Free DISA STIG and SRG Library | Vaulted

AIX 5.3 Security Technical Implementation Guide

Version 1 Release 2
2013-11-04
U_AIX_5.3-V1R2_STIG_Benchmark-xccdf.xml
The AIX Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via email to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Vulnerabilities (174)

The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.

Finding ID
GEN000400
Rule ID
SV-38932r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000400
CCI
CCI-000048
Target Key
(None)
Documentable
No
Discussion

Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.

Fix Text

Edit /etc/security/login.cfg and assign the herald value for the default and /dev/console stanzas to one of the DoD login banners (based on the character limitations imposed by the system). # chsec -f /etc/security/login.cfg -s default -a herald="<DoD Login Banner>" OR # vi /etc/security/login.cfg and add a herald = <DoD Login Banner> statement to the default stanza DoD Login Banners: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. " OR "I've read & consent to terms in IS user agreem't."

Check Content

Responsibility

System Administrator

IA Controls

ECWM-1

The system must disable accounts after three consecutive unsuccessful login attempts.

Finding ID
GEN000460
Rule ID
SV-38671r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000460
CCI
CCI-000044
Target Key
(None)
Documentable
No
Discussion

Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.

Fix Text

Use the chsec command to configure the number of unsuccessful logins resulting in account lockout. # chsec -f /etc/security/user -s default -a loginretries=3 # chsec -f /etc/security/user -s <user id> -a loginretries=3

Check Content

Responsibility

System Administrator

IA Controls

ECLO-1, ECLO-2

The delay between login prompts following a failed login attempt must be at least 4 seconds.

Finding ID
GEN000480
Rule ID
SV-38839r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000480
CCI
CCI-000043
Target Key
(None)
Documentable
No
Discussion

Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.

Fix Text

Use vi or the chsec command to change the login delay time period. #chsec -f /etc/security/login.cfg -s default -a logindelay=4 OR # vi /etc/security/login.cfg Add logindelay = 4 to the default stanza.

Check Content

Responsibility

System Administrator

IA Controls

ECLO-1, ECLO-2

The system must not have accounts configured with blank or null passwords.

Finding ID
GEN000560
Rule ID
SV-27107r1_rule
Severity
Cat I
CCE
(None)
Group Title
GEN000560
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured without a password, the entire system may be compromised. For user accounts not using password authentication, the account must be configured with a password lock value instead of a blank or null value.

Fix Text

Remove or configure a password for any account with a blank password. # passwd <user id> # smitty passwd To remove an account with a blank password. # smitty rmuser

Check Content

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

The root account must be the only account having an UID of 0.

Finding ID
GEN000880
Rule ID
SV-773r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000880
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

If an account has an UID of 0, it has root authority. Multiple accounts with an UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account.

Fix Text

Remove or change the UID of accounts other than root that have UID 0.

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1, IAIA-1, IAIA-2

The root user's home directory must not be the root directory (/).

Finding ID
GEN000900
Rule ID
SV-38940r1_rule
Severity
Cat III
CCE
(None)
Group Title
GEN000900
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places in its default directory. It also gives root the same discretionary access control for root's home directory as for the other plain user home directories.

Fix Text

The root home directory should be something other than / (such as /root). Procedure: # mkdir /root # chown root /root # chgrp sys /root # chmod 700 /root # cp -r /.??* /root/. Then, edit the passwd file and change the root home directory to /root. The cp -r /.??* command copies all files and subdirectories of file names that begin with "." into the new root directory, which preserves the previous root environment. Must be in the "/" directory when executing the "cp" command.

Check Content

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

The root account's home directory (other than /) must have mode 0700.

Finding ID
GEN000920
Rule ID
SV-38941r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000920
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Permissions greater than 0700 could allow unauthorized users access to the root home directory.

Fix Text

The root home directory will have permissions of 0700. Do not change the protections of the / directory. Use the following command to change protections for the root home directory. # chmod 0700 /root.

Check Content

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

The root account's executable search path must be the vendor default and must contain only absolute paths.

Finding ID
GEN000940
Rule ID
SV-40085r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000940
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.

Fix Text

Edit the root user's local initialization files. Change any found PATH variable settings to the vendor's default path for the root user. Remove any empty path entries or references to relative paths. # cd <root's home directory> # vi .profile .cshrc If the bash shell is installed, edit these additional files. # vi .bashrc .bash_profile

Check Content

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2, ECSC-1

The root account must not have world-writable directories in its executable search path.

Finding ID
GEN000960
Rule ID
SV-777r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000960
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and inadvertently run by root with all of root's privileges.

Fix Text

For each world-writable path in root's executable search path, perform one of the following. 1. Remove the world-writable permission on the directory. Procedure: # chmod o-w <path> 2. Remove the world-writable directory from the executable search path. Procedure: Identify and edit the initialization file referencing the world-writable directory and remove it from the PATH variable.

Check Content

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

The system must prevent the root account from directly logging in except from the system console.

Finding ID
GEN000980
Rule ID
SV-38683r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000980
CCI
CCI-000770
Target Key
(None)
Documentable
No
Discussion

Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device.

Fix Text

The root account can be protected from non-console device logins by setting rlogin = false in the root: stanza of the /etc/security/user file. #chsec -f /etc/security/user -s root -a rlogin=false

Check Content

Responsibility

System Administrator

IA Controls

ECPA-1, ECSD-2

All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.

Finding ID
GEN000380
Rule ID
SV-27071r1_rule
Severity
Cat III
CCE
(None)
Group Title
GEN000380
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

If a user is assigned the GID of a group that does not exist on the system, and a group with that GID is subsequently created, the user may have unintended rights to the group.

Fix Text

Add a group to the system for each GID referenced without a corresponding group. # smitty mkgroup

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

System log files must have mode 0640 or less permissive.

Finding ID
GEN001260
Rule ID
SV-787r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001260
CCI
CCI-001314
Target Key
(None)
Documentable
No
Discussion

If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value.

Fix Text

Change the mode of the system log file(s) to 0640 or less permissive. Procedure: # chmod 0640 /path/to/system-log-file NOTE: Do not confuse system log files with audit logs. Any subsystems that require less stringent permissions must be documented.

Check Content

Responsibility

System Administrator

IA Controls

ECTP-1

All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.

Finding ID
GEN001800
Rule ID
SV-38735r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001800
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files.

Fix Text

Change the mode of skeleton files with incorrect mode. # chmod 0644 /etc/security/.profile #chmod 0755 /etc/security/mkuser.sys

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

NIS/NIS+/yp files must be owned by root, sys, or bin.

Finding ID
GEN001320
Rule ID
SV-38775r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001320
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the owner of the NIS files to root, sys, or bin. Procedure (example): # chown root < directory>/< file >

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

NIS/NIS+/yp files must be group-owned by sys, bin, other, or system.

Finding ID
GEN001340
Rule ID
SV-38776r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001340
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the group owner of the NIS files to sys, bin, system, or other. Procedure: # chgrp system < directory>/< file >

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The NIS/NIS+/yp files must have mode 0755 or less permissive.

Finding ID
GEN001360
Rule ID
SV-38781r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001360
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise these processes and the system.

Fix Text

Change the mode of NIS/NIS+/yp files to 0755 or less permissive. Procedure (example): # chmod 0755 <filename>

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

All system command files must have mode 0755 or less permissive.

Finding ID
GEN001200
Rule ID
SV-794r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001200
CCI
CCI-001499
Target Key
(None)
Documentable
No
Discussion

Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default system executables and files present in directories included in the system's default executable search paths.

Fix Text

Change the mode for system command files to 0755 or less permissive. Procedure: # chmod 0755 <filename>

Check Content

Security Override Guidance

Elevate to Severity Code I if any file listed is world-writable.

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/security/passwd file must be owned by root.

Finding ID
GEN001400
Rule ID
SV-38944r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001400
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/security/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the ownership of the /etc/security/passwd file. # chown root /etc/security/passwd

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/passwd file must have mode 0644 or less permissive.

Finding ID
GEN001380
Rule ID
SV-798r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001380
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the password file is writable by a group owner or the world, the risk of password file compromise is increased. The password file contains the list of accounts on the system and associated information.

Fix Text

Change the mode of the passwd file to 0644. Procedure: # chmod 0644 /etc/passwd Document all changes.

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/security/passwd file must have mode 0400.

