILE> -pw <KDB_PASSWORD> -label <CERT_LABEL> Restart LDAP client using command: # /usr/sbin/restart-secldapclntd

b

AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

IA-7 - Medium - CCI-000803 - V-215216 - SV-215216r853457_rule

RMF Control

IA-7

Severity

M

CCI

CCI-000803

Version

AIX7-00-001108

Vuln IDs

V-215216
V-91565

Rule IDs

SV-215216r853457_rule
SV-101663

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. AIX must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. OpenSSL FIPS object module is a cryptographic module that is designed to meet the requirements for FIPS 140-2 validation by CMVP and is compatible with OpenSSL libraries. The 2.0.13 FIPS object module version has been FIPS validated and certified by CMVP for multiple AIX versions on Power 7 and Power 8 platforms under certificate #2398. IBM has released a FIPS capable OpenSSL (Fileset VRMF: 20.13.102.1000), which is OpenSSL 1.0.2j version with 2.0.13 object module. The fileset is available in Web Download Pack. Satisfies: SRG-OS-000120-GPOS-00061, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176

Checks: C-16414r294099_chk

Run the following command to determine the version of OpenSSL that is installed: # lslpp -l | grep -i openssl openssl.base 20.13.704.1776 COMMITTED Open Secure Socket Layer If the OpenSSL version is older than "20.13.102.1000", this is a finding.

Fix: F-16412r294100_fix

Use the following command to uninstall the old version of OpenSSL that is not FIPS 140-2 certified, then install OpenSSL VRMF 20.13.102.1000: # smitty install

c

AIX must enforce password complexity by requiring that at least one upper-case character be used.

IA-5 - High - CCI-000192 - V-215217 - SV-215217r508663_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000192

Version

AIX7-00-001120

Vuln IDs

V-215217
V-91281

Rule IDs

SV-215217r508663_rule
SV-101379

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-16415r294102_chk

From the command prompt, run the following command to check the system default "minupperalpha" attribute value: # lssec -f /etc/security/user -s default -a minupperalpha The above command should yield the following output: default minupperalpha=1 If the default "minupperalpha" value is not set, or its value is less than "1", this is a finding. From the command prompt, run the following command to check "minupperalpha" attribute value for all accounts: # lsuser -a minupperalpha ALL The above command should yield the following output: root minupperalpha=2 user2 minupperalpha=2 user3 minupperalpha=1 If any user's "minupperalpha" value is less than "1", this is a finding.

Fix: F-16413r294103_fix

From the command prompt, run the following command to set "minupperalpha=1" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a minupperalpha=1 For each user who has "minupperalpha=0", set its "minupperalpha" to "1" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a minupperalpha=1

c

AIX must enforce password complexity by requiring that at least one lower-case character be used.

IA-5 - High - CCI-000193 - V-215218 - SV-215218r508663_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000193

Version

AIX7-00-001121

Vuln IDs

V-215218
V-91283

Rule IDs

SV-215218r508663_rule
SV-101381

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-16416r294105_chk

From the command prompt, run the following command to check the system default "minloweralpha" attribute value: # lssec -f /etc/security/user -s default -a minloweralpha default minloweralpha=1 If the "default minloweralpha" value is not set, or its value is less than "1", this is a finding. From the command prompt, run the following command to check "minloweralpha" attribute value for all accounts: # lsuser -a minloweralpha ALL root minloweralpha=1 user2 minloweralpha=2 user3 minloweralpha=1 If any user's "minloweralpha" value is less than "1", this is a finding.

Fix: F-16414r294106_fix

From the command prompt, run the following command to set "minloweralpha=1" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a minloweralpha=1 For each user who has "minloweralpha=0" set its "minloweralpha" to "1" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a minloweralpha=1

c

AIX must enforce password complexity by requiring that at least one numeric character be used.

IA-5 - High - CCI-000194 - V-215219 - SV-215219r508663_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000194

Version

AIX7-00-001122

Vuln IDs

V-215219
V-91285

Rule IDs

SV-215219r508663_rule
SV-101383

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-16417r294108_chk

From the command prompt, run the following command to check the system default "mindigit" attribute value: # lssec -f /etc/security/user -s default -a mindigit default mindigit=1 If the default "mindigit" value is not set, or its value is less than "1", this is a finding. From the command prompt, run the following command to check mindigit attribute value for all accounts: # lsuser -a mindigit ALL root mindigit=1 user2 mindigit=2 If any user's "mindigit" value is less than "1", this is a finding.

Fix: F-16415r294109_fix

From the command prompt, run the following command to set "mindigit=1" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a mindigit=1 For each user who has "mindigit=0" set its "mindigit" to "1" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a mindigit=1

c

AIX must require the change of at least 50% of the total number of characters when passwords are changed.

IA-5 - High - CCI-000195 - V-215220 - SV-215220r508663_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000195

Version

AIX7-00-001123

Vuln IDs

V-215220
V-91287

Rule IDs

SV-215220r508663_rule
SV-101385

If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters.

Checks: C-16418r294111_chk

From the command prompt, run the following command to check the system default "mindiff" attribute value: # lssec -f /etc/security/user -s default -a mindiff default mindiff=8 If the default "mindiff" value is not set, or its value is less than "8", this is a finding. From the command prompt, run the following command to check "mindiff" attribute value for all accounts: # lsuser -a mindiff ALL root mindiff=9 user1 mindiff=8 user2 mindiff=8 user3 mindiff=10 If any user's "mindiff" value is less than "8", this is a finding.

Fix: F-16416r294112_fix

From the command prompt, run the following command to set "mindiff=8" (assume that the password is at least 15-character long) for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a mindiff=8 For each user who has "mindiff" value less than "8", set its "mindiff" value to "8" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a mindiff=8

c

AIX root passwords must never be passed over a network in clear text form.

IA-5 - High - CCI-000197 - V-215221 - SV-215221r877396_rule

RMF Control

IA-5

Severity

H

CCI

Version

AIX7-00-001124

Vuln IDs

V-215221
V-91293

Rule IDs

SV-215221r877396_rule
SV-101391

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Checks: C-16419r294114_chk

Determine if root has logged in over an unencrypted network connection: # last | grep "root " | egrep -v "reboot|console" | more root pts/1 10.74.17.76 Jul 4 16:44 - 17:39 (00:54) Next, determine if the SSH daemon is running: # ps -ef |grep sshd root 3670408 6029762 0 Jan 24 - 0:00 /usr/sbin/sshd If root has logged in over the network and SSHD is not running, this is a finding.

Fix: F-16417r294115_fix

If OpenSSH server is not installed, install it from the from AIX DVD Volume 1 using the following command (assuming that the DVD device is /dev/cd0): # installp -aXYgd /dev/cd0 -e /tmp/install.log openssh.base.server Start SSH server if it is not started: # startsrc -s sshd Enable SSH on the system and use it for all remote connections used to attain root access. Disable direct root remote login: # chsec -f /etc/security/user -s root -a rlogin=false

b

AIX Operating systems must enforce 24 hours/1 day as the minimum password lifetime.

IA-5 - Medium - CCI-000198 - V-215222 - SV-215222r508663_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000198

Version

AIX7-00-001125

Vuln IDs

V-215222
V-91309

Rule IDs

SV-215222r508663_rule
SV-101407

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-16420r294117_chk

From the command prompt, run the following command to check the system default "minage" attribute value: # lssec -f /etc/security/user -s default -a minage default minage=1 If the default "minage" value is not set, or its value is less than "1", this is a finding. From the command prompt, run the following command to check "minage" attribute value for all accounts: # lsuser -a minage ALL root minage=1 user1 minage=1 user2 minage=2 If any user's "minage" value is less than "1", this is a finding.

Fix: F-16418r294118_fix

From the command prompt, run the following command to set "minage=1" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a minage=1 For each user who has "minage=0" set its "minage" to "1" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a minage=1

b

AIX Operating systems must enforce a 60-day maximum password lifetime restriction.

IA-5 - Medium - CCI-000199 - V-215223 - SV-215223r508663_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000199

Version

AIX7-00-001126

Vuln IDs

V-215223
V-91311

Rule IDs

SV-215223r508663_rule
SV-101409

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Checks: C-16421r294120_chk

From the command prompt, run the following command to check the system default "maxage" attribute value: # lssec -f /etc/security/user -s default -a maxage default maxage=8 If the default "maxage" value is not set, or its value is great than "8", or its value is set to "0", this is a finding. From the command prompt, run the following command to check "maxage" attribute value for all accounts: # lsuser -a maxage ALL root maxage=8 user1 maxage=8 user2 maxage=8 If any user does not have "maxage" set, or its "maxage" value is greater than "8", or its value is set to "0", this is a finding.

Fix: F-16419r294121_fix

From the command prompt, run the following command to set "maxage=8" (56 days) for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a maxage=8 For each user who has "maxage" value great than "8", set its "maxage" to "8" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a maxage=8

b

AIX must prohibit password reuse for a minimum of five generations.

IA-5 - Medium - CCI-000200 - V-215224 - SV-215224r508663_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000200

Version

AIX7-00-001127

Vuln IDs

V-215224
V-91313

Rule IDs

SV-215224r508663_rule
SV-101411

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Checks: C-16422r294123_chk

From the command prompt, run the following command to check the system default "histsize" attribute value: # lssec -f /etc/security/user -s default -a histsize default histsize=5 If the default "histsize" value is not set, or its value is less than "5", this is a finding. From the command prompt, run the following command to check "histsize" attribute value for all accounts: # lsuser -a histsize ALL root histsize=5 user1 histsize=5 user2 histsize=5 user3 histsize=6 If any user does not have "histsize" set, or its "histsize" value is less than "5", this is a finding.

Fix: F-16420r294124_fix

From the command prompt, run the following command to set "histsize=5" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a histsize=5 For each user who has "histsize" value less than "5", set its "histsize" to "5" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a histsize=5

c

AIX must use Loadable Password Algorithm (LPA) password hashing algorithm.

IA-5 - High - CCI-000205 - V-215225 - SV-215225r508663_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000205

Version

AIX7-00-001128

Vuln IDs

V-215225
V-91315

Rule IDs

SV-215225r508663_rule
SV-101413

The default legacy password hashing algorithm, crypt(), uses only the first 8 characters from the password string, meaning the user's password is truncated to eight characters. If the password is shorter than 8 characters, it is padded with zero bits on the right. The crypt() is a modified DES algorithm that is vulnerable to brute force password guessing attacks and also to cracking the DES-hashing algorithm by using techniques such as pre-computation. With the Loadable Password Algorithm (LPA) framework release, AIX implemented a set of LPAs using MD5, SHA2, and Blowfish algorithms. These IBM proprietary password algorithms support a password longer than 8 characters and Unicode characters in passwords.

Checks: C-16423r294126_chk

From the command prompt, run the following command to check system wide password algorithm: # lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm usw pwd_algorithm=ssha512 If the "pwd_algorithm" is not set to "ssha512", or "ssha256", this is a finding.

Fix: F-16421r294127_fix

From the command prompt, run the following command to set system wide password algorithm to "ssha512" so that it supports passwords longer than 8-character: # chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512 For each users who have hashed passwords in "/etc/security/passwd" file that does not start with "{ssha512}", run passwd commands to reset the users' passwords so that they have to change their passwords in the next login: # passwd [user_name]

c

AIX must enforce a minimum 15-character password length.

IA-5 - High - CCI-000205 - V-215226 - SV-215226r508663_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000205

Version

AIX7-00-001129

Vuln IDs

V-215226
V-91317

Rule IDs

SV-215226r508663_rule
SV-101415

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-16424r294129_chk

From the command prompt, run the following command to check the system default "minlen" attribute value: # lssec -f /etc/security/user -s default -a minlen default minlen=15 If the default "minlen" value is not set, or its value is less than "15", this is a finding. From the command prompt, run the following command to check "minlen" attribute value for all accounts: # lsuser -a minlen ALL root minlen=15 user1 minlen=20 user2 minlen=15 user3 minlen=15 If any users have "minlen" value less than "15", this is a finding.

Fix: F-16422r294130_fix

From the command prompt, run the following command to set "minlen=15" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a minlen=15 For each user who has "minlen" value less than "15", set its "minlen" to "15" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a minlen=15

b

AIX must enforce password complexity by requiring that at least one special character be used.

IA-5 - Medium - CCI-001619 - V-215227 - SV-215227r808442_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001619

Version

AIX7-00-001130

Vuln IDs

V-215227
V-91485

Rule IDs

SV-215227r808442_rule
SV-101583

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.

Checks: C-16425r808441_chk

Run the following command to check the system default value for "minspecialchar" attribute: # lssec -f /etc/security/user -s default -a minspecialchar The above command should yield the following output: default minspecialchar=1 If the default value is "0", or the default value is empty, this is a finding. From the command prompt, run the following command to check "minspecialchar" attribute value for all accounts: # lsuser -a minspecialchar ALL The above command should yield the following output: root minspecialchar=1 user1 minspecialchar=1 user2 minspecialchar=2 user3 minspecialchar=1 If any account has "minspecialchar=0", or the "minspecialchar" value is not set, this is a finding.

Fix: F-16423r294133_fix

From the command prompt, run the following command to set "minspecialchar=1" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a minspecialchar=1 Run the following command to re-check "minspecialchar" values for all users: # lsuser -a minspecialchar ALL For each user who has "minspecialchar=0", set its "minspecialchar" to "1" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a minspecialchar=1

b

AIX must implement a way to force an identified temporary user to renew their password at next login.

IA-5 - Medium - CCI-002041 - V-215228 - SV-215228r853458_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002041

Version

AIX7-00-001131

Vuln IDs

V-215228
V-91545

Rule IDs

SV-215228r853458_rule
SV-101643

Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial login. Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to log on, yet force them to change the password once they have successfully authenticated.

Checks: C-16426r294135_chk

To force a temporary user to renew their password at next login, admins can set the "flags" attribute of the user to contain "ADMCHG" flag. To check the "flags" attribute for a temporary user (<tmp_user>), using the following command: # lsuser -a flags <tmp_user> If the above command displays a "no" value for the "flags" attribute, or the value of the attribute does not contain "ADMCHG", this is a finding.

Fix: F-16424r294136_fix

Use the following command to force a temporary user (<tmp_user>) to change password at next login: # chsec -f /etc/security/passwd -s <tmp_user> -a "flags=ADMCHG"

b

AIX must prevent the use of dictionary words for passwords.

CM-6 - Medium - CCI-000366 - V-215229 - SV-215229r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001132

Vuln IDs

V-215229
V-91567

Rule IDs

SV-215229r508663_rule
SV-101665

If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

Checks: C-16427r294138_chk

From the command prompt, run the following command to check if the default "dictionlist" attribute is set: # lssec -f /etc/security/user -s default -a dictionlist The above command should yield the following output: dictionlist="/etc/security/ice/dictionary/English" If the above command shows an empty string for default "dictionlist" attribute, this is a finding. From the command prompt, run the following command to check if "dictionlist" attribute is set for all users: # lsuser -a dictionlist ALL The above command should yield the following output: root dictionlist=/etc/security/ice/dictionary/English daemon dictionlist=/etc/security/ice/dictionary/English bin dictionlist=/etc/security/ice/dictionary/English sys dictionlist=/etc/security/ice/dictionary/English If any user's "dictionlist" attribute is empty, this is a finding.

Fix: F-16425r294139_fix

From the command prompt, run the following command to set "dictionlist" attribute for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a dictionlist="/etc/security/ice/dictionary/English" From the command prompt, run the following command to set "dictionlist" attribute for users who have an empty "dictionlist" attribute: # chsec -f /etc/security/user -s [user_name] -a dictionlist="/etc/security/ice/dictionary/English"

b

The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.

CM-6 - Medium - CCI-000366 - V-215230 - SV-215230r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001134

Vuln IDs

V-215230
V-91573

Rule IDs

SV-215230r508663_rule
SV-101671

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.

Checks: C-16428r294141_chk

Verify that the system wide password algorithm is set to {ssha256} or {ssha512} by running the following command: # lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm usw pwd_algorithm=ssha512 If the "pwd_algorithm" is not set to "ssha256" or "ssha512", this is a finding. Verify no password hashes in /etc/passwd by running the following command: # cat /etc/passwd | cut -f2,2 -d":" ! ! ! ! * * * * If there are password hashes present, this is a finding. Verify all password hashes in "/etc/security/passwd" begin with {ssha256} or {ssha512} by running commands: # cat /etc/security/passwd | grep password password = {ssha512}06$e58YOawe/7UhChqh$hZEWlP4040jarX1NeOujmcxd.7qerUvjW9lM9djJsDITtdjFvVpLX.r04xieOWrbH0qb0SJJ98a0tmgZBzPP.. password = {ssha512}06$Y6ztvMxKGdITxPex$B81/GDTEPt0xwp.BX1VhY9mAPaWHXdNoLI9D0T6dBExgo6r87X0etnfjxWODT73.udrbAY.F4HzaBR68lN5/.. password = {ssha512}06$iIXQQqs.mdGpC9Wu$cXSajikWYKAUacbF50FNlFgYYSgTklGf4uhXb1J/GyBGF5j5aWa4YG5Ah2uaAHv/Jmbmx.7yBm8iXz9Pz1LM.. password = {ssha512}06$3Sw24rPVdqDFFCIl$d1dZs7GYmTXnD9i270SxozIBxN0pqq/bNn0YbyKeDq0o6Y.j9qfkeH373DwkHBWgrifNcgj/K0pVyzjMg6QN.. If any password hashes are present not beginning with {ssha256} or {ssha512}, this is a finding.

Fix: F-16426r294142_fix

Set the system wide password algorithm to "ssha256" or "ssha512" by running the following command: # chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512 Change the passwords for all accounts using non-compliant password hashes by running the following command: $ passwd [user_name]

b

If SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf config file.

CM-6 - Medium - CCI-000366 - V-215231 - SV-215231r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001135

Vuln IDs

V-215231
V-91583

Rule IDs

SV-215231r508663_rule
SV-101681

Use default SNMP password increases the chance of security vulnerability on SNMP service.

Checks: C-16429r294144_chk

Inspect "/etc/snmpd.conf" to find all the passwords that are used in the config file: # grep -v "^#" /etc/snmpd.conf | grep -E "public|private|password" If any results are returned, default passwords are being used and this is a finding.

Fix: F-16427r294145_fix

Edit "/etc/snmpd.conf" config file to remove or change all the default passwords that are used in the file. Restart snmpd: # stopsrc -s snmpd # startsrc -s snmpd

b

AIX must require passwords to contain no more than three consecutive repeating characters.

CM-6 - Medium - CCI-000366 - V-215232 - SV-215232r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001136

Vuln IDs

V-215232
V-91667

Rule IDs

SV-215232r508663_rule
SV-101765

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Checks: C-16430r294147_chk

Check system default for "maxrepeats" attribute: # lssec -f /etc/security/user -s default -a maxrepeats default maxrepeats=3 If the default "maxrepeats" is greater than "3", or its value is not set, or its value is set to "0", this is a finding. Check the "maxrepeats" setting for all users using: # lsuser -a maxrepeats ALL The above command should yield the following output: root maxrepeats=3 daemon maxrepeats=3 bin maxrepeats=3 sys maxrepeats=3 If the "maxrepeats" setting for any user is greater than "3", or its value is set to "0", this is a finding.

Fix: F-16428r294148_fix

Use the "chsec" command to set "maxrepeats" to "3" for the default stanza: # chsec -f /etc/security/user -s default -a maxrepeats=3 Use the "chsec" command to set "maxrepeats" to "3" for all the users who have "maxrepeats" values that are greater than "3", or its value is set to "0": # chuser maxrepeats=3 [user_name]

c

AIX must be able to control the ability of remote login for users.

AC-17 - High - CCI-002314 - V-215233 - SV-215233r853459_rule

RMF Control

AC-17

Severity

H

CCI

CCI-002314

Version

AIX7-00-001137

Vuln IDs

V-215233
V-91503

Rule IDs

SV-215233r853459_rule
SV-101601

Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).

Checks: C-16431r294150_chk

For users who are authorized to remote login through SSH, etc., this is Not Applicable. Ask ISSO/SA to obtain a list of users who are not authorized to remotely log in to AIX system. From the command prompt, run the following command to check if remote login is disabled for all individual users who are not authorized to remotely login to AIX: # lsuser -a rlogin ALL root rlogin=true daemon rlogin=true bin rlogin=true sys rlogin=true adm rlogin=true If "rlogin=true" for any user who should not login remotely, this is a finding.

Fix: F-16429r294151_fix

From the command prompt, run the following command to set "rlogin=false" for all users (user_name) who are not authorized to login remotely: # chsec -f /etc/security/user -s [user_name] -a rlogin=false

b

NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs.

AC-6 - Medium - CCI-002233 - V-215234 - SV-215234r853460_rule

RMF Control

AC-6

Severity

M

CCI

CCI-002233

Version

AIX7-00-001138

Vuln IDs

V-215234
V-91511

Rule IDs

SV-215234r853460_rule
SV-101609

The nosuid mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system not containing approved setuid files. Executing setuid files from untrusted file systems, or file systems not containing approved setuid files, increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks: C-16432r294153_chk

Obtain a list of NFS file systems that contain approved "setuid" or "setgid" files from the ISSO/ISSM. Check the "nosuid" mount option is used on all NFS file systems that do not contain approved "setuid" or "setgid" files: # mount | grep -E "options|nfs|---" node mounted mounted over vfs date options -------- --------------- --------------- ------ ------------ --------------- ausgsa.ibm.com /gsa/ausgsa/projects/a/aix/71 /mnt_1 nfs3 Nov 05 14:11 ro,bg,hard,intr,nosuid,sec=sys ausgsa.ibm.com /gsa/ausgsa/projects/a/aix/72 /mnt_2 nfs3 Nov 05 14:12 ro,bg,hard,intr,sec=sys If the NFS mounts do not show the "nosuid" setting in their "options" fields, along with other mount options, this is a finding.

Fix: F-16430r294154_fix

For each NFS file systems that does not contain approved "setuid" or "setgid" files, add the "nosuid" option, along with other mount options, to the "options" field in "/etc/filesystems" using the following command: # chfs -a options=ro,bg,hard,intr,nosuid,sec=sys <NFS_mount_point> Note that the other mount options (other than the nosuid options) may be different among NFS mounts.

b

AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option.

CM-6 - Medium - CCI-000366 - V-215235 - SV-215235r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-001139

Vuln IDs

V-215235
V-91701

Rule IDs

SV-215235r508663_rule
SV-101799

The nodev (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system not containing approved device files. Device files can provide direct access to system hardware and can compromise security if not protected.

Checks: C-16433r294156_chk

Identify any file system mounted from removable media, network shares, or file systems not containing any approved device files: # cat /etc/filesystems /: dev = /dev/hd4 vfs = jfs2 log = /dev/hd8 mount = automatic check = false type = bootfs vol = root free = true /home: dev = /dev/hd1 vol = "/home" mount = true check = true free = false vfs = jfs2 log = /dev/hd8 10.17.76.74:/opt/nfs /home/doejohn vfs = nfs log = /dev/hd8 mount = true options = nodev account = false If any file system mounted from removable media, network shares, or file systems not containing any approved device files is not using the "nodev" option, this is a finding.

Fix: F-16431r294157_fix

Edit "/etc/filesystems" and add the "options = nodev" to all entries for remote or removable media file systems, and file systems containing no approved device files.

b

AIX must produce audit records containing information to establish what the date, time, and type of events that occurred.

AU-3 - Medium - CCI-000130 - V-215236 - SV-215236r508663_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000130

Version

AIX7-00-002001

Vuln IDs

V-215236
V-91247

Rule IDs

SV-215236r508663_rule
SV-101347

Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in AIX audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016

Checks: C-16434r294159_chk

Check if audit is turned on by running the following command: # audit query | grep -i auditing auditing on The command should yield the following output: auditing on If the command shows "auditing off", this is a finding. The log file can be set by the "trail" variable in /etc/security/audit/config. # grep trail /etc/security/audit/config trail = /audit/trail Note: The default log file is "/audit/trail". Use the following command to display the audit events: # /usr/sbin/auditpr -i <audit log file> -helRtcp event login status time command process --------------- -------- ----------- ------------------------ ------------------------------- -------- PROC_Delete root OK Wed Oct 31 23:01:37 2018 audit 9437656 FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 PROC_Create root OK Wed Oct 31 23:01:44 2018 ksh 12976466 FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Open root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Read root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658 PROC_Execute root OK Wed Oct 31 23:01:44 2018 ls 9437658 FILE_Open root OK Wed Oct 31 23:01:44 2018 ls 9437658 If event type is not displayed, this is a finding. More information on the command options used above: -e the audit event. -l the login name of the user. -R the audit status. -t the time the record was written. -c the command name. -p the process ID.

Fix: F-16432r294160_fix

Reset the audit system with the following command: # /usr/sbin/audit shutdown Start the audit system with the following command: # /usr/sbin/audit start

b

AIX must produce audit records containing information to establish where the events occurred.

AU-3 - Medium - CCI-000132 - V-215237 - SV-215237r508663_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000132

Version

AIX7-00-002003

Vuln IDs

V-215237
V-91249

Rule IDs

SV-215237r508663_rule
SV-101349

Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as operating system components, modules, device identifiers, node names, file names, and functionality. Associating information about where the event occurred within AIX provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.

Checks: C-16435r294162_chk

Verify audit event detailed information is displayed: The log file can be set by the "trail" variable in /etc/security/audit/config. # grep trail /etc/security/audit/config trail = /audit/trail Note: The default log file is /audit/trail. Use the following command to display the audit events: # /usr/sbin/auditpr -i <audit log file> -v event login status time command wpar name --------------- -------- ----------- ------------------------ ------------------ ------------- ------------------------- FS_Chdir root OK Sat Aug 26 19:31:37 2017 ps Global change current directory to: /dev FS_Chdir root OK Sat Aug 26 19:31:47 2017 ps Global change current directory to: /dev FS_Chdir root OK Sat Aug 26 19:31:57 2017 ps Global change current directory to: /dev FS_Chdir root OK Sat Aug 26 19:32:07 2017 ps Global change current directory to: /dev FS_Chdir root OK Sat Aug 26 19:32:17 2017 ps Global change current directory to: /dev If event detailed information is not displayed, this is a finding. More information on the command options used above: - v detailed information for the event

Fix: F-16433r294163_fix

Reset the audit system with the following command: # /usr/sbin/audit shutdown Start the audit system with the following command: # /usr/sbin/audit start

b

AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event.

AU-3 - Medium - CCI-000133 - V-215238 - SV-215238r508663_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000133

Version

AIX7-00-002004

Vuln IDs

V-215238
V-91251

Rule IDs

SV-215238r508663_rule
SV-101351

Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. In addition to logging where events occur within AIX, AIX must also generate audit records that identify sources of events. Sources of operating system events include, but are not limited to, processes and services. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event. Satisfies: SRG-OS-000040-GPOS-00018, SRG-OS-000255-GPOS-00096

Checks: C-16436r294165_chk

Verify the audit event "process id" is displayed: The log file can be set by the "trail" variable in /etc/security/audit/config. # grep trail /etc/security/audit/config trail = /audit/trail Note: The default log file is /audit/trail. Use the following command to display the audit events: # /usr/sbin/auditpr -i <audit log file> -helRtcp event login status time command process --------------- -------- ----------- ------------------------ ------------------ ------------- -------- PROC_Delete root OK Wed Oct 31 23:01:37 2018 audit 9437656 FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 PROC_Create root OK Wed Oct 31 23:01:44 2018 ksh 12976466 FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Open root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Read root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658 PROC_Execute root OK Wed Oct 31 23:01:44 2018 ls 9437658 FILE_Open root OK Wed Oct 31 23:01:44 2018 ls 9437658 If user id or process id is not displayed, this is a finding. More information on the command options used above: -e the audit event. -l the login name of the user. -R the audit status. -t the time the record was written. -c the command name. -p the process ID.

Fix: F-16434r294166_fix

Reset the audit system with the following command: # /usr/sbin/audit shutdown Start the audit system with the following command: # /usr/sbin/audit start

b

AIX must produce audit records containing information to establish the outcome of the events.

AU-3 - Medium - CCI-000134 - V-215239 - SV-215239r508663_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000134

Version

AIX7-00-002005

Vuln IDs

V-215239
V-91253

Rule IDs

SV-215239r508663_rule
SV-101353

Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.