Finding ID
GEN001420
Rule ID
SV-38728r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001420
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/security/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which must not be accessible to users other than root.

Fix Text

Change the mode of the /etc/security/passwd file. # chmod 0400 /etc/security/passwd

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.

Finding ID
GEN003720
Rule ID
SV-821r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003720
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Failure to give ownership of sensitive files or utilities to root provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the ownership of the inetd.conf file to root or bin. Procedure: # chown root /etc/inetd.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The inetd.conf and xinetd.conf files must have mode 0440 or less permissive.

Finding ID
GEN003740
Rule ID
SV-822r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003740
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The Internet service daemon configuration files must be protected as malicious modification could cause Denial of Service or increase the attack surface of the system.

Fix Text

Change the mode of the inetd.conf file. # chmod 0440 /etc/inetd.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The services file must be owned by root or bin.

Finding ID
GEN003760
Rule ID
SV-823r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003760
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the ownership of the services file to root or bin. Procedure: # chown root /etc/services

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The services file must have mode 0444 or less permissive.

Finding ID
GEN003780
Rule ID
SV-824r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003780
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network services.

Fix Text

Change the mode of the services file to 0444 or less permissive. Procedure: # chmod 0444 /etc/services

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

Global initialization files must contain the mesg -n or mesg n commands.

Finding ID
GEN001780
Rule ID
SV-38893r1_rule
Severity
Cat III
CCE
(None)
Group Title
GEN001780
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

If the mesg -n or mesg n command is not placed into the system profile, messaging can be used to cause a Denial of Service attack.

Fix Text

Edit /etc/profile or another global initialization script and add the mesg -n command.

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The alias file must be owned by root.

Finding ID
GEN004360
Rule ID
SV-40836r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN004360
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the alias file is not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email.

Fix Text

Change the owner of the /etc/mail/aliases file (or equivalent, such as /usr/lib/aliases) to root. Procedure: # chown root /etc/mail/aliases

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The alias file must have mode 0644 or less permissive.

Finding ID
GEN004380
Rule ID
SV-40684r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN004380
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Excessive permissions on the aliases file may permit unauthorized modification. If the alias file is modified by an unauthorized user, they may modify the file to run malicious code or redirect email.

Fix Text

Change the mode of the /etc/mail/aliases file. Procedure: # chmod 0644 /etc/mail/aliases

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The ftpusers file must exist.

Finding ID
GEN004880
Rule ID
SV-28403r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN004880
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The ftpusers file contains a list of accounts not allowed to use FTP to transfer files. If this file does not exist, then unauthorized accounts can utilize FTP.

Fix Text

Create a /etc/ftpusers file containing a list of accounts not authorized for FTP.

Check Content

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

The ftpusers file must be owned by root.

Finding ID
GEN004920
Rule ID
SV-28409r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN004920
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the file ftpusers is not owned by root, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.

Fix Text

Change the owner of the ftpusers file to root. # chown root /etc/ftpusers

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The ftpusers file must have mode 0640 or less permissive.

Finding ID
GEN004940
Rule ID
SV-28412r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN004940
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Excessive permissions on the ftpusers file could permit unauthorized modification. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized users to access the FTP service.

Fix Text

Change the mode of the ftpusers file to 0640. # chmod 0640 /etc/ftpusers

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

All users' home directories must have mode 0750 or less permissive.

Finding ID
GEN001480
Rule ID
SV-901r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001480
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Excessive permissions on home directories allow unauthorized access to user's files.

Fix Text

Change the mode of users' home directories to 0750 or less permissive. Procedure (example): # chmod 0750 <home directory>

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The NFS export configuration file must be owned by root.

Finding ID
GEN005740
Rule ID
SV-28445r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005740
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Failure to give ownership of the NFS export configuration file to root provides the designated owner and possible unauthorized users with the potential to change system configuration which could weaken the system's security posture.

Fix Text

Change the owner of the exports file to root. Example: # chown root /etc/exports

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The NFS export configuration file must have mode 0644 or less permissive.

Finding ID
GEN005760
Rule ID
SV-28447r1_rule
Severity
Cat III
CCE
(None)
Group Title
GEN005760
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Excessive permissions on the NFS export configuration file could allow unauthorized modification of the file, which could result in Denial of Service to authorized NFS exports and the creation of additional unauthorized exports.

Fix Text

# chmod 0644 /etc/exports

Check Content

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2, ECLP-1

Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).

Finding ID
GEN002960
Rule ID
SV-27318r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN002960
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The cron facility allows users to execute recurring jobs on a regular and unattended basis. The cron.allow file designates accounts allowed to enter and execute jobs using the cron facility. If neither cron.allow nor cron.deny exists, then any account may use the cron facility. This may open the facility up for abuse by system intruders and malicious users.

Fix Text

Create /var/adm/cron/cron.allow and/or /var/adm/cron/cron.deny with appropriate content.

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

Cron and crontab directories must have mode 0755 or less permissive.

Finding ID
GEN003100
Rule ID
SV-27342r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003100
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured.

Fix Text

Change the mode of the crontab directory. # chmod 0755 /var/spool/cron/crontabs

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

Cron and crontab directories must be owned by root or bin.

Finding ID
GEN003120
Rule ID
SV-27345r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003120
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron or crontab directories to root or to bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the owner of the crontab directory. # chown root /var/spool/cron/crontabs

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

Cron and crontab directories must be group-owned by system, sys, bin, or cron.

Finding ID
GEN003140
Rule ID
SV-39104r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003140
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. Failure to give group ownership of cron or crontab directories to a system group provides the designated group and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the group owner of the crontab directories to sys, system, bin, or cron. Procedure: # chown cron /var/spool/cron/crontabs

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

Access to the at utility must be controlled via the at.allow and/or at.deny file(s).

Finding ID
GEN003280
Rule ID
SV-27377r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003280
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The at facility selectively allows users to execute jobs at deferred times. It is usually used for one-time jobs. The at.allow file selectively allows access to the at facility. If there is no at.allow file, there is no ready documentation of who is allowed to submit at jobs.

Fix Text

Create at.allow and/or at.deny files containing appropriate lists of users to be allowed or denied access to the "at" daemon.

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The at.deny file must not be empty if it exists.

Finding ID
GEN003300
Rule ID
SV-27381r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003300
CCI
CCI-000225
Target Key
(None)
Documentable
Yes
Discussion

On some systems, if there is no at.allow file and there is an empty at.deny file, then the system assumes everyone has permission to use the at facility. This could create an insecure setting in the case of malicious users or system intruders.

Fix Text

Add appropriate users to the at.deny file, or remove the empty at.deny file if an at.allow file exists.

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.

Finding ID
GEN003320
Rule ID
SV-27385r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003320
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Default accounts, such as bin, sys, adm, uucp, daemon, and others, should never have access to the at facility. This would create a possible vulnerability open to intruders or malicious users.

Fix Text

Remove the default accounts (such as bin, sys, adm, and others) from the at.allow file.

Check Content

Responsibility

System Administrator

IA Controls

ECPA-1

The /usr/lib/smb.conf file must be owned by root.

Finding ID
GEN006100
Rule ID
SV-40724r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN006100
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /usr/lib/smb.conf file allows access to other machines on the network and grants permissions to certain users. If it is owned by another user, the file may be maliciously modified and the Samba configuration could be compromised.

Fix Text

Change the ownership of the smb.conf file. Procedure: # chown root /usr/lib/smb.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /usr/lib/smb.conf file must have mode 0644 or less permissive.

Finding ID
GEN006140
Rule ID
SV-39229r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN006140
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the smb.conf file has excessive permissions, the file may be maliciously modified and the Samba configuration could be compromised.

Fix Text

Change the mode of the smb.conf file to 0644 or less permissive. Procedure: # chmod 0644 /usr/lib/smb.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /var/private/smbpasswd file must be owned by root.

Finding ID
GEN006160
Rule ID
SV-40379r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN006160
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the smbpasswd file is not owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.

Fix Text

Change the owner of the smbpasswd file to root. # chown root /var/private/smbpasswd

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

Users must not be able to change passwords more than once every 24 hours.

Finding ID
GEN000540
Rule ID
SV-38768r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000540
CCI
CCI-000198
Target Key
(None)
Documentable
No
Discussion

The ability to change passwords frequently facilitates users reusing the same password. This can result in users effectively never changing their passwords. This would be accomplished by users changing their passwords when required and then immediately changing it to the original value.

Fix Text

Use SMIT or the chsec command to set the minimum password age to 1 week. # chsec -f /etc/security/user -s default -a minage=1 # chsec -f /etc/security/user -s <user id> -a minage=1 OR # smitty chuser

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The /usr/lib/smb.conf file must be group-owned by bin, sys, or system.

Finding ID
GEN006120
Rule ID
SV-39231r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN006120
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the group-owner of the smb.conf file is not root or a system group, the file may be maliciously modified and the Samba configuration could be compromised.

Fix Text

Change the group owner of the smb.conf file. Procedure: # chgrp system /usr/lib/smb.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /var/private/smbpasswd file must be group-owned by sys or system.

Finding ID
GEN006180
Rule ID
SV-39235r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN006180
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the smbpasswd file is not group-owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.

Fix Text

Use the chgrp command to change the group owner of the smbpasswd file to system. # chgrp system /var/private/smbpasswd

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /var/private/smbpasswd file must have mode 0600 or less permissive.

Finding ID
GEN006200
Rule ID
SV-40725r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN006200
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts.

Fix Text

Change the mode of the smbpasswd file to 0600. Procedure: # chmod 0600 /var/private/smbpasswd

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The system must prohibit the reuse of passwords within five iterations.

Finding ID
GEN000800
Rule ID
SV-38679r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000800
CCI
CCI-000200
Target Key
(None)
Documentable
No
Discussion

If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.

Fix Text

Use the chsec command to configure the system to prohibit the reuse of passwords within five iterations. # chsec -f /etc/security/user -s default -a histsize=5 # chuser histsize=5 < user id >

Check Content

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

The securetcpip command must be used.

Finding ID
GEN000000-AIX00040
Rule ID
SV-4284r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX00040
CCI
CCI-000032
Target Key
(None)
Documentable
No
Discussion

The AIX securetcpip command disables insecure network utilities, such as rcp, rlogin, rlogind, rsh, rshd, tftp, tftpd, and trpt/d. These services increase the attack surface of the system.

Fix Text

Ensure secure tcp/ip has been invoked before allowing operations on the system.

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

Remote consoles must be disabled or protected from unauthorized access.

Finding ID
GEN001000
Rule ID
SV-27149r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001000
CCI
CCI-000070
Target Key
(None)
Documentable
No
Discussion

The remote console feature provides an additional means of access to the system which could allow unauthorized access if not disabled or properly secured. With virtualization technologies, remote console access is essential as there is no physical console for virtual machines. Remote console access must be protected in the same manner as any other remote privileged access method.

Fix Text

Edit /etc/security/login.cfg and remove the alternate console definition.

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The cron.allow file must be owned by root, bin, or sys.

Finding ID
GEN003240
Rule ID
SV-27367r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003240
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the owner of the cron.allow file is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or to edit sensitive information.

Fix Text

# chown root /var/adm/cron/cron.allow

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The at directory must have mode 0755 or less permissive.

Finding ID
GEN003400
Rule ID
SV-38907r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003400
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the at directory has a mode more permissive than 0755, unauthorized users could be allowed to view or to edit files containing sensitive information within the at directory. Unauthorized modifications could result in Denial of Service to authorized at jobs.

Fix Text

Change the mode of the "at" directory to 0755. Procedure: # chmod 0755 < at directory >

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The at.allow file must be owned by root, bin, or sys.

Finding ID
GEN003460
Rule ID
SV-27393r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003460
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.

Fix Text

Change the owner of the at.allow file. # chown root /var/adm/cron/at.allow

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The at.deny file must be owned by root, bin, or sys.

Finding ID
GEN003480
Rule ID
SV-27397r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003480
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.

Fix Text

Change the owner of the at.deny file. # chown root /var/adm/cron/at.deny

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The traceroute command owner must be root.

Finding ID
GEN003960
Rule ID
SV-28393r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003960
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the traceroute command owner has not been set to root, an unauthorized user could use this command to obtain knowledge of the network topology inside the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.

Fix Text

Change the owner of the traceroute command to root. Example: # chown root /usr/bin/traceroute

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The traceroute command must be group-owned by sys, bin, or system.

Finding ID
GEN003980
Rule ID
SV-28397r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003980
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the group owner of the traceroute command has not been set to a system group, unauthorized users could have access to the command and use it to gain information regarding a network's topology inside of the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.

Fix Text

Change the group owner of the traceroute command to sys, bin, or system. Procedure: # chgrp system /usr/bin/traceroute

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The traceroute file must have mode 0700 or less permissive.

Finding ID
GEN004000
Rule ID
SV-28400r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN004000
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the mode of the traceroute executable is more permissive than 0700, malicious code could be inserted by an attacker and triggered whenever the traceroute command is executed by authorized users. Additionally, if an unauthorized user is granted executable permissions to the traceroute command, it could be used to gain information about the network topology behind the firewall. This information may allow an attacker to determine trusted routers and other network information possibly leading to system and network compromise.

Fix Text

Change the mode of the traceroute command. # chmod 0700 /usr/bin/traceroute

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The system must not use .forward files.

Finding ID
GEN004580
Rule ID
SV-4385r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN004580
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops which could degrade system performance.

Fix Text

Remove .forward files from the system.

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The /etc/syslog.conf file must be owned by root.

Finding ID
GEN005400
Rule ID
SV-4393r2_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005400
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the /etc/syslog.conf file is not owned by root, unauthorized users could be allowed to view, edit, or delete important system messages handled by the syslog facility.

Fix Text

Use the chown command to set the owner to root. # chown root /etc/syslog.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/syslog.conf file must be group-owned by bin, sys, or system.

Finding ID
GEN005420
Rule ID
SV-40364r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005420
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the group owner of /etc/syslog.conf is not root, bin, or sys, unauthorized users could be permitted to view, edit, or delete important system messages handled by the syslog facility.

Fix Text

Change the group owner of the /etc/syslog.conf file to bin, sys, or system. Procedure: # chgrp system /etc/syslog.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The cron.deny file must be owned by root, bin, or sys.

Finding ID
GEN003260
Rule ID
SV-27372r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003260
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Cron daemon control files restrict the scheduling of automated tasks and must be protected.

Fix Text

# chown root /var/adm/cron/cron.deny

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The rexec daemon must not be running.

Finding ID
GEN003840
Rule ID
SV-38878r1_rule
Severity
Cat I
CCE
(None)
Group Title
GEN003840
CCI
CCI-001435
Target Key
(None)
Documentable
Yes
Discussion

The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.

Fix Text

Edit /etc/inetd.conf and comment out the line for the rexec service. Refresh the inetd daemon. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

EBRP-1, ECSC-1

The system must not have the finger service active.

Finding ID
GEN003860
Rule ID
SV-27440r1_rule
Severity
Cat III
CCE
(None)
Group Title
GEN003860
CCI
CCI-001551
Target Key
(None)
Documentable
No
Discussion

The finger service provides information about the system's users to network clients. This information could expose information that could be used in subsequent attacks.

Fix Text

Edit /etc/inetd.conf and comment out the finger service line. Restart the inetd service.

Check Content

Responsibility

System Administrator

IA Controls

DCPP-1, EBRU-1

The operating system must be a supported release.

Finding ID
GEN000100
Rule ID
SV-27052r1_rule
Severity
Cat I
CCE
(None)
Group Title
GEN000100
CCI
CCI-001230
Target Key
(None)
Documentable
No
Discussion

An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.

Fix Text

Upgrade to a supported version of the operating system.

Check Content

Security Override Guidance

If an extended support agreement providing security patches for the unsupported product is procured from the vendor, this finding may be downgraded to a CAT III.

Responsibility

System Administrator

IA Controls

VIVM-1

The system must require passwords to contain a minimum of 14 characters.

Finding ID
GEN000580
Rule ID
SV-38936r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000580
CCI
CCI-000205
Target Key
(None)
Documentable
No
Discussion

The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space.

Fix Text

Change the minimum password length to 14 or more. # chsec -f /etc/security/user -s default -a minlen=14 # chuser minlen=14 <user id>

Check Content

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

The system must require that passwords contain at least one special character.

Finding ID
GEN000640
Rule ID
SV-39503r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000640
CCI
CCI-001619
Target Key
(None)
Documentable
No
Discussion

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.