Checks: C-16437r294168_chk

Verify the audit event "status" is displayed: The log file can be set by the "trail" variable in /etc/security/audit/config. # grep trail /etc/security/audit/config trail = /audit/trail Note: The default log file is /audit/trail. Use the following command to display the audit events: # /usr/sbin/auditpr -i <audit log file> -helRtcp event login status time command process --------------- -------- ----------- ------------------------ ------------------ ------------- -------- PROC_Delete root OK Wed Oct 31 23:01:37 2018 audit 9437656 FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 PROC_Create root OK Wed Oct 31 23:01:44 2018 ksh 12976466 FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Open root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Read root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658 PROC_Execute root OK Wed Oct 31 23:01:44 2018 ls 9437658 FILE_Open root OK Wed Oct 31 23:01:44 2018 ls 9437658 If audit status is not displayed, this is a finding. More information on the command options used above: -e the audit event. -l the login name of the user. -R the audit status. -t the time the record was written. -c the command name. -p the process ID.

Fix: F-16435r294169_fix

Reset the audit system with the following command: # /usr/sbin/audit shutdown Start the audit system with the following command: # /usr/sbin/audit start

b

AIX must produce audit records containing the full-text recording of privileged commands.

AU-3 - Medium - CCI-000135 - V-215240 - SV-215240r508663_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000135

Version

AIX7-00-002006

Vuln IDs

V-215240
V-91255

Rule IDs

SV-215240r508663_rule
SV-101355

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-16438r294171_chk

Verify the audit daemon is configured for full-text recording of privileged commands: The log file can be set by the "trail" variable in /etc/security/audit/config. # grep trail /etc/security/audit/config trail = /audit/trail Note: The default log file is /audit/trail. Use the following command to display the audit events: # /usr/sbin/auditpr -i <audit log file> -v event login status time command wpar name --------------- -------- ----------- ------------------------ ------------------ ------------- ------------------------- S_PASSWD_READ root OK Sat Aug 26 19:35:00 2017 cron Global audit object read event detected /etc/security/passwd S_PASSWD_READ root OK Sat Aug 26 19:35:00 2017 cron Global audit object read event detected /etc/security/passwd CRON_Start root OK Sat Aug 26 19:35:00 2017 cron Global event = start cron job cmd = /usr/sbin/dumpctrl -k >/dev/null 2>/dev/nul l time = Sat Aug 26 19:35:00 2017 FS_Chdir root OK Sat Aug 26 19:35:00 2017 cron Global change current directory to: / If the full-text recording of privileged command is not displayed, this is a finding. More information on the command options used above: - v detailed information for the event

Fix: F-16436r294172_fix

Reset the audit system with the following command: # /usr/sbin/audit shutdown Start the audit system with the following command: # /usr/sbin/audit start

b

AIX must be configured to generate an audit record when 75% of the audit file system is full.

AU-5 - Medium - CCI-000139 - V-215241 - SV-215241r508663_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000139

Version

AIX7-00-002008

Vuln IDs

V-215241
V-91257

Rule IDs

SV-215241r508663_rule
SV-101357

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Checks: C-16439r294174_chk

Check if "freespace" is configured for the audit subsystem: # grep -E freespace* /etc/security/audit/config freespace = 65536 If the above command returns empty, or if the value is less than 25% of the filesystem size, this is a finding.

Fix: F-16437r294175_fix

Ensure the "/etc/security/audit/config" file contains the following line: freepsace = <value> where <value> is greater than 25%* filesystem capacity Reset the audit system with the following command: # /usr/sbin/audit shutdown Start the audit system with the following command: # /usr/sbin/audit start

b

AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents.

AU-7 - Medium - CCI-000158 - V-215242 - SV-215242r853461_rule

RMF Control

AU-7

Severity

M

CCI

CCI-000158

Version

AIX7-00-002011

Vuln IDs

V-215242
V-91259

Rule IDs

SV-215242r853461_rule
SV-101359

The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. Events of interest can be identified by the content of specific audit record fields, including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents. The ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies. Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports. This requires operating systems to provide the capability to customize audit record reports based on all available criteria. Satisfies: SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137

Checks: C-16440r294177_chk

The application file "/usr/sbin/auditselect" provides the audit filtering function. Check if it exists: # ls -l /usr/sbin/auditselect -r-sr-x--- 1 root audit 36240 Jul 4 1776 /usr/sbin/auditselect If the "/usr/sbin/auditselect" file does not exist, this is a finding

Fix: F-16438r294178_fix

Re-install the "bos.rte.security" fileset from the base media. Use "installp" command (assume cd is mounted). # installp -aXYqg -d /dev/cd0 bos.rte.security

b

Audit logs on the AIX system must be owned by root.

AU-9 - Medium - CCI-000162 - V-215243 - SV-215243r508663_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

AIX7-00-002013

Vuln IDs

V-215243
V-91263

Rule IDs

SV-215243r508663_rule
SV-101363

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Checks: C-16441r294180_chk

Check the log files under the audit logging directory have correct ownership. The default log file is /audit/trail. The log file can be set by the "trail" variable in /etc/security/audit/config. # grep trail /etc/security/audit/config trail = /audit/trail # ls -l <auditlog dir> total 240 -rw-rw---- 1 root system 0 Feb 23 08:44 bin1 -rw-rw---- 1 root system 0 Feb 23 08:44 bin2 -rw-r----- 1 root system 116273 Feb 23 08:44 trail If any file's ownership is not "root", this is a finding.

Fix: F-16439r294181_fix

Set the owner of the audit log file to "root". # chown root <auditlog file>

b

Audit logs on the AIX system must be group-owned by system.

AU-9 - Medium - CCI-000162 - V-215244 - SV-215244r508663_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

AIX7-00-002014

Vuln IDs

V-215244
V-91265

Rule IDs

SV-215244r508663_rule
SV-101365

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Checks: C-16442r294183_chk

Check the log files under the audit logging directory have correct group ownership. The default log file is /audit/trail. The log file can be set by the "trail" variable in /etc/security/audit/config. # grep trail /etc/security/audit/config trail = /audit/trail # ls -l <auditlog dir> total 240 -rw-rw---- 1 root system 0 Feb 23 08:44 bin1 -rw-rw---- 1 root system 0 Feb 23 08:44 bin2 -rw-r----- 1 root system 116273 Feb 23 08:44 trail If any file's group ownership is not "system", this is a finding.

Fix: F-16440r294184_fix

Set the group of the audit log file to "system". # chgrp system <auditlog file>

b

Audit logs on the AIX system must be set to 660 or less permissive.

AU-9 - Medium - CCI-000162 - V-215245 - SV-215245r508663_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

AIX7-00-002015

Vuln IDs

V-215245
V-91267

Rule IDs

SV-215245r508663_rule
SV-101367

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Checks: C-16443r294186_chk

Check the log files under the audit logging directory have correct permissions. The default log file is /audit/trail. The log file can be set by the "trail" variable in /etc/security/audit/config. # grep trail /etc/security/audit/config trail = /audit/trail # ls -l <auditlog dir> total 240 -rw-rw---- 1 root system 0 Feb 23 08:44 bin1 -rw-rw---- 1 root system 0 Feb 23 08:44 bin2 -rw-r----- 1 root system 116273 Feb 23 08:44 trail If any file has a mode more permissive than "660", this is a finding.

Fix: F-16441r294187_fix

Set the permission of the audit log file to "660". # chmod 660 <auditlog file>

b

AIX must provide audit record generation functionality for DoD-defined auditable events.

AC-2 - Medium - CCI-000018 - V-215246 - SV-215246r853463_rule

RMF Control

AC-2

Severity

M

CCI

CCI-000018

Version

AIX7-00-002016

Vuln IDs

V-215246
V-91775

Rule IDs

SV-215246r853463_rule
SV-101873

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which AIX will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful login attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logins from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000051-GPOS-00024, SRG-OS-000064-GPOS-00033, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000277-GPOS-00107, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000327-GPOS-00127, SRG-OS-000327-GPOS-00127, SRG-OS-000364-GPOS-00151, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222

Checks: C-16444r853462_chk

Ensure that auditing is properly configured. Run the "stig_audit_check.sh" script. If any results are returned from the script, this is a finding. Verify that the file "/etc/security/audit/objects" includes the following objects: /etc/security/environ: w = "S_ENVIRON_WRITE" /etc/security/group: w = "S_GROUP_WRITE" /etc/group: w = "S_GROUP_WRITE" /etc/security/limits: w = "S_LIMITS_WRITE" /etc/security/login.cfg: w = "S_LOGIN_WRITE" /etc/security/passwd: r = "S_PASSWD_READ" w = "S_PASSWD_WRITE" /etc/security/user: w = "S_USER_WRITE" /etc/security/audit/config: w = "AUD_CONFIG_WR" If any of the objects listed above are missing from "/etc/security/audit/objects", this is a finding.

Fix: F-16442r294190_fix

Use the "stig_audit_config.txt" file to configure the AIX audit process. Edit the /etc/security/audit/objects file and add or update the following lines to the listed values: /etc/security/environ: w = "S_ENVIRON_WRITE" /etc/security/group: w = "S_GROUP_WRITE" /etc/group: w = "S_GROUP_WRITE" /etc/security/limits: w = "S_LIMITS_WRITE" /etc/security/login.cfg: w = "S_LOGIN_WRITE" /etc/security/passwd: r = "S_PASSWD_READ" w = "S_PASSWD_WRITE" /etc/security/user: w = "S_USER_WRITE" /etc/security/audit/config: w = "AUD_CONFIG_WR" Restart the audit process: # /usr/sbin/audit shutdown # /usr/sbin/audit start Note: There are multiple default "classes" defined in the "/etc/security/audit/config" file. The only audit class that is required by this document is the "stig_aud_class". All other defined classes can be removed at the discretion of the organization.

b

AIX must start audit at boot.

AU-14 - Medium - CCI-001464 - V-215247 - SV-215247r508663_rule

RMF Control

AU-14

Severity

M

CCI

CCI-001464

Version

AIX7-00-002023

Vuln IDs

V-215247
V-91463

Rule IDs

SV-215247r508663_rule
SV-101561

If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.

Checks: C-16445r294192_chk

Check if /etc/rc contains the following line: /usr/sbin/audit start # grep "audit start" /etc/rc /usr/sbin/audit start If a result is not returned, this is a finding.

Fix: F-16443r294193_fix

To start auditing at system startup, add the following line to the /etc/rc file, just prior to the line reading dspmsg rc.cat 5 'Multi-user initialization completed': /usr/sbin/audit start Symmetrically add the '/usr/sbin/audit shutdown' command to /etc/rc.shutdown.

b

AIX audit tools must be owned by root.

AU-9 - Medium - CCI-001493 - V-215248 - SV-215248r508663_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

AIX7-00-002025

Vuln IDs

V-215248
V-91467

Rule IDs

SV-215248r508663_rule
SV-101565

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099

Checks: C-16446r294195_chk

Check the following audit tools are owned by "root": /usr/sbin/audit /usr/sbin/auditbin /usr/sbin/auditcat /usr/sbin/auditconv /usr/sbin/auditmerge /usr/sbin/auditpr /usr/sbin/auditselect /usr/sbin/auditstream /usr/sbin/auditldap # ls -l /usr/sbin/audit*|grep -v ldap -r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit -r-sr-x--- 1 root audit 41240 Mar 30 2016 /usr/sbin/auditbin -r-sr-x--- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat -r-sr-x--- 1 root audit 13072 Mar 30 2016 /usr/sbin/auditconv -r-sr-x--- 1 root audit 11328 Mar 30 2016 /usr/sbin/auditmerge -r-sr-x--- 1 root audit 53466 Mar 30 2016 /usr/sbin/auditpr -r-sr-x--- 1 root audit 33128 Mar 30 2016 /usr/sbin/auditselect -r-sr-x--- 1 root audit 29952 Mar 30 2016 /usr/sbin/auditstream -r-x------ 1 root security 12204 Mar 30 2016 /usr/sbin/auditldap If any above file's ownership is not "root", this is a finding.

Fix: F-16444r294196_fix

For each audit tool in: /usr/sbin/audit /usr/sbin/auditbin /usr/sbin/auditcat /usr/sbin/auditconv /usr/sbin/auditmerge /usr/sbin/auditpr /usr/sbin/auditselect /usr/sbin/auditstream Set the owner to "root". # chown root <audit tool> For /usr/sbin/auditldap Set the owner to "root". # chown root /usr/sbin/auditldap

b

AIX audit tools must be group-owned by audit.

AU-9 - Medium - CCI-001493 - V-215249 - SV-215249r508663_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

AIX7-00-002026

Vuln IDs

V-215249
V-91469

Rule IDs

SV-215249r508663_rule
SV-101567

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099

Checks: C-16447r294198_chk

Check the following audit tools are group-owned by "audit": /usr/sbin/audit /usr/sbin/auditbin /usr/sbin/auditcat /usr/sbin/auditconv /usr/sbin/auditmerge /usr/sbin/auditpr /usr/sbin/auditselect /usr/sbin/auditstream # ls -l /usr/sbin/audit*|grep -v ldap -r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit -r-sr-x--- 1 root audit 41240 Mar 30 2016 /usr/sbin/auditbin -r-sr-x--- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat -r-sr-x--- 1 root audit 13072 Mar 30 2016 /usr/sbin/auditconv -r-sr-x--- 1 root audit 11328 Mar 30 2016 /usr/sbin/auditmerge -r-sr-x--- 1 root audit 53466 Mar 30 2016 /usr/sbin/auditpr -r-sr-x--- 1 root audit 33128 Mar 30 2016 /usr/sbin/auditselect -r-sr-x--- 1 root audit 29952 Mar 30 2016 /usr/sbin/auditstream If any above file's are not group-owned by "audit", this is a finding. Verify that "/usr/sbin/auditldap" group-owned by "security": # ls -l /usr/sbin/auditldap -r-x------ 1 root security 12204 Mar 30 2016 /usr/sbin/auditldap If the group-owner of "/usr/sbin/auditldap" is not "security", this is a finding.

Fix: F-16445r294199_fix

For each audit tool in: /usr/sbin/audit /usr/sbin/auditbin /usr/sbin/auditcat /usr/sbin/auditconv /usr/sbin/auditmerge /usr/sbin/auditpr /usr/sbin/auditselect /usr/sbin/auditstream Set the group to "audit". # chgrp audit <audit tool> For /usr/sbin/auditldap: Set the group to "security". # chgrp security /usr/sbin/auditldap

b

AIX audit tools must be set to 4550 or less permissive.

AU-9 - Medium - CCI-001493 - V-215250 - SV-215250r508663_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

AIX7-00-002027

Vuln IDs

V-215250
V-91471

Rule IDs

SV-215250r508663_rule
SV-101569

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099

Checks: C-16448r294201_chk

Check the following audit tools are set to "4550" or less permissive: /usr/sbin/audit /usr/sbin/auditbin /usr/sbin/auditcat /usr/sbin/auditconv /usr/sbin/auditmerge /usr/sbin/auditpr /usr/sbin/auditselect /usr/sbin/auditstream # ls -l /usr/sbin/audit*|grep -v ldap -r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit -r-sr-x--- 1 root audit 41240 Mar 30 2016 /usr/sbin/auditbin -r-sr-x--- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat -r-sr-x--- 1 root audit 13072 Mar 30 2016 /usr/sbin/auditconv -r-sr-x--- 1 root audit 11328 Mar 30 2016 /usr/sbin/auditmerge -r-sr-x--- 1 root audit 53466 Mar 30 2016 /usr/sbin/auditpr -r-sr-x--- 1 root audit 33128 Mar 30 2016 /usr/sbin/auditselect -r-sr-x--- 1 root audit 29952 Mar 30 2016 /usr/sbin/auditstream If any above file's permission is greater than "4550", this is a finding. Verify that "/usr/sbin/auditldap" is set to "500" or less permissive: # ls -l /usr/sbin/auditldap -r-x------ 1 root security 12204 Mar 30 2016 /usr/sbin/auditldap If the permission of "/usr/sbin/auditldap" is greater than "500", this is a finding.

Fix: F-16446r294202_fix

For each audit tool in: /usr/sbin/audit /usr/sbin/auditbin /usr/sbin/auditcat /usr/sbin/auditconv /usr/sbin/auditmerge /usr/sbin/auditpr /usr/sbin/auditselect /usr/sbin/auditstream Set the permission to "4550". # chmod 4550 <audit tool> For /usr/sbin/auditldap: Set the permission to "500". # chmod 500 /usr/sbin/auditldap

b

AIX must verify the hash of audit tools.

AU-9 - Medium - CCI-001496 - V-215251 - SV-215251r877393_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001496

Version

AIX7-00-002028

Vuln IDs

V-215251
V-91489

Rule IDs

SV-215251r877393_rule
SV-101587

Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

Checks: C-16449r294204_chk

Verify that Trusted Execution (TE) is "on" and "CHKEXEC" is "on" by running the following command: # trustchk -p TE=ON CHKEXEC=ON CHKSHLIB=OFF CHKSCRIPT=OFF CHKKERNEXT=OFF STOP_UNTRUSTD=OFF STOP_ON_CHKFAIL=OFF LOCK_KERN_POLICIES=OFF TSD_FILES_LOCK=OFF TSD_LOCK=OFF TEP=OFF TLP=OFF If the result show "TE=OFF" or "CHKEXEC=OFF", this is a finding. Verify that TSD (Trusted Signature Database) contains all the audit tools and their signatures by running the following command: # awk '/\/usr\/sbin\/audit/ {print; for(i=1; i<=10; i++) {getline; print}}' /etc/security/tsd/tsd.dat |grep -E "\/usr\/sbin\/audit|cert_tag|signature|hash_value" /usr/sbin/auditselect: cert_tag = 00d3cbd2922627b209 signature = 8f6044a166ad7d1256a2798432dcb06b528eb6c515f4d2d0af90dd17e6ba05665bd8d39ee8f15e8872e90d3b52e0e25c7be9d62c9c5d71cd16b662fb8511f168b6facb4105cc0e9c19c316e37459ad739b75b6037827f3ba60896eeeec62cf47e7514b10d4813c48cacd76b75dc5b0e1a87f7cd10552992021efb5b44eb33a1a hash_value = 002e02eda12663a2c9478e1b5154cc97452c07a68a8b9d5a6ca3408b008d95bb /usr/sbin/auditstream: cert_tag = 00d3cbd2922627b209 signature = 3d5a678962b684208f3996262a997d8838012c1625d83b7df75d9bb3a83065819ae476a21ada2ec7afd683828d9ce5c9d3eb829ed907d11fc2713d895419cbec5855e96b4a3b36a4f5b3c44a801555727b1ca799026262120b18fe2d93f53da8e95f6560c0cf5ea73dccd7daa9ec3df7e24ede0201b9d632becfb58a8f81fee4 hash_value = 5c434a89bf2fb50a2c21734a5ecd3c4e0a92c34d6685633d59a93caf1684e515 /usr/sbin/auditpr: cert_tag = 00d3cbd2922627b209 signature = 8356f57d227a85037620ec6f357204a9dd3ceeb89fab2ea8b4dea5529a37d290e111a46e9deca8ebd86b37c50b8b2d27599d09a02353081db9f7140780ace0d9986c8f7265d3d91eed7a2502050a6342c79cf1fd6c9b2633e353fdc3603de3b6fc341b2b7a0c6eb286155ae9542bdbbcc29eba84a50f1f8c4f6f5924403f6556 hash_value = 34bf3b145327d33f810e939d15ae084711dcd0eb7e7f3ebcb135f5ff7b3ba776 /usr/sbin/auditcat: cert_tag = 00d3cbd2922627b209 signature = abf001ee98c5e81ec730552cd26473221ee14694a7fea06d97ae030f1b8603bafdb3f4917cb50c87c90fc8ff03e8762b05c6b21d1907a05288736fa820fd4a05d38f236fec5cfc3813aeb5b0618294effe0356ac26be0e6701398cf181fb38897c5a2496154bba3eab513caaa74a9abb230ad6948190d24907a107d8968a0c27 hash_value = 78febbeb1e7e4ca1ed4015fb147d27bd451814ed8c81429b42ee9e2f8301bf58 /usr/sbin/auditbin: cert_tag = 00d3cbd2922627b209 signature = 9bb3fde97a70dd3ee93ecf556cf13e3981d1f0794c7a253701e011956574754eb17922525092f38a3b0f9375aef8fadfe3cb6e47f6aa7424e3449910af6cc6e1754f6fe8c2fb20867af7f9a048485ea2dfcd7b8f718d350d21ec2ffe394423f4c513b22ff9a654f1ef55f6e679424ad0e630404fcfd707ed91d542d64564c601 hash_value = 2deb07bbdf5b744168bb9484b25c0e61813b546f0dd0555d9b9ebcb8cf17272d /usr/sbin/auditldap: cert_tag = 00d3cbd2922627b209 signature = ab3ea5ba592ef8d1576f632c6154e10a172fbdad1c6379954a48d76bd2c365848a208dfa698e828008fa73b60daf0ad0ab9ad08035f9df2d39ac21a67873cfac3eb07103858903c47e5d1e264ace01de9599ff3c966b12d8cbc6c2b6e3c97f8c56b7a5a4fa33f15bbe472319266854f83fad57917d9dd0c09383fd2b5df41e6d hash_value = f929ca078995a6b2a28d1247e9837e03d06fa2c5b12a6c86e679201192694c8c /usr/sbin/auditconv: cert_tag = 00d3cbd2922627b209 signature = ab7a0e0e5aa62ec741db601cc1609bf7db6006705a3d6b7001b3aa4da5ab6bcfecea569d6891b67088b2033045fdf6532a24433711c74fcffc92744884f0f14211a7625c168f11d4b3de2e7083e57a5063933c0eea5b92c6ab9ea1b131ca8fe85143f616887e4d60cfb534da8b3a920c428279ea8eee04bf57ad70da3c69104c hash_value = 0d2a989fa77df6984348f5c66d20af1e71aebd5a0d9f85551873563ee9d851d7 /usr/sbin/audit: cert_tag = 00d3cbd2922627b209 signature = 2b6ed42788eca469aaaf960d4ea9956793182cdbf6b8570ded724762701354f62d003a3ed99db9b4fbb670c5864c9a641d485083789840c71005bbdcc4659dbbfbec0e8c63c8223be9e54f46240e3a5ebed8647fbd9e0e9f2db0d046e0cd73e72c87977c9dc394b61027c2856a27db0e51afb05e07c2d4f8ea3bc33564f2e7a6 hash_value = 0c5d10f7c7cefec133bee45bd0d30933b18041438a7c7b15b8aa7de60ce208af /usr/sbin/auditmerge: cert_tag = 00d3cbd2922627b209 signature = 64e0f95c1efa90f34b6ddd370fc0a277db2858b01b993a2f32eb9f0c86e6d901675f67f42158015ceafa37507a0bc36bbd58aca6685464f8b43edb099db670aa497db349c51fc0ed6066da43e2eb5529af8bbdd0c30b66b22158261c224213fc406ffee36e4df476107f867d8f7c09c24e4318a13e2b279d200a9fa4a8b515e4 hash_value = 6b4a1d1288a1d7e987ad14b395d0067890574a09956171bb32b9a022dc975015 If any of the cert_tag, signature, or hash values is missing or “= VOLATILE", this is a finding.

Fix: F-16447r294205_fix

Turn on Trusted Execution and check the integrity of audit tools. # /usr/sbin/trustchk -p TE=ON CHKEXEC=ON If audit tool integrity data is missing from "/etc/security/tsd/tsd.dat", re-install the "bos.rte.security" fileset from AIX DVD using the installp command (assume the DVD is mounted to /dev/cd0): # installp -aXYqg -d /dev/cd0 bos.rte.security

b

AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time.

AU-12 - Medium - CCI-001914 - V-215252 - SV-215252r877036_rule

RMF Control

AU-12

Severity

M

CCI

CCI-001914

Version

AIX7-00-002032

Vuln IDs

V-215252
V-91515

Rule IDs

SV-215252r877036_rule
SV-101613

If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost. This requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting.

Checks: C-16450r294207_chk

Verify that an audit admin role has been configured to include the authorizations for auditing, namely "aix.security.audit,aix.security.user.audit,aix.security.role.audit": # lsrole ALL |grep "aix.security.audit" |grep "aix.security.user.audit" |grep "aix.security.role.audit" auditadm authorizations=aix.security.audit,aix.security.user.audit,aix.security.role.audit rolelist= groups= visibility=1 screens=* dfltmsg=Audit Administrator msgcat=role_desc.cat msgnum=15 msgset=1 auth_mode=INVOKER id=16 If the above command has no output, this is a finding.

Fix: F-16448r294208_fix

Create a role "auditadm" that is assigned with security related authorization with the following commend: # mkrole authorizations="aix.security.audit,aix.security.user.audit,aix.security.role.audit" auditadm

b

AIX must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.

AU-4 - Medium - CCI-001849 - V-215253 - SV-215253r877391_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

AIX7-00-002033

Vuln IDs

V-215253
V-91517

Rule IDs

SV-215253r877391_rule
SV-101615

In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of AIX.

Checks: C-16451r294210_chk

Check the file system size where the log file resides is greater than the organizationally defined size of audit logs for one week (1GB). Find out where the audit log resides: # grep trail /etc/security/audit/config trail = /audit/trail Find out the available space in the file system hosting the audit logs. # df /audit/trail Filesystem 512-blocks Free %Used Iused %Iused Mounted on /dev/hd4 1966080 1792872 9% 3913 2% / If the "512-blocks" multiplied by "Free" is less than the required size for the audit logs, this is a finding.

Fix: F-16449r294211_fix

Increase the size of the file system hosting the audit logs (by 1GB). # chfs -a size=+1G <root of file system for audit logs>

b

AIX must provide a report generation function that supports on-demand audit review and analysis, on-demand reporting requirements, and after-the-fact investigations of security incidents.

AU-7 - Medium - CCI-001878 - V-215254 - SV-215254r877386_rule

RMF Control

AU-7

Severity

M

CCI

CCI-001878

Version

AIX7-00-002036

Vuln IDs

V-215254
V-91521

Rule IDs

SV-215254r877386_rule
SV-101619

The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies. Report generation must be capable of generating on-demand (i.e., customizable, ad hoc, and as-needed) reports. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective. Satisfies: SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140

Checks: C-16452r294213_chk

Check to see if the application for generating audit reports exists ("/usr/sbin/auditpr"): # ls -l /usr/sbin/auditpr -r-sr-x--- 1 root audit 54793 Feb 14 2017 /usr/sbin/auditpr If the file does not exist, this is a finding.

Fix: F-16450r294214_fix

Use the installp command to install a fileset (assume cd is mounted). # installp -aXYqg -d /dev/cd0 bos.rte.security

b

AIX must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

AU-8 - Medium - CCI-001890 - V-215255 - SV-215255r877383_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001890

Version

AIX7-00-002038

Vuln IDs

V-215255
V-91527

Rule IDs

SV-215255r877383_rule
SV-101625

If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by AIX include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.

Checks: C-16453r755149_chk

Check the time zone setting by the following command: # echo $TZ UTC If the result is not UTC or GMT, this is a finding.

Fix: F-16451r755150_fix

Change time zone setting to either UTC or GMT, then reboot the system for the setting to take effect. # chtz UTC Or change time zone to GMT # chtz GMT The system must be rebooted for the change to take affect: # reboot

b

AIX audit logs must be rotated daily.

CM-6 - Medium - CCI-000366 - V-215256 - SV-215256r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002057

Vuln IDs

V-215256
V-91651

Rule IDs

SV-215256r508663_rule
SV-101749

Rotate audit logs daily to preserve audit file system space and to conform to the DoD/DISA requirement. If it is not rotated daily and moved to another location, then there is more of a chance for the compromise of audit data by malicious users.

Checks: C-16454r294219_chk

Check for any "crontab" entries that rotate audit logs: # crontab -l 30 23 * * * /root/logrotate.sh #Daily log rotation script If such a cron job is found, this is not a finding. Otherwise, query the SA. If there is a process automatically rotating audit logs, this is not a finding. If the SA manually rotates audit logs, this is a finding. If the audit output is not archived daily, to tape or disk, this is a finding. Review the audit log directory. If more than one file is there, or if the file does not have today's date, this is a finding.

Fix: F-16452r294220_fix

Configure a cron job or other automated process to rotate the audit logs on a daily basis.

c

The AIX rexec daemon must not be running.