Fix Text

Use the chsec command to set the minother setting to 1. # chsec -f /etc/security/user -s default -a minother=1 # chuser minother=1 < user id >

Check Content

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

The system must require passwords to contain no more than three consecutive repeating characters.

Finding ID
GEN000680
Rule ID
SV-38675r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000680
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

To enforce the use of complex passwords, the number of consecutive repeating characters is limited. Passwords with excessive repeated characters may be more vulnerable to password-guessing attacks.

Fix Text

Use the chsec command to set maxrepeats to 3. # chsec -f /etc/security/user -s default -a maxrepeats=3 # chuser maxrepeats=3 < user id >

Check Content

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

User passwords must be changed at least every 60 days.

Finding ID
GEN000700
Rule ID
SV-38939r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000700
CCI
CCI-000180
Target Key
(None)
Documentable
No
Discussion

Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.

Fix Text

Use the chsec command to set the maxage field to 8 for each user. # chsec -f /etc/security/user -s default -a maxage=8 # chuser maxage=8 < user id >

Check Content

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

All global initialization files must have mode 0644 or less permissive.

Finding ID
GEN001720
Rule ID
SV-38882r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001720
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon.

Fix Text

Change the mode of the global initialization file(s) to 0444. # chmod 0444 <global initialization file>

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

All global initialization files must be owned by root.

Finding ID
GEN001740
Rule ID
SV-38884r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001740
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the ownership of global initialization files with incorrect ownership. Procedure: # chown bin <global initialization files>

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

All global initialization files must be group-owned by sys, bin, system, or security.

Finding ID
GEN001760
Rule ID
SV-38892r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001760
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the group ownership of the global initialization file(s) with incorrect group ownership. Procedure: # chgrp system <global initialization file>

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

All skeleton files and directories (typically in /etc/skel) must be owned by root or bin.

Finding ID
GEN001820
Rule ID
SV-38737r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001820
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the ownership of skeleton files with incorrect mode. # chown root /etc/security/.profile /etc/security/mkuser.sys

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

Process core dumps must be disabled unless needed.

Finding ID
GEN003500
Rule ID
SV-27402r1_rule
Severity
Cat III
CCE
(None)
Group Title
GEN003500
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Process core dumps contain the memory in use by the process when it crashed. Process core dump files can be of significant size and their use can result in file systems filling to capacity, which may result in Denial of Service. Process core dumps can be useful for software debugging.

Fix Text

# chsec -f /etc/security/limits -s default -a core=0

Check Content

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

The system must not forward IPv4 source-routed packets.

Finding ID
GEN003600
Rule ID
SV-38948r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003600
CCI
CCI-001551
Target Key
(None)
Documentable
No
Discussion

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Fix Text

# /usr/sbin/no -po "ipsrcrouteforward=0"

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system's access control program must be configured to grant or deny system access to specific hosts.

Finding ID
GEN006620
Rule ID
SV-41532r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN006620
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.

Fix Text

Edit the /etc/hosts.allow and /etc/hosts.deny files to configure access restrictions.

Check Content

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2, ECSC-1

The SYSTEM attribute must not be set to NONE for any account.

Finding ID
GEN000000-AIX00080
Rule ID
SV-12536r2_rule
Severity
Cat I
CCE
(None)
Group Title
GEN000000-AIX00080
CCI
CCI-000764
Target Key
(None)
Documentable
No
Discussion

The SYSTEM attribute in /etc/security/user defines the mechanisms used to authenticate specific user accounts. If the value is set to NONE, other attributes will be used to determine the authentication mechanisms, but if these attributes are not present, no authentication will be performed. To ensure authentication is always used for the system's accounts, the SYSTEM attribute must always be set to a valid setting other than NONE.

Fix Text

Edit /etc/security/user and change any SYSTEM=NONE settings to a valid authentication setting.

Check Content

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

The system clock must be synchronized continuously, or at least daily.

Finding ID
GEN000241
Rule ID
SV-39091r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000241
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. Internal system clocks tend to drift and require periodic resynchronization to ensure their accuracy. Software, such as ntpd, can be used to continuously synchronize the system clock with authoritative sources. Alternatively, the system may be synchronized periodically, with a maximum of one day between synchronizations. If the system is completely isolated (no connections to networks or other systems), time synchronization is not required as no correlation of events or operation of time-dependent protocols between systems will be necessary. If the system is completely isolated, this requirement is not applicable.

Fix Text

Enable the NTP daemon for continuous synchronization. Edit /etc/rc.tcpip and enable xntpd daemon. Edit /etc/ntp.conf and add the ntp server entry. # startsrc -s xntpd OR Add a daily or more frequent cronjob to perform synchronization using ntpdate. NOTE: While it is possible to run ntpdate from a cron script, it is important to mention that ntpdate with contrived cron scripts is no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing resource use. Finally, since ntpdate polling does not discipline the host clock frequency as does xntpd, the accuracy using ntpdate is limited. The process of passively listening for NTP broadcasts (i.e., placing the line broadcastclient yes in the /etc/ntp.conf file) is preferred over any procedural form of direct server polling for a large network with many nodes needing to be time synchronized. This method is preferred because it significantly reduces the network traffic load related to NTP.

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.

Finding ID
GEN000250
Rule ID
SV-40383r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000250
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system account, unauthorized modifications could result in the failure of time synchronization.

Fix Text

Change the owner of the ntp.conf file. # chown root ntp.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by bin, sys, or system.

Finding ID
GEN000251
Rule ID
SV-39093r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000251
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system group, unauthorized modifications could result in the failure of time synchronization.

Fix Text

Change the group owner of the NTP configuration file. Procedure: # chgrp system /etc/ntp.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.

Finding ID
GEN000252
Rule ID
SV-40384r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000252
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not protected, unauthorized modifications could result in the failure of time synchronization.

Fix Text

Change the mode of the ntp.conf file to 0640 or less permissive. # chmod 0640 /etc/ntp.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The system must enforce the entire password during authentication.

Finding ID
GEN000585
Rule ID
SV-38769r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000585
CCI
CCI-000205
Target Key
(None)
Documentable
No
Discussion

Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password.

Fix Text

Configure the system to enforce the correctness of the entire password during authentication. Configure the system to use sha password hashing. #chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha256

Check Content

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.

Finding ID
GEN000595
Rule ID
SV-38672r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000595
CCI
CCI-000196
Target Key
(None)
Documentable
No
Discussion

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.

Fix Text

Change the passwords for all accounts using non-compliant password hashes. # passwd account OR # smitty passwd (This requires that GEN000590 is already met.)

Check Content

Responsibility

System Administrator

IA Controls

DCNR-1, IAIA-1, IAIA-2

The system must require at least four characters be changed between the old and new passwords during a password change.

Finding ID
GEN000750
Rule ID
SV-38677r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000750
CCI
CCI-000195
Target Key
(None)
Documentable
No
Discussion

To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.

Fix Text

Use the chsec command to change mindiff to 4. # chsec -f /etc/security/user -s default -a mindiff=4 # chuser mindiff=4 < user id >

Check Content

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

The system must prevent the use of dictionary words for passwords.

Finding ID
GEN000790
Rule ID
SV-38678r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000790
CCI
CCI-000189
Target Key
(None)
Documentable
No
Discussion

An easily guessable password provides an open door to any external or internal malicious intruder. Many computer compromises occur as the result of account name and password guessing. This is generally done by someone with an automated script using repeated logon attempts until the correct account and password pair is guessed. Utilities, such as cracklib, can be used to validate that passwords are not dictionary words and meet other criteria during password changes.

Fix Text

Install the default dictionary of words from the 'bos.data' fileset with smitty or installp. # smitty installp #installp bos.data Customize or modify the dictionary in /usr/share/dict/words as necessary. #vi /usr/share/dict/words Add a dictionary list to /etc/security/user file with the chsec command. #chsec -f /etc/security/user -s default -a dictionlist=/usr/share/dict/words

Check Content

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

The system must restrict the ability to switch to the root user to members of a defined group.

Finding ID
GEN000850
Rule ID
SV-38680r1_rule
Severity
Cat III
CCE
(None)
Group Title
GEN000850
CCI
CCI-000009
Target Key
(None)
Documentable
No
Discussion

Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials.

Fix Text

Use the chsec command to only allow users in the adm group to su to root. #chsec -f /etc/security/user -s root -a sugroups=adm

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The root account's library search path must be the system default and must contain only absolute paths.