IA-5 - High - CCI-000197 - V-215257 - SV-215257r877396_rule

RMF Control

IA-5

Severity

H

CCI

Version

AIX7-00-002058

Vuln IDs

V-215257
V-91303

Rule IDs

SV-215257r877396_rule
SV-101401

The exec service is used to execute a command sent from a remote server. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the rexecd daemon will be disabled. This function, if required, should be facilitated through SSH.

Checks: C-16455r294222_chk

Determine if the "rexec" daemon is running by running the following command: # grep "^exec[[:blank:]]" /etc/inetd.conf If the above grep command returned a line that contains "rexecd", this is a finding.

Fix: F-16453r294223_fix

Disable the "rexecd" entry in "/etc/inetd.conf" using command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'exec' -p 'tcp6' Reload the inetd process: # refresh -s inetd

c

AIX telnet daemon must not be running.

IA-5 - High - CCI-000197 - V-215258 - SV-215258r877396_rule

RMF Control

IA-5

Severity

H

CCI

Version

AIX7-00-002059

Vuln IDs

V-215258
V-91305

Rule IDs

SV-215258r877396_rule
SV-101403

This telnet service is used to service remote user connections. This is historically the most commonly used remote access method for UNIX servers. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the telnetd daemon will be disabled. This function, if required, should be facilitated through SSH.

Checks: C-16456r294225_chk

Determine if the "telnet" daemon is running by running the following command: # grep -v '^#' /etc/inetd.conf | grep telnet If an entry is returned, this is a finding.

Fix: F-16454r294226_fix

Disable the "telnet" entry in "/etc/inetd.conf" using command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'telnet' -p 'tcp6' Reload the inetd process: # refresh -s inetd

c

AIX ftpd daemon must not be running.

IA-5 - High - CCI-000197 - V-215259 - SV-215259r877396_rule

RMF Control

IA-5

Severity

H

CCI

Version

AIX7-00-002060

Vuln IDs

V-215259
V-91307

Rule IDs

SV-215259r877396_rule
SV-101405

The ftp service is used to transfer files from or to a remote machine. The username and passwords are passed over the network in clear text and therefore insecurely. Remote file transfer, if required, should be facilitated through SSH.

Checks: C-16457r294228_chk

Determine if the "ftp" daemon is running by running the following command: # grep "^ftp[[:blank:]]" /etc/inetd.conf If an entry is returned like the following line, the "ftp" daemon is running: ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd If the above grep command returned a line that contains "ftpd", this is a finding.

Fix: F-16455r294229_fix

Disable "ftp" daemon entry in "/etc/inetd.conf" using command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'ftp' -p 'tcp6' Reload the inetd process: # refresh -s inetd

c

AIX must remove NOPASSWD tag from sudo config files.

IA-11 - High - CCI-002038 - V-215260 - SV-215260r853468_rule

RMF Control

IA-11

Severity

H

CCI

CCI-002038

Version

AIX7-00-002061

Vuln IDs

V-215260
V-91537

Rule IDs

SV-215260r853468_rule
SV-101635

sudo command does not require reauthentication if NOPASSWD tag is specified in /etc/sudoers config file, or sudoers files in /etc/sudoers.d/ directory. With this tag in sudoers file, users are not required to reauthenticate for privilege escalation.

Checks: C-16458r294231_chk

If sudo is not used on AIX, this is Not Applicable. Run the following command to find the "NOPASSWD" tag in "/etc/sudoers" file: # grep NOPASSWD /etc/sudoers If there is a "NOPASSWD" tag found in "/etc/sudoers" file, this is a finding. Run the following command to find the "NOPASSWD" tag in one of the sudo config files in "/etc/sudoers.d/" directory: # find /etc/sudoers.d -type f -exec grep -l NOPASSWD {} \; The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "NOPASSWD" tag. If above command found a config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tag, this is a finding.

Fix: F-16456r294232_fix

Edit "/etc/sudoers" using "visudo" command to remove all the "NOPASSWD" tags: # visudo -f Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tags, use "visudo" the command as follows: # visudo -f /etc/sudoers.d/<config_file_name>

b

AIX must remove !authenticate option from sudo config files.

IA-11 - Medium - CCI-002038 - V-215261 - SV-215261r853469_rule

RMF Control

IA-11

Severity

M

CCI

CCI-002038

Version

AIX7-00-002062

Vuln IDs

V-215261
V-91539

Rule IDs

SV-215261r853469_rule
SV-101637

sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are not required to reauthenticate for privilege escalation.

Checks: C-16459r294234_chk

If sudo is not used on AIX, this is Not Applicable. Run the following command to find "!authenticate" option in "/etc/sudoers" file: # grep "!authenticate" /etc/sudoers If there is a "!authenticate" option found in "/etc/sudoers" file, this is a finding. Run the following command to find "!authenticate" option in one of the sudo config files in "/etc/sudoers.d/" directory: # find /etc/sudoers.d -type f -exec grep -l "!authenticate" {} \; The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "!authenticate" option. If above command found a config file that is in "/etc/sudoers.d/" directory and that contains the "!authenticate" option, this is a finding.

Fix: F-16457r294235_fix

Edit "/etc/sudoers" using "visudo" command to remove all the "!authenticate" options: # visudo -f /etc/sudoers Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains "!authenticate" options, use the "visudo" command as follows: # visudo -f /etc/sudoers.d/<config_file_name>

b

AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.

CM-6 - Medium - CCI-000366 - V-215262 - SV-215262r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002063

Vuln IDs

V-215262
V-91659

Rule IDs

SV-215262r508663_rule
SV-101757

If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks.

Checks: C-16460r294237_chk

Check the system for an IPv4 default route using command: # netstat -r |grep default default 10.11.20.1 UG 1 1811 en0 - - If a default route is not defined, this is a finding.

Fix: F-16458r294238_fix

Set a default gateway for IPv4 using: # route add 0 <ip address of gateway>

b

IP forwarding for IPv4 must not be enabled on AIX unless the system is a router.

CM-6 - Medium - CCI-000366 - V-215263 - SV-215263r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002064

Vuln IDs

V-215263
V-91681

Rule IDs

SV-215263r508663_rule
SV-101779

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Checks: C-16461r294240_chk

From the command prompt, run the following command: # no -o ipforwarding ipforwarding = 0 If the value returned is not "0", this is a finding.

Fix: F-16459r294241_fix

Disable IPv4 forwarding on the system by running command: # no -p -o ipforwarding=0

b

AIX must be configured with a default gateway for IPv6 if the system uses IPv6 unless the system is a router.

CM-6 - Medium - CCI-000366 - V-215264 - SV-215264r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002065

Vuln IDs

V-215264
V-91707

Rule IDs

SV-215264r508663_rule
SV-101805

If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks.

Checks: C-16462r294243_chk

If the system is a router, this is Not Applicable. If the system does not use IPv6, this is Not Applicable. Determine if the system has a default route configured for IPv6 by running: # netstat -r | grep default default 10.11.20.1 UG 1 1823 en0 - - If a default route is not defined, this is a finding.

Fix: F-16460r294244_fix

Configure an IPv6 default route on the system: # smitty route

b

AIX must not have IP forwarding for IPv6 enabled unless the system is an IPv6 router.

CM-6 - Medium - CCI-000366 - V-215265 - SV-215265r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002066

Vuln IDs

V-215265
V-91709

Rule IDs

SV-215265r508663_rule
SV-101807

If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.

Checks: C-16463r294246_chk

From the command prompt, run the following command: # /usr/sbin/no -o ip6forwarding ip6forwarding = 0 If the value returned is not "0", this is a finding.

Fix: F-16461r294247_fix

Disable IPv6 forwarding on the system: # /usr/sbin/no -p -o ip6forwarding=0

b

AIX log files must be owned by a system account.

SI-11 - Medium - CCI-001314 - V-215266 - SV-215266r508663_rule

RMF Control

SI-11

Severity

M

CCI

Version

AIX7-00-002070

Vuln IDs

V-215266
V-91453

Rule IDs

SV-215266r508663_rule
SV-101551

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-16464r569437_chk

Check the owner of log files: # ls -lL /var/log /var/log/syslog /var/adm /var/adm: total 376 drw-r----- 2 root system 256 Jan 24 12:31 SRC drwx------ 4 root system 256 Jan 24 07:28 config -rw-r----- 1 root system 1081 Jan 24 09:05 dev_pkg.fail -rw-r----- 1 root system 250 Jan 24 09:05 dev_pkg.success -rw------- 1 root system 64 Jan 24 09:43 sulog drwxr-xr-x 3 root system 256 Jan 24 12:28 sw drwx------ 2 root system 256 Jan 24 08:06 wpars -rw-r----- 1 adm adm 7517448 Apr 29 14:10 wtmp /var/log: total 8 drwxr-xr-x 2 root system 256 Jan 24 08:44 aso -rw-r----- 1 root system 603 Jan 24 10:30 cache_mgt.dr.log If any of the log files are not owned by a system account, this is a finding.

Fix: F-16462r569438_fix

Change the owner of the system log file(s) to a system account: # chown [system_account] /path/to/system-log-file

b

AIX log files must be owned by a system group.

SI-11 - Medium - CCI-001314 - V-215267 - SV-215267r508663_rule

RMF Control

SI-11

Severity

M

CCI

Version

AIX7-00-002071

Vuln IDs

V-215267
V-91455

Rule IDs

SV-215267r508663_rule
SV-101553

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-16465r569440_chk

Check the group of log files: # ls -lL /var/log /var/log/syslog /var/adm /var/adm: total 376 drw-r----- 2 root system 256 Jan 24 12:31 SRC drwx------ 4 root system 256 Jan 24 07:28 config -rw-r----- 1 root system 1081 Jan 24 09:05 dev_pkg.fail -rw-r----- 1 root system 250 Jan 24 09:05 dev_pkg.success -rw------- 1 root system 64 Jan 24 09:43 sulog drwxr-xr-x 3 root system 256 Jan 24 12:28 sw drwx------ 2 root system 256 Jan 24 08:06 wpars -rw-r----- 1 adm adm 7517448 Apr 29 14:10 wtmp /var/log: total 8 drwxr-xr-x 2 root system 256 Jan 24 08:44 aso -rw-r----- 1 root system 603 Jan 24 10:30 cache_mgt.dr.log If any of the log files have group other than a system group, this is a finding.

Fix: F-16463r569441_fix

Change the group of the system log file(s) to a system group: # chgrp [system_group] /path/to/system-log-file

b

AIX system files, programs, and directories must be group-owned by a system group.

CM-5 - Medium - CCI-001499 - V-215268 - SV-215268r508663_rule

RMF Control

CM-5

Severity

M

CCI

Version

AIX7-00-002072

Vuln IDs

V-215268
V-91473

Rule IDs

SV-215268r508663_rule
SV-101571

Restricting permissions will protect the files from unauthorized modification.

Checks: C-16466r294255_chk

Check the group ownership of system files, programs, and directories run the following command: # ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin If any system file, program, or directory is not group-owned by a system group, this is a finding. Note: For this check, the system-provided "ipsec" group is also acceptable.

Fix: F-16464r294256_fix

Change the group owner of system files to a system group by running the following command: # chgrp sys /path/to/system/file Note: System groups other than "sys" may be used.

b

The inetd.conf file on AIX must be owned by root.

CM-6 - Medium - CCI-000366 - V-215269 - SV-215269r755154_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002077

Vuln IDs

V-215269
V-91587

Rule IDs

SV-215269r755154_rule
SV-101685

Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Checks: C-16467r755152_chk

Check the ownership of "/etc/inetd.conf": # ls -al /etc/inetd.conf The above command should yield the following output: -rw-r----- root system 993 Mar 11 07:04 /etc/inetd.conf If the file is not owned by root, this is a finding.

Fix: F-16465r755153_fix

Change the ownership of "/etc/inetd.conf": # chown root /etc/inetd.conf

b

AIX cron and crontab directories must be owned by root or bin.

CM-6 - Medium - CCI-000366 - V-215270 - SV-215270r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002078

Vuln IDs

V-215270
V-91595

Rule IDs

SV-215270r508663_rule
SV-101693

Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron or crontab directories to root or to bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Checks: C-16468r294261_chk

Check the owner of the "crontab" directory using command: # ls -ld /var/spool/cron/crontabs drwxrwx--- 2 bin cron 256 Jan 25 12:33 /var/spool/cron/crontabs If the owner of the "crontab" directory is not "root" or "bin", this is a finding.

Fix: F-16466r294262_fix

Change the owner of the "crontab" directory: # chown root /var/spool/cron/crontabs

b

AIX audio devices must be group-owned by root, sys, bin, or system.

CM-6 - Medium - CCI-000366 - V-215271 - SV-215271r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002079

Vuln IDs

V-215271
V-91597

Rule IDs

SV-215271r508663_rule
SV-101695

Without privileged group owners, audio devices will be vulnerable to being used as eaves-dropping devices by malicious users or intruders to possibly listen to conversations containing sensitive information.

Checks: C-16469r294264_chk

Check the group owner of audio devices using commands: # /usr/sbin/lsdev -C | grep -i audio aud0 Available USB Audio Device # ls -lL /dev/*aud0 cr--r--r-- 1 root system 16, 0 Jan 24 07:25 aud0 If the group owner of an audio device is not "root", "sys", "bin", or "system", this is a finding.

Fix: F-16467r294265_fix

Change the group owner of the audio device using command: # chgrp system <audio device>

b

AIX time synchronization configuration file must be owned by root.

CM-6 - Medium - CCI-000366 - V-215272 - SV-215272r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002081

Vuln IDs

V-215272
V-91601

Rule IDs

SV-215272r508663_rule
SV-101699

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system account, unauthorized modifications could result in the failure of time synchronization.

Checks: C-16470r294267_chk

Check the ownership of /etc/ntp.conf using command: # ls -al /etc/ntp.conf The above command should yield the following output: -rw-r----- 1 root system 993 Aug 25 18:26 /etc/ntp.conf If the file is not owned by root, this is a finding.

Fix: F-16468r294268_fix

Change the ownership of the file to root using command: # chown root /etc/ntp.conf

b

AIX time synchronization configuration file must be group-owned by bin, or system.

CM-6 - Medium - CCI-000366 - V-215273 - SV-215273r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002082

Vuln IDs

V-215273
V-91603

Rule IDs

SV-215273r508663_rule
SV-101701

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system group, unauthorized modifications could result in the failure of time synchronization.

Checks: C-16471r294270_chk

Check "/etc/ntp.conf" file group ownership: # ls -al /etc/ntp.conf The above command should yield the following output: -rw-r----- 1 root system 993 Aug 25 18:26 /etc/ntp.conf If the file is not group-owned by "system", this is a finding.

Fix: F-16469r294271_fix

Change the group owner of the files in "/etc/news" to "system" using: # chgrp system /etc/ntp.conf

b

The AIX /etc/group file must be owned by root.

CM-6 - Medium - CCI-000366 - V-215274 - SV-215274r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002083

Vuln IDs

V-215274
V-91611

Rule IDs

SV-215274r508663_rule
SV-101709

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Checks: C-16472r294273_chk

Verify the "/etc/group" file is owned by "root" using command: # ls -l /etc/group The above command should yield the following output: -rw-r--r-- 1 root security 387 Sep 06 11:40 /etc/group If the file is not owned by "root", this is a finding.

Fix: F-16470r294274_fix

Change the owner of the "/etc/group" file to "root": # chown root /etc/group

b

The AIX /etc/group file must be group-owned by security.

CM-6 - Medium - CCI-000366 - V-215275 - SV-215275r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002084

Vuln IDs

V-215275
V-91613

Rule IDs

SV-215275r508663_rule
SV-101711

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Checks: C-16473r294276_chk

Verify the "/etc/group" file is group-owned by "security" using command: # ls -l /etc/group The above command should yield the following output: -rw-r--r-- 1 root security 387 Sep 06 11:40 /etc/group If the file is not group-owned by "security", this is a finding.

Fix: F-16471r294277_fix

Change the group of the "/etc/group" file to "security": # chgrp security /etc/group

b

All AIX interactive users home directories must be owned by their respective users.

CM-6 - Medium - CCI-000366 - V-215276 - SV-215276r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002085

Vuln IDs

V-215276
V-91761

Rule IDs

SV-215276r508663_rule
SV-101859

System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.

Checks: C-16474r294279_chk

Check the ownership of each user's home directory listed in the "/etc/passwd file": # cut -d: -f6 /etc/passwd | xargs ls -lLd drwxr-xr-x 21 root system 4096 Jan 29 09:58 / drwxr-xr-x 4 bin bin 45056 Jan 24 12:31 /bin drwxr-xr-x 2 doejohn staff 256 Jan 25 13:18 /home/doejohn drwxr-xr-x 2 sshd system 256 Aug 11 2017 /home/srvproxy drwx------ 2 root system 256 Jan 30 12:54 /root drwxrwxr-x 4 bin bin 256 Mar 23 2017 /usr/sys drwxrwxr-x 15 root adm 4096 Jan 24 12:26 /var/adm drwxr-xr-x 6 root system 4096 Jan 24 07:34 /var/adm/invscout drwxr-xr-x 8 esaadmin system 256 Jan 24 09:02 /var/esa If any user's home directory is not owned by the assigned user, this is a finding.

Fix: F-16472r294280_fix

Change the owner of a user's home directory to its assigned user using command: # chown <user> <home directory>

b

All AIX interactive users home directories must be group-owned by the home directory owner primary group.

CM-6 - Medium - CCI-000366 - V-215277 - SV-215277r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002086

Vuln IDs

V-215277
V-91763

Rule IDs

SV-215277r508663_rule
SV-101861

If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.

Checks: C-16475r294282_chk

Check the group ownership for each user in the "/etc/passwd" file using command: # cut -d: -f6 /etc/passwd | xargs ls -lLd drwxr-xr-x 21 root system 4096 Jan 29 09:58 / drwxr-xr-x 4 bin bin 45056 Jan 24 12:31 /bin drwxr-xr-x 2 doejohn staff 256 Jan 25 13:18 /home/doejohn drwxr-xr-x 2 sshd system 256 Aug 11 2017 /home/srvproxy drwx------ 2 root system 256 Jan 30 12:54 /root drwxrwxr-x 4 bin bin 256 Mar 23 2017 /usr/sys drwxrwxr-x 15 root adm 4096 Jan 24 12:26 /var/adm drwxr-xr-x 6 root system 4096 Jan 24 07:34 /var/adm/invscout drwxr-xr-x 8 esaadmin system 256 Jan 24 09:02 /var/esa If any user's home directory is not group-owned by the assigned user's primary group, this is a finding. Home directories for application accounts requiring different group ownership must be documented using site-defined procedures.

Fix: F-16473r294283_fix

Change the group owner for users home directories to the primary group of the assigned user: # chgrp <groupname> <directoryname> (Replace examples with appropriate group and home directory.) Document all changes.

b

All files and directories contained in users home directories on AIX must be group-owned by a group in which the home directory owner is a member.

CM-6 - Medium - CCI-000366 - V-215278 - SV-215278r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002087

Vuln IDs

V-215278
V-91769

Rule IDs

SV-215278r508663_rule
SV-101867

If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.

Checks: C-16476r294285_chk

Check the contents of user home directories for files group-owned by a group of which the home directory's owner is not a member. List the user accounts: # cut -d : -f 1 /etc/passwd root daemon bin sys adm uucp nobody invscout snapp ipsec srvproxy esaadmin sshd doejohn dirtjoe For each user account, get a list of group names for files in the user's home directory: # find < users home directory > -exec ls -lLd {} \; Obtain the list of group names associated with the user's account: # lsuser -a groups < user name > doejohn groups=staff Check the group name lists: # cat /etc/group system:!:0:root,srvproxy,esaadmin staff:!:1:ipsec,srvproxy,esaadmin,sshd,doejohn bin:!:2:root,bin sys:!:3:root,bin,sys adm:!:4:bin,adm mail:!:6: security:!:7:root cron:!:8:root audit:!:10:root ecs:!:28: nobody:!:4294967294:nobody,lpd usr:!:100:dirtjoe perf:!:20: shutdown:!:21: invscout:!:12:invscout snapp:!:13:snapp ipsec:!:200: sshd:!:201:sshd If there are group names in the file list not present in the user list, this is a finding.

Fix: F-16474r294286_fix

Change the group of a file not group-owned by a group where the home directory's owner is a member using command: # chgrp [user's primary group] [file with bad group ownership]

b

AIX library files must have mode 0755 or less permissive.

CM-5 - Medium - CCI-001499 - V-215279 - SV-215279r508663_rule

RMF Control

CM-5

Severity

M

CCI

Version

AIX7-00-002088

Vuln IDs

V-215279
V-91477

Rule IDs

SV-215279r508663_rule
SV-101575

Unauthorized access could destroy the integrity of the library files.

Checks: C-16477r294288_chk

Check the mode of library files by running the following command: # ls -lLR /usr/lib /lib If any of the library files have a mode more permissive than "0755", this is a finding.

Fix: F-16475r294289_fix

Change the mode of library files to "0755" or less permissive by running the following command: # chmod 0755 <path>/<library-file> NOTE: Library files should have an extension of .a or .so (a=archive, so=shared object) extension, possibly followed by a version.

b

Samba packages must be removed from AIX.

CM-6 - Medium - CCI-000366 - V-215280 - SV-215280r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002089

Vuln IDs

V-215280
V-91571

Rule IDs

SV-215280r508663_rule
SV-101669

If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.

Checks: C-16478r294291_chk

Run the following command to check if samba packages are installed on AIX: # lslpp -l samba* If the above command shows that samba packages are installed, this is a finding.

Fix: F-16476r294292_fix

Run the following command to un-install the samba packages: # installp -ug samba*

b

AIX time synchronization configuration file must have mode 0640 or less permissive.

CM-6 - Medium - CCI-000366 - V-215281 - SV-215281r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002090

Vuln IDs

V-215281
V-91605

Rule IDs

SV-215281r508663_rule
SV-101703

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. File permissions more permissive than 0640 for time synchronization configuration file may allow access and change the config file by system intruders or malicious users, could result in the failure of time synchronization.

Checks: C-16479r294294_chk

Determine the mode of the ntp.conf file: # ls -l /etc/ntp.conf The above command should yield the following output: -rw-r----- 1 root system 993 Aug 25 18:26 /etc/ntp.conf If the mode is more permissive than "0640", this is a finding.

Fix: F-16477r294295_fix

Change the mode of the "ntp.conf" file to "0640" or less permissive: # chmod 0640 /etc/ntp.conf

b

The AIX /etc/group file must have mode 0644 or less permissive.

CM-6 - Medium - CCI-000366 - V-215282 - SV-215282r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002091

Vuln IDs

V-215282
V-91615

Rule IDs

SV-215282r508663_rule
SV-101713

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Checks: C-16480r294297_chk

Verify the "/etc/group" file has the mode "0644" using command: # ls -l /etc/group The above command should yield the following output: -rw-r--r-- 1 root security 387 Sep 06 11:40 /etc/group If the file does not have mode "0644" or less permissive, this is a finding.

Fix: F-16478r294298_fix

Change the mode of the "/etc/group" file to "0644": # chmod 0644 /etc/group

b

AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required.

CM-6 - Medium - CCI-000366 - V-215283 - SV-215283r853470_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002096

Vuln IDs

V-215283
V-91723

Rule IDs

SV-215283r853470_rule
SV-101821

The AIX Encrypted File System (EFS) is a J2 filesystem-level encryption through individual key stores. This allows for file encryption in order to protect confidential data from attackers with physical access to the computer. User authentication and access control lists can protect files from unauthorized access (even from root user) while the operating system is running. Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000405-GPOS-00184, SRG-OS-000404-GPOS-00183

Checks: C-16481r294300_chk

If the organization does not require to encrypt the data at rest, this is Not Applicable. Check if "clic.rte" fileset is installed: # lslpp -l |grep clic The above command should yield the following output: clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel clic.rte.lib 4.10.0.1 COMMITTED CryptoLite for C Library clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel If the "clic.rte.lib", or the "clic.rte.kernext", fileset is not installed, this is a finding. To check if a JFS2 file system (mounted as /fs2_mnt) is EFS-enabled, use the following command: # lsfs -q /fs2_mnt Name Nodename Mount Pt VFS Size Options Auto Accounting /dev/fslv00 -- /fs2_mnt jfs2 262144 -- no no (lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: no, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no) If the above command shows "EFS: no", this is a finding.

Fix: F-16479r294301_fix

Install "clic.rte" filesets from AIX DVD Volume 1 using the following commands (assuming that the DVD device is /dev/cd0): # installp -aXYgd /dev/cd0 -e /tmp/install.log clic.rte.lib # installp -aXYgd /dev/cd0 -e /tmp/install.log clic.rte.kernext Run the follow command to initialize and enable EFS on the system: # efsenable -a To create a new EFS-enabled JFS2 file system and mount the file system, using the following commands: # crfs -v jfs2 -g rootvg -m /fs2 -a size=100M -a efs=yes # mount /fs2 To enable EFS on a JFS2 file system (like, /fs3), run the following command: chfs -a efs=yes /fs3

b

AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods.

SC-8 - Medium - CCI-002418 - V-215284 - SV-215284r853471_rule

RMF Control

SC-8

Severity

M

CCI

CCI-002418

Version

AIX7-00-002097

Vuln IDs

V-215284
V-91561

Rule IDs

SV-215284r853471_rule
SV-101659

Without protection of the transmitted or received information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Checks: C-16482r294303_chk

Run the following command to check if SSH server package is installed: # lslpp -l | grep -i ssh openssh.base.client 6.0.0.6201 COMMITTED Open Secure Shell Commands openssh.base.server 6.0.0.6201 COMMITTED Open Secure Shell Server openssh.man.en_US 6.0.0.6201 COMMITTED Open Secure Shell If package "openssh.base.server" is not installed, this is a finding. Run the following command to check if the SSH daemon is running: # lssrc -s sshd | grep active sshd ssh 3670408 active If "sshd" is "inoperative", this is a finding.

Fix: F-16480r294304_fix

If the SSH server package is not installed, install "openssh.base.server" package and config the SSH daemon. If the ssh demon is not "active", run the following command to start it: # startsrc -s sshd

b

AIX must monitor and record successful remote logins.

AC-17 - Medium - CCI-000067 - V-215285 - SV-215285r508663_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000067

Version

AIX7-00-002100

Vuln IDs

V-215285
V-91239

Rule IDs

SV-215285r508663_rule
SV-101339

Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).

Checks: C-16483r294306_chk

Check if the file "/var/adm/wtmp" is a symlink by using the following command: # ls -al /var/adm/wtmp The above command should yield the following output: -rw-rw-r-- 1 adm adm 45360 Sep 05 15:00 /var/adm/wtmp If the file "/var/adm/wtmp" is a symlink, this is a finding.

Fix: F-16481r294307_fix

Remove the symlink of "/var/adm/wtmp" file by using the following command: # rm /var/adm/wtmp The "/var/adm/wtmp" file will be created when the system logs event for successful or failed login.

b

AIX must monitor and record unsuccessful remote logins.

AC-17 - Medium - CCI-000067 - V-215286 - SV-215286r508663_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000067

Version

AIX7-00-002101

Vuln IDs

V-215286
V-91241

Rule IDs

SV-215286r508663_rule
SV-101341

Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).

Checks: C-16484r294309_chk

Check if the file "/etc/security/failedlogin" is a symlink by using the following command: # ls -al /etc/security/failedlogin The above command should yield the following output: -rw------- 1 root system 648 Sep 05 14:59 /etc/security/failedlogin If the file "/etc/security/failedlogin" is a symlink, this is a finding.

Fix: F-16482r294310_fix

Remove the symlink of "/etc/security/failedlogin" file by using the following command: # rm /etc/security/failedlogin The "/etc/security/failedlogin" file will be created when system logs event for a failed login.

b

On AIX, the SSH server must not permit root logins using remote access programs.

CM-6 - Medium - CCI-000366 - V-215287 - SV-215287r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002102

Vuln IDs

V-215287
V-91577

Rule IDs

SV-215287r508663_rule
SV-101675

Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.

Checks: C-16485r294312_chk

Determine if the SSH daemon is configured to disable root logins: # grep -iE "PermitRootLogin[[:blank:]]*no" /etc/ssh/sshd_config | grep -v \# If the above command displays a line, the root login is disabled. If the root login is not disabled, this is a finding.

Fix: F-16483r294313_fix

Edit the "/etc/ssh/sshd_config" file to have the following line and save the change: PermitRootLogin no Restart SSH daemon: # stopsrc -s sshd # startsrc -s sshd

b

All AIX shells referenced in passwd file must be listed in /etc/shells file, except any shells specified for the purpose of preventing logins.

CM-6 - Medium - CCI-000366 - V-215288 - SV-215288r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002103

Vuln IDs

V-215288
V-91641

Rule IDs

SV-215288r508663_rule
SV-101739

The /etc/shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized unsecure shell.

Checks: C-16486r294315_chk

Confirm the login shells referenced in the "/etc/passwd" file are listed in the "/etc/security/login.cfg" file's "shells =variable" in the usw stanza by running commands: # more /etc/security/login.cfg | grep shells | grep -v '*' shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh # more /etc/shells /bin/csh /bin/ksh /bin/psh /bin/tsh /bin/bsh /usr/bin/csh /usr/bin/ksh /usr/bin/psh /usr/bin/tsh /usr/bin/bsh The "/usr/bin/false", "/bin/false", "/dev/null", "/sbin/nologin" (and equivalents), and "sdshell" will be considered valid shells for use in the "/etc/passwd" file, but will not be listed in the shells stanza. If a shell referenced in "/etc/passwd" is not listed in the shells stanza, excluding the above mentioned shells, this is a finding.

Fix: F-16484r294316_fix

Use the "chsh" utility or edit the "/etc/passwd" file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the "/etc/shells file". Alternatively, use the SMIT to change the "/etc/passwd" shell entry.

b

The AIX SSH server must use SSH Protocol 2.

AC-17 - Medium - CCI-000068 - V-215289 - SV-215289r877398_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000068

Version

AIX7-00-002104

Vuln IDs

V-215289
V-91245

Rule IDs

SV-215289r877398_rule
SV-101345

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.

Checks: C-16487r294318_chk

From the command prompt, run the following command: # grep ^Protocol /etc/ssh/sshd_config The above command should yield the following output: Protocol 2 If the above command does not show the ssh server supporting "Protocol 2" only, this is a finding.

Fix: F-16485r294319_fix

Add or edit the following line in the "/etc/ssh/sshd_config" file to support "Protocol 2" only: Protocol 2 Save the change to /etc/ssh/sshd_config Restart ssh daemon: # stopsrc -s sshd # startsrc -s sshd

b

AIX must config the SSH idle timeout interval.

SC-10 - Medium - CCI-001133 - V-215290 - SV-215290r853472_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

AIX7-00-002105

Vuln IDs

V-215290
V-91491

Rule IDs

SV-215290r853472_rule
SV-101589

Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance. Satisfies: SRG-OS-000163-GPOS-00072

Checks: C-16488r648725_chk

Run the following command to check if "ClientAliveInterval" and "ClientAliveCountMax" are set for SSH server: # grep -E "^ClientAliveInterval|^ClientAliveCountMax" /etc/ssh/sshd_config ClientAliveInterval 600 ClientAliveCountMax 0 If "ClientAliveCountMax" is not set or its value is not "0", this is a finding. If "ClientAliveInterval" is not set, or its value is not "600" (10-minutes) or less, this is a finding.

Fix: F-16486r648726_fix

Add or update the following lines in "/etc/ssh/sshd_config": ClientAliveInterval 600 ClientAliveCountMax 0 Restart sshd: # stopsrc -s sshd # startsrc -s sshd

b

AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions.

CM-5 - Medium - CCI-001814 - V-215291 - SV-215291r853473_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001814

Version

AIX7-00-002107

Vuln IDs

V-215291
V-91529

Rule IDs

SV-215291r853473_rule
SV-101627

Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.

Checks: C-16489r294324_chk

Check the SSH daemon configuration for the Kerberos authentication setting: # grep -i KerberosAuthentication /etc/ssh/sshd_config | grep -v '^#' If the setting is present and set to "yes", this is a finding.

Fix: F-16487r294325_fix

Edit the "/etc/ssh/sshd_config" file and add or change the "KerberosAuthentication" value of the setting to "no". Refresh sshd: # stopsrc -s sshd # startsrc -s sshd

b

If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication.

IA-11 - Medium - CCI-002038 - V-215292 - SV-215292r853474_rule

RMF Control

IA-11

Severity

M

CCI

CCI-002038

Version

AIX7-00-002108

Vuln IDs

V-215292
V-91541

Rule IDs

SV-215292r853474_rule
SV-101639

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.

Checks: C-16490r294327_chk

Ask the SA if GSSAPI authentication is used for SSH authentication to the system. If so, this is not applicable. Check the SSH daemon configuration for the GSSAPI authentication setting: # grep -i GSSAPIAuthentication /etc/ssh/sshd_config | grep -v '^#' GSSAPIAuthentication no If the setting is not set to "no", this is a finding.

Fix: F-16488r294328_fix

Edit "/etc/ssh/sshd_config" and remove the "GSSAPIAuthentication" setting or change the value to "no". Refresh sshd: # stopsrc -s sshd # startsrc -s sshd

b

AIX must setup SSH daemon to disable revoked public keys.

IA-5 - Medium - CCI-001991 - V-215293 - SV-215293r853475_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001991

Version

AIX7-00-002110

Vuln IDs

V-215293
V-91549

Rule IDs

SV-215293r853475_rule
SV-101647

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Checks: C-16491r294330_chk

If public keys are not used for SSH authentication, this is Not Applicable. Run the following command: # grep "^RevokedKeys" /etc/ssh/sshd_config RevokedKeys /etc/ssh/RevokedKeys.txt If the command does not find the "RevokedKeys" setting, or the value for "RevokedKeys" is set to "none", this is a finding.

Fix: F-16489r294331_fix

Obtain the file that contains all the public keys that need to be revoked from ISSO/SA and save the file in /etc/ssh/ directory. Edit the "/etc/ssh/sshd_config" file to allow "RevokedKeys" to point to the revoked key file obtained above. Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

b

AIX SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

CM-6 - Medium - CCI-000366 - V-215294 - SV-215294r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002111

Vuln IDs

V-215294
V-91585

Rule IDs

SV-215294r508663_rule
SV-101683

DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.

Checks: C-16492r294333_chk

Check the SSH daemon configuration for allowed MACs by running the following command: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96 If no lines are returned, or the returned MAC list contains any MAC that is not FIPS 140-2 approved, this is a finding.

Fix: F-16490r294334_fix

Edit the "/etc/ssh/sshd_config" file and add/edit the following line to contain FIPS 140-2 approved ciphers: MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96 Restart SSH daemon: # stopsrc -s sshd # startsrc -s sshd Note: If the "MACs" configuration contains any ciphers that are not FIPS 140-2 approved, they should be removed from the configuration file.

b

The AIX SSH daemon must be configured for IP filtering.

CM-6 - Medium - CCI-000366 - V-215295 - SV-215295r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002112

Vuln IDs

V-215295
V-91679

Rule IDs

SV-215295r508663_rule
SV-101777

The SSH daemon must be configured for IP filtering to provide a layered defense against connection attempts from unauthorized addresses.

Checks: C-16493r294336_chk

Check the TCP wrappers configuration files to determine if SSHD is configured to use TCP wrappers using commands: # grep sshd /etc/hosts.deny sshd : ALL # grep sshd /etc/hosts.allow sshd : 10.10.20.* If no entries are returned, the TCP wrappers are not configured for SSHD, this is a finding.

Fix: F-16491r294337_fix

Add appropriate IP restrictions for SSH to the "/etc/hosts.deny" and/or "/etc/hosts.allow" files. TCP Wrappers can be installed from the AIX Expansion Pack by installing fileset "netsec.options.tcpwrappers" using the following command (assume AIX Expansion Pack is mounted on /dev/cd0): # installp -aXYgd /dev/cd0 -e /tmp/install.log netsec.options.tcpwrappers

b

The AIX SSH daemon must not allow compression.

CM-6 - Medium - CCI-000366 - V-215296 - SV-215296r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002113

Vuln IDs

V-215296
V-91705

Rule IDs

SV-215296r508663_rule
SV-101803

If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.

Checks: C-16494r294339_chk

Check the SSH daemon configuration for the Compression setting by running: # grep -i Compression /etc/ssh/sshd_config | grep -v '^#' Compression no If the setting is not present, or it is not set to "no", this is a finding.

Fix: F-16492r294340_fix

Edit the "/etc/ssh/sshd_config" file and add (or modify) the following line: Compression no Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

b

AIX must turn on SSH daemon privilege separation.

CM-6 - Medium - CCI-000366 - V-215297 - SV-215297r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002114

Vuln IDs

V-215297
V-91725

Rule IDs

SV-215297r508663_rule
SV-101823

SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.

Checks: C-16495r294342_chk

Check the SSH daemon configuration for the "UsePrivilegeSeparation" setting using command: # grep -i UsePrivilegeSeparation /etc/ssh/sshd_config | grep -v '^#' UsePrivilegeSeparation yes If the setting is not present or the setting is "no", this is a finding.

Fix: F-16493r294343_fix

Edit the "/etc/sshd/sshd_config" file and add the following line: UsePrivilegeSeparation yes Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

b

AIX must turn on SSH daemon reverse name checking.

CM-6 - Medium - CCI-000366 - V-215298 - SV-215298r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002115

Vuln IDs

V-215298
V-91727

Rule IDs

SV-215298r508663_rule
SV-101825

If reverse name checking is off, SSH may allow a remote attacker to circumvent security policies and attempt to or actually login from IP addresses that are not permitted to access resources.

Checks: C-16496r294345_chk

Check the SSH daemon configuration for the "VerifyReverseMapping" setting using command: # grep -i VerifyReverseMapping /etc/ssh/sshd_config | grep -v '^#' VerifyReverseMapping yes If the setting is not present or the setting is "no", this is a finding.

Fix: F-16494r294346_fix

Edit the "/etc/sshd/sshd_config" file and add the following line: VerifyReverseMapping yes Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

b

AIX SSH daemon must perform strict mode checking of home directory configuration files.

CM-6 - Medium - CCI-000366 - V-215299 - SV-215299r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002116

Vuln IDs

V-215299
V-91729

Rule IDs

SV-215299r508663_rule
SV-101827

If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

Checks: C-16497r294348_chk

Check the SSH daemon configuration for the "StrictModes" setting using command: # grep -i StrictModes /etc/ssh/sshd_config | grep -v '^#' StrictModes yes If the setting is missing or is set to "no", this is a finding.

Fix: F-16495r294349_fix

Edit the "/etc/sshd/sshd_config" file and add or change the "StrictModes" setting to "yes". Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

b

AIX must turn off X11 forwarding for the SSH daemon.

CM-6 - Medium - CCI-000366 - V-215300 - SV-215300r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002117

Vuln IDs

V-215300
V-91731

Rule IDs

SV-215300r508663_rule
SV-101829

X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed.

Checks: C-16498r294351_chk

If X11 forwarding has been authorized for use, this is Not Applicable. Check the SSH daemon configuration for the "X11Forwarding" directive using command: # grep -i X11Forwarding /etc/ssh/sshd_config | grep -v '^#' X11Forwarding no If the setting is not present or the setting is "yes", this is a finding.

Fix: F-16496r294352_fix

Edit the "/etc/sshd/sshd_config" file to add the following line and save the change: X11Forwarding no Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

b

AIX must turn off TCP forwarding for the SSH daemon.

CM-6 - Medium - CCI-000366 - V-215301 - SV-215301r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002118

Vuln IDs

V-215301
V-91733

Rule IDs

SV-215301r508663_rule
SV-101831

SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.

Checks: C-16499r294354_chk

If TCP forwarding is approved for use by the ISSO, this is not applicable. Check the SSH daemon configuration for the "AllowTcpForwarding" directive using command: # grep -i AllowTcpForwarding /etc/ssh/sshd_config | grep -v '^#' AllowTcpForwarding no If the setting is not present or the setting is "yes", this is a finding.

Fix: F-16497r294355_fix

Edit the "/etc/sshd/sshd_config" file to add the following line and save the change: AllowTcpForwarding no Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

b

The AIX SSH daemon must be configured to disable empty passwords.

CM-6 - Medium - CCI-000366 - V-215302 - SV-215302r877377_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002120

Vuln IDs

V-215302
V-91743

Rule IDs

SV-215302r877377_rule
SV-101841

When password authentication is allowed, PermitEmptyPasswords specifies whether the server allows login to accounts with empty password strings. If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Checks: C-16500r294357_chk

Check the SSH daemon configuration for allowed empty passwords using command: # grep -i PermitEmptyPasswords /etc/ssh/sshd_config | grep -v '^#' PermitEmptyPasswords no If no lines are returned, or the returned "PermitEmptyPasswords" directive contains "yes", this is a finding.

Fix: F-16498r294358_fix

Edit "/etc/ssh/sshd_config" and add or edit the "PermitEmptyPasswords " line as: PermitEmptyPasswords no Save the change and restart ssh daemon: # stopsrc -s sshd # startsrc -s sshd

b

The AIX SSH daemon must be configured to disable user .rhosts files.

CM-6 - Medium - CCI-000366 - V-215303 - SV-215303r877377_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002121

Vuln IDs

V-215303
V-91745

Rule IDs

SV-215303r877377_rule
SV-101843

Trust .rhost file means a compromise on one host can allow an attacker to move trivially to other hosts.

Checks: C-16501r294360_chk

Check the SSH daemon configuration for allowed ".rhosts" using command: # grep -i IgnoreRhosts /etc/ssh/sshd_config | grep -v '^#' IgnoreRhosts yes If no lines are returned, or the returned "IgnoreRhosts" directive is not set to "yes", this is a finding.

Fix: F-16499r294361_fix

Edit "/etc/ssh/sshd_config" and add or update the "IgnoreRhosts " line as: IgnoreRhosts yes Save the change and restart ssh daemon: # stopsrc -s sshd # startsrc -s sshd

b

The AIX SSH daemon must be configured to not use host-based authentication.

CM-6 - Medium - CCI-000366 - V-215304 - SV-215304r877377_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002122

Vuln IDs

V-215304
V-91747

Rule IDs

SV-215304r877377_rule
SV-101845

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Checks: C-16502r294363_chk

Check the SSH daemon configuration for allowed host-based authentication using command: # grep -i HostbasedAuthentication /etc/ssh/sshd_config | grep -v '^#' HostbasedAuthentication no If no lines are returned, or the returned "HostbasedAuthentication" directive contains "yes", this is a finding.

Fix: F-16500r294364_fix

Edit "/etc/ssh/sshd_config" and add or update the "HostbasedAuthentication" line as: HostbasedAuthentication no Save the change and restart ssh daemon: # stopsrc -s sshd # startsrc -s sshd

b

The AIX SSH daemon must not allow RhostsRSAAuthentication.

CM-6 - Medium - CCI-000366 - V-215305 - SV-215305r877377_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002123

Vuln IDs

V-215305
V-91749

Rule IDs

SV-215305r877377_rule
SV-101847

If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific authentication.

Checks: C-16503r294366_chk

Check the SSH daemon configuration for the "RhostsRSAAuthentication" setting by running: # grep -i RhostsRSAAuthentication /etc/ssh/sshd_config | grep -v '^#' The above command should yield the following output: RhostsRSAAuthentication no If the setting is present and set to "yes", this is a finding.

Fix: F-16501r294367_fix

Edit the "/etc/ssh/sshd_config file", add the following line, and save the change: RhostsRSAAuthentication no Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

b

If AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses.

CM-6 - Medium - CCI-000366 - V-215306 - SV-215306r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002124

Vuln IDs

V-215306
V-91773

Rule IDs

SV-215306r508663_rule
SV-101871

The SSH daemon should only listen on the approved listening IP addresses. Otherwise the SSH service could be subject to unauthorized access.

Checks: C-16504r294369_chk

From the command prompt, run the following command to check if "ListenAddress" is defined in SSH config file: # grep -i ListenAddress /etc/ssh/sshd_config | grep -v '^#' ListenAddress 10.17.76.74 If no configuration is returned, or if a returned listen configuration contains addresses not permitted, this is a finding.

Fix: F-16502r294370_fix

Edit the SSH daemon config file and add/modify the "ListenAddress" network addresses: # vi /etc/ssh/sshd_config Restart SSH daemon: # stopsrc -s sshd # startsrc -s sshd

b

AIX system must require authentication upon booting into single-user and maintenance modes.

CM-6 - Medium - CCI-000366 - V-215308 - SV-215308r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002127

Vuln IDs

V-215308
V-91575

Rule IDs

SV-215308r508663_rule
SV-101673

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Checks: C-16506r294375_chk

Verify that the "root" account has a password assigned: # cut -d: -f1,2 /etc/passwd | grep root root:! If the "root" account is not listed with an "!", this is a finding.

Fix: F-16504r294376_fix

Assign the "root" account a password using passwd command while logged on as "root": # passwd

a

If bash is used, AIX must display logout messages.

AC-12 - Low - CCI-002364 - V-215309 - SV-215309r853476_rule

RMF Control

AC-12

Severity

L

CCI

CCI-002364

Version

AIX7-00-002128

Vuln IDs

V-215309
V-91495

Rule IDs

SV-215309r853476_rule
SV-101593

If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Information resources to which users gain access via authentication include, for example, local workstations and remote services. Logoff messages can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions, including, for example, remote login, information systems typically send logoff messages as final messages prior to terminating sessions.

Checks: C-16507r294378_chk

Identify any users that are using the BASH shell: # cut -d: -f1,7 /etc/passwd | grep -i bash doejohn:/bin/bash If no users are assigned the BASH shell, this is Not Applicable Verify that each BASH shell user has a ".bash_logout" file: # for home in `cut -d: -f6 /etc/passwd`; do ls -alL $home/.bash_logout; done -rwxr----- 1 doejohn staff 297 Jan 29 09:47 /home/doejohn/.bash_logout If a user does not have their ".bash_logout" file, this is a finding. Verify that each ".bash_logout" file identified above contains a logout message: # cat <user_home_directory>/.bash_logout echo "You are being disconnected." sleep 5 If the ".bash_logout" file is not configured to display a logout message, this is a finding.

Fix: F-16505r294379_fix

Create the ".bash_logout" file if it does not exist. Add the following two lines to ".bash_logout" to display a logout message and sleep for "5" seconds: echo "You are being disconnected." sleep 5

a

If Bourne / ksh shell is used, AIX must display logout messages.

AC-12 - Low - CCI-002364 - V-215310 - SV-215310r853477_rule

RMF Control

AC-12

Severity

L

CCI

CCI-002364

Version

AIX7-00-002129

Vuln IDs

V-215310
V-91497

Rule IDs

SV-215310r853477_rule
SV-101595

If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Information resources to which users gain access via authentication include, for example, local workstations and remote services. Logoff messages can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions, including, for example, remote login, information systems typically send logoff messages as final messages prior to terminating sessions.

Checks: C-16508r294381_chk

Verify users have a ".logout" file in their home directory: # for home in `cut -d: -f6 /etc/passwd`; do ls -alL $home/.logout; done -rwxr----- 1 root system 297 Jan 29 09:47 /root/.logout -rwxr----- 1 doejohn staff 297 Jul 4 00:47 /home/doejohn/.logout If an interactive user does not have their ".logout" file, this is a finding. Verify that each ".logout" file identified above contains a logout message: # cat <user_home_directory>/.logout echo "You are being disconnected." sleep 5 If the ".logout" file does not display a logout message, this is a finding. Verify each users' ".profile" file calls "$HOME/.logout" while logging out: # grep "trap '$HOME/.logout' EXIT " <user_home_directory>/.profile trap '$HOME/.logout' EXIT If the ".profile" file does not call "$HOME/.logout", this is a finding.

Fix: F-16506r294382_fix

Create the ".logout" file if it does not exist. Add the following two lines to ".logout" to display a logout message and sleep for "5" seconds: echo "You are being disconnected." sleep 5 Create, or modify, ".profile" to include the following line: trap '$HOME/.logout' EXIT

a

If csh/tcsh shell is used, AIX must display logout messages.

AC-12 - Low - CCI-002364 - V-215311 - SV-215311r853478_rule

RMF Control

AC-12

Severity

L

CCI

CCI-002364

Version

AIX7-00-002130

Vuln IDs

V-215311
V-91499

Rule IDs

SV-215311r853478_rule
SV-101597

If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Information resources to which users gain access via authentication include, for example, local workstations and remote services. Logoff messages can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions, including, for example, remote login, information systems typically send logoff messages as final messages prior to terminating sessions.

Checks: C-16509r294384_chk

Check if users have their "$HOME/.logout" files. If a user does not have their ".logout" file, or the ".logout" file does not display a logout message, this is a finding.

Fix: F-16507r294385_fix

Create the ".logout" file if it does not exist. Add the following two lines to ".logout" to display a logout message and sleep for "5" seconds: echo "You are being disconnected." sleep 5

b

AIX must implement a remote syslog server that is documented using site-defined procedures.

CM-6 - Medium - CCI-000366 - V-215312 - SV-215312r853479_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002131

Vuln IDs

V-215312
V-91657

Rule IDs

SV-215312r853479_rule
SV-101755

If a remote log host is in use and it has not been justified and documented, sensitive information could be obtained by unauthorized users without the administrator’s knowledge. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Checks: C-16510r294387_chk

Examine the "syslog.conf" file for any references to remote log hosts using command: # grep -v "^#" /etc/syslog.conf | grep '@' @<loghost> Ask ISSO/SA for a list of valid remote syslog servers justified and documented using site-defined procedures. Destination locations beginning with "@" represent log hosts. If the log host name is a local alias, such as log host, consult the "/etc/hosts" or other name databases as necessary to obtain the canonical name or address for the log host. Determine if the host referenced is a syslog host documented using site-defined procedures. If a loghost is not defined, not documented, or is commented out this is a finding.

Fix: F-16508r294388_fix

Edit the /etc/syslog.conf file to include a documented and approved remote log host.

b

The AIX syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.

CM-6 - Medium - CCI-000366 - V-215313 - SV-215313r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002132

Vuln IDs

V-215313
V-91677

Rule IDs

SV-215313r508663_rule
SV-101775

Unintentionally running a syslog server accepting remote messages puts the system at increased risk. Malicious syslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service.

Checks: C-16511r294390_chk

Verify "syslogd" is running with the "-R" option using command: # ps -ef | grep syslogd | grep -v grep The above command should yield the following output: root 4063356 3342368 0 Sep 11 - 0:01 /usr/sbin/syslogd -R If the "-R" option is not present with the syslogd process, this is a finding.

Fix: F-16509r294391_fix

Change the "syslogd" arguments in the src subsystem control and restart the "syslogd" daemon using the following commands: # chssys -s syslogd -a '-R' # stopsrc -s syslogd # startsrc -s syslogd

b

AIX must be configured to use syslogd to log events by TCPD.

CM-5 - Medium - CCI-001814 - V-215314 - SV-215314r853480_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001814

Version

AIX7-00-002133

Vuln IDs

V-215314
V-91533

Rule IDs

SV-215314r853480_rule
SV-101631

Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.

Checks: C-16512r294393_chk

Normally, TCPD logs to the "mail" facility in "/etc/syslog.conf". Determine if syslog is configured to log events by TCPD. Procedure: # more /etc/syslog.conf Look for entries similar to the following: mail.debug /var/adm/maillog mail.none /var/adm/maillog mail.* /var/log/mail auth.info /var/log/messages The above entries would indicate mail alerts are being logged. If no entries for "mail" exist, then TCPD is not logging and this is a finding.

Fix: F-16510r294394_fix

Configure the access restriction program to log every access attempt. Ensure the implementation instructions for TCP_WRAPPERS are followed, so system access attempts are logged into the system log files. If an alternate application is used, it must support this function. Edit the "/etc/syslog.conf" file by writing the following to the file. auth.info /var/log/messages # touch /var/log/messages # refresh -s yslogd

b

The AIX audit configuration files must be owned by root.

AU-12 - Medium - CCI-000171 - V-215315 - SV-215315r508663_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000171

Version

AIX7-00-002200

Vuln IDs

V-215315
V-91271

Rule IDs

SV-215315r508663_rule
SV-101369

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-16513r294396_chk

Check that all the audit configuration files under /etc/security/audit/* have correct ownership. # ls -l /etc/security/audit/* -rw-r----- 1 root audit 37 Oct 10 2016 /etc/security/audit/bincmds -rw-r----- 1 root audit 2838 Sep 05 16:33 /etc/security/audit/config -rw-r----- 1 root audit 26793 Oct 10 2016 /etc/security/audit/events -rw-r----- 1 root audit 340 Oct 10 2016 /etc/security/audit/objects -rw-r----- 1 root audit 54 Oct 10 2016 /etc/security/audit/streamcmds If any file's ownership is not "root", this is a finding.

Fix: F-16511r294397_fix

Set the owner audit configuration files to "root". # chown root /etc/security/audit/*

b

The AIX audit configuration files must be group-owned by audit.

AU-12 - Medium - CCI-000171 - V-215316 - SV-215316r508663_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000171

Version

AIX7-00-002201

Vuln IDs

V-215316
V-91273

Rule IDs

SV-215316r508663_rule
SV-101371

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-16514r294399_chk

Check that all the audit configuration files under /etc/security/audit/* have group ownership. # ls -l /etc/security/audit/* -rw-r----- 1 root audit 37 Oct 10 2016 /etc/security/audit/bincmds -rw-r----- 1 root audit 2838 Sep 05 16:33 /etc/security/audit/config -rw-r----- 1 root audit 26793 Oct 10 2016 /etc/security/audit/events -rw-r----- 1 root audit 340 Oct 10 2016 /etc/security/audit/objects -rw-r----- 1 root audit 54 Oct 10 2016 /etc/security/audit/streamcmds If any file's group ownership is not "audit", this is a finding.

Fix: F-16512r294400_fix

Set the group of the audit configuration files to "audit". # chgrp audit /etc/security/audit/*

b

The AIX audit configuration files must be set to 640 or less permissive.

AU-12 - Medium - CCI-000171 - V-215317 - SV-215317r508663_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000171

Version

AIX7-00-002202

Vuln IDs

V-215317
V-91275

Rule IDs

SV-215317r508663_rule
SV-101373

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-16515r294402_chk

Check that all the audit configuration files under /etc/security/audit/* have correct permissions. # ls -l /etc/security/audit/* -rw-r----- 1 root audit 37 Oct 10 2016 /etc/security/audit/bincmds -rw-r----- 1 root audit 2838 Sep 05 16:33 /etc/security/audit/config -rw-r----- 1 root audit 26793 Oct 10 2016 /etc/security/audit/events -rw-r----- 1 root audit 340 Oct 10 2016 /etc/security/audit/objects -rw-r----- 1 root audit 54 Oct 10 2016 /etc/security/audit/streamcmds If any file has a mode more permissive than "640", this is a finding.

Fix: F-16513r294403_fix

Change the permission of the audit configuration files to "640". # chmod 640 /etc/security/audit/*

b

AIX must automatically lock after 15 minutes of inactivity in the CDE Graphical desktop environment.

AC-11 - Medium - CCI-000057 - V-215318 - SV-215318r508663_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000057

Version

AIX7-00-003000

Vuln IDs

V-215318
V-91233

Rule IDs

SV-215318r508663_rule
SV-101333

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled.

Checks: C-16516r294405_chk

If CDE (X11) is not used on AIX, this is Not Applicable. From the command prompt, run the following script: for file in /usr/dt/config/*/sys.resources; do etc_file=`echo $file | sed -e s/usr/etc/` echo "\nChecking config file "$etc_file"..." if [[ ! -f $etc_file ]]; then echo "Missing config file "$etc_file else cat $etc_file |grep 'dtsession\*saverTimeout:' cat $etc_file |grep 'dtsession\*lockTimeout:' fi done The above script should yield the following output: Checking config file /etc/dt/config/C/sys.resources... Missing config file /etc/dt/config/C/sys.resources Checking config file /etc/dt/config/POSIX/sys.resources... dtsession*saverTimeout: 15 dtsession*lockTimeout: 30 Checking config file /etc/dt/config/en_US/sys.resources... dtsession*saverTimeout: 15 dtsession*lockTimeout: 25 If the result of the script shows any config file missing, or any of the "dtsession*saverTimeout" or "dtsession*lockTimeout" values are greater than "15", this is a finding.