Finding ID
GEN000945
Rule ID
SV-38770r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000945
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The library search path environment variable(s) contains a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.

Fix Text

Edit the root user's initialization files and remove any definition of LD_LIBRARY_PATH and LIBPATH.

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The root account's list of preloaded libraries must be empty.

Finding ID
GEN000950
Rule ID
SV-38772r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000950
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries. Paths starting with (/) are absolute paths.

Fix Text

Edit the root user's initialization files and remove any definition of LDR_PRELOAD.

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The /etc/resolv.conf file must be owned by root.

Finding ID
GEN001362
Rule ID
SV-26395r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001362
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.

Fix Text

Change the owner of the /etc/resolv.conf file to root. # chown root /etc/resolv.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/resolv.conf file must be group-owned by bin, sys, or system.

Finding ID
GEN001363
Rule ID
SV-39099r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001363
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.

Fix Text

Change the group owner of the /etc/resolv.conf file to bin, sys, or system. Procedure: # chgrp system /etc/resolv.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/resolv.conf file must have mode 0644 or less permissive.

Finding ID
GEN001364
Rule ID
SV-26397r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001364
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.

Fix Text

Change the mode of the /etc/resolv.conf file to 0644 or less permissive. # chmod 0644 /etc/resolv.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/hosts file must be owned by root.

Finding ID
GEN001366
Rule ID
SV-26410r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001366
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.

Fix Text

Change the owner of the /etc/hosts file to root. # chown root /etc/hosts

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/hosts file must be group-owned by bin, sys, or system.

Finding ID
GEN001367
Rule ID
SV-39100r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001367
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.

Fix Text

Change the group owner of the /etc/hosts file to sys, bin, or system. Procedure: # chgrp system /etc/hosts

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/hosts file must have mode 0644 or less permissive.

Finding ID
GEN001368
Rule ID
SV-26412r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001368
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.

Fix Text

Change the mode of the /etc/hosts file to 0644 or less permissive. # chmod 0644 /etc/hosts

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/passwd file must be owned by root.

Finding ID
GEN001378
Rule ID
SV-26425r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001378
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.

Fix Text

Change the owner of the /etc/passwd file to root. # chown root /etc/passwd

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/passwd file must be group-owned by bin, security, sys, or system.

Finding ID
GEN001379
Rule ID
SV-38723r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001379
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.

Fix Text

Change the group owner of the /etc/passwd file to security, bin, sys, or system. Procedure: # chgrp security /etc/passwd

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/group file must be owned by root.

Finding ID
GEN001391
Rule ID
SV-26431r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001391
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/group file is critical to system security and must be owned by a privileged user. The group file contains a list of system groups and associated information.

Fix Text

Change the owner of the /etc/group file to root. # chown root /etc/group

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/group file must be group-owned by security, bin, sys, or system.

Finding ID
GEN001392
Rule ID
SV-38725r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001392
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.

Fix Text

Change the group owner of the /etc/group file to security, bin, sys, or system. # chgrp security /etc/group

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/group file must have mode 0644 or less permissive.

Finding ID
GEN001393
Rule ID
SV-26433r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001393
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.

Fix Text

Change the mode of the /etc/group file to 0644 or less permissive. # chmod 0644 /etc/group

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/security/passwd file must be group-owned by security, bin, sys, or system.

Finding ID
GEN001410
Rule ID
SV-38727r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001410
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/security/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which must not be accessible to users other than root.

Fix Text

Change the group owner of the /etc/security/passwd file to security, bin, sys, or system. Procedure: # chgrp security /etc/security/passwd

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/group file must not contain any group password hashes.

Finding ID
GEN001475
Rule ID
SV-26447r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001475
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Group passwords are typically shared and should not be used. Additionally, if password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes.

Fix Text

Edit /etc/group and change the password field to an exclamation point (!) to lock the group password.

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

All skeleton files (typically in /etc/skel) must be group-owned by security.

Finding ID
GEN001830
Rule ID
SV-38738r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN001830
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the skeleton files are not protected, unauthorized personnel could change user start-up parameters and possibly jeopardize user files.

Fix Text

Change the group owner of the skeleton file to security. Procedure: # chgrp security /etc/security/.profile /etc/security/mkuser.sys

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The cron.allow file must be group-owned by system, bin, sys, or cron.

Finding ID
GEN003250
Rule ID
SV-39346r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003250
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the group of the cron.allow is not set to system, bin, sys, or cron, the possibility exists for an unauthorized user to view or edit the list of users permitted to use cron. Unauthorized modification of this file could cause Denial of Service to authorized cron users or provide unauthorized users with the ability to run cron jobs.

Fix Text

Change the group owner of the cron.allow file to bin, sys, system, or cron. Procedure: # chgrp cron /var/adm/cron/cron.allow

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The at.deny file must have mode 0640 or less permissive.

Finding ID
GEN003252
Rule ID
SV-38787r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003252
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The at daemon control files restrict access to scheduled job manipulation and must be protected. Unauthorized modification of the at.deny file could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.

Fix Text

Change the mode of the at.deny file to 0640. # chmod 0640 /var/adm/cron/at.deny

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The cron.deny file must be group-owned by system, bin, sys, or cron.

Finding ID
GEN003270
Rule ID
SV-38789r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003270
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Cron daemon control files restrict the scheduling of automated tasks and must be protected. Unauthorized modification of the cron.deny file could result in Denial of Service to authorized cron users or could provide unauthorized users with the ability to run cron jobs.

Fix Text

Change the group owner of the cron.deny file to sys, system, bin, or cron. Procedure: # chgrp cron /var/adm/cron/cron.deny

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The "at" directory must be group-owned by system, bin, sys, or cron.

Finding ID
GEN003430
Rule ID
SV-39352r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003430
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the group of the "at" directory is not system, bin, sys, or cron, unauthorized users could be allowed to view or edit files containing sensitive information within the directory.

Fix Text

Change the group ownership of the file to bin, sys, system, or cron. Procedure: # chgrp cron /var/spool/cron/atjobs

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The at.allow file must be group-owned by system, bin, sys, or cron.

Finding ID
GEN003470
Rule ID
SV-39354r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003470
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the group-owner of the at.allow file is not set to system, bin, sys, or cron, unauthorized users could be allowed to view or edit the list of users permitted to run at jobs. Unauthorized modification could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.

Fix Text

Change the group owner of the at.allow file to sys, system, bin, or cron. Procedure: # chgrp cron /var/adm/cron/at.allow

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The at.deny file must be group-owned by system, bin, sys, or cron.

Finding ID
GEN003490
Rule ID
SV-39356r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003490
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the group owner of the at.deny file is not set to system, bin, sys, or cron, unauthorized users could be allowed to view or edit sensitive information contained within the file. Unauthorized modification could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.

Fix Text

Change the group owner of the at.deny file to bin, sys, system, or cron. Procedure: # chgrp cron /var/adm/cron/at.deny

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The system must prevent local applications from generating source-routed packets.

Finding ID
GEN003606
Rule ID
SV-38949r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003606
CCI
CCI-001551
Target Key
(None)
Documentable
No
Discussion

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.

Fix Text

# /usr/sbin/no -po "ipsrcroutesend=0"

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not accept source-routed IPv4 packets.

Finding ID
GEN003607
Rule ID
SV-38800r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003607
CCI
CCI-001551
Target Key
(None)
Documentable
No
Discussion

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a router

Fix Text

Configure the system to not accept source-routed IPv4 packets. #/usr/sbin/no -p -o ipsrcrouterecv=0

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must ignore IPv4 ICMP redirect messages.

Finding ID
GEN003609
Rule ID
SV-38801r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003609
CCI
CCI-001551
Target Key
(None)
Documentable
No
Discussion

ICMP redirect messages are used by routers to inform hosts a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Fix Text

Configure the system to ignore IPv4 ICMP redirect messages. #/usr/sbin/no -p -o ipignoreredirects=1

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not send IPv4 ICMP redirects.

Finding ID
GEN003610
Rule ID
SV-38802r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003610
CCI
CCI-001551
Target Key
(None)
Documentable
No
Discussion

ICMP redirect messages are used by routers to inform hosts a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.

Fix Text

#/usr/sbin/no -p -o ipsendredirects=0

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.