Fix: F-16514r294406_fix

From the command prompt, run the following script to set the default timeout parameters "dtsession*saverTimeout:" and "dtsession*lockTimeout:" as "15" minutes: for file in /usr/dt/config/*/sys.resources; do etc_file=`echo $file | sed -e s/usr/etc/` echo "\nupdating config file "$etc_file"..." if [[ ! -f $etc_file ]]; then dir=`dirname $file | sed -e s/usr/etc/` mkdir -p $dir echo 'dtsession*saverTimeout: 15' >> $dir/sys.resources echo 'dtsession*lockTimeout: 15' >> $dir/sys.resources else cp $etc_file $etc_file.bak cat $etc_file | grep -v 'dtsession\*saverTimeout:' > $etc_file.sav cat $etc_file.sav | grep -v 'dtsession\*lockTimeout:' > $etc_file echo 'dtsession*saverTimeout: 15' >> $etc_file echo 'dtsession*lockTimeout: 15' >> $etc_file fi done

b

AIX must set inactivity time-out on login sessions and terminate all login sessions after 10 minutes of inactivity.

MA-4 - Medium - CCI-000879 - V-215320 - SV-215320r853481_rule

RMF Control

MA-4

Severity

M

CCI

CCI-000879

Version

AIX7-00-003003

Vuln IDs

V-215320
V-91493

Rule IDs

SV-215320r853481_rule
SV-101591

Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. If a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at AIX level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that AIX terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000279-GPOS-00109, SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066

Checks: C-16518r294411_chk

Check if "TMOUT" and "TIMEOUT" environment variables are set to "600" (in seconds) in "/etc/profile" file: # grep -E " TMOUT|TIMEOUT" /etc/profile readonly TMOUT=600; readonly TIMEOUT=600; export TMOUT TIMEOUT If they are not set in "/etc/profile" file, are commented out, or their values are greater than "600", this is a finding.

Fix: F-16516r294412_fix

Add or update the following line in the "/etc/profile" file: readonly TMOUT=600; readonly TIMEOUT=600; export TMOUT TIMEOUT

b

AIX SSH private host key files must have mode 0600 or less permissive.

IA-5 - Medium - CCI-000186 - V-215321 - SV-215321r508663_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000186

Version

AIX7-00-003004

Vuln IDs

V-215321
V-91279

Rule IDs

SV-215321r508663_rule
SV-101377

If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.

Checks: C-16519r294414_chk

Check the permissions for SSH private host key files: # ls -lL /etc/ssh/*key The above command should yield the following output: -rw------- 1 root system 668 Jan 18 2017 /etc/ssh/ssh_host_dsa_key -rw------- 1 root system 227 Jan 18 2017 /etc/ssh/ssh_host_ecdsa_key -rw------- 1 root system 965 Jan 18 2017 /etc/ssh/ssh_host_key -rw------- 1 root system 1675 Jan 18 2017 /etc/ssh/ssh_host_rsa_key If any file has a mode more permissive than "0600", this is a finding.

Fix: F-16517r294415_fix

Change the permissions for the SSH private host key files: # chmod 0600 /etc/ssh/*key

c

AIX must disable /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/rexec and /usr/bin/telnet commands.

IA-5 - High - CCI-000197 - V-215322 - SV-215322r877396_rule

RMF Control

IA-5

Severity

H

CCI

Version

AIX7-00-003005

Vuln IDs

V-215322
V-91295

Rule IDs

SV-215322r877396_rule
SV-101393

The listed applications permit the transmission of passwords in plain text. Alternative applications such as SSH, which encrypt data, should be use instead.

Checks: C-16520r294417_chk

From the command prompt, execute the following commands: # ls -l /usr/bin/rcp | awk '{print $1}' # ls -l /usr/bin/rlogin | awk '{print $1}' # ls -l /usr/bin/rsh | awk '{print $1}' # ls -l /usr/bin/telnet | awk '{print $1}' # ls -l /usr/bin/rexec | awk '{print $1}' Each of the above commands should return with the following permissions: ---------- If the permissions are more permissive, this is a finding.

Fix: F-16518r294418_fix

Use the chmod command to remove all permissions on these commands: # chmod ugo= /usr/bin/rcp # chmod ugo= /usr/bin/rlogin # chmod ugo= /usr/bin/rsh # chmod ugo= /usr/bin/rexec # chmod ugo= /usr/bin/telnet

b

AIX log files must have mode 0640 or less permissive.

SI-11 - Medium - CCI-001314 - V-215323 - SV-215323r508663_rule

RMF Control

SI-11

Severity

M

CCI

Version

AIX7-00-003006

Vuln IDs

V-215323
V-91451

Rule IDs

SV-215323r508663_rule
SV-101549

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-16521r294420_chk

Check the mode of log files: # ls -lL /var/log /var/log/syslog /var/adm /var/adm: total 376 drw-r----- 2 root system 256 Jan 24 12:31 SRC drwx------ 4 root system 256 Jan 24 07:28 config -rw-r----- 1 root system 1081 Jan 24 09:05 dev_pkg.fail -rw-r----- 1 root system 250 Jan 24 09:05 dev_pkg.success -rw------- 1 root system 64 Jan 24 09:43 sulog drwxr-xr-x 3 root system 256 Jan 24 12:28 sw drwx------ 2 root system 256 Jan 24 08:06 wpars /var/log: total 8 drwxr-xr-x 2 root system 256 Jan 24 08:44 aso -rw-r----- 1 root system 603 Jan 24 10:30 cache_mgt.dr.log If any of the log files have modes more permissive than "0640", this is a finding. NOTE: Do not confuse system logfiles with audit logs. Any subsystems that require less stringent permissions must be documented.

Fix: F-16519r294421_fix

Change the mode of the system log file(s) to "0640" or less permissive: # chmod 0640 /path/to/system-log-file

b

AIX log files must not have extended ACLs, except as needed to support authorized software.

SI-11 - Medium - CCI-001314 - V-215324 - SV-215324r508663_rule

RMF Control

SI-11

Severity

M

CCI

Version

AIX7-00-003007

Vuln IDs

V-215324
V-91457

Rule IDs

SV-215324r508663_rule
SV-101555

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-16522r294423_chk

With the assistance of the system administrator, identify all of the system log files. For each system log file identified, verify that extended ACL's are disabled: #aclget <system_log_file> * * ACL_type AIXC * attributes: base permissions owner(root): rw- group(system): r-- others: r-- extended permissions disabled If "extended permissions" is set to "enabled" and is not documented, this is a finding.

Fix: F-16520r294424_fix

Remove the extended ACL(s) from the system log file(s): # acledit <system_log_file> Set "extended permissions" to "disabled".

b

All system command files must not have extended ACLs.

CM-5 - Medium - CCI-001499 - V-215325 - SV-215325r508663_rule

RMF Control

CM-5

Severity

M

CCI

Version

AIX7-00-003009

Vuln IDs

V-215325
V-91479

Rule IDs

SV-215325r508663_rule
SV-101577

Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default system executables and files present in directories included in the system's default executable search paths.

Checks: C-16523r294426_chk

Verify all system command files have no extended ACLs by running the following commands: # aclget /etc # aclget /bin # aclget /usr/bin # aclget /usr/lbin # aclget /usr/ucb # aclget /sbin # aclget /usr/sbin If any of the command files have extended permissions enabled, this is a finding.

Fix: F-16521r294427_fix

Remove the extended ACL(s) from the system command file(s) and set the extended permissions to disabled by running the following command: # acledit [command-path ]/[ command-file]

b

All library files must not have extended ACLs.

CM-5 - Medium - CCI-001499 - V-215326 - SV-215326r508663_rule

RMF Control

CM-5

Severity

M

CCI

Version

AIX7-00-003010

Vuln IDs

V-215326
V-91481

Rule IDs

SV-215326r508663_rule
SV-101579

Unauthorized access could destroy the integrity of the library files.

Checks: C-16524r294429_chk

The following system library directories need to be checked: /usr/lib/security/ /usr/lib/methods/ Determine if any system library file has an extended ACL by running the follow script: find /usr/lib/security /usr/lib/methods/ -type f | while read file do aclget -o /tmp/111.acl $file > /dev/null 2>&1 if [ $? -eq 0 ]; then grep -e "[[:space:]]enabled$" /tmp/111.acl > /dev/null 2>&1 if [ $? -eq 0 ]; then echo "$file has ACL" fi fi done If the above script yield any output, this is a finding.

Fix: F-16522r294430_fix

Remove the extended ACL(s) from the system library file(s) and disable extended permissions using the follow script: find /usr/lib/security /usr/lib/methods/ -type f | while read file do aclget -o /tmp/111.acl $file > /dev/null 2>&1 if [ $? -eq 0 ]; then grep -e "[[:space:]]enabled$" /tmp/111.acl > /dev/null 2>&1 if [ $? -eq 0 ]; then echo "Removing ACL from "$file cat /tmp/111.acl | head -n9 > /tmp/222.acl echo " disabled" >> /tmp/222.acl aclput -i /tmp/222.acl $file fi fi done

b

AIX passwd.nntp file must have mode 0600 or less permissive.

CM-6 - Medium - CCI-000366 - V-215327 - SV-215327r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003013

Vuln IDs

V-215327
V-91599

Rule IDs

SV-215327r508663_rule
SV-101697

File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users.

Checks: C-16525r294432_chk

If NNTP is not being used, this is Not Applicable. Check passwd.nntp file permissions using command: # find / -name passwd.nntp -exec ls -lL {} \; The above command may yield the following output: -rw------- 1 root system 19 Oct 16 10:46 /etc/news/passwd.nntp If a "passwd.nntp" file has a mode more permissive than "0600", this is a finding.

Fix: F-16523r294433_fix

Change the mode of all the found passwd.nntp files that have mode more permissive than "0600" using command: # chmod 0600 <passwd.nntp_file>

b

The AIX /etc/group file must not have an extended ACL.

CM-6 - Medium - CCI-000366 - V-215328 - SV-215328r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003015

Vuln IDs

V-215328
V-91617

Rule IDs

SV-215328r508663_rule
SV-101715

The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Checks: C-16526r294435_chk

Check the ACL of the "/etc/group" file: # aclget /etc/group The above command should yield the following output: * * ACL_type AIXC * attributes: base permissions owner(root): rw- group(security): r-- others: r-- extended permissions disabled If the extended ACL are not "disabled", this is a finding.

Fix: F-16524r294436_fix

Remove the extended ACL from the "/etc/group" using command: # acledit /etc/group

b

The AIX ldd command must be disabled.

CM-6 - Medium - CCI-000366 - V-215329 - SV-215329r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003016

Vuln IDs

V-215329
V-91619

Rule IDs

SV-215329r508663_rule
SV-101717

The ldd command provides a list of dependent libraries needed by a given binary, which is useful for troubleshooting software. Instead of parsing the binary file, some ldd implementations invoke the program with a special environment variable set, which causes the system dynamic linker to display the list of libraries. Specially crafted binaries can specify an alternate dynamic linker which may cause a program to be executed instead of examined. If the program is from an untrusted source, such as in a user home directory, or a file suspected of involvement in a system compromise, unauthorized software may be executed with the rights of the user running ldd.

Checks: C-16527r294438_chk

Consult vendor documentation concerning the "ldd" command. If the command provides protection from the execution of untrusted executables, this is not a finding. Determine the location of the system's "ldd" command: # find / -name ldd If no file exists, this is not a finding. Check the permissions of the found "ldd" file: # ls -lL <path to ldd> ---------- 1 bin bin 6289 Feb 28 2017 /usr/bin/ldd If the file mode of the file is more permissive than "0000", this is a finding

Fix: F-16525r294439_fix

Disable the "ldd" command by removing its permissions using command: # chmod 0000 <path to ldd>

b

AIX NFS server must be configured to restrict file system access to local hosts.

CM-6 - Medium - CCI-000366 - V-215330 - SV-215330r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003017

Vuln IDs

V-215330
V-91643

Rule IDs

SV-215330r508663_rule
SV-101741

The NFS access option limits user access to the specified level. This assists in protecting exported file systems. If access is not restricted, unauthorized hosts may be able to access the system's NFS exports.

Checks: C-16528r294441_chk

Check the permissions on exported NFS file systems by running command: # exportfs -v /export/shared -ro,access=10.17.76.74 If the exported file systems do not contain the "rw" or "ro" options specifying a list of hosts or networks, this is a finding.

Fix: F-16526r294442_fix

Edit "/etc/exports" and add "ro" and/or "rw" options (as appropriate) specifying a list of hosts or networks which are permitted access. Re-export the file systems: # /usr/sbin/exportfs -a

b

All AIX users home directories must have mode 0750 or less permissive.

CM-6 - Medium - CCI-000366 - V-215331 - SV-215331r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003018

Vuln IDs

V-215331
V-91759

Rule IDs

SV-215331r508663_rule
SV-101857

Excessive permissions on home directories allow unauthorized access to user files.

Checks: C-16529r294444_chk

Check the home directory mode of each interactive user in "/etc/passwd": #cut -d : -f 6 /etc/passwd | xargs -n1 ls -ld | more drwxr-xr-x 20 root system 4096 Jan 28 13:46 / drwxr-xr-x 33 root system 8192 Jan 28 13:51 /etc lrwxrwxrwx 1 bin bin 8 Jan 24 07:23 /bin -> /usr/bin drwxrwxr-x 4 bin bin 256 Mar 23 2017 /usr/sys drwxrwxr-x 15 root adm 4096 Jan 24 12:26 /var/adm drwxr-xr-x 2 root sys 4096 Jan 24 08:43 /usr/lib/uucp drwxr-xr-x 6 root system 4096 Jan 24 07:34 /var/adm/invscout drwxr-xr-x 3 ipsec ipsec 256 Jan 24 08:43 /etc/ipsec drwxr-xr-x 2 sshd system 256 Aug 11 2017 /home/srvproxy drwxr-xr-x 8 esaadmin system 256 Jan 24 09:02 /var/esa drwxr-x--- 2 doejohn staff 256 Jan 25 13:18 /home/doejohn If an interactive user's home directory's mode is more permissive than "0750", this is a finding. NOTE: Application directories are allowed and may need "0755" permissions (or greater) for correct operation.

Fix: F-16527r294445_fix

Change the mode of interactive users' home directories to "0750" or less permissive using the following command: # chmod 0750 <home directory>

b

The AIX user home directories must not have extended ACLs.

CM-6 - Medium - CCI-000366 - V-215332 - SV-215332r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003019

Vuln IDs

V-215332
V-91767

Rule IDs

SV-215332r508663_rule
SV-101865

Excessive permissions on home directories allow unauthorized access to user files.

Checks: C-16530r294447_chk

Verify user home directories have no extended ACLs using command: # cat /etc/passwd | cut -f 6,6 -d ":" | xargs -n1 aclget * * ACL_type AIXC * attributes: base permissions owner(root): rwx group(system): r-x others: r--- extended permissions disabled If extended permissions are not disabled, this is a finding.

Fix: F-16528r294448_fix

Remove the extended ACL from the user home directory and disable extended permissions: # acledit <directory>

b

AIX must use Trusted Execution (TE) Check policy.

AC-3 - Medium - CCI-002165 - V-215333 - SV-215333r853482_rule

RMF Control

AC-3

Severity

M

CCI

CCI-002165

Version

AIX7-00-003020

Vuln IDs

V-215333
V-91509

Rule IDs

SV-215333r853482_rule
SV-101607

Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

Checks: C-16531r294450_chk

Run the following command to show the current status of the "TE", "CHKEXEC", and "CHKKERNEXT" on the system: # trustchk -p 2>&1 | egrep -e "TE=|CHKEXEC|CHKKERNEXT" The above command should yield the following output: TE=ON CHKEXEC=ON CHKKERNEXT=ON If "TE", "CHKEXEC", or "CHKKERNEXT" is "OFF", this is a finding.

Fix: F-16529r294451_fix

Run the following command to turn on the all parts of Trusted Execution (TE): # trustchk -p TE=on CHKEXEC=on CHKKERNEXT=on

c

AIX must disable trivial file transfer protocol.

CM-5 - High - CCI-001814 - V-215334 - SV-215334r853483_rule

RMF Control

CM-5

Severity

H

CCI

CCI-001814

Version

AIX7-00-003022

Vuln IDs

V-215334
V-91531

Rule IDs

SV-215334r853483_rule
SV-101629

Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.

Checks: C-16532r294453_chk

From the command prompt, execute the following command: # grep "^tftp[[:blank:]]" /etc/inetd.conf If there is any output from the command, it is a finding.

Fix: F-16530r294454_fix

In "/etc/inetd.conf", comment out the "tftp" entry: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'tftp' -p 'udp' Restart inetd: # refresh -s inetd

b

AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

CM-7 - Medium - CCI-001764 - V-215335 - SV-215335r853484_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001764

Version

AIX7-00-003025

Vuln IDs

V-215335
V-91535

Rule IDs

SV-215335r853484_rule
SV-101633

Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at AIX-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of white-listed software occurs prior to execution or at system startup. This requirement applies to operating system programs, functions, and services designed to manage system processes and configurations (e.g., group policies). Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155

Checks: C-16533r294456_chk

Run the following command to show the current status of the "TE" running on the system: # trustchk -p The above command should yield the following output: TE=ON If the output is "TE=OFF", this is a finding.

Fix: F-16531r294457_fix

Run the following command to turn on Trusted Execution: # trustchk -p TE=ON

b

AIX must remove all software components after updated versions have been installed.

SI-2 - Medium - CCI-002617 - V-215336 - SV-215336r853485_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002617

Version

AIX7-00-003028

Vuln IDs

V-215336
V-91563

Rule IDs

SV-215336r853485_rule
SV-101661

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.

Checks: C-16534r294459_chk

Run the following command to check any installed components that are in APPLY state: # lslpp -cl | grep :APPLIED: If the command returns any entries, this is a finding.

Fix: F-16532r294460_fix

Run the following command to commit any applied components: # installp -c all

b

AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt.

CM-6 - Medium - CCI-000366 - V-215337 - SV-215337r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003029

Vuln IDs

V-215337
V-91569

Rule IDs

SV-215337r508663_rule
SV-101667

Limiting the number of login attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Checks: C-16535r294462_chk

From the command prompt, run the following command to check the default "logindelay" value: # lssec -f /etc/security/login.cfg -s default -a logindelay The above command should yield the following output: default logindelay=4 If the above command displays the "logindelay" value less than "4", this is a finding.

Fix: F-16533r294463_fix

From the command prompt, run the following command to set "logindelay=4" for the default stanza in "/etc/security/login.cfg": # chsec -f /etc/security/login.cfg -s default -a logindelay=4

b

AIX system must restrict the ability to switch to the root user to members of a defined group.

CM-6 - Medium - CCI-000366 - V-215338 - SV-215338r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003030

Vuln IDs

V-215338
V-91581

Rule IDs

SV-215338r508663_rule
SV-101679

Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials.

Checks: C-16536r294465_chk

Examine the "sugroups" of the root user. Generally only users in the adm group should have su to root capacity. Run the following command: # lsuser -a sugroups root root sugroups=system,staff,security If "sugroups" is blank or "ALL", this is a finding.

Fix: F-16534r294466_fix

Use the "chsec" command to only allow users in the adm group to su to root: # chsec -f /etc/security/user -s root -a sugroups=adm

b

All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.

CM-6 - Medium - CCI-000366 - V-215339 - SV-215339r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003033

Vuln IDs

V-215339
V-91625

Rule IDs

SV-215339r508663_rule
SV-101723

If a user is assigned the GID of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended rights to the group.

Checks: C-16537r294468_chk

Verify that there are no GIDs referenced in "/etc/passwd" that are not defined in "/etc/group": # cut -d: -f4 /etc/passwd 0 1 2 3 4 203 204 # cut -d: -f3 /etc/group 0 1 2 3 4 203 204 If there are GID's listed in the "/etc/passwd" file that are not listed in the "/etc/group" file, this is a finding.

Fix: F-16535r294469_fix

Add a group to the system for each GID referenced without a corresponding group by running "mkgroup" command.

b

All AIX files and directories must have a valid owner.

CM-6 - Medium - CCI-000366 - V-215340 - SV-215340r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003034

Vuln IDs

V-215340
V-91627

Rule IDs

SV-215340r508663_rule
SV-101725

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Checks: C-16538r294471_chk

Check the system for files with no assigned owner using the following command: # find / -nouser -print If any files have no assigned owner, this is a finding.

Fix: F-16536r294472_fix

All directories and files (executable and data) will have an identifiable owner and group name. Either trace files to an authorized user, change the file's owner to "root", or delete them. Determine the legitimate owner of the files and use the "chown" command to set the owner and group to the correct value. If the legitimate owner cannot be determined, change the owner to "root" (but make sure none of the changed files remain executable because they could be trojan horses or other malicious code). Examine the files to determine their origin and the reason for their lack of an owner/group. From the command prompt, run the following command to set the owner and/or group on a file: # chown <a-valid-user>.<a-valid-group> <directory>/<file>

b

The sticky bit must be set on all public directories on AIX systems.

CM-6 - Medium - CCI-000366 - V-215341 - SV-215341r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003035

Vuln IDs

V-215341
V-91629

Rule IDs

SV-215341r508663_rule
SV-101727

Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage - such as /tmp - and for directories requiring global read/write access.

Checks: C-16539r294474_chk

Verify all world-writable directories have the sticky bit set by running the command: # find / -type d -perm -002 ! -perm -1000 > wwlist # cat wwlist If any directories are listed in the "wwlist" file, this is a finding.

Fix: F-16537r294475_fix

Set the sticky bit on all public directories, such as: # chmod 1777 /tmp (Replace /tmp with the public directory missing the sticky bit, if necessary.)

b

The AIX global initialization files must contain the mesg -n or mesg n commands.

CM-6 - Medium - CCI-000366 - V-215342 - SV-215342r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003036

Vuln IDs

V-215342
V-91631

Rule IDs

SV-215342r508663_rule
SV-101729

Command "mesg -n" allows only the root user the permission to send messages to your workstation to avoid having others clutter your display with incoming messages.

Checks: C-16540r294477_chk

Check global initialization files for the presence of "mesg n" command by running: # grep "mesg" /etc/profile /etc/environment /etc/security/environ /etc/security/.profile /etc/csh.login /etc/csh.cshrc /etc/profile:mesg n /etc/environment:mesg n If any global initialization file does not contain "mesg n", or it contains the "mesg y" command, this is a finding.

Fix: F-16538r294478_fix

Edit the global initialization files that do not contain "mesg n" command and add the following line to the initialization files: mesg n

b

The AIX hosts.lpd file must not contain a + character.

CM-6 - Medium - CCI-000366 - V-215343 - SV-215343r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003037

Vuln IDs

V-215343
V-91633

Rule IDs

SV-215343r508663_rule
SV-101731

Having the '+' character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources.

Checks: C-16541r294480_chk

Look for the presence of a print service configuration file by running the following commands: # find /etc -name hosts.lpd -print # find /etc -name Systems -print # find /etc -name printers.conf If none of the files are found, this is not applicable. Otherwise, examine the configuration file by running: # more <print service file> | grep "+" @+hamlet +lear @+prospero If any lines are found that contain only a "+" character, this is a finding.

Fix: F-16539r294481_fix

Remove the "+" entries from the "hosts.lpd" (or equivalent) file.

b

AIX sendmail logging must not be set to less than nine in the sendmail.cf file.

CM-6 - Medium - CCI-000366 - V-215344 - SV-215344r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003038

Vuln IDs

V-215344
V-91635

Rule IDs

SV-215344r508663_rule
SV-101733

If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the sendmail service.

Checks: C-16542r294483_chk

Check if "Sendmail" logging is set to level "9" by running command: # grep "^O LogLevel" /etc/mail/sendmail.cf O LogLevel=9 If logging is set to less than "9", this is a finding.

Fix: F-16540r294484_fix

Edit /etc/mail/sendmail.cf file, locate the "O LogLevel" line, or add a new line if necessary, and change the log level to "9". The new LogLevel line should be: O LogLevel=9

b

AIX run control scripts executable search paths must contain only absolute paths.

CM-6 - Medium - CCI-000366 - V-215345 - SV-215345r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003039

Vuln IDs

V-215345
V-91637

Rule IDs

SV-215345r508663_rule
SV-101735

The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands.

Checks: C-16543r294486_chk

Verify run control scripts' library search paths by running: # grep -r PATH /etc/rc* /etc/rc:PATH=/usr/sbin:/usr/bin:/usr/ucb:/etc /etc/rc:export PATH ODMDIR /etc/rc.C2:export PATH=/usr/bin:/etc:/usr/sbin:/sbin:/usr/ucb /etc/rc.CC:export PATH=/usr/bin:/etc:/usr/sbin:/sbin:/usr/ucb /etc/rc.bsdnet:export PATH=/usr/bin:/usr/sbin:$PATH This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/) or other than "$PATH", it is a relative path, this is a finding.

Fix: F-16541r294487_fix

Edit the run control script and remove the relative path entry from the executable search path variable.

c

The AIX rsh daemon must be disabled.

IA-5 - High - CCI-000197 - V-215346 - SV-215346r877396_rule

RMF Control

IA-5

Severity

H

CCI

Version

AIX7-00-003040

Vuln IDs

V-215346
V-91299

Rule IDs

SV-215346r877396_rule
SV-101397

The rsh daemon permits username and passwords to be passed over the network in clear text.

Checks: C-16544r294489_chk

From the command prompt, run the following command: # grep -v "^#" /etc/inetd.conf |grep rshd The above command may show the daemon is enabled like this: shell stream tcp6 nowait root /usr/sbin/rshd rshd If the above grep command returned a line that contains "rshd", this is a finding.

Fix: F-16542r294490_fix

Edit the "/etc/inetd.conf" file and comment out the "rshd" service. Restart the inetd service: # refresh -s inetd

c

The AIX rlogind service must be disabled.

IA-5 - High - CCI-000197 - V-215347 - SV-215347r877396_rule

RMF Control

IA-5

Severity

H

CCI

Version

AIX7-00-003041

Vuln IDs

V-215347
V-91301

Rule IDs

SV-215347r877396_rule
SV-101399

The rlogin daemon permits username and passwords to be passed over the network in clear text.

Checks: C-16545r294492_chk

Determine if the "rlogind" service is running by running the following command: # grep -v "^#" /etc/inetd.conf |grep rlogin If the above grep command returned a line that contains "rlogin", this is a finding.

Fix: F-16543r294493_fix

Disable the rlogind service by editing the "'etc/inetd.conf" file. # vi /etc/inetd.conf Comment out the "rlogind" service. Restart the inetd service: # refresh -s inetd

b

The AIX qdaemon must be disabled if local or remote printing is not required.

CM-7 - Medium - CCI-000381 - V-215348 - SV-215348r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003042

Vuln IDs

V-215348
V-91321

Rule IDs

SV-215348r508663_rule
SV-101419

The qdaemon program is the printing scheduling daemon that manages the submission of print jobs to the piobe service. To prevent remote attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16546r294495_chk

From the command prompt, execute the following command: # lsitab qdaemon If the command yields any output, this is a finding.

Fix: F-16544r294496_fix

In "/etc/inittab", remove the "qdaemon" entry by running the following command: # rmitab qdaemon To request the init command to re-examine the "/etc/inittab" file, enter: # telinit q

b

If AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215349 - SV-215349r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003043

Vuln IDs

V-215349
V-91323

Rule IDs

SV-215349r508663_rule
SV-101421

The lpd daemon accepts remote print jobs from other systems. To prevent remote attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16547r294498_chk

From the command prompt, execute the following command: # lsitab lpd If the command yields any output, this is a finding.

Fix: F-16545r294499_fix

In "/etc/inittab", remove the "lpd" entry by running the following command: # rmitab lpd To request the init command to re-examine the "/etc/inittab" file, enter: # telinit q

b

If AIX system does not support either local or remote printing, the piobe service must be disabled.

CM-7 - Medium - CCI-000381 - V-215350 - SV-215350r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003044

Vuln IDs

V-215350
V-91325

Rule IDs

SV-215350r508663_rule
SV-101423

The piobe daemon is the I/O back end for the printing process, handling the job scheduling and spooling. To prevent remote attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16548r294501_chk

From the command prompt, execute the following command: # lsitab piobe If the command yields any output, this is a finding.

Fix: F-16546r294502_fix

In "/etc/inittab", remove the "piobe" entry by running the following command: # rmitab piobe To request the init command to re-examine the "/etc/inittab" file, enter: # telinit q

b

If there are no X11 clients that require CDE on AIX, the dt service must be disabled.

CM-7 - Medium - CCI-000381 - V-215351 - SV-215351r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003045

Vuln IDs

V-215351
V-91327

Rule IDs

SV-215351r508663_rule
SV-101425

This entry executes the CDE startup script which starts the AIX Common Desktop Environment. To prevent attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16549r294504_chk

From the command prompt, execute the following command: # lsitab dt If the command yields any output, this is a finding.

Fix: F-16547r294505_fix

In "/etc/inittab", remove the "dt" entry by running the following command: # rmitab dt To request the init command to re-examine the "/etc/inittab" file, enter: # telinit q

b

If NFS is not required on AIX, the NFS daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215352 - SV-215352r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003046

Vuln IDs

V-215352
V-91329

Rule IDs

SV-215352r508663_rule
SV-101427

The rcnfs entry starts the NFS daemons during system boot. NFS is a service with numerous historical vulnerabilities and should not be enabled unless there is no alternative. If NFS serving is required, then read-only exports are recommended and no filesystem or directory should be exported with root access. Unless otherwise required the NFS daemons (rcnfs) will be disabled.

Checks: C-16550r294507_chk

From the command prompt, execute the following command: # lsitab rcnfs If the command yields any output, this is a finding.

Fix: F-16548r294508_fix

In "/etc/inittab", remove the "rcnfs" entry by running the following command: # rmitab rcnfs To request the init command to re-examine the "/etc/inittab" file, enter: # telinit q

b

If sendmail is not required on AIX, the sendmail service must be disabled.

CM-7 - Medium - CCI-000381 - V-215353 - SV-215353r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003047

Vuln IDs

V-215353
V-91331

Rule IDs

SV-215353r508663_rule
SV-101429

The sendmail service has many historical vulnerabilities and, where possible, should be disabled. If the system is not required to operate as a mail server i.e. sending, receiving or processing e-mail, disable the sendmail daemon.

Checks: C-16551r294510_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/lib/sendmail" /etc/rc.tcpip If the above command produces any output, this is a finding.

Fix: F-16549r294511_fix

In "/etc/rc.tcpip", comment out the "sendmail" entry by running command: # chrctcp -d sendmail

b

If SNMP is not required on AIX, the snmpd service must be disabled.

CM-7 - Medium - CCI-000381 - V-215354 - SV-215354r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003048

Vuln IDs

V-215354
V-91333

Rule IDs

SV-215354r508663_rule
SV-101431

The snmpd daemon is used by many 3rd party applications to monitor the health of the system. This allows remote monitoring of network and server configuration. To prevent remote attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16552r294513_chk

Verify there is no "snmpd" service running on the AIX by doing the following: From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/snmpd" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16550r294514_fix

In "/etc/rc.tcpip", comment out the "snmpd" entry by running command: # chrctcp -d snmpd

b

The AIX DHCP client must be disabled.

CM-6 - Medium - CCI-000366 - V-215355 - SV-215355r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003049

Vuln IDs

V-215355
V-91335

Rule IDs

SV-215355r508663_rule
SV-101433

The dhcpcd daemon receives address and configuration information from the DHCP server. DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. To prevent remote attacks this daemon should not be enabled unless there is no alternative. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227

Checks: C-16553r294516_chk

If the DHCP client is needed by the system and is documented, this is Not Applicable. Determine if the DHCP client is running: # ps -ef |grep dhcpcd If "dhcpcd" is running, this is a finding. Verify that DHCP is disabled on startup: # grep "^start[[:blank:]]/usr/sbin/dhcpcd" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16551r294517_fix

Disable the system's DHCP client. In "/etc/rc.tcpip", comment out the "dhcpcd" entry by running command: # chrctcp -d dhcpcd Reboot the system to ensure the DHCP client has been disabled fully. Configure a static IP for the system, if network connectivity is required.

b

If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215356 - SV-215356r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003050

Vuln IDs

V-215356
V-91337

Rule IDs

SV-215356r508663_rule
SV-101435

The dhcprd daemon listens for broadcast packets, receives them, and forwards them to the appropriate server. To prevent remote attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16554r294519_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/dhcprd" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16552r294520_fix

In "/etc/rc.tcpip", comment out the "dhcprd" entry by running command: # chrctcp -d dhcprd

b

If IPv6 is not utilized on AIX server, the autoconf6 daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215357 - SV-215357r513945_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003051

Vuln IDs

V-215357
V-91341

Rule IDs

SV-215357r513945_rule
SV-101439

"autoconf6" is used to automatically configure IPv6 interfaces at boot time. Running this service may allow other hosts on the same physical subnet to connect via IPv6, even when the network does not support it. Disable this unless you use IPv6 on the server.

Checks: C-16555r569497_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/autoconf6" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16553r569498_fix

In "/etc/rc.tcpip", comment out the "autoconf6" entry by running command: # chrctcp -d autoconf6

b

If AIX server is not functioning as a network router, the gated daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215358 - SV-215358r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003052

Vuln IDs

V-215358
V-91343

Rule IDs

SV-215358r508663_rule
SV-101441

This daemon provides gateway routing functions for protocols such as RIP and SNMP. To prevent remote attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16556r294525_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/gated" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16554r294526_fix

In "/etc/rc.tcpip", comment out the "gated" entry by running command: # chrctcp -d gated

b

If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215359 - SV-215359r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003053

Vuln IDs

V-215359
V-91345

Rule IDs

SV-215359r508663_rule
SV-101443

This daemon is an implementation of the multicast routing protocol. To prevent remote attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16557r294528_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/mrouted" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16555r294529_fix

In "/etc/rc.tcpip", comment out the "mrouted" entry by running command: # chrctcp -d mrouted

b

If AIX server is not functioning as a DNS server, the named daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215360 - SV-215360r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003054

Vuln IDs

V-215360
V-91347

Rule IDs

SV-215360r508663_rule
SV-101445

This is the server for the DNS protocol and controls domain name resolution for its clients. To prevent attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16558r294531_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/named" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16556r294532_fix

In "/etc/rc.tcpip", comment out the "named" entry by running command: # chrctcp -d named

b

If AIX server is not functioning as a network router, the routed daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215361 - SV-215361r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003055

Vuln IDs

V-215361
V-91349

Rule IDs

SV-215361r508663_rule
SV-101447

The routed daemon manages the network routing tables in the kernel. To prevent attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16559r294534_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/routed" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16557r294535_fix

In "/etc/rc.tcpip", comment out the "routed" entry by running command: # chrctcp -d routed

b

If rwhod is not required on AIX, the rwhod daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215362 - SV-215362r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003056

Vuln IDs

V-215362
V-91351

Rule IDs

SV-215362r508663_rule
SV-101449

This is the remote WHO service. To prevent remote attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16560r294537_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/rwhod" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16558r294538_fix

In "/etc/rc.tcpip", comment out the "rwhod" entry by running command: # chrctcp -d rwhod

b

The timed daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215363 - SV-215363r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003057

Vuln IDs

V-215363
V-91353

Rule IDs

SV-215363r508663_rule
SV-101451

This is the old UNIX time service. The timed daemon is the old UNIX time service. Disable this service and use xntp, if time synchronization is required in the environment.

Checks: C-16561r294540_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/timed" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16559r294541_fix

In "/etc/rc.tcpip", comment out the "timed" entry by running command: # chrctcp -d timed

b

If AIX server does not host an SNMP agent, the dpid2 daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215364 - SV-215364r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003058

Vuln IDs

V-215364
V-91355

Rule IDs

SV-215364r508663_rule
SV-101453

The dpid2 daemon acts as a protocol converter, which enables DPI (SNMP v2) sub-agents, such as hostmibd, to talk to a SNMP v1 agent that follows SNMP MUX protocol. To prevent attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16562r294543_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/dpid2" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16560r294544_fix

In "/etc/rc.tcpip", comment out the "dpid2" entry by running command: # chrctcp -d dpid2

b

If SNMP is not required on AIX, the snmpmibd daemon must be disabled.

CM-7 - Medium - CCI-000381 - V-215365 - SV-215365r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003060

Vuln IDs

V-215365
V-91359

Rule IDs

SV-215365r508663_rule
SV-101457

The snmpmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. If snmpd is not required, it is recommended that it is disabled.

Checks: C-16563r294546_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/snmpmibd" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16561r294547_fix

In "/etc/rc.tcpip", comment out the "snmpmibd" entry by running command: # chrctcp -d snmpmibd

b

The aixmibd daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215366 - SV-215366r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003061

Vuln IDs

V-215366
V-91361

Rule IDs

SV-215366r508663_rule
SV-101459

The aixmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. To prevent attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16564r294549_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/aixmibd" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16562r294550_fix

In "/etc/rc.tcpip", comment out the "aixmibd" entry by running command: # chrctcp -d aixmibd

b

The ndpd-host daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215367 - SV-215367r808440_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003062

Vuln IDs

V-215367
V-91363

Rule IDs

SV-215367r808440_rule
SV-101461

This is the Neighbor Discovery Protocol (NDP) daemon, required in IPv6. The ndpd-host is the NDP daemon for the server. Unless the server utilizes IPv6, this is not required and should be disabled to prevent attacks.

Checks: C-16565r808439_chk

If the system is using IPv6, this is Not Applicable. From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/ndpd-host" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16563r294553_fix

In "/etc/rc.tcpip", comment out the "ndpd-host" entry by running command: # chrctcp -d ndpd-host

b

The ndpd-router must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215368 - SV-215368r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003063

Vuln IDs

V-215368
V-91365

Rule IDs

SV-215368r508663_rule
SV-101463

This manages the Neighbor Discovery Protocol (NDP) for non-kernel activities, required in IPv6. The ndpd-router manages NDP for non-kernel activities. Unless the server utilizes IPv6, this is not required and should be disabled to prevent attacks.

Checks: C-16566r294555_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/ndpd-router" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16564r294556_fix

In "/etc/rc.tcpip", comment out the "ndpd-router" entry by running command: # chrctcp -d ndpd-router

b

The daytime daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215369 - SV-215369r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003064

Vuln IDs

V-215369
V-91367

Rule IDs

SV-215369r508663_rule
SV-101465

The daytime service provides the current date and time to other servers on a network. This daytime service is a defunct time service, typically used for testing purposes only. The service should be disabled as it can leave the system vulnerable to DoS ping attacks.

Checks: C-16567r294558_chk

From the command prompt, execute the following command: # grep "^daytime[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16565r294559_fix

In "/etc/inetd.conf", comment out the "daytime" entries by running commands: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'daytime' -p 'tcp' # chsubserver -r inetd -C /etc/inetd.conf -d -v 'daytime' -p 'udp' Restart inetd: # refresh -s inetd

b

The cmsd daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215370 - SV-215370r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003065

Vuln IDs

V-215370
V-91369

Rule IDs

SV-215370r508663_rule
SV-101467

This is a calendar and appointment service for CDE. The cmsd service is utilized by CDE to provide calendar functionality. If CDE is not required, this service should be disabled to prevent attacks.

Checks: C-16568r294561_chk

From the command prompt, execute the following command: # grep "^#cmsd[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16566r294562_fix

In "/etc/inetd.conf", comment out the "cmsd" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'cmsd' -p 'sunrpc_udp' Restart inetd: # refresh -s inetd

b

The ttdbserver daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215371 - SV-215371r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003066

Vuln IDs

V-215371
V-91371

Rule IDs

SV-215371r508663_rule
SV-101469

The ttdbserver service is the tool-talk database service for CDE. This service runs as root and should be disabled. Unless required the ttdbserver service will be disabled to prevent attacks.

Checks: C-16569r294564_chk

From the command prompt, execute the following command: # grep "^#ttdbserver[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16567r294565_fix

In "/etc/inetd.conf", comment out the "ttdbserver" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'ttdbserver' -p 'sunrpc_tcp' Restart inetd: # refresh -s inetd

b

The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215372 - SV-215372r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003067

Vuln IDs

V-215372
V-91373

Rule IDs

SV-215372r508663_rule
SV-101471

This service facilitates file copying between networked servers. The uucp (UNIX to UNIX Copy Program), service allows users to copy files between networked machines. Unless an application or process requires UUCP this should be disabled to prevent attacks.

Checks: C-16570r294567_chk

From the command prompt, execute the following command: # grep "^uucp[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16568r294568_fix

In "/etc/inetd.conf", comment out the "uucp" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'uucp' -p 'tcp' Restart inetd: # refresh -s inetd

b

The time daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215373 - SV-215373r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003068

Vuln IDs

V-215373
V-91375

Rule IDs

SV-215373r508663_rule
SV-101473

This service can be used to synchronize system clocks. The time service is an obsolete process used to synchronize system clocks at boot time. This has been superseded by NTP, which should be used if time synchronization is necessary. Unless required the time service must be disabled.

Checks: C-16571r294570_chk

From the command prompt, execute the following command: # grep "^time[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16569r294571_fix

In "/etc/inetd.conf", comment out the "time" entries by running commands: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'time' -p 'udp' # chsubserver -r inetd -C /etc/inetd.conf -d -v 'time' -p 'tcp' Restart inetd: # refresh -s inetd

b

The talk daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215374 - SV-215374r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003069

Vuln IDs

V-215374
V-91377

Rule IDs

SV-215374r508663_rule
SV-101475

This talk service is used to establish an interactive two-way communication link between two UNIX users. Unless required the talk service will be disabled to prevent attacks.

Checks: C-16572r294573_chk

From the command prompt, execute the following command: # grep "^talk[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16570r294574_fix

In "/etc/inetd.conf", comment out the "talkd" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'talk' -p 'udp' Restart inetd: # refresh -s inetd

c

The ntalk daemon must be disabled on AIX.

CM-7 - High - CCI-000381 - V-215375 - SV-215375r508663_rule

RMF Control

CM-7

Severity

H

CCI

Version

AIX7-00-003070

Vuln IDs

V-215375
V-91379

Rule IDs

SV-215375r508663_rule
SV-101477

This service establishes a two-way communication link between two users, either locally or remotely. Unless required the ntalk service will be disabled to prevent attacks.

Checks: C-16573r294576_chk

From the command prompt, execute the following command: # grep "^ntalk[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16571r294577_fix

In "/etc/inetd.conf", comment out the "ntalk" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'ntalk' -p 'udp' Restart inetd: # refresh -s inetd

b

The chargen daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215376 - SV-215376r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003071

Vuln IDs

V-215376
V-91381

Rule IDs

SV-215376r508663_rule
SV-101479

This service is used to test the integrity of TCP/IP packets arriving at the destination. This chargen service is a character generator service and is used for testing the integrity of TCP/IP packets arriving at the destination. An attacker may spoof packets between machines running the chargen service and thus provide an opportunity for DoS attacks. Disable this service to prevent attacks unless testing the network.

Checks: C-16574r294579_chk

From the command prompt, execute the following command: # grep "^chargen[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16572r294580_fix

In "/etc/inetd.conf", comment out the "chargen" entries by running commands: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'chargen' -p 'tcp' # chsubserver -r inetd -C /etc/inetd.conf -d -v 'chargen' -p 'udp' Restart inetd: # refresh -s inetd

b

The discard daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215377 - SV-215377r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003072

Vuln IDs

V-215377
V-91383

Rule IDs

SV-215377r508663_rule
SV-101481

The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it receives. This is a /dev/null service and is obsolete. This can be used in DoS attacks and therefore, must be disabled to prevent attacks.

Checks: C-16575r294582_chk

From the command prompt, execute the following command: # grep "^discard[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16573r294583_fix

In "/etc/inetd.conf", comment out the "discard" entries by running commands: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'discard' -p 'tcp' # chsubserver -r inetd -C /etc/inetd.conf -d -v 'discard' -p 'udp' Restart inetd: # refresh -s inetd

b

The dtspc daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215378 - SV-215378r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003073

Vuln IDs

V-215378
V-91385

Rule IDs

SV-215378r508663_rule
SV-101483

The dtspc service deals with the CDE interface of the X11 daemon. It is started automatically by the inetd daemon in response to a CDE client requesting a process to be started on the daemon's host. This makes it vulnerable to buffer overflow attacks, which may allow an attacker to gain root privileges on a host. This service must be disabled unless it is absolutely required.

Checks: C-16576r294585_chk

From the command prompt, execute the following command: # grep "^dtspc[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16574r294586_fix

In "/etc/inetd.conf", comment out the "dtspc" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'dtspc' -p 'tcp' Restart inetd: # refresh -s inetd

b

The pcnfsd daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215379 - SV-215379r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003074

Vuln IDs

V-215379
V-91387

Rule IDs

SV-215379r508663_rule
SV-101485

The pcnfsd service is an authentication and printing program, which uses NFS to provide file transfer services. This service is vulnerable and exploitable and permits the machine to be compromised both locally and remotely. If PC NFS clients are required within the environment, Samba is recommended as an alternative software solution. The pcnfsd daemon predates Microsoft's release of SMB specifications. This service should therefore be disabled to prevent attacks.

Checks: C-16577r294588_chk

From the command prompt, execute the following command: # grep "^pcnfsd[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16575r294589_fix

In "/etc/inetd.conf", comment out the "pcnfsd" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'pcnfsd' -p 'udp' Restart inetd: # refresh -s inetd

b

The rstatd daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215380 - SV-215380r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003075

Vuln IDs

V-215380
V-91389

Rule IDs

SV-215380r508663_rule
SV-101487

The rstatd service is used to provide kernel statistics and other monitorable parameters pertinent to the system such as: CPU usage, system uptime, network usage etc. An attacker may use this information in a DoS attack. This service should be disabled.

Checks: C-16578r294591_chk

From the command prompt, execute the following command: # grep "^rstatd[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16576r294592_fix

In "/etc/inetd.conf", comment out the "rstatd" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'rstatd' -p 'udp' Restart inetd: # refresh -s inetd

b

The rusersd daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215381 - SV-215381r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003076

Vuln IDs

V-215381
V-91391

Rule IDs

SV-215381r508663_rule
SV-101489

The rusersd service runs as root and provides a list of current users active on a system. An attacker may use this service to learn valid account names on the system. This is not an essential service and should be disabled.

Checks: C-16579r294594_chk

From the command prompt, execute the following command: # grep "^rusersd[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16577r294595_fix

In "/etc/inetd.conf", comment out the "rusersd" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'rusersd' -p 'udp' Restart inetd: # refresh -s inetd

b

The sprayd daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215382 - SV-215382r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003077

Vuln IDs

V-215382
V-91395

Rule IDs

SV-215382r508663_rule
SV-101493

The sprayd service is used as a tool to generate UDP packets for testing and diagnosing network problems. The service must be disabled if NFS is not in use, as it can be used by attackers in a Distributed Denial of Service (DDoS) attack.

Checks: C-16580r294597_chk

From the command prompt, execute the following command: # grep "^sprayd[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16578r294598_fix

In "/etc/inetd.conf", comment out the "sprayd" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'sprayd' -p 'udp' Restart inetd: # refresh -s inetd

b

The klogin daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215383 - SV-215383r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003078

Vuln IDs

V-215383
V-91397

Rule IDs

SV-215383r508663_rule
SV-101495

The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the network. However, it is still not as secure as SSH, which encrypts all traffic. If using klogin to log in to a system, the password is not sent in clear text; however, if using "su" to another user, that password exchange is open to detection from network-sniffing programs. The recommendation is to use SSH wherever possible instead of klogin. If the klogin service is used, use the latest Kerberos version available and make sure that all the latest patches are installed.

Checks: C-16581r294600_chk

From the command prompt, execute the following command: # grep "^klogin[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16579r294601_fix

In "/etc/inetd.conf", comment out the "klogin" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'klogin' -p 'tcp' Restart inetd: # refresh -s inetd

b

The kshell daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215384 - SV-215384r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003079

Vuln IDs

V-215384
V-91399

Rule IDs

SV-215384r508663_rule
SV-101497

The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted communications. The recommendation is to use SSH wherever possible instead of kshell. If the kshell service is used, you should use the latest Kerberos version available and must make sure that all the latest patches are installed.

Checks: C-16582r294603_chk

From the command prompt, execute the following command: # grep "^kshell[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16580r294604_fix

In "/etc/inetd.conf", comment out the "kshell" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'kshell' -p 'tcp' Restart inetd: # refresh -s inetd

b

The rquotad daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215385 - SV-215385r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003080

Vuln IDs

V-215385
V-91401

Rule IDs

SV-215385r508663_rule
SV-101499

The rquotad service allows NFS clients to enforce disk quotas on file systems that are mounted on the local system. This service should be disabled if to prevent attacks.

Checks: C-16583r294606_chk

From the command prompt, execute the following command: # grep "^rquotad[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16581r294607_fix

In "/etc/inetd.conf", comment out the "rquotad" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'rquotad' -p 'udp' Restart inetd: # refresh -s inetd

b

The tftp daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215386 - SV-215386r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003081

Vuln IDs

V-215386
V-91403

Rule IDs

SV-215386r508663_rule
SV-101501

The tftp service allows remote systems to download or upload files to the tftp server without any authentication. It is therefore a service that should not run, unless needed. One of the main reasons for requiring this service to be activated is if the host is a NIM master. However, the service can be enabled and then disabled once a NIM operation has completed, rather than left running permanently.

Checks: C-16584r294609_chk

From the command prompt, execute the following command: # grep "^tftp[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16582r294610_fix

In "/etc/inetd.conf", comment out the "tftp" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'tftp' -p 'udp' Restart inetd: # refresh -s inetd

b

The imap2 service must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215387 - SV-215387r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003082

Vuln IDs

V-215387
V-91405

Rule IDs

SV-215387r508663_rule
SV-101503

The imap2 service or Internet Message Access Protocol (IMAP) supports the IMAP4 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not required to prevent attacks.

Checks: C-16585r294612_chk

From the command prompt, execute the following command: # grep "^imap2[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16583r294613_fix

In "/etc/inetd.conf", comment out the "imap2" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'imap2' -p 'tcp' Restart inetd: # refresh -s inetd

b

The pop3 daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215388 - SV-215388r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003083

Vuln IDs

V-215388
V-91407

Rule IDs

SV-215388r508663_rule
SV-101505

The pop3 service provides a pop3 server. It supports the pop3 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not required to prevent attacks.

Checks: C-16586r294615_chk

From the command prompt, execute the following command: # grep "^pop3[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16584r294616_fix

In "/etc/inetd.conf", comment out the "pop3" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'pop3' -p 'tcp' Restart inetd: # refresh -s inetd

b

The finger daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215389 - SV-215389r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003084

Vuln IDs

V-215389
V-91409

Rule IDs

SV-215389r508663_rule
SV-101507

The fingerd daemon provides the server function for the finger command. This allows users to view real-time pertinent user login information on other remote systems. This service should be disabled as it may provide an attacker with a valid user list to target.

Checks: C-16587r294618_chk

From the command prompt, execute the following command: # grep "^finger[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16585r294619_fix

In "/etc/inetd.conf", comment out the "finger" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'finger' -p 'tcp' Restart inetd: # refresh -s inetd

b

The instsrv daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215390 - SV-215390r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003085

Vuln IDs

V-215390
V-91411

Rule IDs

SV-215390r508663_rule
SV-101509

The instsrv service is part of the Network Installation Tools, used for servicing servers running AIX 3.2. This service should be disabled to prevent attacks.

Checks: C-16588r294621_chk

From the command prompt, execute the following command: # grep "^instsrv[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16586r294622_fix

In "/etc/inetd.conf", comment out the "instsrv" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'instsrv' -p 'tcp' Restart inetd: # refresh -s inetd

b

The echo daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215391 - SV-215391r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003086

Vuln IDs

V-215391
V-91413

Rule IDs

SV-215391r508663_rule
SV-101511

The echo service can be used in Denial of Service or SMURF attacks. It can also be used by someone else to get through a firewall or start a data storm. The echo service is unnecessary and it increases the attack vector of the system.

Checks: C-16589r294624_chk

Check the /etc/inetd.conf for TCP and UDP echo service entries using command: # grep echo /etc/inetd.conf | grep -v \# If there is any output from the command, this is a finding.

Fix: F-16587r294625_fix

In "/etc/inetd.conf", comment out the "echo" entries by running commands: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'echo' -p 'tcp' # chsubserver -r inetd -C /etc/inetd.conf -d -v 'echo' -p 'udp' Restart inetd: # refresh -s inetd

b

The Internet Network News (INN) server must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215392 - SV-215392r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003087

Vuln IDs

V-215392
V-91415

Rule IDs

SV-215392r508663_rule
SV-101513

Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to transfer information from the Usenet to the server and from the server to authorized remote hosts. If this function is necessary to support a valid mission requirement, its use must be authorized and approved in the system accreditation package.

Checks: C-16590r294627_chk

From the command prompt, run the following command: # ps -ef | egrep "innd|nntpd" If the above command produced any result, this is a finding. Check if "innd" or "nntpd" is started from "/etc/onetd.conf" using the following command: # egrep "innd|nntpd" /etc/inetd.conf | grep -v ^# If the above command produced any result, this is a finding. Check if "innd" or "nntpd" is added as a subsystem to the System Resource Controller (SRC): # lssrc -s innd # lssrc -s nntpd If the above commands found that "innd" or "nntpd" is defined in SRC, this is a finding.

Fix: F-16588r294628_fix

To stop "innd" or "nntpd" from running, use the following commands: # stopsrc -s innd # stopsrc -s nntpd Some versions of "innd" and "nntpd" need the following commands to stop them: # kill -1 [innd_pid] # kill -1 [nntpd_pid] To remove "innd" and 'nntpd" from SRC, run the following commands: # rmssys -s innd # rmssys -s nntpd To stop running "innd" and "nntpd" from "/etc/inetd.conf", comment out the "innd" and "nntpd" lines in "/etc/inetd.conf", then refresh the "inetd": # refresh -s inetd

b

If Stream Control Transmission Protocol (SCTP) must be disabled on AIX.

CM-7 - Medium - CCI-000382 - V-215393 - SV-215393r508663_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

AIX7-00-003088

Vuln IDs

V-215393
V-91417

Rule IDs

SV-215393r508663_rule
SV-101515

The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the system to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-16591r294630_chk

Check the system to determine if SCTP is installed: # lslpp -L bos.net.sctp Fileset Level State Type Description (Uninstaller) ---------------------------------------------------------------------------- lslpp: 0504-132 Fileset bos.net.sctp not installed. If the "bos.net.sctp" fileset is not listed, SCTP is not installed, this is not a finding. If the "bos.net.sctp" fileset is listed then SCTP is installed, this is a finding.

Fix: F-16589r294631_fix

If SCTP is installed, unload it from the kernel and uninstall it from the system using the following commands: # sctpctrl unload # installp -ug bos.net.sctp

b

The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX.

CM-7 - Medium - CCI-000382 - V-215394 - SV-215394r508663_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

AIX7-00-003089

Vuln IDs

V-215394
V-91419

Rule IDs

SV-215394r508663_rule
SV-101517

The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the system to dynamically load a protocol handler by opening a socket using the protocol. AIX has RDS protocol installed as part of the 'bos.net.tcp.client' fileset. The RDS protocol in primarily used for communication on INFI-Band interfaces. The protocol is manually loaded with the bypassctrl command. To prevent possible attacks this protocol must be disabled unless required.

Checks: C-16592r294633_chk

Determine if RDS is currently loaded: # genkex | grep rds If there is any output from the command, this is a finding.

Fix: F-16590r294634_fix

Configure the system to not automatically load the RDS protocol handler. Check startup scripts for "bypasscrtl load rds" and comment out the "bypassctrl" commands. Unload the driver from the kernel: # bypassctrl unload rds

b

If automated file system mounting tool is not required on AIX, it must be disabled.

IA-3 - Medium - CCI-001958 - V-215395 - SV-215395r853486_rule

RMF Control

IA-3

Severity

M

CCI

CCI-001958

Version

AIX7-00-003090

Vuln IDs

V-215395
V-91543

Rule IDs

SV-215395r853486_rule
SV-101641

Automated file system mounting tools may provide unprivileged users with the ability to access local media and network shares. If this access is not necessary for the system’s operation, it must be disabled to reduce the risk of unauthorized access to these resources.

Checks: C-16593r294636_chk

Determine if the system uses "automated" by using command: # lssrc -s automountd Subsystem Group PID Status automountd autofs inoperative If the automountd process is active, this is a finding.

Fix: F-16591r294637_fix

Disable the automated file system mounting tools. Empty the /etc/auto_master file. From the command prompt, run the following command: # stopsrc -s automountd

b

AIX process core dumps must be disabled.