Finding ID
GEN003612
Rule ID
SV-38803r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003612
CCI
CCI-001092
Target Key
(None)
Documentable
No
Discussion

A TCP SYN flood attack can cause Denial of Service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies are a mechanism used to not track a connection until a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This technique does not operate in a fully standards-compliant manner, but is only activated when a flood condition is detected, and allows defense of the system while continuing to service valid requests.

Fix Text

#/usr/sbin/no -p -o clean_partial_conns=1

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by bin, sys, or system.

Finding ID
GEN003730
Rule ID
SV-40385r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003730
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.

Fix Text

Change the group ownership of the inetd configuration file. Procedure: # chgrp system /etc/inetd.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The services file must be group-owned by bin, sys, or system.

Finding ID
GEN003770
Rule ID
SV-39112r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003770
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Failure to give ownership of system configuration files to root or a system group provides the designated owner and unauthorized users with the potential to change the system configuration which could weaken the system's security posture.

Fix Text

Change the group owner of the services file. Procedure: # chgrp system /etc/services

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The portmap or rpcbind service must not be installed unless needed.

Finding ID
GEN003815
Rule ID
SV-38952r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003815
CCI
CCI-000305
Target Key
(None)
Documentable
No
Discussion

The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using Remote Procedure Calls (RPCs).

Fix Text

If the portmap or rpcbind service is part of a removable package, consult vendor documentation for the procedure to remove the package. If the service cannot be removed, prevent service activation by removing all permissions from the executable. Procedure: # chmod 0000 /usr/sbin/portmap

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The rlogind service must not be running.

Finding ID
GEN003830
Rule ID
SV-38876r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003830
CCI
CCI-000068
Target Key
(None)
Documentable
No
Discussion

The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.

Fix Text

Disable the rlogind service out of the '/etc/inetd.conf' file. # vi /etc/inetd.conf Comment out the rlogind service. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

DCPP-1

The hosts.lpd (or equivalent) file must be group-owned by bin, sys, or system.

Finding ID
GEN003930
Rule ID
SV-39875r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003930
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Failure to give group ownership of the hosts.lpd file to bin, sys, or system provides the members of the owning group and possible unauthorized users, with the potential to modify the hosts.lpd file. Unauthorized modifications could disrupt access to local printers from authorized remote hosts or permit unauthorized remote access to local printers.

Fix Text

Change the group owner of the hosts.lpd file. Procedure: # chgrp sys /etc/hosts.lpd

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The aliases file must be group-owned by sys, bin, or system.

Finding ID
GEN004370
Rule ID
SV-40683r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN004370
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the alias file is not group-owned by a system group, an unauthorized user may modify the file to add aliases to run malicious code or redirect e-mail.

Fix Text

Change the group owner of the /etc/mail/aliases file. Procedure: # chgrp system /etc/mail/aliases

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The ftpusers file must be group-owned by bin, sys, or system.

Finding ID
GEN004930
Rule ID
SV-39180r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN004930
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If the ftpusers file is not group-owned by a system group, an unauthorized user may modify the file to allow unauthorized accounts to use FTP.

Fix Text

Change the group owner of the ftpusers file. Procedure: # chgrp system /etc/ftpusers

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/syslog.conf file must have mode 0640 or less permissive.

Finding ID
GEN005390
Rule ID
SV-26740r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005390
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file.

Fix Text

Change the permissions of the syslog configuration file. # chmod 0640 /etc/syslog.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The SSH client must be configured to not use CBC-based ciphers.

Finding ID
GEN005511
Rule ID
SV-26755r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005511
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.

Fix Text

Edit /etc/ssh/ssh_config and add or edit the "Ciphers" line. Only include ciphers that start with "3des" or "aes" and do not contain "cbc". For the list of available ciphers for the particular version of your software, consult the ssh_config manpage.

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

Finding ID
GEN005512
Rule ID
SV-26756r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005512
CCI
CCI-001453
Target Key
(None)
Documentable
No
Discussion

DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.

Fix Text

Edit the SSH client configuration and remove any MACs other than hmac-sha1. If necessary, add a MACs line.

Check Content

Responsibility

System Administrator

IA Controls

DCNR-1

The SSH daemon must restrict login ability to specific users and/or groups.

Finding ID
GEN005521
Rule ID
SV-26763r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005521
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access.

Fix Text

Edit the SSH daemon configuration and add an AllowGroups directive.

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The SSH public host key files must have mode 0644 or less permissive.

Finding ID
GEN005522
Rule ID
SV-26764r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005522
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Fix Text

Change the permissions for the SSH public host key files. # chmod 0644 /etc/ssh/*key.pub

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The SSH private host key files must have mode 0600 or less permissive.

Finding ID
GEN005523
Rule ID
SV-26765r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005523
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Fix Text

Change the permissions for the SSH private host key files. # chmod 0600 /etc/ssh/*key

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The SSH daemon must not permit GSSAPI authentication unless needed.

Finding ID
GEN005524
Rule ID
SV-40714r1_rule
Severity
Cat III
CCE
(None)
Group Title
GEN005524
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.

Fix Text

Edit /etc/ssh/sshd_config and remove the GSSAPIAuthentication setting or change the value to "no".

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The SSH client must not permit GSSAPI authentication unless needed.

Finding ID
GEN005525
Rule ID
SV-40715r1_rule
Severity
Cat III
CCE
(None)
Group Title
GEN005525
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.

Fix Text

Edit the /etc/ssh/ssh_config file and remove the GSSAPIAuthentication setting or change the GSSAPIAuthentication setting to "no".

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The SSH daemon must not permit Kerberos authentication unless needed.

Finding ID
GEN005526
Rule ID
SV-40716r1_rule
Severity
Cat III
CCE
(None)
Group Title
GEN005526
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.

Fix Text

Edit the /etc/ssh/sshd_config file and remove the KerberosAuthentication setting or change the value of the setting to "no".

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The SSH daemon must perform strict mode checking of home directory configuration files.

Finding ID
GEN005536
Rule ID
SV-40720r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005536
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

Fix Text

Edit the /etc/sshd/sshd_config file and remove the StrictModes setting or change the value of the StrictModes setting to "yes".

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The SSH daemon must use privilege separation.

Finding ID
GEN005537
Rule ID
SV-40721r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005537
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.

Fix Text

Edit the /etc/ssh/sshd_config file and remove the UsePrivilegeSeparation setting or change the value of the UsePrivilegeSeparation setting to "yes".

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The SSH daemon must not allow rhosts RSA authentication.

Finding ID
GEN005538
Rule ID
SV-40722r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005538
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific authentication.

Fix Text

Edit the /etc/ssh/sshd_config file and remove the RhostsRSAAuthentication setting or change the value of the RhostsRSAAuthentication setting to "no".

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The SSH daemon must not allow compression or must only allow compression after successful authentication.

Finding ID
GEN005539
Rule ID
SV-40723r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN005539
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.

Fix Text

Edit the /etc/ssh/sshd_config file and remove the Compression setting or set the Compression setting to "delayed" or "no".

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The DHCP client must be disabled if not needed.

Finding ID
GEN007840
Rule ID
SV-38931r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN007840
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

DHCP allows for the unauthenticated configuration of network parameters on the system by exchanging information with a DHCP server.

Fix Text

Disable the system's DHCP client. Edit /etc/rc.tcpip, comment out the line starting dhcpcd. Reboot the system to ensure the DHCP client has been disabled fully. Configure a static IP for the system, if network connectivity is required.

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The DHCP client must not send dynamic DNS updates.

Finding ID
GEN007850
Rule ID
SV-38963r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN007850
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.

Fix Text

Configure the system's DHCP client to not send dynamic DNS updates. Remove / comment updateDNS lines from the /etc/dhcpcd.ini and /etc/dhcpc.opt files.

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must ignore IPv6 ICMP redirect messages.

Finding ID
GEN007860
Rule ID
SV-38825r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN007860
CCI
CCI-001551
Target Key
(None)
Documentable
No
Discussion

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Fix Text

Configure the system to ignore IPv6 ICMP redirect messages. # /usr/sbin/no -p -o ipignoreredirects=1

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not send IPv6 ICMP redirects.

Finding ID
GEN007880
Rule ID
SV-38826r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN007880
CCI
CCI-001551
Target Key
(None)
Documentable
No
Discussion

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table that could reveal portions of the network topology.

Fix Text

Configure the system to not send IPv6 ICMP redirects. # /usr/sbin/no -p -o ipsendredirects=0

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not forward IPv6 source-routed packets.

Finding ID
GEN007920
Rule ID
SV-38827r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN007920
CCI
CCI-001551
Target Key
(None)
Documentable
No
Discussion

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Fix Text

Configure the system so it does not forward IPv6 source-routed packets. # /usr/sbin/no -p -o ip6srcrouteforward=0

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not accept source-routed IPv6 packets.

Finding ID
GEN007940
Rule ID
SV-38828r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN007940
CCI
CCI-001551
Target Key
(None)
Documentable
No
Discussion

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Fix Text

Configure the system to not accept source-routed IPv6 packets. # /usr/sbin/no -p -o ipsrcrouterecv=0

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

If the system is using LDAP for authentication or account information the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.

Finding ID
GEN008060
Rule ID
SV-38969r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN008060
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.

Fix Text

Change the permissions of the /etc/security/ldap/ldap.cfg file to 0644 or less permissive. # chmod 0644 /etc/security/ldap/ldap.cfg

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.

Finding ID
GEN008080
Rule ID
SV-38970r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN008080
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.

Fix Text

Change the owner of the /etc/security/ldap/ldap.cfg file. # chown root /etc/security/ldap/ldap.cfg

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by security, bin, sys, or system.

Finding ID
GEN008100
Rule ID
SV-38971r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN008100
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.

Fix Text

Change the group owner of the /etc/security/ldap/ldap.cfg file to security, bin, sys, or system. Procedure: # chgrp security /etc/security/ldap/ldap.cfg

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.

Finding ID
GEN000410
Rule ID
SV-38934r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000410
CCI
CCI-000048
Target Key
(None)
Documentable
No
Discussion

Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. NOTE: SFTP and FTPS are encrypted alternatives to FTP and should be used in place of FTP. SFTP is implemented by the SSH service and uses its banner configuration.

Fix Text

Configure the system to display one of the DoD login banners (based on the character limitations imposed by the system) prior to any FTP login attempt. Add a banner file to the system with the DoD login banner. #vi /etc/herald <Add DoD banner to file> #chmod 644 /etc/herald #chown root:system /etc/herald Add a herald line to the /etc/ftpaccess.ctl file. #vi /etc/ftpaccess.ctl <add/update line in /etc/ftpaccess.ctl> herald: /etc/herald #chown root:system /etc/ftpaccess.ctl #chmod 640 /etc/ftpaccess.ctl DoD Login Banners: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." OR "I've read & consent to terms in IS user agreem't."

Check Content

Responsibility

System Administrator

IA Controls

ECWM-1

TCP backlog queue sizes must be set appropriately.

Finding ID
GEN003601
Rule ID
SV-38796r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN003601
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

To provide some mitigation to TCP DoS attacks, the clear_partial_conns parameter must be enabled.

Fix Text

# /usr/sbin/no -po clean_partial_conns=1

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The telnet daemon must not be running.

Finding ID
GEN003850
Rule ID
SV-38953r1_rule
Severity
Cat I
CCE
(None)
Group Title
GEN003850
CCI
CCI-000197
Target Key
(None)
Documentable
No
Discussion

The telnet daemon provides a typically unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised.

Fix Text

Edit the /etc/inetd.conf file and comment out the telnet line. Reload the inetd process. # refresh -s inetd

Check Content

Responsibility

System Administrator

Mitigations

GEN003850

Mitigation Control

If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated, and this is not a finding.

IA Controls

DCPP-1

The /etc/netsvc.conf file must be root owned.

Finding ID
GEN000000-AIX0085
Rule ID
SV-38695r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0085
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/netsvc.conf file is used to specify the ordering of name resolution for the sendmail command, alias resolution for the sendmail command, and host name resolution routines. Malicious changes could prevent the system from functioning correctly or compromise system security.

Fix Text

Change the owner of the /etc/netsvc.conf file to root. # chown root /etc/netsvc.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/netsvc.conf file must be group-owned by bin, sys, or system.

Finding ID
GEN000000-AIX0090
Rule ID
SV-38696r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0090
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/netsvc.conf file is used to specify the ordering of name resolution for the sendmail command, alias resolution for the sendmail command, and host name resolution routines. Malicious changes could prevent the system from functioning correctly or compromise system security.

Fix Text

Change the group owner of the /etc/netsvc.conf file to bin, sys, or system. Procedure: # chgrp system /etc/netsvc.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/netsvc.conf file must have mode 0644 or less permissive.

Finding ID
GEN000000-AIX0100
Rule ID
SV-38697r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0100
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

The /etc/netsvc.conf file is used to specify the ordering of name resolution for the sendmail command, alias resolution for the sendmail command, and host name resolution routines. Malicious changes could prevent the system from functioning correctly or compromise system security.

Fix Text

Change the mode of the /etc/netsvc.conf file to 0644 or less permissive. # chmod 0644 /etc/netsvc.conf

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The system must not allow directed broadcasts to gateway.

Finding ID
GEN000000-AIX0200
Rule ID
SV-38699r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0200
CCI
CCI-000032
Target Key
(None)
Documentable
No
Discussion

Disabling directed broadcast prevents packets directed to a gateway to be broadcasted on a remote network.

Fix Text

Configure directed_broadcast to 0. # /usr/sbin/no -p -o directed_broadcast=0

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections.

Finding ID
GEN000000-AIX0210
Rule ID
SV-38700r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0210
CCI
CCI-000032
Target Key
(None)
Documentable
No
Discussion

The ICMP attacks may be of the form of ICMP source quench attacks and Path MTU Discovery (PMTUD) attacks. If this network option tcp_icmpsecure is turned on, the system does not react to ICMP source quench messages. This will protect against ICMP source quench attacks. The payload of the ICMP message is tested to determine if the sequence number of the TCP header portion of the payload is within the range of acceptable sequence numbers. This will mitigate PMTUD attacks to a large extent.

Fix Text

Set the tcp_icmpsecure parameter to 1. # /usr/sbin/no -p -o tcp_icmpsecure=1

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must provide protection for the TCP stack against connection resets, SYN, and data injection attacks.

Finding ID
GEN000000-AIX0220
Rule ID
SV-38701r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0220
CCI
CCI-000032
Target Key
(None)
Documentable
No
Discussion

The tcp_tcpsecure parameter provides protection for TCP connections from fake SYN's, fake RST, and data injections on established connections. The first vulnerability involves sending a fake SYN to an established connection to abort the connection. The second vulnerability involves sending a fake RST to an established connection to abort the connection. The third vulnerability involves injecting fake data in an established TCP connection.

Fix Text

Set the tcp_tcpsecure parameter to 7. # /usr/sbin/no -p -o tcp_tcpsecure=7

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must provide protection against IP fragmentation attacks.

Finding ID
GEN000000-AIX0230
Rule ID
SV-38702r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0230
CCI
CCI-000032
Target Key
(None)
Documentable
No
Discussion

The parameter ip_nfrag provides an additional layer of protection against IP fragmentation attacks. The value the ip_nfrag specifies is the maximum number of fragments of an IP packet that can be kept in the IP reassembly queue at any time. The default value of this network option is 200. This is a reasonable value for most environments and offers protection from IP fragmentation attacks.

Fix Text

Set the ip_nfrag parameter to 200. # /usr/sbin/no -p -o ip_nfrag=200

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the bootp service active.

Finding ID
GEN000000-AIX0300
Rule ID
SV-38703r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0300
CCI
CCI-000032
Target Key
(None)
Documentable
No
Discussion

The bootp service is used for Network Installation Management (NIM) and remote booting of systems. The bootp service should not be active unless it is needed for NIM servers or booting remote systems. Running unnecessary services increases the attack vector of the system.

Fix Text

Disable the bootp service from /etc/inetd.conf. Edit /etc/inetd.conf and comment out bootp service line. Restart the inetd service. #refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the chargen service active.

Finding ID
GEN009140
Rule ID
SV-38704r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009140
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

When contacted, chargen responds with some random characters. When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. An easy attack is 'ping-pong' in which an attacker spoofs a packet between two machines running chargen. This will cause them to spew characters at each other, slowing the machines down and saturating the network. The chargen service is unnecessary and provides an opportunity for Denial of Service attack.