CM-6 - Medium - CCI-000366 - V-215396 - SV-215396r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003093

Vuln IDs

V-215396
V-91673

Rule IDs

SV-215396r508663_rule
SV-101771

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Checks: C-16594r294639_chk

From the command prompt, run the following command: # lsuser -a core ALL root core=0 daemon core=0 bin core=0 sys core=0 adm core=0 uucp core=0 snapp core=0 ipsec core=0 srvproxy core=0 esaadmin core=0 sshd core=0 doejohn core=0 If any user does not have a value of "core = 0", this is a finding.

Fix: F-16592r294640_fix

Run command: # chsec -f /etc/security/limits -s default -a core=0

b

AIX kernel core dumps must be disabled unless needed.

CM-6 - Medium - CCI-000366 - V-215397 - SV-215397r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003094

Vuln IDs

V-215397
V-91703

Rule IDs

SV-215397r508663_rule
SV-101801

Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial of Service by exhausting the available space on the target file system. The kernel core dump process may increase the amount of time a system is unavailable due to a crash. Kernel core dumps can be useful for kernel debugging.

Checks: C-16595r294642_chk

Determine if kernel core dumps are enabled on the system using command: # sysdumpdev -l primary /dev/sysdumpnull secondary /dev/sysdumpnull Look at both the primary and secondary dump devices. If either the primary or secondary dump device is not "/dev/sysdumpnull", this is a finding.

Fix: F-16593r294643_fix

Disable kernel core dumps on the system by setting primary and secondary dump devices to "sysdumpnull" by running following commands: # sysdumpdev -P -p /dev/sysdumpnull # sysdumpdev -P -s /dev/sysdumpnull

b

AIX must set Stack Execution Disable (SED) system wide mode to all.

CM-6 - Medium - CCI-000366 - V-215398 - SV-215398r853487_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003096

Vuln IDs

V-215398
V-91443

Rule IDs

SV-215398r853487_rule
SV-101541

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Satisfies: SRG-OS-000142-GPOS-00071, SRG-OS-000480-GPOS-00227, SRG-OS-000433-GPOS-00192

Checks: C-16596r294645_chk

From the command prompt, run the following command to display SED systemwide mode: # sedmgr Stack Execution Disable (SED) mode: all SED configured in kernel: all If the above command shows a systemwide SED mode other than "all", this is a finding.

Fix: F-16594r294646_fix

From the command prompt, run the following command to set the SED systemwide mode to select: # sedmgr -m all AIX has to be rebooted for the new SED mode to take effect.

b

AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces.

SC-5 - Medium - CCI-002385 - V-215399 - SV-215399r853488_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

AIX7-00-003097

Vuln IDs

V-215399
V-91559

Rule IDs

SV-215399r853488_rule
SV-101657

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of AIX to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

Checks: C-16597r294648_chk

Check to see if bos.net.tcp.client_core package is installed: # lslpp -l | grep bos.net.tcp.client_core bos.net.tcp.client_core 7.2.1.1 COMMITTED TCP/IP Client Core Support bos.net.tcp.client_core 7.2.1.1 COMMITTED TCP/IP Client Core Support If the packages are not "COMMITTED", this is a finding. Check that the value set for "clean_partial_conns" is "1": # /usr/sbin/no -o clean_partial_conns clean_partial_conns = 1 If the value returned is "0", this is a finding.

Fix: F-16595r294649_fix

Make sure "bos.net.tcp.client_core" package is installed on the system. Set the Network performance tuning attribute value for "clean_partial_connections to "1" to avoid SYN attacks. # /usr/sbin/no -o clean_partial_conns=1

b

AIX must allow admins to send a message to all the users who logged in currently.

AC-3 - Medium - CCI-002164 - V-215400 - SV-215400r853489_rule

RMF Control

AC-3

Severity

M

CCI

CCI-002164

Version

AIX7-00-003098

Vuln IDs

V-215400
V-91505

Rule IDs

SV-215400r853489_rule
SV-101603

Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

Checks: C-16598r294651_chk

Run following command to see if wall command is installed: # ls -al /usr/sbin/wall If "/usr/sbin/wall" does not exist, this is a finding.

Fix: F-16596r294652_fix

Install the "bos.rte.misc_cmds" package from AIX DVD Volume 1 using the following command (assuming that the DVD device is /dev/cd0): # installp -aXYgd /dev/cd0 -e /tmp/install.log bos.rte.misc_cmds

b

AIX must allow admins to send a message to a user who logged in currently.

AC-3 - Medium - CCI-002165 - V-215401 - SV-215401r853490_rule

RMF Control

AC-3

Severity

M

CCI

CCI-002165

Version

AIX7-00-003099

Vuln IDs

V-215401
V-91507

Rule IDs

SV-215401r853490_rule
SV-101605

Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

Checks: C-16599r294654_chk

Run following command to see if the "write" command is installed: # ls -al /usr/bin/write If "/usr/bin/write" does not exist, this is a finding.

Fix: F-16597r294655_fix

Install the "bos.rte.misc_cmds" package from AIX DVD Volume 1 using the following command (assuming that the DVD device is /dev/cd0): # installp -aXYgd /dev/cd0 -e /tmp/install.log bos.rte.misc_cmds

b

The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers.

AC-17 - Medium - CCI-000068 - V-215402 - SV-215402r877398_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000068

Version

AIX7-00-003100

Vuln IDs

V-215402
V-91243

Rule IDs

SV-215402r877398_rule
SV-101343

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.

Checks: C-16600r294657_chk

Check the SSH daemon configuration for allowed ciphers by running the following command: # grep -i ciphers /etc/ssh/sshd_config | grep -v '^#' The above command should yield the following output: Ciphers aes128-ctr,aes192-ctr,aes256-ctr If any of the following conditions are true, this is a finding. 1. No line is returned (default ciphers); 2. The returned ciphers list contains any cipher not starting with aes; 3. The returned ciphers list contains any cipher ending with cbc.

Fix: F-16598r294658_fix

Edit the "/etc/ssh/sshd_config" file and add or edit a "Ciphers" line like this: Ciphers aes128-ctr,aes192-ctr,aes256-ctr Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

c

The AIX system must have no .netrc files on the system.

IA-5 - High - CCI-000196 - V-215403 - SV-215403r877397_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000196

Version

AIX7-00-003101

Vuln IDs

V-215403
V-91289

Rule IDs

SV-215403r877397_rule
SV-101387

Unencrypted passwords for remote FTP servers may be stored in .netrc files. Policy requires passwords be encrypted in storage and not used in access scripts.

Checks: C-16601r294660_chk

Check the system for the existence of any ".netrc" files by running the following command: # find / -name .netrc If any ".netrc" file exists, this is a finding.

Fix: F-16599r294661_fix

Remove all ".netrc" file(s): # find / -name .netrc -exec rm {} \;

b

AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.

AC-3 - Medium - CCI-000213 - V-215404 - SV-215404r853491_rule

RMF Control

AC-3

Severity

M

CCI

CCI-000213

Version

AIX7-00-003102

Vuln IDs

V-215404
V-91319

Rule IDs

SV-215404r853491_rule
SV-101417

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code. Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. Operating system functionality will vary, and while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages, such as from an approved software repository. AIX or software configuration management utility must enforce control of software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000134-GPOS-00068, SRG-OS-000312-GPOS-00123, SRG-OS-000362-GPOS-00149

Checks: C-16602r569500_chk

Run the following command to retrieve the system RBAC mode: # lsattr -E -l sys0 -a enhanced_RBAC enhanced_RBAC true Enhanced RBAC Mode If the RBAC mode is not "true", this is a finding.

Fix: F-16600r569501_fix

Enable the enhanced RBAC mode by running the following command: # chdev -l sys0 -a enhanced_RBAC=true Reboot the system: # reboot

b

If DHCP server is not required on AIX, the DHCP server must be disabled.

CM-7 - Medium - CCI-000381 - V-215405 - SV-215405r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003104

Vuln IDs

V-215405
V-91339

Rule IDs

SV-215405r508663_rule
SV-101437

The dhcpsd daemon is the DHCP server that serves addresses and configuration information to DHCP clients in the network. To prevent remote attacks this daemon should not be enabled unless there is no alternative.

Checks: C-16603r294666_chk

From the command prompt, execute the following command: # grep "^start[[:blank:]]/usr/sbin/dhcpsd" /etc/rc.tcpip If there is any output from the command, this is a finding.

Fix: F-16601r294667_fix

In "/etc/rc.tcpip", comment out the "dhcpsd" entry by running command: # chrctcp -d dhcpsd

b

The rwalld daemon must be disabled on AIX.

CM-7 - Medium - CCI-000381 - V-215406 - SV-215406r508663_rule

RMF Control

CM-7

Severity

M

CCI

Version

AIX7-00-003105

Vuln IDs

V-215406
V-91393

Rule IDs

SV-215406r508663_rule
SV-101491

The rwalld service allows remote users to broadcast system wide messages. The service runs as root and should be disabled unless absolutely necessary to prevent attacks.

Checks: C-16604r294669_chk

From the command prompt, execute the following command: # grep "^rwalld[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix: F-16602r294670_fix

In "/etc/inetd.conf", comment out the "rwalld" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'rwalld' -p 'udp' Restart inetd: # refresh -s inetd

b

In the event of a system failure, AIX must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.

SC-24 - Medium - CCI-001665 - V-215407 - SV-215407r508663_rule

RMF Control

SC-24

Severity

M

CCI

CCI-001665

Version

AIX7-00-003109

Vuln IDs

V-215407
V-91487

Rule IDs

SV-215407r508663_rule
SV-101585

Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving operating system state information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes.

Checks: C-16605r294672_chk

To display the current dump device settings enter the following command: #sysdumpdev -l primary /dev/lg_dumplv secondary /dev/sysdumpnull copy directory /var/adm/ras forced copy flag TRUE always allow dump FALSE dump compression ON type of dump fw-assisted full memory dump disallow If the primary device and copy directory is not configured, this is a finding.

Fix: F-16603r294673_fix

The "sysdumpdev" command should be used to configure dump device. #sysdumpdev -p "Primary dump device" #sysdumpdev -d <directory> Note: The "-d <directory> " specifies the directory the device is copied to at boot time.

b

The /etc/shells file must exist on AIX systems.

CM-6 - Medium - CCI-000366 - V-215408 - SV-215408r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003110

Vuln IDs

V-215408
V-91639

Rule IDs

SV-215408r508663_rule
SV-101737

The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized unsecure shell.

Checks: C-16606r294675_chk

AIX ships the following shells that should be considered as "approved" shells: /bin/sh /bin/bsh /bin/csh /bin/ksh /bin/tsh /bin/ksh93 /usr/bin/sh /usr/bin/bsh /usr/bin/csh /usr/bin/ksh /usr/bin/tsh /usr/bin/ksh93 /usr/bin/rksh /usr/bin/rksh93 /usr/sbin/uucp/uucico /usr/sbin/sliplogin /usr/sbin/snappd ISSO/SA may install other shells. Ask ISSO/SA for other approved shells other than the shells shipped by AIX. Check if file "/etc/shells" exists by running: # ls -la /etc/shells rw-r--r-- 1 bin bin 111 Jun 01 2015 /etc/shells If "/etc/shells" file does not exist, this is a finding. Verify that "/etc/shells" only contains approved shells: # cat /etc/shells /bin/csh /bin/ksh /bin/psh /bin/tsh /bin/bsh /usr/bin/csh /usr/bin/ksh /usr/bin/tsh /usr/bin/bsh If "/etc/shells" file contains a non-approved shell, this is a finding. Check "/etc/security/login.cfg" for the shells attribute value of "usw:" stanza: # lssec -f /etc/security/login.cfg -s usw -a shells usw shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd If the shells attribute value does not exist or is empty, this is a finding. If the returned shells attribute value contains a shell that is not defined in "/etc/shells" file, this is a finding. If the returned shells attribute value contains a non-approved shell, this is a finding.

Fix: F-16604r294676_fix

Run the following command to set shells attribute for stanza usw in "/etc/security/login.cfg": # chsec -f /etc/security/login.cfg -s usw -a shells=<list of approved shells separated by comma> Create the "/etc/shells" file and add all approved shells there, one shell per line: # vi /etc/shells Change the ownership and mode-bit of "/etc/shells": # chown bin.bin /etc/shells # chmod 644 /etc/shells

b

AIX public directories must be the only world-writable directories and world-writable files must be located only in public directories.

CM-6 - Medium - CCI-000366 - V-215409 - SV-215409r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003111

Vuln IDs

V-215409
V-91645

Rule IDs

SV-215409r508663_rule
SV-101743

World-writable files and directories make it easy for a malicious user to place potentially compromising files on the system. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage (e.g., /tmp) and for directories requiring global read/write access.

Checks: C-16607r294678_chk

Check the system for world-writable files and directories by running command: # find / -perm -2 -a $ -type d -o -type f $ -exec ls -ld {} \; If any world-writable files or directories are located, except those required for proper system or application operation, such as "/tmp" and "/dev/null", this is a finding.

Fix: F-16605r294679_fix

Remove or change the mode for any world-writable file or directory on the system that is not required to be world-writable by running command: # chmod o-w <file/directory> Document all changes.

b

AIX must be configured to only boot from the system boot device.

CM-6 - Medium - CCI-000366 - V-215410 - SV-215410r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003112

Vuln IDs

V-215410
V-91647

Rule IDs

SV-215410r508663_rule
SV-101745

The ability to boot from removable media is the same as being able to boot into single user or maintenance mode without a password. This ability could allow a malicious user to boot the system and perform changes possibly compromising or damaging the system. It could also allow the system to be used for malicious purposes by a malicious anonymous user.

Checks: C-16608r294681_chk

Determine if the system is configured to boot from devices other than the system startup media by running command: # bootlist -m normal -o The returned values should be "hdisk{x}". If the system is setup to boot from a non-hard disk device, this is a finding. Additionally, ask the SA if the machine is setup for "multi-boot" in the SMS application. If multi-boot is enabled, the firmware will stop at boot time and request which image to boot from the user. If "multi-boot" is enabled, this is a finding.

Fix: F-16606r294682_fix

Configure the system to only boot from system startup media: # bootlist -m normal hdisk<x> Set "multi-boot" to "off" in the SMS application.

b

AIX must not use removable media as the boot loader.

CM-6 - Medium - CCI-000366 - V-215411 - SV-215411r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003113

Vuln IDs

V-215411
V-91649

Rule IDs

SV-215411r508663_rule
SV-101747

Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.

Checks: C-16609r294684_chk

Check the servers boot lists for the "normal", "service", "both", or "prevboot" modes by command: # bootlist -m <mode> -o Ensure "hdisk{x}" is the only devices listed. If boot devices, such as "cd{x}", "fd{x}", "rmt{x}", or "ent{x}" are used, this is a finding.

Fix: F-16607r294685_fix

Configure the system to use a bootloader installed on fixed media, such as: # bootlist -m normal hdisk0 # bootlist -m service hdisk0

a

If the AIX host is running an SMTP service, the SMTP greeting must not provide version information.

CM-6 - Low - CCI-000366 - V-215412 - SV-215412r508663_rule

RMF Control

CM-6

Severity

L

CCI

Version

AIX7-00-003114

Vuln IDs

V-215412
V-91653

Rule IDs

SV-215412r508663_rule
SV-101751

The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version.

Checks: C-16610r294687_chk

If the AIX host is not running an SMTP service, this is Not Applicable. Check the value of the "SmtpGreetingMessage" parameter in the "sendmail.cf" file: # grep SmtpGreetingMessage /etc/mail/sendmail.cf If the value of the "SmtpGreetingMessage" parameter contains the "$v" or "$Z" macros, this is a finding.

Fix: F-16608r294688_fix

Ensure "Sendmail" or its equivalent has been configured to mask the version information. If necessary, change the "O SmtpGreetingMessage" line in the "/etc/sendmail.cf" file from: O SmtpGreetingMessage=$j Sendmail $v/$Z; $b to: O SmtpGreetingMessage= Mail Server Ready ; $b

a

AIX must contain no .forward files.

CM-6 - Low - CCI-000366 - V-215413 - SV-215413r508663_rule

RMF Control

CM-6

Severity

L

CCI

Version

AIX7-00-003115

Vuln IDs

V-215413
V-91655

Rule IDs

SV-215413r508663_rule
SV-101753

The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops which could degrade system performance.

Checks: C-16611r294690_chk

Search for any ".forward" files on the system using command: # find / -name .forward -print If any ".forward" files are found on the system, this is a finding.

Fix: F-16609r294691_fix

Run the following command to remove all ".forward" files on the system: # find / -name .forward -exec rm -rf {} \;

b

The sendmail server must have the debug feature disabled on AIX systems.

CM-6 - Medium - CCI-000366 - V-215414 - SV-215414r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003116

Vuln IDs

V-215414
V-91661

Rule IDs

SV-215414r508663_rule
SV-101759

Debug mode is a feature present in older versions of Sendmail which, if not disabled, may allow an attacker to gain access to a system through the Sendmail service.

Checks: C-16612r294693_chk

Check the version of "sendmail" installed on the system using: # echo \$Z | /usr/sbin/sendmail -bt -d0 The above command should yield the following output: Version AIX7.2/8.14.4 Compiled with: DNSMAP LDAPMAP LDAP_REFERRALS LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB NIS NISPLUS PIPELINING SCANF USERDB USE_LDAP_INIT USE_TTYPATH XDEBUG If the "sendmail" reported version is less than "8.6", this is a finding.

Fix: F-16610r294694_fix

Obtain and install a more recent version of "Sendmail", which does not implement the DEBUG feature.

b

SMTP service must not have the EXPN or VRFY features active on AIX systems.

CM-6 - Medium - CCI-000366 - V-215415 - SV-215415r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003117

Vuln IDs

V-215415
V-91663

Rule IDs

SV-215415r508663_rule
SV-101761

The SMTP EXPN function allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. EXPN may also provide additional information concerning users on the system, such as the full names of account owners. The VRFY (Verify) command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. VRFY may provide additional information about users on the system, such as the full names of account owners.

Checks: C-16613r294696_chk

Check the "PrivacyOptions" parameter in "/etc/mail/sendmail.cf": # grep -v "^#" /etc/mail/sendmail.cf |grep -i privacyoptions The above command should yield the following output: O PrivacyOptions=goaway The "O PrivacyOptions" should have the "goaway" option (covering both noexpn and novrfy). If the "O PrivacyOptions" value does not contain "goaway", this is a finding.

Fix: F-16611r294697_fix

Edit the "sendmail.cf" file and add or edit the following line: O PrivacyOptions=goaway Restart the "Sendmail" service: # startsrc -s sendmail -a "-bd -q30m"

b

All global initialization file executable search paths must contain only absolute paths.

CM-6 - Medium - CCI-000366 - V-215416 - SV-215416r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003120

Vuln IDs

V-215416
V-91669

Rule IDs

SV-215416r508663_rule
SV-101767

Failure to restrict system access to authenticated users negatively impacts operating system security.

Checks: C-16614r294699_chk

Check the global initialization files' executable search paths using: # grep -i PATH /etc/profile /etc/bashrc /etc/csh.login /etc/csh.cshrc /etc/environment /etc/.login /etc/security/environ /etc/environment:PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java7_64/jre/bin:/usr/java7_64/bin /etc/environment:LOCPATH=/usr/lib/nls/loc /etc/environment:NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat:/usr/lib/nls/msg/%l.%c/%N:/usr/lib/nls/msg/%l.%c/%N.cat This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/) or other than "$PATH", it is a relative path, and this is a finding.

Fix: F-16612r294700_fix

Edit the global initialization file(s) with "PATH" variables containing relative paths. Edit the file and remove the relative path from the PATH variable.

b

The SMTP service HELP command must not be enabled on AIX.

CM-6 - Medium - CCI-000366 - V-215417 - SV-215417r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003122

Vuln IDs

V-215417
V-91675

Rule IDs

SV-215417r508663_rule
SV-101773

The HELP command should be disabled to mask version information. The version of the SMTP service software could be used by attackers to target vulnerabilities present in specific software versions.

Checks: C-16615r294702_chk

Run the following command to get the "HELP" file location: # grep "^O HelpFile" /etc/mail/sendmail.cf The above command should yield the following output: O HelpFile=/etc/mail/helpfile If the above command does not yield any output, this is not a finding. The "HELP" file should be referenced by the "HelpFile" option. Check to see if the "HELP" file exists: # ls <helpfile_path> If the "HELP" file exists, this is a finding.

Fix: F-16613r294703_fix

To disable the SMTP service HELP command remove the HELP file using command: # rm <helpfile_path>

b

NIS maps must be protected through hard-to-guess domain names on AIX.

CM-6 - Medium - CCI-000366 - V-215418 - SV-215418r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003123

Vuln IDs

V-215418
V-91683

Rule IDs

SV-215418r508663_rule
SV-101781

The use of hard-to-guess NIS domain names provides additional protection from unauthorized access to the NIS directory information.

Checks: C-16616r294705_chk

Check the domain name for NIS maps using command: # domainname If no ouput is returned or the name returned is simple to guess, such as the organization name, building, or room name, etc., this is a finding.

Fix: F-16614r294706_fix

Change the NIS domain name to a value difficult to guess. Consult vendor documentation for the required procedure.

b

The AIX systems access control program must be configured to grant or deny system access to specific hosts.

CM-6 - Medium - CCI-000366 - V-215419 - SV-215419r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003124

Vuln IDs

V-215419
V-91685

Rule IDs

SV-215419r508663_rule
SV-101783

If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.

Checks: C-16617r294708_chk

Check for the existence of the "/etc/hosts.allow" and "/etc/hosts.deny" files using commands: # ls -la /etc/hosts.allow -rw-r--r-- 1 root system 11 Jan 28 11:09 /etc/hosts.allow # ls -la /etc/hosts.deny -rw-r--r-- 1 root system 0 Jan 28 11:02 /etc/hosts.deny If either file does not exist, this is a finding. Check for the presence of a default deny entry using command: # grep -E "ALL:[[:blank:]]*ALL" /etc/hosts.deny ALL:ALL If the "ALL: ALL" entry is not present in the "/etc/hosts.deny" file, any TCP service from a host or network not matching other rules will be allowed access. If the entry is not in "/etc/hosts.deny", this is a finding.

Fix: F-16615r294709_fix

Edit the "/etc/hosts.allow" and "/etc/hosts.deny" files to configure access restrictions. Add "ALL: ALL" entry to "/etc/hosts.deny" file.

b

All AIX files and directories must have a valid group owner.

CM-6 - Medium - CCI-000366 - V-215420 - SV-215420r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003125

Vuln IDs

V-215420
V-91689

Rule IDs

SV-215420r508663_rule
SV-101787

Failure to restrict system access to authenticated users negatively impacts operating system security.

Checks: C-16618r294711_chk

Determine if any file on the system does not have a valid group owner using command: # find / -nogroup -print If any such files are found, this is a finding.

Fix: F-16616r294712_fix

Change the group owner for each file without a valid group owner using command: # chgrp <a-valid-group> /tmp/a-file-without-a-valid-group-owner

b

AIX control scripts library search paths must contain only absolute paths.

CM-6 - Medium - CCI-000366 - V-215421 - SV-215421r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003126

Vuln IDs

V-215421
V-91691

Rule IDs

SV-215421r508663_rule
SV-101789

The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is interpreted as the current working directory. Paths starting with a slash (/) are absolute paths.

Checks: C-16619r294714_chk

Verify run control scripts' library search paths: # grep -r LIBPATH /etc/rc* /etc/rc.teboot:export LIBPATH=/../usr/lib /etc/rc.teboot:export LIBPATH=/usr/lib This variable is formatted as a colon-separated list of paths. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/) or other than "$PATH", it is a relative path, and this is a finding.

Fix: F-16617r294715_fix

Edit run control scripts' library search "PATH" variables. Remove empty entries or entries that are not absolute paths.

b

The control script lists of preloaded libraries must contain only absolute paths on AIX systems.

CM-6 - Medium - CCI-000366 - V-215422 - SV-215422r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003127

Vuln IDs

V-215422
V-91693

Rule IDs

SV-215422r508663_rule
SV-101791

The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded.

Checks: C-16620r294717_chk

Verify run control scripts' library preload list using command: # grep -r LDR_PRELOAD /etc/rc* /etc/rc.teboot:export LDR_PRELOAD=/../usr/bin /etc/rc.teboot:export LDR_PRELOAD=/usr/bin This variable is formatted as a colon-separated list of paths. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/) or other than "$PATH", it is a relative path, and this is a finding.

Fix: F-16618r294718_fix

Edit the run control scripts' library preload list and remove relative paths.

b

The global initialization file lists of preloaded libraries must contain only absolute paths on AIX.

CM-6 - Medium - CCI-000366 - V-215423 - SV-215423r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003128

Vuln IDs

V-215423
V-91695

Rule IDs

SV-215423r508663_rule
SV-101793

The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded.

Checks: C-16621r294720_chk

Check the global initialization files' library preload list using command: # grep LDR_PRELOAD /etc/profile /etc/bashrc /etc/security/.login /etc/environment /etc/security/environ /etc/environment:LDR_PRELOAD=:/usr/bin/X11:/sbin:/usr/java7_64/jre/bin:/usr/java7_64/bin This variable is formatted as a colon-separated list of paths. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/) or other than "$PATH", it is a relative path, and this is a finding.

Fix: F-16619r294721_fix

Edit the global initialization files and remove the relative path entry from the library preload list variable 'LDR_PRELOAD'.

b

The local initialization file library search paths must contain only absolute paths on AIX.

CM-6 - Medium - CCI-000366 - V-215424 - SV-215424r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003129

Vuln IDs

V-215424
V-91697

Rule IDs

SV-215424r508663_rule
SV-101795

The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is interpreted as the current working directory.

Checks: C-16622r294723_chk

Identify local initialization files that have library search paths: # cat /etc/passwd | cut -f 1,1 -d ":" | xargs -n1 -IUSER sh -c 'grep -l LIB ~USER/.*' /root/.sh_history /home/doejohn/.profile /home/doejane/.profile For each file identified above, verify the search path contains only absolute paths: Note: The "LIBPATH" and "LD_LIBRARY_PATH" variables are formatted as a colon-separated list of directories. # cat <local_initilization_file> | grep -Ei 'lib|library' LD_LIBRARY_PATH=/usr/lib LIBPATH=/usr/lib If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/) or other than "$PATH", it is a relative path, and this is a finding.

Fix: F-16620r294724_fix

Edit the local initialization file(s) and remove the relative path entry from the library search path.

b

The local initialization file lists of preloaded libraries must contain only absolute paths on AIX.

CM-6 - Medium - CCI-000366 - V-215425 - SV-215425r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003130

Vuln IDs

V-215425
V-91699

Rule IDs

SV-215425r508663_rule
SV-101797

The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries.

Checks: C-16623r294726_chk

Identify local initialization files that have library search paths: # cat /etc/passwd | cut -f 1,1 -d ":" | xargs -n1 -IUSER sh -c 'grep -l LDR_PRELOAD ~USER/.*' /root/.sh_history /home/doejohn/.profile /home/doejane/.profile For each file identified above, verify the search path contains only absolute paths: Note: This variable is formatted as a colon-separated list of paths. # cat <local_initilization_file> | grep -Ei 'ldr|preload' LDR_PRELOAD=/usr/lib If the paths listed have not been documented and authorized by the ISSO/ISSM, this is a finding. If there is an empty entry, such as a leading or trailing colon, or two consecutive colons, this is a finding. If an entry begins with a character other than a slash (/) or other than "$PATH", it is a relative path, and this is a finding.

Fix: F-16621r294727_fix

Edit the local initialization file and remove the relative path entry from the library preload variable "LDR_PRELOAD".

b

AIX package management tool must be used daily to verify system software.

CM-6 - Medium - CCI-000366 - V-215426 - SV-215426r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003131

Vuln IDs

V-215426
V-91711

Rule IDs

SV-215426r508663_rule
SV-101809

Verification using the system package management tool can be used to determine that system software has not been tampered with. This requirement is not applicable to systems not using package management tools.

Checks: C-16624r294729_chk

Check the root crontab for a daily job invoking the system package management tool to verify the integrity of installed packages. From the command prompt, run the following command: # crontab -l | grep lppchk 55 22 * * * /lppchk.sh # Daily LPP check script If no such job exists, this is a finding.

Fix: F-16622r294730_fix

Add a job to the root crontab invoking the following system package management tool to verify the integrity of installed packages and email the result to root user. Run the following command to add the cron job: # crontab -e Within crontab command, add the following daily job to the cron table, then save the change: 0 23 * * * /usr/bin/lppchk -c > /tmp/111 2>&1; sendmail root < /tmp/111

b

The AIX DHCP client must not send dynamic DNS updates.

CM-6 - Medium - CCI-000366 - V-215427 - SV-215427r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003132

Vuln IDs

V-215427
V-91715

Rule IDs

SV-215427r508663_rule
SV-101813

Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.

Checks: C-16625r294732_chk

If AIX does not use DHCP client, this is Not Applicable. Determine if the system's DHCP client is configured to send dynamic DNS updates: # grep "^updateDNS" /etc/dhcpc.opt /etc/dhcpcd.ini If any lines are returned, this is a finding.

Fix: F-16623r294733_fix

Configure the system's DHCP client to not send dynamic DNS updates. Remove or comment-out "updateDNS" lines from the "/etc/dhcpcd.ini" and "/etc/dhcpc.opt" files.

b

AIX must not run any routing protocol daemons unless the system is a router.

CM-6 - Medium - CCI-000366 - V-215428 - SV-215428r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003133

Vuln IDs

V-215428
V-91717

Rule IDs

SV-215428r508663_rule
SV-101815

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Checks: C-16626r294735_chk

Fix: F-16624r294736_fix

Kill any routing protocol daemons by running the following command: # ps -ef |egrep '(ospf|route|bgp|zebra|quagga|gate)' | grep -v egrep | awk -F " " '{print $2}' | while read pid;do kill $pid;done

b

AIX must not process ICMP timestamp requests.

CM-6 - Medium - CCI-000366 - V-215429 - SV-215429r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003134

Vuln IDs

V-215429
V-91719

Rule IDs

SV-215429r508663_rule
SV-101817

The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system.

Checks: C-16627r294738_chk

From the command prompt, run the following command to check if "ipsec_v4" and "ipsec_v6" devices are active: # lsdev -Cc ipsec The above command should yield the following output: ipsec_v4 Available IP Version 4 Security Extension ipsec_v6 Available IP Version 6 Security Extension If "ipsec_v4" or "ipsec_v6" is not displayed, or it is not in "Available" state, this is a finding. Determine if the system is configured to respond to ICMP Timestamp requests using the following command: # lsfilt Beginning of IPv4 filter rules. Rule 1: Rule action : permit Source Address : 0.0.0.0 Source Mask : 0.0.0.0 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : no Protocol : udp Source Port : eq 4001 Destination Port : eq 4001 Scope : both Direction : both Logging control : no Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : yes Expiration Time : 0 Description : Default Rule Rule 2: *** Dynamic filter placement rule for IKE tunnels *** Logging control : no Rule 3: Rule action : deny Source Address : 0.0.0.0 Source Mask : 0.0.0.0 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : yes Protocol : icmp ICMP type : any 0 ICMP code : eq 13 Scope : both Direction : inbound Logging control : no Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : no Expiration Time : 0 Description : Rule 4: Rule action : deny Source Address : 0.0.0.0 Source Mask : 0.0.0.0 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : yes Protocol : icmp ICMP type : eq 14 ICMP code : any 0 Scope : both Direction : outbound Logging control : no Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : no Expiration Time : 0 Description : Rule 0: Rule action : permit Source Address : 0.0.0.0 Source Mask : 0.0.0.0 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : yes Protocol : all Source Port : any 0 Destination Port : any 0 Scope : both Direction : both Logging control : no Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : no Expiration Time : 0 Description : Default Rule End of IPv4 filter rules. If there is no rule blocking ICMP packet type of "13" and ICMP packet type of "14" (rule #3 and rule #4 above), this is a finding.

Fix: F-16625r294739_fix

From the command prompt, run the following commands to create and activate "ipsec_v4" and "ipsec_v6" devices: # mkdev -l ipsec -t 4 # mkdev -l ipsec -t 6 Run the following commands to create 2 IPsec rules to block the ICMP timestamp request and reply: # genfilt -v 4 -a D -s 0 -m 0 -d 0 -M 0 -c icmp -O eq -P 13 -r B -w I -i all # genfilt -v 4 -a D -s 0 -m 0 -d 0 -M 0 -c icmp -o eq -p 14 -r B -w O -i all From the command prompt, run the following command to activate all the filter rules in the rule database: # mkfilt -u

b

AIX must not respond to ICMPv6 echo requests sent to a broadcast address.

CM-6 - Medium - CCI-000366 - V-215430 - SV-215430r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003135

Vuln IDs

V-215430
V-91721

Rule IDs

SV-215430r508663_rule
SV-101819

Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks.

Checks: C-16628r294741_chk

From the command prompt, run the following command: # /usr/sbin/no -o bcastping bcastping = 0 If the value returned is not "0", this is a finding.

Fix: F-16626r294742_fix

Configure the system to not respond to IPv6 multicast ICMP ECHO_REQUESTs by running: # /usr/sbin/no -p -o bcastping=0

b

AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

CM-6 - Medium - CCI-000366 - V-215431 - SV-215431r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003137

Vuln IDs

V-215431
V-91735

Rule IDs

SV-215431r508663_rule
SV-101833

Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.

Checks: C-16629r294744_chk

Check if "/etc/security/.profile" contains the proper "umask" setting by running the following command: # grep "umask 077" /etc/security/.profile umask 077 If the above command does not output the "umask 077", this is a finding. From the command prompt, run the following command to check if "umask=077" for the default stanza in "/etc/security/user": # lssec -f /etc/security/user -s default -a umask default umask=077 If the "umask" for the default stanza is not "077", or the "umask" is not set, this is a finding.

Fix: F-16627r294745_fix

Add the following line to "/etc/security/.profile": umask 077 Run the following command to set "umask=077" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a umask=077

b

There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the AIX system.

CM-6 - Medium - CCI-000366 - V-215432 - SV-215432r877377_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003138

Vuln IDs

V-215432
V-91739

Rule IDs

SV-215432r877377_rule
SV-101837

Trust files are convenient, but when used in conjunction with the remote login services, they can allow unauthenticated access to a system.

Checks: C-16630r294747_chk

Check for the existence of the files using: # find / -name .rhosts # find / -name .shosts # find / -name hosts.equiv # find / -name shosts.equiv If ".rhosts", ".shosts", "hosts.equiv", or "shosts.equiv" are found, this is a finding.

Fix: F-16628r294748_fix

Remove the ".rhosts", ".shosts", "hosts.equiv", and/or "shosts.equiv" files.

b

The .rhosts file must not be supported in AIX PAM.

CM-6 - Medium - CCI-000366 - V-215433 - SV-215433r877377_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003139

Vuln IDs

V-215433
V-91741

Rule IDs

SV-215433r877377_rule
SV-101839

.rhosts files are used to specify a list of hosts permitted remote access to a particular account without authenticating. The use of such a mechanism defeats strong identification and authentication requirements.

Checks: C-16631r294750_chk

Check the PAM configuration for "rhosts_auth" using command: # grep rhosts_auth /etc/pam.conf |grep -v \# If a "rhosts_auth" entry is found, this is a finding.

Fix: F-16629r294751_fix

Edit "/etc/pam.conf" and remove the reference(s) to the "rhosts_auth" module.

b

The AIX root user home directory must not be the root directory (/).

CM-6 - Medium - CCI-000366 - V-215434 - SV-215434r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003140

Vuln IDs

V-215434
V-91751

Rule IDs

SV-215434r508663_rule
SV-101849

Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places in its default directory. It also gives root the same discretionary access control for root's home directory as for the other plain user home directories.

Checks: C-16632r294753_chk

Determine if root is assigned a home directory other than "/" by listing its home directory by running command: # grep "^root" /etc/passwd | awk -F":" '{print $6}' /root If the root user's home directory is "/", this is a finding.

Fix: F-16630r294754_fix

The root home directory should be something other than "/" (such as /root). Run commands: # mkdir /root # chown root /root # chgrp system /root # chmod 700 /root Then, edit the passwd file and change the root home directory to "/root".

b

All AIX interactive users must be assigned a home directory in the passwd file and the directory must exist.

CM-6 - Medium - CCI-000366 - V-215435 - SV-215435r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003141

Vuln IDs

V-215435
V-91755

Rule IDs

SV-215435r508663_rule
SV-101853

All users must be assigned a home directory in the passwd file. Failure to have a home directory may result in the user being put in the root directory. This could create a Denial of Service because the user would not be able to perform useful tasks in this location.

Checks: C-16633r294756_chk

Verify each interactive user is assigned a home directory: # cut -d: -f1,6 /etc/passwd root srvproxy doejohn If an interactive user is not assigned a home directory, this is a finding. Verify that the interactive user home directories exist on the system: # cut -d: -f6 /etc/passwd | xargs -n1 ls -ld drwxr-xr-x 2 doejohn staff 256 Jan 25 13:18 /home/doejohn drwxr-xr-x 2 sshd system 256 Aug 11 2017 /home/srvproxy drwx------ 2 root system 256 Jan 30 12:54 /root If any interactive user home directory does not exist, this is a finding.

Fix: F-16631r294757_fix

Remove any unauthorized accounts with no home directory. If the account is valid, create the home directory using the appropriate system administration utility or process.

b

The AIX operating system must use Multi Factor Authentication.

IA-2 - Medium - CCI-000765 - V-215436 - SV-215436r853492_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000765

Version

AIX7-00-003200

Vuln IDs

V-215436
V-92941

Rule IDs

SV-215436r853492_rule
SV-103029

To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160

Checks: C-16634r294759_chk

Verify that all required packages are installed: # lslpp -l |grep -i powerscmfa powerscMFA.license 1.2.0.1 COMMITTED PowerSC MFA license files powerscMFA.pam.base 1.2.0.1 COMMITTED PowerSC MFA standard inband powerscMFA.pam.fallback 1.2.0.1 COMMITTED PowerSC MFA Password fallback powerscMFA.pam.pmfamapper 1.2.0.1 COMMITTED USB Smartcard Interface to powerscMFA.pam.usbsmartcard If any of the above packages are not installed, this is a finding.

Fix: F-16632r294760_fix

Install the IBM PowerSC MFA product.

b

The AIX operating system must be configured to authenticate using Multi Factor Authentication.

CM-6 - Medium - CCI-000366 - V-215437 - SV-215437r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003201

Vuln IDs

V-215437
V-92943

Rule IDs

SV-215437r508663_rule
SV-103031

To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication.

Checks: C-16635r294762_chk

Verify the global "auth_type" is configured to use PAM: # grep auth_type /etc/security/login.cfg |grep AUTH auth_type = PAM_AUTH If "auth_type" is not set to "PAM_AUTH", this is a finding. Verify that the user stanza is configured to use PAM: # lssec -f /etc/security/login.cfg -susw -a auth_type usw auth_type=PAM_AUTH If "auth_type" is not set to "PAM_AUTH", this is a finding.

Fix: F-16633r294763_fix

Run the following command to set the global and user stanza "auth_type": # chsec -f /etc/security/login.cfg -susw -a auth_type=PAM_AUTH

b

The AIX operating system must be configured to use Multi Factor Authentication for remote connections.

CM-6 - Medium - CCI-000366 - V-215438 - SV-215438r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003202

Vuln IDs

V-215438
V-92945

Rule IDs

SV-215438r508663_rule
SV-103033

To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication.

Checks: C-16636r294765_chk

Verify SSH is configured to use multi factor authentication: # grep ^sshd /etc/pam.conf | head -3 sshd auth required pam_ckfile sshd auth required pam_permission file=/etc/security/access.conf found=allow sshd auth required pam_pmfa /etc/security/pmfa/pam_pmfa.conf If the output does not match the above lines, any lines are missing, or commented out, this is a finding.

Fix: F-16634r294766_fix

Add or update the following lines in the /etc/pam.conf file: sshd auth required pam_ckfile sshd auth required pam_permission file=/etc/security/access.conffound=allow sshd auth required pam_pmfa /etc/security/pmfa/pam_pmfa.conf

b

AIX must have the have the PowerSC Multi Factor Authentication Product configured.

CM-6 - Medium - CCI-000366 - V-215439 - SV-215439r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003203

Vuln IDs

V-215439
V-92947

Rule IDs

SV-215439r508663_rule
SV-103035

To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication.

Checks: C-16637r294768_chk

Verify /etc/security/pmfa/pam_pmfa.conf is configured correctly. # grep -i "trustedcas" /etc/security/pmfa/pam_pmfa.conf | grep -v '#' TRUSTEDCAS = /<path_to_file>/server_ca.pem Note: Verify with the SA/ISSO as to the location of the "server_ca.pem" file. If "TRUSTEDCAS" is not configured to point to a valid "server_ca.pem" file or is missing, this is a finding. # grep -i "mfa-url" /etc/security/pmfa/pam_pmfa.conf | grep -v '#' MFA-URL = https://pmfa.example.com:6793/policyAuth/ If the "MFA-URL" is missing or does not point to a valid address, this is a finding. # grep -i "server-version" /etc/security/pmfa/pam_pmfa.conf | grep -v '#' SERVER-VERSION = 2 If "SERVER-VERSION" is missing or is not set to "2", this is a finding. # grep -i "ctc-prompt" /etc/security/pmfa/pam_pmfa.conf | grep -v '#' CTC-PROMPT-ONLY = Y If "CTC-PROMPT-ONLY" is missing or is not set to "Y", this is a finding.

Fix: F-16635r294769_fix

Add or update the following lines in the "/etc/security/pmfa/pam_pmfa.conf" file: TRUSTEDCAS = /<path_to_file>/server_ca.pem Note: Verify with the SA/ISSO as to the location of the "server_ca.pem" file. MFA-URL = https://pmfa.example.com:6793/policyAuth/ SERVER-VERSION = 2 CTC-PROMPT-ONLY = Y

b

The AIX operating system must be configured to use a valid server_ca.pem file.

CM-6 - Medium - CCI-000366 - V-215440 - SV-215440r508663_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003204

Vuln IDs

V-215440
V-92949

Rule IDs

SV-215440r508663_rule
SV-103037

To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication.

Checks: C-16638r294771_chk

Verify the location of the "server_ca.pem" file: # grep -i "trustedcas" /etc/security/pmfa/pam_pmfa.conf | grep -v '#' TRUSTEDCAS = /<path_to_file>/server_ca.pem Verify that the configured "server_ca.pem" file exists in the defined location: # ls -la /<path_to_file>/server_ca.pem If the file does not exist, this is a finding.

Fix: F-16636r294772_fix

Configure the system to use a valid "server_ca.pem" file.

b

The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials.

IA-2 - Medium - CCI-001953 - V-215441 - SV-215441r853493_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001953

Version

AIX7-00-003205

Vuln IDs

V-215441
V-92951

Rule IDs

SV-215441r853493_rule
SV-103039

The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. Satisfies: SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162

Checks: C-16639r294774_chk

Verify that the " bos.ahafs" package is installed: # lslpp -l |grep bos.ahafs bos.ahafs 7.1.5.15 COMMITTED Aha File System If the "bos.ahafs" package is not installed, this is a finding. Verify "pmfahotplugd" service is running: # lssrc -s pmfahotplugd If the " pmfahotplugd" service is not running, this is a finding.

Fix: F-16637r294775_fix

Install "bos.ahafs" fileset from the PowerSC MFA DVD using the following command (assuming that the DVD device is mounted to /dev/cd0): # installp -aXYgd /dev/cd0 -e /tmp/install.log bos.ahafs Start the "pmfahotplugd" service: # startsrc-s pmfahotplugd

b

AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.

CM-6 - Medium - CCI-000366 - V-219057 - SV-219057r853494_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-003143

Vuln IDs

V-219057
V-91771

Rule IDs

SV-219057r853494_rule
SV-101869

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.

Checks: C-20868r294777_chk

From the command prompt, run the following commands to check if the "all traffic" filter rules, the predefined rule with Rule-ID 0, are defined to deny all packages: # lsfilt -v4 -n0 # lsfilt -v6 -n0 Rule 0: Rule action : deny Source Address : 0.0.0.0 Source Mask : 0.0.0.0 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : yes Protocol : all Source Port : any 0 Destination Port : any 0 Scope : both Direction : both Logging control : no Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : no Expiration Time : 0 Description : Default Rule Rule 0: Rule action : deny Source Address : :: Source Mask : 0 Destination Address : :: Destination Mask : 0 Source Routing : yes Protocol : all Source Port : any 0 Destination Port : any 0 Scope : both Direction : both Logging control : no Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : no Expiration Time : 0 Description : Default Rule If any of the "all traffic" rules has "Rule action : permit", this is a finding.

Fix: F-20867r294778_fix

From the command prompt, run the following commands to create and activate "ipsec_v4" and "ipsec_v6" devices: # mkdev -l ipsec -t 4 # mkdev -l ipsec -t 6 From the command prompt, run the following commands to change the "all traffic" rules to block all packages: # chfilt -a D -v 4 -n 0 # chfilt -a D -v 6 -n 0 Assume that the local host has IP address 10.10.10.10 and the remote host has IP address 11.11.11.11, run the following command to generate a user-defined filter rule that allow all IPv4 traffic between these 2 hosts: # genfilt -w B -v 4 -s 10.10.10.10 -p 0 -P 0 -o any -O any -m 255.255.255.255 -M 255.255.255.255 -i all -g Y -d 11.11.11.11 -c all -a P From the command prompt, run the following command to activate all the filter rules in the rule database: # mkfilt -u

b

AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.

AU-4 - Medium - CCI-001851 - V-219956 - SV-219956r877390_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

AIX7-00-002017

Vuln IDs

V-219956
V-100005

Rule IDs

SV-219956r877390_rule
SV-109109

Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Checks: C-21667r853495_chk

Verify the action the operating system takes if the disk the audit records are written to becomes full. Verify that the file "/etc/security/audit/config" includes the required settings with the following command: # cat /etc/security/audit/config bin: trail = /audit/trail bin1 = /audit/bin1 bin2 = /audit/bin2 binsize = 25000 cmds = /etc/security/audit/bincmds freespace = 65536 backuppath = /audit backupsize = 0 bincompact = off If any of the configurations listed above is missing or not set to the listed value or greater, this is a finding.

Fix: F-21666r853496_fix

Edit the /etc/security/audit/config file and add/modify the following values: Note: The values for "binsize" and "freespace" are the minimum required values. These values can be increased to meet organizationally defined values that exceed the listed values. bin: trail = /audit/trail bin1 = /audit/bin1 bin2 = /audit/bin2 binsize = 25000 cmds = /etc/security/audit/bincmds freespace = 65536 backuppath = /audit backupsize = 0 bincompact = off Restart the audit process: # /usr/sbin/audit shutdown # /usr/sbin/audit start

b

The AIX /etc/hosts file must be owned by root.

CM-6 - Medium - CCI-000366 - V-245557 - SV-245557r818794_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002140

Vuln IDs

V-245557

Rule IDs

SV-245557r818794_rule

Unauthorized ownership of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is also possible to use the /etc/hosts file to block detection by security software by blocking the traffic to all the download or update servers of well-known security vendors.

Checks: C-48836r818792_chk

Check the ownership of /etc/hosts using command: # ls -al /etc/hosts The above command should yield the following output: -rw-r----- 1 root system 993 Mar 11 07:04 /etc/hosts If the file is not owned by root, this is a finding.

Fix: F-48791r818793_fix

Change the ownership of the file to root using command: # chown root /etc/hosts

b

The AIX /etc/hosts file must be group-owned by system.

CM-6 - Medium - CCI-000366 - V-245558 - SV-245558r818797_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002141

Vuln IDs

V-245558

Rule IDs

SV-245558r818797_rule

Unauthorized group ownership of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is also possible to use the /etc/hosts file to block detection by security software by blocking the traffic to all the download or update servers of well-known security vendors.

Checks: C-48837r818795_chk

Check the group ownership of /etc/hosts using command: # ls -al /etc/hosts The above command should yield the following output: -rw-r----- 1 root system 993 Mar 11 07:04 /etc/hosts If the file is not group-owned by system, this is a finding.

Fix: F-48792r818796_fix

Change the group ownership of the file to system using command: # chgrp system /etc/hosts

b

The AIX /etc/hosts file must have a mode of 0640 or less permissive.

CM-6 - Medium - CCI-000366 - V-245559 - SV-245559r818800_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002142

Vuln IDs

V-245559

Rule IDs

SV-245559r818800_rule

Unauthorized permissions of the /etc/hosts file can lead to the ability for a malicious actor to redirect traffic to servers of their choice. It is also possible to use the /etc/hosts file to block detection by security software by blocking the traffic to all the download or update servers of well-known security vendors.

Checks: C-48838r818798_chk

Check the mode of /etc/hosts using command: # ls -al /etc/hosts The above command should yield the following output: -rw-r----- 1 root system 993 Mar 11 07:04 /etc/hosts If the file has a mode more permissive than "0640", this is a finding.

Fix: F-48793r818799_fix

Change the mode of the file to 0640 using command: # chmod 0640 /etc/hosts

b

AIX cron and crontab directories must have a mode of 0640 or less permissive.

CM-6 - Medium - CCI-000366 - V-245560 - SV-245560r755121_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002143

Vuln IDs

V-245560

Rule IDs

SV-245560r755121_rule

Incorrect permissions of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to set proper permissions of cron or crontab directories provides unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Checks: C-48839r755119_chk

Check the mode of the "crontab" directory using command: # ls -ld /var/spool/cron/crontabs drw-r----- 2 bin cron 256 Jan 25 12:33 /var/spool/cron/crontabs If the file has a mode more permissive than "0640", this is a finding.

Fix: F-48794r755120_fix

Change the owner of the "crontab" directory: # chmod 640 /var/spool/cron/crontabs

b

The AIX /etc/syslog.conf file must be owned by root.

CM-6 - Medium - CCI-000366 - V-245561 - SV-245561r818803_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002144

Vuln IDs

V-245561

Rule IDs

SV-245561r818803_rule

Unauthorized ownership of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities. This can aid the malicious actor in avoiding detection and further their ability to conduct malicious activities on the system.

Checks: C-48840r818801_chk

Check the ownership of /etc/syslog.conf using command: # ls -al /etc/syslog.conf The above command should yield the following output: -rw-r----- 1 root system 993 Mar 11 07:04 /etc/syslog.conf If the file is not owned by root, this is a finding.

Fix: F-48795r818802_fix

Change the ownership of the file to root using command: # chown root /etc/syslog.conf

b

The AIX /etc/syslog.conf file must be group-owned by system.

CM-6 - Medium - CCI-000366 - V-245562 - SV-245562r818806_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002145

Vuln IDs

V-245562

Rule IDs

SV-245562r818806_rule

Unauthorized group ownership of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities. This can aid the malicious actor in avoiding detection and further their ability to conduct malicious activities on the system.

Checks: C-48841r818804_chk

Check the group ownership of /etc/syslog.conf using command: # ls -al /etc/syslog.conf The above command should yield the following output: -rw-r----- 1 root system 993 Mar 11 07:04 /etc/syslog.conf If the file is not group-owned by system, this is a finding.

Fix: F-48796r818805_fix

Change the group ownership of the file to system using command: # chgrp system /etc/syslog.conf

b

The AIX /etc/syslog.conf file must have a mode of 0640 or less permissive.

CM-6 - Medium - CCI-000366 - V-245563 - SV-245563r818809_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002146

Vuln IDs

V-245563

Rule IDs

SV-245563r818809_rule

Unauthorized permissions of the /etc/syslog.conf file can lead to the ability for a malicious actor to alter or disrupt system logging activities. This can aid the malicious actor in avoiding detection and further their ability to conduct malicious activities on the system.

Checks: C-48842r818807_chk

Check the mode of /etc/syslog.conf using command: # ls -al /etc/syslog.conf The above command should yield the following output: -rw-r----- 1 root system 993 Mar 11 07:04 /etc/syslog.conf If the file has a mode more permissive than "0640", this is a finding.

Fix: F-48797r818808_fix

Change the mode of the file to 0640 using command: # chmod 0640 /etc/syslog.conf

b

The inetd.conf file on AIX must be group owned by the "system" group.

CM-6 - Medium - CCI-000366 - V-245564 - SV-245564r755133_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002092

Vuln IDs

V-245564

Rule IDs

SV-245564r755133_rule

Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Checks: C-48843r755131_chk

Check the group ownership of "/etc/inetd.conf": # ls -al /etc/inetd.conf The above command should yield the following output: -rw-r----- root system /etc/inetd.conf If the file is not group owned by system, this is a finding.

Fix: F-48798r755132_fix

Change the group ownership of "/etc/inetd.conf": # chgrp system /etc/inetd.conf

b

The AIX /etc/inetd.conf file must have a mode of 0640 or less permissive.

CM-6 - Medium - CCI-000366 - V-245565 - SV-245565r755136_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002093

Vuln IDs

V-245565

Rule IDs

SV-245565r755136_rule

Failure to set proper permissions of sensitive files or utilities may provide unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Checks: C-48844r755134_chk

Check the group ownership of "/etc/inetd.conf": # ls -al /etc/inetd.conf The above command should yield the following output: -rw-r----- root system /etc/inetd.conf If the file has a mode more permissive than "0640", this is a finding.

Fix: F-48799r755135_fix

Change the ownership of the file to root using command: # chmod 0640 /etc/inetd.conf

b

The AIX /var/spool/cron/atjobs directory must be owned by root or bin.

CM-6 - Medium - CCI-000366 - V-245566 - SV-245566r832900_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002147

Vuln IDs

V-245566

Rule IDs

SV-245566r832900_rule

Unauthorized ownership of the /var/spool/cron/atjobs directory could permit unauthorized users the ability to alter atjobs and run automated jobs as privileged users. Failure to set proper permissions of the /var/spool/cron/atjobs directory provides unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Checks: C-48845r832898_chk

Check the ownership of the /var/spool/cron/atjobs directory using command: # ls -ld /var/spool/cron/atjobs The above command should yield the following output: drw-r----- 1 bin cron 993 Mar 11 07:04 /var/spool/cron/atjobs If the owner of the "atjobs" directory is not "root" or "bin", this is a finding.

Fix: F-48800r832899_fix

Change the ownership of the "atjobs" directory to bin using command: # chown bin /var/spool/cron/atjobs

b

The AIX /var/spool/cron/atjobs directory must be group-owned by cron.

CM-6 - Medium - CCI-000366 - V-245567 - SV-245567r832903_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002148

Vuln IDs

V-245567

Rule IDs

SV-245567r832903_rule

Unauthorized group ownership of the /var/spool/cron/atjobs directory could permit unauthorized users the ability to alter atjobs and run automated jobs as privileged users. Failure to set proper permissions of the /var/spool/cron/atjobs directory provides unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Checks: C-48846r832901_chk

Check the group ownership of the /var/spool/cron/atjobs directory using command: # ls -ld /var/spool/cron/atjobs The above command should yield the following output: drw-r----- 1 bin cron 993 Mar 11 07:04 /var/spool/cron/atjobs If the group owner of the "atjobs" directory is not "cron", this is a finding.

Fix: F-48801r832902_fix

Change the group ownership of the "atjobs" directory to cron using command: # chgrp cron /var/spool/cron/atjobs

b

The AIX /var/spool/cron/atjobs directory must have a mode of 0640 or less permissive.

CM-6 - Medium - CCI-000366 - V-245568 - SV-245568r755145_rule

RMF Control

CM-6

Severity

M

CCI

Version

AIX7-00-002149

Vuln IDs

V-245568

Rule IDs

SV-245568r755145_rule

Incorrect permissions of the /var/spool/cron/atjobs directory could permit unauthorized users the ability to alter atjobs and run automated jobs as privileged users. Failure to set proper permissions of the /var/spool/cron/atjobs directory provides unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Checks: C-48847r755143_chk

Check the mode of the /var/spool/cron/atjobs directory using command: # ls -ld /var/spool/cron/atjobs drw-r----- 1 daemon daemon 993 Mar 11 07:04 /var/spool/cron/atjobs If the directory has a mode more permissive than "0640", this is a finding.

Fix: F-48802r755144_fix

Change the mode of the /var/spool/cron/atjobs directory: # chmod 640 /var/spool/cron/atjobs

b

The AIX cron and crontab directories must be group-owned by cron.

CM-6 - Medium - CCI-000366 - V-245569 - SV-245569r832906_rule

RMF Control

CM-6

Severity

M

CCI