Fix Text

Edit /etc/inetd.conf and comment out the chargen service line for both udp and tcp protocols. Restart the inetd service. #refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the Calendar Manager Service Daemon (CMSD) service active.

Finding ID
GEN009160
Rule ID
SV-38705r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009160
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The CMSD service for CDE is an unnecessary process that runs a root and increases attack vector of the system. Buffer overflow attacks against the CMSD process can potentially give access to the system.

Fix Text

Edit /etc/inetd.conf and comment out the CMSD service. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the tool-talk database server (ttdbserver) service active.

Finding ID
GEN009180
Rule ID
SV-38706r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009180
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The ttdbserver service for CDE is an unnecessary service that runs as root and might be compromised.

Fix Text

Edit /etc/inetd.conf and comment out ttdbserver service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the comsat service active.

Finding ID
GEN009190
Rule ID
SV-38707r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009190
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The comsat daemon notifies users on incoming email. This is an unnecessary service and is vulnerable to a flood attack. Running unnecessary services increases the attack vector of the system.

Fix Text

Edit /etc/inetd.conf and comment out comsat service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the daytime service active.

Finding ID
GEN009200
Rule ID
SV-38708r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009200
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The daytime service runs as root from the inetd daemon and can provide an opportunity for Denial of Service PING or PING-PONG attacks. The daytime service is unnecessary and it increases the attack vector of the system.

Fix Text

Edit /etc/inetd.conf and comment out daytime service lines for both TCP and UDP protocols. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the discard service active.

Finding ID
GEN009210
Rule ID
SV-38709r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009210
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The discard service runs as root from the inetd server and can be used in Denial of Service attacks. The discard service is unnecessary and it increases the attack vector of the system.

Fix Text

Edit /etc/inetd.conf and comment out the discard service line for both TCP and UDP protocols. Restart the inetd service. #refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the dtspc service active.

Finding ID
GEN009220
Rule ID
SV-38710r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009220
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

This service is started automatically by the inetd daemon with root permission in response to a CDE client requesting a process to be started on the daemon’s host system. Running the dtscp service is unnecessary and it increases the attack vector of the system.

Fix Text

Edit /etc/inetd.conf and comment out dtspc service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the echo service active.

Finding ID
GEN009230
Rule ID
SV-38711r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009230
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The echo service can be used in Denial of Service or SMURF attacks. It can also used at someone else to get through a firewall or start a data storm. The echo service is unnecessary and it increases the attack vector of the system.

Fix Text

Edit /etc/inetd.conf and comment out the echo service lines for both TCP and UDP. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have Internet Message Access Protocol (IMAP) service active.

Finding ID
GEN009240
Rule ID
SV-38712r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009240
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The IMAP service should not be running unless the system is acting as a mail server for client connections. Running unnecessary services increases the attack vector on the system.

Fix Text

Edit /etc/inetd.conf and comment out the imap2 service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the PostOffice Protocol (POP3) service active.

Finding ID
GEN009250
Rule ID
SV-38713r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009250
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The POP3 service is only needed if the server is acting as a mail server and clients are using applications that only support POP3. Users' ids and passwords are sent in plain text to the POP3 service. If mail client access is needed, consider using IMAP or SSL enabled POP3.

Fix Text

Edit /etc/inetd.conf and comment out POP3 the service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the talk or ntalk services active.

Finding ID
GEN009260
Rule ID
SV-38714r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009260
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The talk and ntalk commands allow users on the same or different systems on converse. The talk daemons are started from the inetd process and run as root. These unnecessary processes increase the attack vector of the system and may cause Denial of Service by scrambling the users display.

Fix Text

Edit /etc/inetd.conf and comment out TCP and UDP for the talk service. Edit /etc/inetd.conf and comment out TCP and UDP for the ntalk service. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the netstat service active on the inetd process.

Finding ID
GEN009270
Rule ID
SV-38715r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009270
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The netstat service can potentially give out network information on active connections if it is running. The information given out can aid in an attack and weaken the systems defensive posture.

Fix Text

Edit /etc/inetd.conf and comment out the netstat service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the PCNFS service active.

Finding ID
GEN009280
Rule ID
SV-38716r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009280
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The PCNFS service predates Microsoft’s SMB specifications. If a similar service is needed to share files from a Windows based OS to a UNIX based OS, consider SAMBA.

Fix Text

Edit /etc/inetd.conf and comment out the PCNFS service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the systat service active.

Finding ID
GEN009290
Rule ID
SV-38717r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009290
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The systat daemon allows remote users to see the running process and who is running them. This may aid in information collection for an attack and weaken the security posture of the system.

Fix Text

Edit /etc/inetd.conf and comment out systat the service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The inetd time service must not be active on the system on the inetd daemon.

Finding ID
GEN009300
Rule ID
SV-38718r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009300
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The time service is an internal inetd function is used by the rdate command. This service is sometimes used to synchronize clocks at boot time. The service is outdated. Use the ntpdate command instead.

Fix Text

Edit the /etc/inetd.conf file and comment out the time service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the rusersd service active.

Finding ID
GEN009310
Rule ID
SV-38719r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009310
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The rusersd daemon gives out a list of current uses on the system. The rusersd daemon is unnecessary and it increases the attack vector of the system by providing information on the current users of the system.

Fix Text

Edit the /etc/inetd.conf file and comment out the rusersd service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the sprayd service active.

Finding ID
GEN009320
Rule ID
SV-38720r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009320
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The sprayd service is sometimes used for network and nfs troubleshooting. The spray service can be used for both buffer overflow and Denial of Service attacks by saturating the network. The sprayd daemon is an unnecessary service.

Fix Text

Edit the /etc/inetd.conf file and comment out the sprayd service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The system must not have the rstatd service active.

Finding ID
GEN009330
Rule ID
SV-38721r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN009330
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

The rstatd can give out information on the running system, such as the CPU usage, the system uptime, its network usage, and other system information that could potentially aid in an attack. The rstatd service is unnecessary and it weakens the defensive posture of the system. If systems monitoring is needed, use a third party tool or SNMP.

Fix Text

Edit the /etc/inetd.conf file and comment out the rstatd service line. Restart the inetd service. # refresh -s inetd

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The /etc/ftpaccess.ctl file must exist.

Finding ID
GEN000000-AIX0310
Rule ID
SV-38750r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0310
CCI
CCI-000032
Target Key
(None)
Documentable
No
Discussion

The ftpaccess.ctl file contains options for the ftp daemon, such as herald, motd, user access, and permissions to files and directories. If the ftpaccess.ctl file does not exist, the ftpd process will not display any warning banners, and permissions will only be enforced using basic UNIX permissions.

Fix Text

Create a /etc/ftpaccess.ctl file. #touch /etc/ftpaccess.ctl Add at least the herald: /path to login banner to the /etc/ftpaccess.ctl file. #vi /etc/ftpaccess.ctl

Check Content

Responsibility

System Administrator

IA Controls

ECSC-1

The /etc/ftpaccess.ctl file must be owned by root.

Finding ID
GEN000000-AIX0320
Rule ID
SV-38751r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0320
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

If the ftpaccess.ctl file is not owned by root, an unauthorized user may modify the file to allow unauthorized access to change the file. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized access to system information.

Fix Text

Change the owner of the ftpaccess.ctl file to root. # chown root /etc/ftpaccess.ctl

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/ftpaccess.ctl file must be group-owned by bin, sys, or system.

Finding ID
GEN000000-AIX0330
Rule ID
SV-38752r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0330
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

If the ftpaccess.ctl file is not group-owned by a system group, an unauthorized user may modify the file to allow unauthorized access to modify the file. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized access to system information.

Fix Text

Change the group owner of the /etc/ftpaccess.ctl file. # chgrp system /etc/ftpaccess.ctl

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1

The /etc/ftpaccess.ctl file must have mode 0640 or less permissive.

Finding ID
GEN000000-AIX0340
Rule ID
SV-38753r1_rule
Severity
Cat II
CCE
(None)
Group Title
GEN000000-AIX0340
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Excessive permissions on the ftpaccess.ctl file could permit unauthorized modification. Unauthorized modification could result in Denial of Service to authorized FTP users or permit unauthorized access to system information.

Fix Text

Change the mode of the /etc/ftpaccess.ctl file to 0640. # chmod 0640 /etc/ftpaccess.ctl

Check Content

Responsibility

System Administrator

IA Controls

ECLP-1