#
# (C) 2014 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_5_SLA_and_Subscription_Agreement.pdf
# http://static.tenable.com/prod_docs/Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.1 $
# $Date: 2014/07/22 14:54:51 $
#
# Description : This .audit file is written against the Center for Internet Security Configuration Benchmark For AIX 7.1 v1.1.0.
#
# https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf
#
# NOTE : Some queries in this .audit require site-specific data to be known to the query in order to function properly.
# Please note the following queries and edit their values accordingly.
#
# 4.11.20 - Account running scan must be able to su to root to access root's PATH.
# 4.12.19 - Account running scan must be able to su to root to access root's PATH.
#
#
#CIS IBM AIX 7.1 Benchmark v1.1.0 Level 1
#
system : "AIX"
type : CMD_EXEC
description : "AIX Version 7, Release 1 or greater, found"
cmd : "/usr/bin/uname -svr"
expect : "^AIX [1-9][0-9]* 7[\\s]*$"
dont_echo_cmd : YES
description : "CIS AIX 7.1 Benchmark v1.1.0 Level 1"
info : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf
This audit checks the testable level 1 guidance in the CIS IBM AIX 7.1 Benchmark document.
Level-I Benchmark recommendations are intended to:
o be practical and prudent,
o provide a clear security benefit
o not inhibit the utility of the technology beyond acceptable means.
NOTE : Please read the .audit header before running a compliance scan. Please review the header notes as some queries may not behave as anticipated due to unique environmental variables that may be present on your system(s).
Thank you.
Tenable Network Security, Inc."
##
## 3.1 - AIX Security Expert - Password Policy
##
system : "AIX"
type : CMD_EXEC
description : "3.1.1 /etc/security/user - mindiff"
info : "Defines the minimum number of characters that are required in a new password which were not in the old password.
In setting the mindiff attribute, it ensures that users are not able to reuse the same or similar passwords."
solution : "In /etc/security/user, set the default user stanza mindiff attribute to be greater than or equal to 4-
chsec -f /etc/security/user -s default -a mindiff=4
This means that when a user password is set it needs to comprise of at least 4 characters not present in the previous password."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-3,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.3,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a mindiff"
expect : "^default[\\s]+mindiff[\\s]*=[\\s]*([4-9]|[1-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.2 /etc/security/user - minage"
info : "Defines the minimum number of weeks before a password can be changed.
In setting the minage attribute, it prohibits users changing their password until a set number of weeks have passed."
solution : "In /etc/security/user, set the default user stanza minage attribute to 1-
chsec -f /etc/security/user -s default -a minage=1
This means that a user cannot change their password until at least a week after being set."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-9,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.4,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minage"
expect : "^default[\\s]+minage[\\s]*=[\\s]*[1-9][\\s]*$"
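system : "AIX"
type : CMD_EXEC
description : "3.1.4 /etc/security/user - minlen"
info : "Defines the minimum length of a password.
In setting the minlen attribute, it ensures that passwords meet the required length criteria."
solution : "In /etc/security/user, set the default user stanza minlen attribute to be greater than or equal to 14-
chsec -f /etc/security/user -s default -a minlen=14
This means that all user passwords must be at least 14 characters in length. NOTE- If a password length greater than 8 is required, an enhanced password hashing algorithm must be selected (see 3.1.15 pwd_algorithm). The default crypt algorithm only supports 8 character passwords."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-3,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.3,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minlen"
# Pass only for minlen >= 14: 14-19 explicitly, then 20-99, then 100+.
# A generic two-digit branch ([1-9][0-9]+) would also accept 10-13 and must not be used.
expect : "^default[\\s]+minlen[\\s]*=[\\s]*(1[4-9]|[2-9][0-9]|[1-9][0-9][0-9]+)[\\s]*$"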
system : "AIX"
type : CMD_EXEC
description : "3.1.5 /etc/security/user - minalpha"
info : "Defines the minimum number of alphabetic characters in a password.
In setting the minalpha attribute, it ensures that passwords have a minimum number of alphabetic characters."
solution : "In /etc/security/user, set the default user stanza minalpha attribute to be greater than or equal to 2-
chsec -f /etc/security/user -s default -a minalpha=2
This means that there must be at least 2 alphabetic characters within a user password."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-3,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.3,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minalpha"
expect : "^default[\\s]+minalpha[\\s]*=[\\s]*([2-9]|[1-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.6 /etc/security/user - minother"
info : "Defines the number of characters within a password which must be non-alphabetic.
In setting the minother attribute, it increases password complexity by enforcing the use of non-alphabetic characters in every user password."
solution : "In /etc/security/user, set the default user stanza minother attribute to be greater than or equal to 2-
chsec -f /etc/security/user -s default -a minother=2
This means that there must be at least 2 non-alphabetic characters within a user password."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-3,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.3,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minother"
expect : "^default[\\s]+minother[\\s]*=[\\s]*([2-9]|[1-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.7 /etc/security/user - maxrepeats"
info : "Defines the maximum number of times a character may appear in a password.
In setting the maxrepeats attribute, it enforces a maximum number of character repeats within a password."
solution : "In /etc/security/user, set the default user stanza maxrepeats attribute to 2-
chsec -f /etc/security/user -s default -a maxrepeats=2
This means that a user may not use the same character more than twice in a password."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-9,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.5,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a maxrepeats"
expect : "^default[\\s]+maxrepeats[\\s]*=[\\s]*[12][\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.8 /etc/security/user - histexpire"
info : "Defines the period of time in weeks that a user will not be able to reuse a password.
In setting the histexpire attribute, it ensures that a user cannot reuse a password within a set period of time."
solution : "In /etc/security/user, set the default user stanza histexpire attribute to be greater than or equal to 24-
chsec -f /etc/security/user -s default -a histexpire=24
This means that a user will not be able to reuse any password set in the last 24 weeks."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-9,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.5,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a histexpire"
expect : "^default[\\s]+histexpire[\\s]*=[\\s]*(2[4-9]|[3-9][0-9]|[1-9][0-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.9 /etc/security/user - histsize"
info : "Defines the number of previous passwords that a user may not reuse.
In setting the histsize attribute, it enforces a minimum number of previous passwords a user cannot reuse."
solution : "In /etc/security/user, set the default user stanza histsize attribute to be greater than or equal to 24-
chsec -f /etc/security/user -s default -a histsize=24
This means that a user may not reuse any of the previous 24 passwords."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-9,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.5,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a histsize"
expect : "^default[\\s]+histsize[\\s]*=[\\s]*(2[4-9]|[3-9][0-9]|[1-9][0-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.10 /etc/security/user - maxexpired"
info : "Defines the number of weeks after maxage, that a password can be reset by the user.
In setting the maxexpired attribute, it limits the number of weeks after password expiry when it may be changed by the user."
solution : "In /etc/security/user, set the default user stanza maxexpired attribute to 2-
chsec -f /etc/security/user -s default -a maxexpired=2
This means that a user can only reset their password up to 2 weeks after it has expired. After this an administrative user would need to reset the password."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-3,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.3,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a maxexpired"
expect : "^default[\\s]+maxexpired[\\s]*=[\\s]*[012][\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.11 /etc/security/user - minloweralpha"
info : "Defines the minimum number of lower case alphabetic characters in a password.
In setting the minloweralpha attribute, the password must contain a lower case alphabetic character when it is changed by the user."
solution : "In /etc/security/user, set the default user stanza minloweralpha attribute to 1-
chsec -f /etc/security/user -s default -a minloweralpha=1
This means that there must be at least 1 lower case alphabetic character within a user password."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-3,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.3,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minloweralpha"
expect : "^default[\\s]+minloweralpha[\\s]*=[\\s]*[1-9][0-9]*[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.12 /etc/security/user - minupperalpha"
info : "Defines the minimum number of upper case alphabetic characters in a password.
In setting the minupperalpha attribute, the password must contain an upper case alphabetic character when it is changed by the user."
solution : "In /etc/security/user, set the default user stanza minupperalpha attribute to 1-
chsec -f /etc/security/user -s default -a minupperalpha=1
This means that there must be at least 1 upper case alphabetic character within a user password."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-3,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.3,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minupperalpha"
expect : "^default[\\s]+minupperalpha[\\s]*=[\\s]*[1-9][0-9]*[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.13 /etc/security/user - mindigit"
info : "Defines the minimum number of digits in a password.
In setting the mindigit attribute, the password must contain a digit when it is changed by the user."
solution : "In /etc/security/user, set the default user stanza mindigit attribute to 1-
chsec -f /etc/security/user -s default -a mindigit=1
This means that there must be at least 1 digit within a user password."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-3,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.3,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a mindigit"
expect : "^default[\\s]+mindigit[\\s]*=[\\s]*[1-9][0-9]*[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.14 /etc/security/user - minspecialchar"
info : "Defines the minimum number of special characters in a password.
In setting the minspecialchar attribute, the password must contain a special character when it is changed by the user."
solution : "In /etc/security/user, set the default user stanza minspecialchar attribute to 1-
chsec -f /etc/security/user -s default -a minspecialchar=1
This means that there must be at least 1 special character within a user password."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-3,SANS_CSC|16-8,HIPAA|164.312(d),800-53|IA-5,PCI|8.2.3,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minspecialchar"
expect : "^default[\\s]+minspecialchar[\\s]*=[\\s]*[1-9][0-9]*[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.1.15 /etc/security/login.cfg - pwd_algorithm"
info : "Defines the loadable password algorithm used when storing user passwords.
A development in AIX 6.1 was the ability to use different password algorithms as defined in /etc/security/pwdalg.cfg. The traditional UNIX password algorithm is crypt, which is a one-way hash function supporting only 8 character passwords. Brute-force password guessing attacks mean that crypt no longer provides an appropriate level of security, so a stronger password hashing algorithm is recommended.
The recommendation of this benchmark is to set the password algorithm to ssha256. This algorithm supports long passwords, up to 255 characters in length, and allows passphrases including the use of the extended ASCII table and the space character. Any passwords already hashed with crypt remain supported, but only one system password algorithm can be active at any one time; existing hashes are not upgraded until the user next changes their password."
solution : "In /etc/security/login.cfg, set the usw stanza pwd_algorithm attribute to ssha256-
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha256
Impact- Ensure that all running applications support SHA256 password hashing."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-6,SANS_CSC|16-17,800-53|IA-5,PCI|8.2.1,CSF|PR.AC-1"
cmd : "/usr/bin/lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm"
expect : "^usw[\\s]+pwd_algorithm[\\s]*=[\\s]*ssha256[\\s]*$"
##
## 3.2 - AIX Security Expert - Login Policy
##
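system : "AIX"
type : CMD_EXEC
description : "3.2.2 /etc/security/login.cfg - logininterval"
info : "Defines the time interval, in seconds, when the unsuccessful logins must occur to disable a port. This parameter is applicable to all tty connections and the system console.
In setting the logininterval attribute, a port will be disabled if the incorrect password is entered a pre-defined number of times, set via logindisable, within this interval."
solution : "In /etc/security/login.cfg, set the default stanza logininterval attribute to 7200 or less-
chsec -f /etc/security/login.cfg -s default -a logininterval=7200
This means that the port will be disabled if the incorrect password is typed the appropriate number of times, within a 7200 second interval."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|16-9,HIPAA|164.312(d),800-53|AC-7,PCI|2.2.4"
cmd : "/usr/bin/lssec -f /etc/security/login.cfg -s default -a logininterval"
# Accept 1..7200 whatever the digit count: 1-, 2- and 3-digit values (e.g. 300)
# are valid and must not be rejected by a pattern that assumes four digits.
# 0 is not accepted - it leaves no interval for the logindisable counter to apply to.
expect : "^default[\\s]+logininterval[\\s]*=[\\s]*([1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-6][0-9][0-9][0-9]|7[01][0-9][0-9]|7200)[\\s]*$"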
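system : "AIX"
type : CMD_EXEC
description : "3.2.5 /etc/security/login.cfg - logintimeout"
info : "Defines the number of seconds during which the password must be typed at login.
In setting the logintimeout attribute, a password must be entered within a specified time period."
solution : "In /etc/security/login.cfg, set the usw stanza logintimeout attribute to 30 or less-
chsec -f /etc/security/login.cfg -s usw -a logintimeout=30
This means that a user will have 30 seconds, from prompting, in which to type in their password."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|16-9,HIPAA|164.312(d),800-53|AC-7,PCI|2.2.4"
# logintimeout is an attribute of the usw stanza (the stanza the solution's chsec
# writes to); querying the default stanza returns nothing that can match.
cmd : "/usr/bin/lssec -f /etc/security/login.cfg -s usw -a logintimeout"
# Threshold matches the solution: 1..30 seconds.
expect : "^usw[\\s]+logintimeout[\\s]*=[\\s]*([1-9]|[12][0-9]|30)[\\s]*$"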
system : "AIX"
type : CMD_EXEC
description : "3.2.6 /etc/security/login.cfg - logindelay"
info : "Defines the number of seconds delay between each failed login attempt. This works as a multiplier, so if the parameter is set to 10, after the first failed login it would delay for 10 seconds, after the second failed login 20 seconds etc.
In setting the logindelay attribute, this implements a delay multiplier in-between unsuccessful login attempts."
solution : "In /etc/security/login.cfg, set the default stanza logindelay attribute to 10 or greater-
chsec -f /etc/security/login.cfg -s default -a logindelay=10
This means that a user will have to wait 10 seconds before being able to re-enter their password. During subsequent attempts this delay will increase as a multiplier of (the number of failed login attempts * logindelay)"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|16-9,HIPAA|164.312(d),800-53|AC-7,PCI|2.2.4"
cmd : "/usr/bin/lssec -f /etc/security/login.cfg -s default -a logindelay"
expect : "^default[\\s]+logindelay[\\s]*=[\\s]*[1-9][0-9]+[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.2.7 /etc/security/user - loginretries"
info : "Defines the number of attempts a user has to login to the system before their account is disabled.
In setting the loginretries attribute, this ensures that a user can have a pre-defined number of attempts to get their password right, prior to locking the account."
solution : "In /etc/security/user, set the default stanza loginretries attribute to 3-
chsec -f /etc/security/user -s default -a loginretries=3
This means that a user will have 3 attempts to enter the correct password. This does not apply to the root user, which has its own stanza entry disabling this feature."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|16-9,HIPAA|164.312(d),800-53|AC-7,PCI|8.1.6"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a loginretries"
expect : "^default[\\s]+loginretries[\\s]*=[\\s]*[1-3][\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.2.8 /etc/security/user - rlogin"
info : "Defines whether or not the root user can login remotely.
In setting the rlogin attribute to false, this ensures that the root user cannot remotely log into the system. All remote logins as root should be prohibited, instead elevation to root should only be allowed once a user has authenticated locally through their individual user account."
solution : "In /etc/security/user, set the root stanza rlogin attribute to false-
chsec -f /etc/security/user -s root -a rlogin=false
This means that the root user will not be able to log in the system directly."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-14,800-53|AC-17,PCI|2.2.4,CSF|PR.AC-3"
cmd : "/usr/bin/lssec -f /etc/security/user -s root -a rlogin"
expect : "^root[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*$"
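system : "AIX"
type : CMD_EXEC
description : "3.2.9 /etc/security/user - sugroups"
info : "Restricts access to root, via su, to members of a specific group.
In setting the sugroups attribute to system, this ensures that only members of the system group are able to su root. This makes it difficult for an attacker to use a stolen root password as the attacker first has to get access to a system user ID."
solution : "In /etc/security/user, set the root stanza sugroups attribute to system and the su attribute to true-
chuser su=true sugroups=system root"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-14,800-53|AC-3,PCI|2.2.4,CSF|PR.AC-4"
# Query the two attributes this check is about (sugroups and su); lssec prints
# them on one line in the order requested, which is what the pattern expects.
cmd : "/usr/bin/lssec -f /etc/security/user -s root -a sugroups -a su"
expect : "^root[\\s]+sugroups[\\s]*=[\\s]*system[\\s]+su[\\s]*=[\\s]*true[\\s]*$"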
##
## 3.3 - AIX Security Expert - System Services Management
##
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.24 /etc/inetd.conf - telnet"
info : "This entry starts the telnetd daemon when required. This provides a protocol for command line
access, from a remote machine. This telnet service is used to service remote user connections. This is historically the most commonly used remote access method for UNIX servers. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the telnetd daemon will be disabled. Many older legacy systems do not support SSH and still require telnet as a protocol for access. If this is not required, it is recommended that telnet is disabled and SSH is used as a replacement authentication mechanism."
solution : "In /etc/inetd.conf, comment out the telnet entry-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'telnet' -p 'tcp6'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
regex : "^[\\s]*telnet[\\s]"
expect : "^[\\s]*telnet[\\s]"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.25 /etc/inetd.conf - exec"
info : "This entry starts the rexecd daemon when required. This daemon executes a command from a remote system, once the connection has been authenticated.
The exec service is used to execute a command sent from a remote server. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the rexecd daemon will be disabled. This function, if required, should be facilitated through SSH."
solution : "In /etc/inetd.conf, comment out the exec entry-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'exec' -p 'tcp6'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
regex : "^[\\s]*exec[\\s]"
expect : "^[\\s]*exec[\\s]"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.26 /etc/inetd.conf - daytime"
info : "This entry starts the daytime service when required. This provides the current date and time to other servers on a network.
This daytime service is a defunct time service, typically used for testing purposes only. The service should be disabled as it can be abused in denial-of-service (including UDP reflection) attacks."
solution : "In /etc/inetd.conf, comment out the daytime entries-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'daytime' -p 'tcp'
chsubserver -r inetd -C /etc/inetd.conf -d -v 'daytime' -p 'udp'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
regex : "^[\\s]*daytime[\\s]"
expect : "^[\\s]*daytime[\\s]"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.27 /etc/inetd.conf - shell"
info : "This entry starts the rshd daemon when required. This daemon executes a command from a remote system.
This shell service is used to execute a command from a remote server. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the rshd daemon will be disabled. This function, if required, should be facilitated through SSH."
solution : "In /etc/inetd.conf, comment out the shell entry-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'shell' -p 'tcp6'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
regex : "^[\\s]*shell[\\s]"
expect : "^[\\s]*shell[\\s]"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.32 /etc/inetd.conf - login"
info : "This entry starts the rlogin daemon when required. This service authenticates remote user logins.
This login service is used to authenticate a remote user connection when logging in via the rlogin command. The username and password are passed over the network in clear text and therefore insecurely. Unless required the rlogin daemon will be disabled. This function, if required, should be facilitated through SSH."
solution : "In /etc/inetd.conf, comment out the login entry-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'login' -p 'tcp'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
regex : "^[\\s]*login[\\s]"
expect : "^[\\s]*login[\\s]"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.35 /etc/inetd.conf - ftp"
info : "This entry starts the ftpd daemon when required. This service is used for transferring files from/to a remote machine.
This ftp service is used to transfer files from or to a remote machine. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the ftpd daemon will be disabled. Many older legacy systems do not support SSH and still require ftp as a service for data copying. If this is not required it is recommended that ftp is disabled and sftp is used as a replacement file and directory copying mechanism."
solution : "In /etc/inetd.conf, comment out the ftp entry-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'ftp' -p 'tcp6'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
regex : "^[\\s]*ftp[\\s]"
expect : "^[\\s]*ftp[\\s]"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.36 /etc/inetd.conf - chargen"
info : "This entry starts the chargen service when required. This service is used to test the integrity of TCP/IP packets arriving at the destination.
This chargen service is a character generator service and is used for testing the integrity of TCP/IP packets arriving at the destination. An attacker may spoof packets between machines running the chargen service and thus provide an opportunity for DoS attacks. You must disable this service unless you are testing your network."
solution : "In /etc/inetd.conf, comment out the chargen entries-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'chargen' -p 'tcp'
chsubserver -r inetd -C /etc/inetd.conf -d -v 'chargen' -p 'udp'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
regex : "^[\\s]*chargen[\\s]"
expect : "^[\\s]*chargen[\\s]"
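system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.37 /etc/inetd.conf - discard"
info : "This entry starts the discard service when required. This service is used as a debugging tool by setting up a listening socket which ignores the data it receives.
The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it receives. This is a /dev/null service and is obsolete. This can be used in DoS attacks and therefore, must be disabled."
solution : "In /etc/inetd.conf, comment out both the tcp and udp discard entries (as for daytime and chargen) - the check fails while either remains active-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'discard' -p 'tcp'
chsubserver -r inetd -C /etc/inetd.conf -d -v 'discard' -p 'udp'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
# Any uncommented discard line, tcp or udp, is a failure.
regex : "^[\\s]*discard[\\s]"
expect : "^[\\s]*discard[\\s]"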
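system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.39 /etc/inetd.conf - echo"
info : "This entry starts the echo service when required. This service sends back data received by it on a specified port.
The echo service sends back data received by it on a specified port. This can be misused by an attacker to launch DoS attacks or Smurf attacks by initiating a data storm and causing network congestion. The service is used for testing purposes and therefore must be disabled if not required."
solution : "In /etc/inetd.conf, comment out both the tcp and udp echo entries (as for daytime and chargen) - the check fails while either remains active-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'echo' -p 'tcp'
chsubserver -r inetd -C /etc/inetd.conf -d -v 'echo' -p 'udp'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
# Any uncommented echo line, tcp or udp, is a failure.
regex : "^[\\s]*echo[\\s]"
expect : "^[\\s]*echo[\\s]"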
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.44 /etc/inetd.conf - sprayd"
info : "This entry starts the sprayd daemon when required. This service is used as a tool to generate UDP packets for testing and diagnosing network problems.
The sprayd service is used as a tool to generate UDP packets for testing and diagnosing network problems. The service must be disabled if you are not running NFS, as it can be used by attackers in a Distributed Denial of Service (DDoS) attack."
solution : "In /etc/inetd.conf, comment out the sprayd entry-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'sprayd' -p 'udp'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
regex : "^[\\s]*sprayd[\\s]"
expect : "^[\\s]*sprayd[\\s]"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.3.51 /etc/inetd.conf - finger"
info : "This entry starts the fingerd daemon.
The fingerd daemon provides the server function for the finger command. This allows users to view real-time pertinent user login information on other remote systems. This service should be disabled as it may provide an attacker with a valid user list to target."
solution : "In /etc/inetd.conf, comment out the finger entry-
chsubserver -r inetd -C /etc/inetd.conf -d -v 'finger' -p 'tcp'"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.2,CSF|PR.PT-3"
file : "/etc/inetd.conf"
regex : "^[\\s]*finger[\\s]"
expect : "^[\\s]*finger[\\s]"
system : "AIX"
type : FILE_CHECK
description : "3.3.53 /etc/inetd.conf - permissions and ownership"
info : "The recommended permissions and ownership for /etc/inetd.conf are applied.
The /etc/inetd.conf file contains the list of services that inetd controls and determines their current status i.e. active or disabled. This file must be protected from unauthorized access and modifications to ensure that the services disabled in this benchmark remain locked down."
solution : "Set the recommended permissions and ownership to /etc/inetd.conf-
chmod u=rw,go=r /etc/inetd.conf
chown root:system /etc/inetd.conf"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|11-1,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/inetd.conf"
owner : "root"
group : "system"
mask : "133"
##
## 3.4 - AIX Security Expert - Disabling Remote Services
##
##
## 3.5 - AIX Security Expert - Automated Authentication
##
##
## 3.6 - AIX Security Expert - TCP/IP Hardening
##
##
## 3.7 - AIX Security Expert - Miscellaneous Enhancements
##
system : "AIX"
type : FILE_CONTENT_CHECK
description : "3.7.3 Miscellaneous Enhancements - /etc/ftpusers"
info : "This change adds the root user to the /etc/ftpusers file, which disables ftp for root.
This change ensures that direct root ftp access is disabled. As detailed previously, ftp as a service should be disabled. If the service has to be enabled then this change must be implemented to ensure that remote root file transfer access is not enabled."
solution : "Add root to the /etc/ftpusers file-
echo 'root' >> /etc/ftpusers"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/ftpusers"
regex : "^root$"
expect : "^root$"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "3.7.5 Miscellaneous Enhancements - guest account removal"
info : "This change removes the guest user and home directory from the system.
This change removes the guest user. If a user logs in with a generic username, audit trails are of limited value as it is not necessarily possible to identify who has accessed an account. The guest account should be removed and all users should be given specific logon ids to ensure traceability and accountability."
solution : "Remove the guest user-
rmuser -p guest
rm -r /home/guest"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-4,800-53|AC-2,PCI|2.1,CSF|PR.AC-1"
file : "/etc/passwd"
regex : "^guest:"
expect : "^guest:"
system : "AIX"
type : CMD_EXEC
description : "3.7.6 Miscellaneous Enhancements - crontab permissions"
info : "This script checks the permissions of all the root crontab entries, to ensure that they are owned and writable by the root user only.
All root crontab entries must be owned and writable by the root user only. If a script had group or world writable access, it could be replaced or edited with malicious content, which would then subsequently run on the system with root authority.
NOTE- The check runs 'crontab -l', which lists the crontab of the account performing the scan; it only examines root's crontab when the scan runs as root (or the scanning account can su to root). It also inspects only the first word of each crontab command field, so a script that is passed as an argument to an interpreter (e.g. /usr/bin/sh /path/script) is not walked and must be reviewed manually."
solution : "Ensure that all root crontab entries are owned and writable by root only.The script below traverses up each individual directory path, ensuring that all directories are not group/world writable and that they are owned by the root or bin user-
crontab -l |egrep -v '^#' |awk '{print $6}' |grep '^/' |sort -u | while read DIR
do
DIR=${DIR:-$(pwd)}
while [[ -a ${DIR} ]]
do
[[ \"$(ls -ld ${DIR})\" = @(????????w? *) ]] && print \" WARNING ${DIR} is world writable\"
[[ \"$(ls -ld ${DIR})\" = @(?????w???? *) ]] && print \" WARNING ${DIR} is group writable\"
[[ \"$(ls -ld ${DIR} |awk '{print $3}')\" != @(root|bin) ]] && print \" WARNING ${DIR} is not owned by root or bin\"
DIR=${DIR%/*}
done
done
NOTE- Review the output and manually change the directories, if possible. Directories which are group and/or world writable or not owned by root are marked with 'WARNING'.
To manually change permissions on the files or directories-
o To remove group writable access- chmod g-w
o To remove world writable access-chmod o-w
o To remove both group and world writable access-chmod go-w
o To change the owner of a file or directory-chown "
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
cmd : "/usr/bin/crontab -l | /usr/bin/egrep -v '^#' | /usr/bin/awk '{print $6}' | /usr/bin/grep \"^/\" | /usr/bin/sort -u | while read DIR; do DIR=${DIR:-$(pwd)}; while [[ -a ${DIR} ]]; do [[ \"$(ls -ld ${DIR})\" = @(????????w? *) ]] && print \" WARNING ${DIR} is world writable\"; [[ \"$(ls -ld ${DIR})\" = @(?????w???? *) ]] && print \" WARNING ${DIR} is group writable\"; [[ \"$(ls -ld ${DIR} |awk '{print $3}')\" != @(root|bin) ]] && print \" WARNING ${DIR} is not owned by root or bin\"; DIR=${DIR%/*}; done; done | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none$"
##
## 4.1 - Non AIX Security Expert Recommendations - Configuring syslog
##
##
## 4.2 - Non AIX Security Expert Recommendations - Secure Remote Access
##
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.2 Configuring SSH - disabling direct root access"
info : "The recommendation is to edit the /etc/ssh/sshd_config file to disable direct root login. By default direct root login via SSH is enabled.
All root access should be facilitated through a local logon with a unique and identifiable user ID and then via the su command once locally authenticated. Direct root login is extremely insecure and offers little in the way of audit trailing for accountability."
solution : "Edit the /etc/ssh/sshd_config file and disable direct root login for SSH-
vi /etc/ssh/sshd_config
Replace-
#PermitRootLogin yes
With-
PermitRootLogin no
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-14,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*PermitRootLogin[\\s]+no[\\s]*$"
expect : "^[\\s]*PermitRootLogin[\\s]+no[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.3 Configuring SSH - server protocol 2"
info : "The recommendation is to edit the /etc/ssh/sshd_config file and allow the SSH2 protocol only. By default the SSH1 protocol is also available. This is the SSH server configuration file.
There are publicly known vulnerabilities in SSH1 protocol, because of which the SSH1 protocol was deprecated in early 2001. SSH2 is a complete re-write of SSH1 with additional security features. All SSH connections should communicate over the SSH2 protocol. There are numerous benefits of utilizing SSH2 over SSH1, these include- an enhanced and stronger crypto integrity check and support for RSA and DSA keys, rather than just RSA key support in SSH1. The recommendation is to edit the /etc/ssh/sshd_config file and allow the SSH2 protocol only."
solution : "Edit the /etc/ssh/sshd_config file and explicitly define the SSH2 protocol-
vi /etc/ssh/sshd_config
Replace-
#Protocol 2,1
With-
Protocol 2
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*Protocol[\\s]+2[\\s]*$"
expect : "^[\\s]*Protocol[\\s]+2[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.4 Configuring SSH - client protocol 2"
info : "The recommendation is to edit the /etc/ssh/ssh_config file and allow the SSH2 protocol only. By default the SSH1 protocol is also available. This is the SSH client configuration file.
There are publicly known vulnerabilities in SSH1 protocol, because of which the SSH1 protocol was deprecated in early 2001. SSH2 is a complete re-write of SSH1 with additional security features. All SSH connections should communicate over the SSH2 protocol. There are numerous benefits of utilizing SSH2 over SSH1, these include- an enhanced and stronger crypto integrity check and support for RSA and DSA keys, rather than just RSA key support in SSH1. The recommendation is to edit the /etc/ssh/ssh_config file and allow the SSH2 protocol only."
solution : "Edit the /etc/ssh/ssh_config file and explicitly define the SSH2 protocol-
vi /etc/ssh/ssh_config
Replace-
#Protocol 2,1
With-
Protocol 2
No daemon restart is required- /etc/ssh/ssh_config is the client configuration file and is read by the ssh client programs each time they start. The sshd daemon and its /etc/ssh/sshd_config file are covered separately in 4.2.3."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/ssh/ssh_config"
regex : "^[\\s]*Protocol[\\s]+2[\\s]*$"
expect : "^[\\s]*Protocol[\\s]+2[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.6 Configuring SSH - ignore .shosts and .rhosts"
info : "The recommendation is to edit the /etc/ssh/sshd_config file and set the IgnoreRhosts parameter to ignore .shosts and .rhosts files.
A user can logon to a remote system without authenticating themselves if .rhosts or .shosts files exist in the remote home directory and if the client machine name and user name are present in these files. This method is fundamentally insecure as the local system can be exploited by IP, DNS (Domain Name Server) and routing spoofing attacks. Additionally, this authentication method relies on the integrity of the client machine. These weaknesses have been known and exploited for a long time. Since this authentication method is not secure, it must be disabled."
solution : "Edit the /etc/ssh/sshd_config file to disable the .shosts and .rhosts authentication parameter-
vi /etc/ssh/sshd_config
Replace-
#IgnoreRhosts yes
With-
IgnoreRhosts yes
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*IgnoreRhosts[\\s]+yes[\\s]*$"
expect : "^[\\s]*IgnoreRhosts[\\s]+yes[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.7 Configuring SSH - disable null passwords"
info : "The recommendation is to edit the /etc/ssh/sshd_config file to ensure that the SSH daemon does not authenticate users with a null password.
If password authentication is used and an account has an empty password, the SSH server must be configured to disallow access to the account. Permitting empty passwords could create an easy path of access for hackers to enter the system."
solution : "Edit the /etc/ssh/sshd_config file to disable the acceptance of null passwords-
vi /etc/ssh/sshd_config
Replace-
#PermitEmptyPasswords no
With-
PermitEmptyPasswords no
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,HIPAA|164.312(d),800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*PermitEmptyPasswords[\\s]+no[\\s]*$"
expect : "^[\\s]*PermitEmptyPasswords[\\s]+no[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.2.9 Configuring SSH - set privilege separation"
info : "The recommendation is to edit the /etc/ssh/sshd_config file to ensure that privilege separation is enabled.
Setting privilege separation helps to secure remote ssh access. Once a user is authenticated the sshd daemon creates a child process which has the privileges of the authenticated user and this then handles incoming network traffic. The aim of this is to prevent privilege escalation through the initial root process."
solution : "Edit the /etc/ssh/sshd_config file to ensure that privilege separation is enabled-
vi /etc/ssh/sshd_config
Replace-
UsePrivilegeSeparation no
With-
UsePrivilegeSeparation yes
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*UsePrivilegeSeparation[\\s]+no[\\s]*$"
expect : "^[\\s]*UsePrivilegeSeparation[\\s]+no[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.12 Configuring SSH - set LogLevel to INFO"
info : "The LogLevel INFO parameter specifies that login and logout activity will be logged.
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
solution : "Edit the /etc/ssh/sshd_config-
vi /etc/ssh/sshd_config
Set-
LogLevel INFO
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|AU-2,PCI|2.2.4,CSF|PR.PT-1"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*LogLevel[\\s]+"
expect : "^[\\s]*LogLevel[\\s]+(INFO|VERBOSE)[\\s]*$"
required : NO
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.13 Configuring SSH - set MaxAuthTries to 3 or Less"
info : "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.
Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 3, set the number based on site policy."
solution : "Edit the /etc/ssh/sshd_config file-
vi /etc/ssh/sshd_config
Set-
MaxAuthTries 3
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|16-9,HIPAA|164.312(d),800-53|AC-7,PCI|8.1.6"
file : "/etc/ssh/sshd_config"
regex : "MaxAuthTries"
expect : "^MaxAuthTries[\\s]+[1-3][\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.14 Configuring SSH - set Idle Timeout Interval for User Login - ClientAliveCountMax"
info : "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time.
Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.
While the recommended setting is 900 seconds (15 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 15 minutes of idle time and no keepalive messages will be sent.
NOTE- Client alive messages are answered by the SSH client software, not by the user, so a client that is still running and connected keeps answering them even if its user has walked away. This setting reliably terminates dead or unresponsive connections rather than idle-but-connected sessions, and should be combined with an OS-level idle logout and screen locking. Also confirm the behaviour of ClientAliveCountMax 0 against the sshd_config(5) manual page for the OpenSSH level installed, as recent OpenSSH releases document a value of 0 as disabling keepalive-based termination altogether."
solution : "Edit the /etc/ssh/sshd_config file-
vi /etc/ssh/sshd_config
Set-
ClientAliveCountMax 0
ClientAliveInterval 900
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|16-6,HIPAA|164.312(a)(2)(iii),800-53|AC-2,PCI|8.1.8"
file : "/etc/ssh/sshd_config"
regex : "ClientAliveCountMax"
expect : "^ClientAliveCountMax[\\s]+0[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.14 Configuring SSH - set Idle Timeout Interval for User Login - ClientAliveInterval"
info : "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time.
Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.
While the recommended setting is 900 seconds (15 minutes), set this timeout value based on site policy; this check accepts any ClientAliveInterval value from 10 to 900 seconds. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 15 minutes of idle time and no keepalive messages will be sent.
NOTE- Client alive messages are answered by the SSH client software, not by the user, so a client that is still running and connected keeps answering them even if its user has walked away. This setting reliably terminates dead or unresponsive connections rather than idle-but-connected sessions, and should be combined with an OS-level idle logout and screen locking."
solution : "Edit the /etc/ssh/sshd_config file-
vi /etc/ssh/sshd_config
Set-
ClientAliveCountMax 0
ClientAliveInterval 900
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|16-6,HIPAA|164.312(a)(2)(iii),800-53|AC-2,PCI|8.1.8"
file : "/etc/ssh/sshd_config"
regex : "ClientAliveInterval"
expect : "^ClientAliveInterval[\\s]+([0-9][0-9]|[1-8][0-9][0-9]|900)[\\s]*$"
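system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.15 Configuring SSH - restrict Cipher list"
info : "This variable limits the types of ciphers that SSH can use during communication.
Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBC) method. From that research, new Counter mode algorithms (as described in RFC4344) were designed that are not vulnerable to these types of attacks and these algorithms are now recommended for standard use.
NOTE- This check passes when the active (uncommented) Ciphers directive lists only aes128-ctr, aes192-ctr and/or aes256-ctr, in any order. Any other cipher in the list, or no uncommented Ciphers directive at all, is a failure."
solution : "Edit the /etc/ssh/sshd_config file-
vi /etc/ssh/sshd_config
Set-
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd
For more information on the Counter mode algorithms, read RFC4344 at http://www.ietf.org/rfc/rfc4344.txt."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
# The regex is anchored to the directive keyword so that a comment line that merely
# mentions "Ciphers" (some stock sshd_config files carry one) is not selected.
# The expect accepts the three CTR ciphers in any order or subset and nothing else,
# so a site that configures a stricter CTR-only list is not reported as a failure.
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*Ciphers[\\s]+"
expect : "^[\\s]*Ciphers[\\s]+aes(128|192|256)-ctr(,aes(128|192|256)-ctr)*[\\s]*$"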
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.16 Configuring SSH - ignore user-provided environment variables"
info : "The PermitUserEnvironment option allows users to present environment options to the ssh daemon.
Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
solution : "Edit the /etc/ssh/sshd_config file-
vi /etc/ssh/sshd_config
Set-
PermitUserEnvironment no
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SI-7,PCI|2.2.4,CSF|PR.DS-6"
file : "/etc/ssh/sshd_config"
regex : "PermitUserEnvironment"
expect : "^PermitUserEnvironment[\\s]+no[\\s]*$"
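system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.2.17 Configuring SSH - limit access via SSH"
info : "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged:
o AllowUsers - The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of comma separated user names. Numeric userIDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host.
o AllowGroups - The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric groupIDs are not recognized with this variable.
o DenyUsers - The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of comma separated user names. Numeric userIDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host.
o DenyGroups - The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric groupIDs are not recognized with this variable.
Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system.
NOTE- Any one of the four directives satisfies this check. DenyUsers and DenyGroups are deny-lists- every account not listed can still log in, so an AllowUsers or AllowGroups allow-list is the stronger control and should be preferred where site policy permits. User, group and host entries may legitimately contain characters such as '-', '_', '.', '*' and '?' (for example 'AllowGroups ssh-admins' or 'AllowUsers oper@10.1.1.*'), and this check accepts any non-empty list of such entries."
solution : "Edit the /etc/ssh/sshd_config file-
vi /etc/ssh/sshd_config
Set one of the following-
AllowUsers
AllowGroups
DenyUsers
DenyGroups
Re-cycle the sshd daemon to pick up the configuration changes-
stopsrc -s sshd
startsrc -s sshd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-14,800-53|AC-3,PCI|2.2.4,CSF|PR.AC-4"
# The value is matched as one or more whitespace-separated tokens that do not
# contain '#', rather than a fixed alphanumeric class, so that names with '-', '_',
# '.', and host patterns with '*' or '?' are recognised as a populated directive.
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*(Allow|Deny)(Users|Groups)[\\s]+[^\\s#]+([\\s]+[^\\s#]+)*[\\s]*$"
expect : "^[\\s]*(Allow|Deny)(Users|Groups)[\\s]+[^\\s#]+([\\s]+[^\\s#]+)*[\\s]*$"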
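system : "AIX"
type : FILE_CHECK
description : "4.2.18 Configuring SSH - sshd_config permissions lockdown"
info : "The /etc/ssh/sshd_config file defines SSH server behavior.
The SSH daemon reads the configuration information from this file and includes the authentication mode and cryptographic levels to use during SSH communication. The recommended value is not to provide any access rights for any user, other than the owner of the file. The file must also be owned by root- a restrictive mode is of little value if another account owns the file, since that account could change both its content and its permissions and thereby reconfigure the daemon."
solution : "Change the ownership and permissions of the /etc/ssh/sshd_config file to ensure that only root can read and write to the file-
chown root /etc/ssh/sshd_config
chmod u=rw,go= /etc/ssh/sshd_config"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
# Ownership is verified alongside the mode, as is done for /etc/inetd.conf (3.3.53)
# and /etc/mail/sendmail.cf (4.3.2) elsewhere in this audit.
file : "/etc/ssh/sshd_config"
owner : "root"
mask : "177"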
system : "AIX"
type : FILE_CHECK
description : "4.2.19 Configuring SSH - ssh_config permissions lockdown"
info : "The /etc/ssh/ssh_config file defines SSH client behavior.
The /etc/ssh/ssh_config file is the system-wide client configuration file for OpenSSH, which allows you to set options that modify the operation of the client programs. The recommended value is not to provide any writable access rights for any user, other than the owner of the file."
solution : "Change the permissions of the /etc/ssh/ssh_config file to ensure that only the owner can read and write to the file-
chmod u=rw,go=r /etc/ssh/ssh_config"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/ssh/ssh_config"
mask : "133"
##
## 4.3 - Non AIX Security Expert Recommendations - Sendmail Configuration
##
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.3.1 /etc/mail/sendmail.cf - SmtpGreetingMessage"
info : "The recommendation is to change the default sendmail greeting string to not display the sendmail version and other related information.
The sendmail daemon has a history of security vulnerabilities. The recommendation is to change the default sendmail greeting string so as not to display the sendmail version and other related information, which can be used by an attacker for fingerprinting purposes."
solution : "Create a backup copy of /etc/mail/sendmail.cf-
cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis
Edit-
vi /etc/mail/sendmail.cf
Change-
O SmtpGreetingMessage=$j Sendmail $b
To-
O SmtpGreetingMessage=mailerready"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|AC-8"
file : "/etc/mail/sendmail.cf"
regex : "SmtpGreetingMessage"
expect : "^O[\\s]+SmtpGreetingMessage[\\s]*=[\\s]*mailerready[\\s]*$"
system : "AIX"
type : FILE_CHECK
description : "4.3.2 /etc/mail/sendmail.cf - permissions and ownership"
info : "The recommended permissions and ownership for /etc/mail/sendmail.cf are applied.
The /etc/mail/sendmail.cf file is used by the sendmail daemon to determine its default configuration. This file must be protected from unauthorized access and modifications."
solution : "Set the recommended permissions and ownership on /etc/mail/sendmail.cf-
chmod u=rw,g=r,o= /etc/mail/sendmail.cf
chown root /etc/mail/sendmail.cf"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/mail/sendmail.cf"
owner : "root"
mask : "137"
system : "AIX"
type : FILE_CHECK
description : "4.3.3 /var/spool/mqueue - permissions and ownership"
info : "The recommended permissions and ownership for the /var/spool/mqueue directory are applied.
The sendmail daemon generally stores its queued mail in the /var/spool/mqueue directory. Queued messages are the messages that have not yet reached their final destination. To ensure the integrity of the messages during storage, the mail queue directory must be secured from unauthorized access.
NOTE- It is possible to specify an alternate spool directory in the /etc/mail/sendmail.cf file via the QueueDirectory parameter."
solution : "Set the recommended permissions and ownership on /var/spool/mqueue-
chmod u=rwx,go= /var/spool/mqueue
chown root /var/spool/mqueue"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/var/spool/mqueue"
owner : "root"
mask : "077"
##
## 4.4 - Non AIX Security Expert Recommendations - Common Desktop Environment (CDE)
##
system : "AIX"
type : CMD_EXEC
description : "Verify CDE is installed."
cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE"
expect : "^[\\s]*X11\\.Dt\\."
system : "AIX"
type : FILE_CHECK
description : "4.4.3 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtaction"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root-bin or root-sys.
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root-bin or root-sys. It is recommended that the CDE binaries have the suid/sgid removed."
solution : "Remove the suid/sgid from the following CDE binaries-
chmod ug-s /usr/dt/bin/dtaction"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/usr/dt/bin/dtaction"
mask : "6000"
required : NO
system : "AIX"
type : FILE_CHECK
description : "4.4.3 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtappgather"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root-bin or root-sys.
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root-bin or root-sys. It is recommended that the CDE binaries have the suid/sgid removed."
solution : "Remove the suid/sgid from the following CDE binaries-
chmod ug-s /usr/dt/bin/dtappgather"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/usr/dt/bin/dtappgather"
mask : "6000"
required : NO
system : "AIX"
type : FILE_CHECK
description : "4.4.3 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtprintinfo"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root-bin or root-sys.
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root-bin or root-sys. It is recommended that the CDE binaries have the suid/sgid removed."
solution : "Remove the suid/sgid from the following CDE binaries-
chmod ug-s /usr/dt/bin/dtprintinfo"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/usr/dt/bin/dtprintinfo"
mask : "6000"
required : NO
system : "AIX"
type : FILE_CHECK
description : "4.4.3 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtsession"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root-bin or root-sys.
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root-bin or root-sys. It is recommended that the CDE binaries have the suid/sgid removed."
solution : "Remove the suid/sgid from the following CDE binaries-
chmod ug-s /usr/dt/bin/dtsession"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/usr/dt/bin/dtsession"
mask : "6000"
required : NO
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.4.5 CDE - screensaver lock - dtsession.saverTimeout"
info : "The recommended timeout is 15 minutes of keyboard and mouse inactivity before a password protected screensaver is invoked by the CDE session manager.
The default timeout of 30 minutes prior to a password protected screensaver being invoked is too long. The recommendation is to set this to 15 minutes (this check accepts any value from 1 to 15) to protect from unauthorized access on unattended systems."
solution : "Set the default timeout parameters dtsession.saverTimeout: and dtsession.lockTimeout:
for file in /usr/dt/config/*/sys.resources; do
dir=`dirname $file | sed -e s/usr/etc/`
mkdir -p $dir
echo 'dtsession.saverTimeout: 15' >> $dir/sys.resources
echo 'dtsession.lockTimeout: 15' >> $dir/sys.resources
done"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|16-6,800-53|AC-11,PCI|2.2.4"
file : "/etc/dt/config/*/sys.resources"
regex : "^[\\s]*dtsession[\\.]saverTimeout:"
expect : "^[\\s]*dtsession[\\.]saverTimeout:[\\s]+([1-9]|1[0-4]|15)[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.4.5 CDE - screensaver lock - dtsession.lockTimeout"
info : "The default timeout is 15 minutes of keyboard and mouse inactivity before a password protected screensaver is invoked by the CDE session manager.
The default timeout of 30 minutes prior to a password protected screensaver being invoked is too long. The recommendation is to set this to 15 minutes to protect from unauthorized access on unattended systems."
solution : "Set the default timeout parameters dtsession.saverTimeout: and dtsession.lockTimeout:
for file in /usr/dt/config/*/sys.resources; do
dir=`dirname $file | sed -e s/usr/etc/`
mkdir -p $dir
echo 'dtsession.saverTimeout: 15' >> $dir/sys.resources
echo 'dtsession.lockTimeout: 15' >> $dir/sys.resources
done"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|16-6,800-53|AC-11,PCI|2.2.4"
file : "/etc/dt/config/*/sys.resources"
regex : "^[\\s]*dtsession[\\.]lockTimeout:"
expect : "^[\\s]*dtsession[\\.]lockTimeout:[\\s]+([1-9]|1[0-4]|15)[\\s]*$"
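system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.4.6 CDE - login screen hostname masking - dtlogin.greeting.labelString"
info : "The Dtlogin*greeting.labelString parameter is the message displayed in the first dialogue box on the CDE login screen. This is where the username is entered.
The Dtlogin.greeting.persLabelString is the message displayed in the second dialogue box on the CDE login screen. This is where the password is entered.
Potential hackers may gain access to valuable information such as the hostname and the version of the operating system from the default AIX login screen. This information would assist hackers in choosing the exploitation methods to break into the system. For security reasons, change the login screen default messages."
solution : "Copy the files from /usr/dt/config/*/Xresources to /etc/dt/config/*/Xresources and add the Dtlogin.greeting.labelString and Dtlogin.greeting.persLabelString parameters to all copied Xresources files-
for file in /usr/dt/config/*/Xresources; do
dir=`dirname $file | sed s/usr/etc/`
mkdir -p $dir
if [ ! -f $dir/Xresources ]; then
cp $file $dir/Xresources
fi
WARN='Authorized uses only. All activity may be monitored and reported.'
echo \"Dtlogin.greeting.labelString: $WARN\" >>$dir/Xresources
echo \"Dtlogin.greeting.persLabelString: $WARN\" >>$dir/Xresources
done"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|AC-8"
# The echo lines in the solution use double quotes so that $WARN expands;
# with single quotes the literal text $WARN would be written to Xresources.
# The banner is written into the Xresources files, so that is the file this
# check must read (sys.resources holds the 4.4.5 dtsession timeouts), and
# the resource is Dtlogin.greeting.labelString, not Dtsession. The info text
# also spells it Dtlogin*greeting.labelString, so both separators are accepted.
file : "/etc/dt/config/*/Xresources"
regex : "^[\\s]*Dtlogin[\\.\\*]greeting[\\.]labelString:"
expect : "^[\\s]*Dtlogin[\\.\\*]greeting[\\.]labelString:[\\s]+Authorized[\\s]uses[\\s]only[\\.][\\s]All[\\s]activity[\\s]may[\\s]be[\\s]monitored[\\s]and[\\s]reported[\\.][\\s]*$"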
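system : "AIX"
type : FILE_CHECK
description : "4.4.7 CDE - /etc/dt/config/Xconfig permissions and ownership"
info : "The /etc/dt/config/Xconfig file is used to customize CDE DT login attributes. Ensure this file is owned by root:bin and permissions prevent group and other from writing to the file.
The /etc/dt/config/Xconfig file can be used to customize CDE DT login attributes. The default file, /usr/dt/config/Xconfig, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Check to see if the /etc/dt/config/Xconfig exists-
ls -l /etc/dt/config/Xconfig
Apply the appropriate ownership and permissions to /etc/dt/config/Xconfig-
chown root:bin /etc/dt/config/Xconfig
chmod go-w /etc/dt/config/Xconfig"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/dt/config/Xconfig"
owner : "root"
group : "bin"
# mask lists the permission bits that must be clear (cf. mask 177 for a
# u=rw,go= file elsewhere in this audit). The solution applies chmod go-w and
# leaves owner write in place, so only group/other write are forbidden: 022.
# A mask of 333 would also reject owner write and fail a compliant 644 file.
mask : "022"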
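system : "AIX"
type : FILE_CHECK
description : "4.4.8 CDE - /etc/dt/config/Xservers permissions and ownership - permissions and ownership"
info : "The /etc/dt/config/Xservers contains entries to start the Xserver on the local display.
Ensure this file is owned by root:bin and prevents group and other from writing to it. The /etc/dt/config/Xservers contains entries to start the Xserver on the local display. The default file, /usr/dt/config/Xservers, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Check to see if the /etc/dt/config/Xservers exists-
ls -l /etc/dt/config/Xservers
If it exists ensure that it is explicitly defined in /etc/dt/config/Xconfig-
vi /etc/dt/config/Xconfig
Replace-
Dtlogin.servers: Xservers
With-
Dtlogin.servers: /etc/dt/config/Xservers
apply the appropriate ownership and permissions to /etc/dt/config/Xservers-
chown root:bin /etc/dt/config/Xservers
chmod go-w /etc/dt/config/Xservers"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/dt/config/Xservers"
owner : "root"
group : "bin"
# mask lists the permission bits that must be clear. The solution applies
# chmod go-w and keeps owner write, so only group/other write are forbidden:
# 022. A mask of 333 would also reject owner write and fail a compliant 644 file.
mask : "022"
# The file is optional; the companion "explicit definition" check below
# verifies the Dtlogin.servers entry in Xconfig when it is present.
required : NO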
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.4.8 CDE - /etc/dt/config/Xservers permissions and ownership - explicit definition"
info : "The /etc/dt/config/Xservers contains entries to start the Xserver on the local display.
Ensure this file is owned by root:bin and prevents group and other from writing to it. The /etc/dt/config/Xservers contains entries to start the Xserver on the local display. The default file, /usr/dt/config/Xservers, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Check to see if the /etc/dt/config/Xservers exists-
ls -l /etc/dt/config/Xservers
If it exists ensure that it is explicitly defined in /etc/dt/config/Xconfig-
vi /etc/dt/config/Xconfig
Replace-
Dtlogin.servers: Xservers
With-
Dtlogin.servers: /etc/dt/config/Xservers"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/dt/config/Xconfig"
regex : "^[\\s]*Dtlogin[\\.]servers:"
expect : "^[\\s]*Dtlogin[\\.]servers:[\\s]+/etc/dt/config/Xservers[\\s]*$"
file_required : NO
system : "AIX"
type : FILE_CHECK
description : "4.4.9 CDE - /etc/dt/config/*/Xresources permissions and ownership"
info : "The /etc/dt/config/*/Xresources file contains appearance and behavior resources for the Dtlogin login screen.
The /etc/dt/config/*/Xresources file defines the customization of the Dtlogin screen. The default file, /usr/dt/config/*/Xresources, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Set the appropriate permissions and ownership on all Xresources files-
chown root:sys /etc/dt/config/*/Xresources
chmod u=rw,go=r /etc/dt/config/*/Xresources"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/dt/config/*/Xresources"
owner : "root"
group : "sys"
mask : "133"
description : "4.4.3 Common Desktop Environment (CDE) - not installed"
info : "CDE has a history of security problems and should remain disabled. However, if the server has a graphics adapter and CDE is used then the recommendations in this section should be followed to enhance security. If CDE is not required and the filesets are installed, it is recommended that the filesets are de-installed to avoid exposure to potential security vulnerabilities."
description : "4.4.5 Common Desktop Environment (CDE) - not installed"
info : "CDE has a history of security problems and should remain disabled. However, if the server has a graphics adapter and CDE is used then the recommendations in this section should be followed to enhance security. If CDE is not required and the filesets are installed, it is recommended that the filesets are de-installed to avoid exposure to potential security vulnerabilities."
description : "4.4.7 Common Desktop Environment (CDE) - not installed"
info : "CDE has a history of security problems and should remain disabled. However, if the server has a graphics adapter and CDE is used then the recommendations in this section should be followed to enhance security. If CDE is not required and the filesets are installed, it is recommended that the filesets are de-installed to avoid exposure to potential security vulnerabilities."
description : "4.4.8 Common Desktop Environment (CDE) - not installed"
info : "CDE has a history of security problems and should remain disabled. However, if the server has a graphics adapter and CDE is used then the recommendations in this section should be followed to enhance security. If CDE is not required and the filesets are installed, it is recommended that the filesets are de-installed to avoid exposure to potential security vulnerabilities."
description : "4.4.9 Common Desktop Environment (CDE) - not installed"
info : "CDE has a history of security problems and should remain disabled. However, if the server has a graphics adapter and CDE is used then the recommendations in this section should be followed to enhance security. If CDE is not required and the filesets are installed, it is recommended that the filesets are de-installed to avoid exposure to potential security vulnerabilities."
##
## 4.5 - Non AIX Security Expert Recommendations - NFS
##
system : "AIX"
type : CMD_EXEC
description : "4.5.3 NFS - nosuid on NFS client mounts"
info : "Disable suid/sgid program execution within any mounted NFS filesystem.
Without the nosuid option, the root user on the NFS server could create an suid-root program within an exported filesystem, then log onto an NFS client as a standard user and run that program to effectively become root on the client. Setting nosuid on the client mount prevents this."
solution : "For each NFS mount, disable suid programs. List the current NFS mounts-
mount |grep 'nfs'
For each NFS filesystem add the nosuid option, this change should be made via an edit to the /etc/filesystems file. Create a copy of /etc/filesystems-
cp -p /etc/filesystems /etc/filesystems.pre_cis
For each NFS mount edit the options line to reflect the nosuid option-
vi /etc/filesystems
Reflect in each NFS options line-
options = rw,bg,hard,intr,nosuid,sec=sys
NOTE- The above options line is an example, the nosuid should be added to the existing options.
The NFS mount needs to be re-mounted to reflect this change."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
cmd : "/usr/bin/mount | /usr/bin/grep \"nfs\" | /usr/bin/grep -v \"nosuid\" | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none$"
system : "AIX"
type : FILE_CHECK
description : "Verify if /etc/exports exists"
file : "/etc/exports"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.5.4 NFS - localhost removal"
info : "Remove any reference to localhost or localhost aliases from /etc/exports.
If the RPC portmapper has proxy forwarding enabled, which is a default setting in many vendor versions, you must not export your local filesystems back to the localhost, either by name or to the alias localhost, and you must not export to any netgroups of which your host is a member. If proxy forwarding is enabled, an attacker may carefully craft NFS packets and send them to the portmapper, which in turn forwards them to the NFS server. As the packets come from the portmapper process, which runs as root, they appear to be coming from a trusted system. This configuration may allow anyone to alter and delete files at will."
solution : "Remove any reference to localhost or localhost aliases in /etc/exports- Review the content of /etc/exports and check for localhost or localhost aliases-
cat /etc/exports
NOTE- If instances of localhost or localhost aliases are found, edit the file and remove them. Create a copy of /etc/exports-
cp -p /etc/exports /etc/exports.pre_cis
Edit the file-
vi /etc/exports
Edit the relevant NFS exports to remove the localhost access, for example-
/nfsexport sec=sys,rw,access=localhost:testserver
If /etc/exports is updated, as localhost references have been removed, update the current NFS export options-
exportfs -a"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
file : "/etc/exports"
regex : "localhost"
expect : "localhost"
file_required : NO
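system : "AIX"
type : CMD_EXEC
description : "4.5.6 NFS - no_root_squash option"
info : "For each NFS export, ensure that the root_squash option is set to -2 or -1.
Each NFS export on the server should have the anon=-2 option set. Without this, an NFS export could be at risk, where the remote root user effectively has root access on the NFS mount. By setting the export option anon=-2, when the client attempts to access (read, write, or delete) the NFS mount, the server substitutes the UID to the server's nobody account, which is -2. This means that the root user on the client cannot access or change files that only root on the server can access or change. It is therefore recommended that root_squash is set on all exported filesystems.
The default value of any exported filesystem or directory is -2, another value has to be explicitly set.
As a more secure option you can set the option to anon=-1, which disables anonymous access. By default, secure NFS accepts non-secure requests as anonymous.
NOTE- The root user on the client can still use su to become any other user and access and change that user's files, assuming that the same user exists on the NFS server and owns files and/or directories in the NFS export."
solution : "Use smitty to change/validate this value for all NFS exported filesystems-
smitty chnfsexp
For each filesystem, as defined in the F4 list, set the following option-
Anonymous UID [-2]
NOTE- Press enter to accept the change
Once all exported filesystems have been successfully validated or changed, re-export the filesystems and directories to activate the new options-
exportfs -a"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
# Comments are stripped first so an anon= inside a comment is not reported.
# The info text states that anon=-2 (nobody) and anon=-1 (anonymous access
# disabled) are both compliant, so exports that explicitly set either value
# are filtered out; only an anon= set to any other UID is listed. Listing
# every anon= occurrence, as before, failed exports that had been hardened.
# The trailing ([^0-9]|$) stops anon=-1 from also matching e.g. anon=-12.
cmd : "/usr/bin/sed -e 's/#.*$//' /etc/exports | /usr/bin/grep \"anon=\" | /usr/bin/grep -v -E 'anon=-[12]([^0-9]|$)' | /usr/bin/awk -v RS='' '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none$"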
description : "4.5.4 Exports - NFS not in use"
info : "Not Applicable - NFS exports not in use"
description : "4.5.6 Exports - NFS not in use"
info : "Not Applicable - NFS exports not in use"
##
## 4.6 - Non AIX Security Expert Recommendations - NIS
##
##
## 4.7 - Non AIX Security Expert Recommendations - SNMP
##
system : "AIX"
type : FILE_CHECK
description : "Verify SNMP configuration file exists."
file : "/etc/snmpd.conf"
description : "4.7 SNMP - configuration file not found"
info : "The Simple Network Management Protocol (SNMP) is a commonly used service that provides network management and monitoring capabilities. SNMP offers the capability to poll networked devices and monitor data such as utilization and errors from various subsystems on the host. SNMP is also capable of changing the configurations on the host, allowing remote management of the system. The protocol uses a community string for authentication from the SNMP client to the SNMP agent on the managed device.
In AIX, two SNMP community names, private and system, are enabled with read/write privileges, but only allow access from localhost connections. Nevertheless, a local user may install an SNMP client and modify sensitive variables. If SNMP is required, the community strings must be greater than six characters and include a combination of letters, numbers, and special characters to avoid a brute force attack."
##
## 4.8 - Non AIX Security Expert Recommendations - Securing inetd
##
##
## 4.9 - Non AIX Security Expert Recommendations - Portmap Lockdown
##
##
## 4.10 - Non AIX Security Expert Recommendations - TCP Wrappers
##
system : "AIX"
type : FILE_CHECK
description : "4.10.2 TCP Wrappers - creating a hosts.deny file - file exists"
info : "Once TCP Wrappers are installed a /etc/hosts.deny file should be created and be configured.
The /etc/hosts.deny file describes the names of the hosts which are not allowed to access the local inetd services, as decided by the /usr/sbin/tcpd server. All access should be denied by default unless explicitly authorized. Access is granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file. Access is denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file. However, access is granted if a matching entry does not exist in either file. This is why, by default, all access must be denied."
solution : "Create a /etc/hosts.deny file-
touch /etc/hosts.deny
chown root:system /etc/hosts.deny
chmod u=rw,go= /etc/hosts.deny"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,HIPAA|164.312(e)(1),800-53|CM-7,PCI|7.2,CSF|PR.PT-3"
file : "/etc/hosts.deny"
owner : "root"
group : "system"
mask : "177"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.10.2 TCP Wrappers - creating a hosts.deny file - ALL denied"
info : "Once TCP Wrappers are installed a /etc/hosts.deny file should be created and be configured.
The /etc/hosts.deny file describes the names of the hosts which are not allowed to access the local inetd services, as decided by the /usr/sbin/tcpd server. All access should be denied by default unless explicitly authorized. Access is granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file. Access is denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file. However, access is granted if a matching entry does not exist in either file. This is why, by default, all access must be denied."
solution : "Create a /etc/hosts.deny file-
touch /etc/hosts.deny
chown root:system /etc/hosts.deny
chmod u=rw,go= /etc/hosts.deny
Deny all traffic by default, explicit access will be defined in the /etc/hosts.allow file-
vi /etc/hosts.deny
Add-
ALL: ALL"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,HIPAA|164.312(e)(1),800-53|CM-7,PCI|7.2,CSF|PR.PT-3"
file : "/etc/hosts.deny"
regex : "^[\\s]*ALL:[\\s]+ALL[\\s]*$"
expect : "^[\\s]*ALL:[\\s]+ALL[\\s]*$"
system : "AIX"
type : FILE_CHECK
description : "4.10.3 TCP Wrappers - creating a hosts.allow file"
info : "Once TCP Wrappers are installed a /etc/hosts.allow file should be created and be configured.
This file describes the names of the hosts which are allowed to access the local inetd services as decided by the /usr/sbin/tcpd server. Access is granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file. Access is denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file. However, access is granted if a matching entry does not exist in either file."
solution : "Create a /etc/hosts.allow file-
touch /etc/hosts.allow
chown root:system /etc/hosts.allow
chmod u=rw,go= /etc/hosts.allow
Define explicit access to the local inetd services-
vi /etc/hosts.allow
An example configuration-
ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,HIPAA|164.312(e)(1),800-53|AC-6,PCI|7.2,CSF|PR.AC-4"
file : "/etc/hosts.allow"
owner : "root"
group : "system"
mask : "177"
##
## 4.11 - Non AIX Security Expert Recommendations - Permissions and Ownership
##
system : "AIX"
type : FILE_CHECK
description : "4.11.1 Permissions and Ownership - /etc/security"
info : "This /etc/security directory contains the user and group configuration files and the encrypted passwords.
The /etc/security directory contains sensitive files such as /etc/security/passwd, /etc/security/group. It must be secured from unauthorized access and modifications."
solution : "Remove world read, write and execute access and group write access from /etc/security-
chown -R root:security /etc/security
chmod u=rwx,g=rx,o= /etc/security
chmod -R go-w,o-rx /etc/security"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/etc/security"
owner : "root"
group : "security"
mask : "027"
system : "AIX"
type : FILE_CHECK
description : "4.11.2 Permissions and Ownership - /etc/group"
info : "The /etc/group file contains a list of the groups defined within the system.
The /etc/group file defines basic group attributes. Since the file contains sensitive information, it must be properly secured."
solution : "Ensure correct ownership and permissions are in place for /etc/group-
chown root:security /etc/group
chmod u=rw,go=r /etc/group"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/etc/group"
owner : "root"
group : "security"
mask : "133"
system : "AIX"
type : FILE_CHECK
description : "4.11.3 Permissions and Ownership - /etc/passwd"
info : "The /etc/passwd file contains a list of the users defined within the system.
The /etc/passwd file defines all users within the system. Since the file contains sensitive information, it must be properly secured."
solution : "Ensure correct ownership and permissions are in place for /etc/passwd-
chown root:security /etc/passwd
chmod u=rw,go=r /etc/passwd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/etc/passwd"
owner : "root"
group : "security"
mask : "133"
system : "AIX"
type : FILE_CHECK
description : "4.11.4 Permissions and Ownership - /etc/security/audit"
info : "The /etc/security/audit directory contains the system audit configuration files.
The /etc/security/audit directory stores the audit configuration files. This directory must have adequate access controls to prevent unauthorized access."
solution : "Ensure correct ownership and permissions are in place for /etc/security/audit-
chown -R root:audit /etc/security/audit
chmod u=rwx,g=rx,o= /etc/security/audit
chmod -R u=rw,g=r,o= /etc/security/audit/*"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/etc/security/audit"
owner : "root"
group : "audit"
mask : "027"
system : "AIX"
type : FILE_CHECK
description : "4.11.5 Permissions and Ownership - /audit"
info : "The /audit directory holds the output produced from the audit subsystem.
The /audit directory stores the audit output files. This directory must have adequate access controls to prevent unauthorized access."
solution : "Ensure correct ownership and permissions are in place for /audit-
chown root:audit /audit
chmod u=rwx,g=rx,o= /audit
chmod -R u=rw,g=r,o= /audit/*"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/audit"
owner : "root"
group : "audit"
mask : "027"
system : "AIX"
type : FILE_CHECK
description : "4.11.6 Permissions and Ownership - /smit.log"
info : "The /smit.log file maintains a history of all smit commands run as root.
The /smit.log file may contain sensitive information regarding system configuration, which may be of interest to an attacker. This log file must be secured from unauthorized access and modifications."
solution : "Remove world read and write access to /smit.log-
chmod o-rw /smit.log"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/smit.log"
mask : "006"
system : "AIX"
type : FILE_CHECK
description : "4.11.7 Permissions and Ownership - /var/adm/cron/log"
info : "The /var/adm/cron/log file contains a log of all cron jobs run on the system.
The /var/adm/cron/log file records all cron jobs run on the system. Its permissions must ensure that it is accessible only to its owner and group."
solution : "Remove world read and write access to /var/adm/cron/log-
chmod o-rw /var/adm/cron/log"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/adm/cron/log"
mask : "006"
system : "AIX"
type : FILE_CHECK
description : "4.11.8 Permissions and Ownership - /var/spool/cron/crontabs - directory"
info : "The /var/spool/cron/crontabs directory contains all of the crontabs for the users on the system.
The /var/spool/cron/crontabs directory contains all of the crontabs for the users on the system. Crontab files present a security problem because they are run by the cron daemon, which runs with super user rights. Allowing other users to have read/write permissions on these files may allow them to escalate their privileges. To negate this risk, the directory and all the files that it contains must be secured."
solution : "Apply the appropriate permissions to /var/spool/cron/crontabs-
chmod -R o= /var/spool/cron/crontabs
chmod ug=rwx,o= /var/spool/cron/crontabs
chgrp -R cron /var/spool/cron/crontabs"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/spool/cron/crontabs"
group : "cron"
mask : "007"
system : "AIX"
type : FILE_CHECK
description : "4.11.8 Permissions and Ownership - /var/spool/cron/crontabs - files"
info : "The /var/spool/cron/crontabs directory contains all of the crontabs for the users on the system.
The /var/spool/cron/crontabs directory contains all of the crontabs for the users on the system. Crontab files present a security problem because they are run by the cron daemon, which runs with super user rights. Allowing other users to have read/write permissions on these files may allow them to escalate their privileges. To negate this risk, the directory and all the files that it contains must be secured."
solution : "Apply the appropriate permissions to /var/spool/cron/crontabs-
chmod -R o= /var/spool/cron/crontabs
chmod ug=rwx,o= /var/spool/cron/crontabs
chgrp -R cron /var/spool/cron/crontabs"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/spool/cron/crontabs/*"
group : "cron"
mask : "007"
system : "AIX"
type : FILE_CHECK
description : "4.11.9 Permissions and Ownership - /var/adm/cron/at.allow"
info : "The /var/adm/cron/at.allow file contains a list of users who can schedule jobs via the at command.
The /var/adm/cron/at.allow file controls which users can schedule jobs via the at command. Only the root user should have permissions to create, edit, or delete this file."
solution : "Apply the appropriate permissions to /var/adm/cron/at.allow-
chown root:sys /var/adm/cron/at.allow
chmod u=r,go= /var/adm/cron/at.allow"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/adm/cron/at.allow"
owner : "root"
group : "sys"
mask : "377"
file_required : NO
system : "AIX"
type : FILE_CHECK
description : "4.11.10 Permissions and Ownership - /var/adm/cron/cron.allow"
info : "The /var/adm/cron/cron.allow file contains a list of users who can schedule jobs via the cron command.
The /var/adm/cron/cron.allow file controls which users can schedule jobs via cron. Only the root user should have permissions to create, edit, or delete this file."
solution : "Apply the appropriate permissions to /var/adm/cron/cron.allow-
chown root:sys /var/adm/cron/cron.allow
chmod u=r,go= /var/adm/cron/cron.allow"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/adm/cron/cron.allow"
owner : "root"
group : "sys"
mask : "377"
system : "AIX"
type : FILE_CHECK
description : "4.11.11 Permissions and Ownership - /etc/motd"
info : "The /etc/motd file contains the message of the day, shown after successful initial login.
The /etc/motd file contains the message of the day, shown after successful initial login. The file should only be editable by its owner."
solution : "Apply the appropriate permissions to /etc/motd-
chown bin:bin /etc/motd
chmod u=rw,go=r /etc/motd"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/etc/motd"
owner : "bin"
group : "bin"
mask : "133"
system : "AIX"
type : FILE_CHECK
description : "4.11.12 Permissions and Ownership - /var/adm/ras"
info : "The /var/adm/ras directory contains log files which contain sensitive information such as login times and IP addresses.
The log files in the /var/adm/ras directory can contain sensitive information such as login times and IP addresses, which may be altered by an attacker when removing traces of system access. All files in this directory must be secured from unauthorized access and modifications."
solution : "Remove world read and write access from all files in /var/adm/ras-
chmod o-rw /var/adm/ras/*"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/adm/ras/*"
mask : "006"
system : "AIX"
type : FILE_CHECK
description : "4.11.13 Permissions and Ownership - /var/ct/RMstart.log"
info : "The /var/ct/RMstart.log is the logfile used by RMC and can contain sensitive data that must be secured.
RMC provides a single monitoring and management infrastructure for both RSCT peer domains and management domains. Its generalized framework is used by cluster management tools to monitor, query, modify, and control cluster resources. /var/ct/RMstart.log is the logfile used by RMC and can contain sensitive data that must be secured."
solution : "Remove world read and write from /var/ct/RMstart.log-
chmod o-rw /var/ct/RMstart.log"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/ct/RMstart.log"
mask : "006"
system : "AIX"
type : FILE_CHECK
description : "4.11.14 Permissions and Ownership - /var/tmp/dpid2.log"
info : "The /var/tmp/dpid2.log is the logfile used by dpid2 daemon, and contains SNMP information.
The /var/tmp/dpid2.log logfile is used by the dpid2 daemon and can contain sensitive SNMP information. This file must be secured from unauthorized access and modifications."
solution : "Remove world read and write from /var/tmp/dpid2.log-
chmod o-rw /var/tmp/dpid2.log"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/tmp/dpid2.log"
mask : "006"
system : "AIX"
type : FILE_CHECK
description : "4.11.15 Permissions and Ownership - /var/tmp/hostmibd.log"
info : "The /var/tmp/hostmibd.log is the logfile used by hostmibd daemon, and contains network and machine related information.
The /var/tmp/hostmibd.log log file can contain network and machine related statistics logged by the daemon. This file must be secured from unauthorized access and modifications."
solution : "Remove world read and write from /var/tmp/hostmibd.log-
chmod o-rw /var/tmp/hostmibd.log"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/tmp/hostmibd.log"
mask : "006"
system : "AIX"
type : FILE_CHECK
description : "4.11.16 Permissions and Ownership - /var/tmp/snmpd.log"
info : "The /var/tmp/snmpd.log is the logfile used by snmpd daemon, and contains network and machine related information.
The /var/tmp/snmpd.log logfile contains sensitive information through which an attacker can find out about the SNMP deployment architecture in your network. This log file must be secured from unauthorized access."
solution : "Remove world read and write from /var/tmp/snmpd.log-
chmod o-rw /var/tmp/snmpd.log"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/tmp/snmpd.log"
mask : "006"
system : "AIX"
type : FILE_CHECK
description : "4.11.17 Permissions and Ownership - /var/adm/sa"
info : "The /var/adm/sa directory holds the performance data produced by the sar utility.
The /var/adm/sa directory contains the report files produced by the sar utility. This directory must be secured from unauthorized access."
solution : "Set the recommended ownership and permissions on /var/adm/sa-
chown adm:adm /var/adm/sa
chmod u=rwx,go=rx /var/adm/sa"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/var/adm/sa"
owner : "adm"
group : "adm"
mask : "022"
system : "AIX"
type : CMD_EXEC
description : "4.11.18 Permissions and Ownership - home directory configuration files"
info : "The user configuration files in each home directory e.g. $HOME/.profile, must not be group or world writable.
Group or world-writable user configuration files may enable malicious users to steal or modify other user's data, or to gain elevated privileges."
solution : "Search and remediate any user configuration files which have group or world writable access-
lsuser -a home ALL | cut -f2 -d= | while read HOMEDIR; do
echo Examining $HOMEDIR
if [ -d $HOMEDIR ]; then
ls -a $HOMEDIR | grep -Ev '^[.][.]?$' | \
while read FILE; do
if [ -f $HOMEDIR/$FILE ]; then
ls -l $HOMEDIR/$FILE
chmod go-w $HOMEDIR/$FILE
fi
done
else
echo No home dir for $HOMEDIR
fi
done
NOTE- The permission change is automatically applied. Each file must be tested as $HOMEDIR/$FILE because ls -a prints bare file names; testing $FILE alone only works when the current directory happens to be that home directory. Only files directly inside the home directory are examined; files in subdirectories such as .ssh are not."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
cmd : "/usr/sbin/lsuser -a home ALL | /usr/bin/awk -F= '{ print \"ls -ld \"$2\"/.?*\" }' | /usr/bin/sort -u | /usr/bin/sh | /usr/bin/egrep \"^-....(w...|...w). \" | /usr/bin/awk '{print} END {if (NR==0) print \"none\"}'"
expect : "^none$"
-
system : "AIX"
name : "accounts_bad_home_permissions"
description : "4.11.19 Permissions and Ownership - home directory permissions - existing home directories"
info : "All user home directories must not have group write or world writable access.
Group or world-writable user home directories may enable malicious users to steal or modify data, or to gain other user's system privileges. Disabling read and execute access for users, who are not members of the same group, allows for appropriate use of discretionary access control by each user."
solution : "Change any home directories which have group or world writable access-
NEW_PERMS=750
lsuser -c ALL | grep -v '^#name' | cut -f1 -d: | while read NAME; do
if [ `lsuser -a id $NAME | cut -f2 -d=` -ge 200 ]; then
HDIR=`lsuser -a home $NAME | cut -f2 -d=`
echo Changing $NAME homedir $HDIR
chmod $NEW_PERMS $HDIR
fi
done
NOTE- NEW_PERMS must be assigned on its own line; written as a prefix to lsuser it is only exported to that one command and chmod then runs with an empty mode. The variable holding the home directory is deliberately not called HOME, since the read loop runs in the current shell and would overwrite the administrator's own HOME. The permission change is automatically applied to the home directory of every user with a user ID of 200 or greater, so review the user list first."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
mask : "027"
uid_ge : "200"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.11.19 Permissions and Ownership - home directory permissions - new home directories"
info : "All user home directories must not have group write or world writable access.
Group or world-writable user home directories may enable malicious users to steal or modify data, or to gain other user's system privileges. Disabling read and execute access for users, who are not members of the same group, allows for appropriate use of discretionary access control by each user."
solution : "Modify /usr/lib/security/mkuser.sys to ensure that all new user home directories will be created with a default permission of 750-
vi /usr/lib/security/mkuser.sys
Replace-
mkdir $1
With-
mkdir $1 && chmod u=rwx,g=rx,o= $1"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
file : "/usr/lib/security/mkuser.sys"
regex : "mkdir"
expect : "chmod[\\s]+u=rwx,g=rx,o=[\\s]+\\$1[\\s]*$"
-
system : "AIX"
name : "writeable_dirs_in_root_path_variable"
description : "4.11.20 Permissions and Ownership - world/group writable directory in root PATH"
info : "To secure the root users executable PATH, all directories must not be group and world writable.
There should not be group or world writable directories in the root user's executable path. This may allow an attacker to gain super user access by forcing an administrator operating as root to execute a Trojan horse program."
solution : "Search and report on group or world writable directories in root's PATH. The command must be run as the root user. The script below walks up each individual directory in PATH, ensuring that no directory is group/world writable and that each one is owned by root or the bin user-
echo /:${PATH} | tr ':' '
' | grep '^/' | sort -u | while read DIR
do
DIR=${DIR:-$(pwd)}
print Checking ${DIR}
while [[ -d ${DIR} ]]
do
[[ $(ls -ld ${DIR}) = @(d???????w? *) ]] && print ' WARNING' ${DIR} 'is world writable' || print '  ' ${DIR} 'is not world writable'
[[ $(ls -ld ${DIR}) = @(d????w???? *) ]] && print ' WARNING' ${DIR} 'is group writable' || print '  ' ${DIR} 'is not group writable'
[[ $(ls -ld ${DIR} | awk '{print $3}') != @(root|bin) ]] && print ' WARNING' ${DIR} 'is not owned by root or bin'
DIR=${DIR%/*}
done
done
NOTE- Review the output and manually change the directories, if possible. Directories which are group and/or world writable are marked with 'WARNING'. The $(ls -ld ...) substitutions must not be placed in single quotes, or the comparisons are made against the literal text and every directory is reported as not owned by root or bin.
To manually change permissions on the directories (DIR is the reported directory)-
o To remove group writable access- chmod g-w DIR
o To remove world writable access- chmod o-w DIR
o To remove both group and world writable access- chmod go-w DIR
o To change the owner of a directory- chown root DIR
To fully automate the PATH directory permission changes execute the following code as the root user. It walks up from each PATH entry to the file system root, so parent directories such as /usr or /opt are corrected as well-
echo /:${PATH} | tr ':' '
' | grep '^/' | sort -u | while read DIR
do
DIR=${DIR:-$(pwd)}
while [[ -d ${DIR} ]]
do
[[ $(ls -ld ${DIR}) = @(d???????w? *) ]] && chmod o-w ${DIR} && print 'Removing world write from' ${DIR}
[[ $(ls -ld ${DIR}) = @(d????w???? *) ]] && chmod g-w ${DIR} && print 'Removing group write from' ${DIR}
DIR=${DIR%/*}
done
done"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
mask : "022"
##
## 4.12 - Non AIX Security Expert Recommendations - Miscellaneous Configuration Changes
##
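system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.12.10 Miscellaneous Config - ftp umask"
info : "The umask of the ftp service should be set to at least 027 in order to prevent the FTP daemon process from creating world-writable files by default.
The umask of the ftp service should be set to at least 027 in order to prevent the FTP daemon process from creating world-writable files by default. These files could then be transferred over the network which could result in compromise of the critical information."
solution : "Set the default umask of the ftp daemon (the whole command is one line)-
[[ $(grep -c '^ftp[[:blank:]]' /etc/inetd.conf) -gt 0 ]] && chsubserver -c -v ftp -p tcp 'ftpd -l -u077' && refresh -s inetd || RC=0
NOTE- The umask above restricts read/write permissions for both group and other. Any umask whose group digit includes the write bit and whose other digit is 7 (027, 037, 067 or 077) satisfies this check; 047 and 057 do not, because they still allow the daemon to create group-writable files."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|SC-4,PCI|2.2.4,CSF|PR.DS-1"
# The group digit of the umask must include write (2, 3, 6 or 7) and the other digit must be 7.
# The argument may be followed by further ftpd options; it only has to be delimited by whitespace
# or the end of the line.
file : "/etc/inetd.conf"
regex : "^ftp[\\s]+"
expect : "[\\s]-u0?[2367]7([\\s]|$)"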
system : "AIX"
type : CMD_EXEC
description : "4.12.11 Miscellaneous Config - ftp banner"
info : "Set an ftp login banner which displays the acceptable usage policy.
The message in banner.msg is displayed for FTP logins. Banners display necessary warnings to users trying to gain unauthorized access to the system and are required for legal purposes. The recommendation is to set the banner as-'Authorized uses only. All activity may be monitored and reported', which is the exact text this check looks for in message 9 of ftpd.cat.
The content may be changed to reflect any corporate AUP, in which case the expected text of this check must be changed to match."
solution : "Ensure that the bos.msg.en_US.net.tcp.client fileset is installed-
lslpp -L 'bos.msg.en_US.net.tcp.client'
NOTE- If the fileset is not installed, install it from the AIX media or another software repository. The fileset should reflect the language used on the server.
Once installed set the ftp AUP banner-
dspcat -g /usr/lib/nls/msg/en_US/ftpd.cat > /tmp/ftpd.tmp
sed 's/\'\%s FTP server (\%s) ready.\'/\'\%s Authorized uses only. All activity may be monitored and reported\'/' /tmp/ftpd.tmp > /tmp/ftpd.msg
gencat /usr/lib/nls/msg/en_US/ftpd.cat /tmp/ftpd.msg
rm /tmp/ftpd.tmp /tmp/ftpd.msg"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|AC-8"
cmd : "dspcat -g /usr/lib/nls/msg/en_US/ftpd.cat | grep \"^9[[:blank:]]\""
expect : "^9[\\s]+\"%s[\\s]+Authorized[\\s]uses[\\s]only[\\.][\\s]+All[\\s]activity[\\s]may[\\s]be[\\s]monitored[\\s]and[\\s]reported\""
system : "AIX"
type : FILE_CHECK
description : "4.12.12 Miscellaneous Config - /etc/motd"
info : "Create a /etc/motd file which displays, post initial logon, a statutory warning message.
The creation of a /etc/motd file which contains a statutory warning message could aid in the prosecution of offenders guilty of unauthorized system access. The /etc/motd is displayed after successful logins from the console, SSH and other system access protocols."
solution : "Create a /etc/motd file-
touch /etc/motd
chmod u=rw,go=r /etc/motd
chown bin:bin /etc/motd
Below is a sample banner-
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only. Users
(authorized or unauthorized) have no explicit or implicit expectation of
privacy. Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and disclosed
to your employer, to authorized site, government, and law enforcement
personnel, as well as authorized officials of government agencies, both
domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the discretion
of such personnel or officials. Unauthorized or improper use of this system
may result in civil and criminal penalties and administrative or disciplinary
action, as appropriate. By continuing to use this system you indicate your
awareness of and consent to these terms and conditions of use. LOG OFF
IMMEDIATELY if you do not agree to the conditions stated in this warning.
*
NOTE- Replace 'its owner' with the relevant company name."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|AC-8"
file : "/etc/motd"
owner : "bin"
group : "bin"
mask : "133"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.12.13 Miscellaneous Config - authorized users in at.allow - adm"
info : "The /var/adm/cron/at.allow file defines which users on the system are able to schedule jobs via at.
The /var/adm/cron/at.allow file defines which users are able to schedule jobs via at. Review the current at files and add any relevant users to the /var/adm/cron/at.allow file."
solution : "Review the current at files-
ls -l /var/spool/cron/atjobs
cat /var/spool/cron/atjobs/*
NOTE- Review the list of at schedules and remove any files which should not be there, or have no content.
Add the recommended system users to the at.allow list-
echo 'adm' >>/var/adm/cron/at.allow
echo 'sys' >> /var/adm/cron/at.allow
Add any other users who require permissions to use the at scheduler-
echo 'USERNAME' >> /var/adm/cron/at.allow
NOTE- Where USERNAME is the username. Once at.allow exists only the users listed in it can use at, so list every account that legitimately schedules jobs."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|7.2,CSF|PR.PT-3"
file : "/var/adm/cron/at.allow"
regex : "."
expect : "^adm$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.12.13 Miscellaneous Config - authorized users in at.allow - sys"
info : "The /var/adm/cron/at.allow file defines which users on the system are able to schedule jobs via at.
The /var/adm/cron/at.allow file defines which users are able to schedule jobs via at. Review the current at files and add any relevant users to the /var/adm/cron/at.allow file."
solution : "Review the current at files-
ls -l /var/spool/cron/atjobs
cat /var/spool/cron/atjobs/*
NOTE- Review the list of at schedules and remove any files which should not be there, or have no content.
Add the recommended system users to the at.allow list-
echo 'adm' >>/var/adm/cron/at.allow
echo 'sys' >> /var/adm/cron/at.allow
Add any other users who require permissions to use the at scheduler-
echo 'USERNAME' >> /var/adm/cron/at.allow
NOTE- Where USERNAME is the username. Once at.allow exists only the users listed in it can use at, so list every account that legitimately schedules jobs."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|7.2,CSF|PR.PT-3"
file : "/var/adm/cron/at.allow"
regex : "."
expect : "^sys$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.12.14 Miscellaneous Config - authorized users in cron.allow - adm"
info : "The /var/adm/cron/cron.allow file defines which users on the system are able to schedule jobs via cron.
The /var/adm/cron/cron.allow file defines which users are able to schedule jobs via cron. Review the current cron files and add any relevant users to the /var/adm/cron/cron.allow file."
solution : "Review the current cron files-
ls -l /var/spool/cron/crontabs
cat /var/spool/cron/crontabs/*
NOTE- Review the list of cron schedules and remove any files which should not be there, or have no content.
Add the recommended system users to the cron.allow list-
echo 'sys' >> /var/adm/cron/cron.allow
echo 'adm' >> /var/adm/cron/cron.allow
Add any other users who require permissions to use the cron scheduler-
echo 'USERNAME' >> /var/adm/cron/cron.allow
NOTE- Where USERNAME is the username. Once cron.allow exists only the users listed in it can use cron, so list every account that legitimately owns a crontab."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|7.2,CSF|PR.PT-3"
file : "/var/adm/cron/cron.allow"
regex : "."
expect : "^adm$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.12.14 Miscellaneous Config - authorized users in cron.allow - sys"
info : "The /var/adm/cron/cron.allow file defines which users on the system are able to schedule jobs via cron.
The /var/adm/cron/cron.allow file defines which users are able to schedule jobs via cron. Review the current cron files and add any relevant users to the /var/adm/cron/cron.allow file."
solution : "Review the current cron files-
ls -l /var/spool/cron/crontabs
cat /var/spool/cron/crontabs/*
NOTE- Review the list of cron schedules and remove any files which should not be there, or have no content.
Add the recommended system users to the cron.allow list-
echo 'sys' >> /var/adm/cron/cron.allow
echo 'adm' >> /var/adm/cron/cron.allow
Add any other users who require permissions to use the cron scheduler-
echo 'USERNAME' >> /var/adm/cron/cron.allow
NOTE- Where USERNAME is the username. Once cron.allow exists only the users listed in it can use cron, so list every account that legitimately owns a crontab."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|7.2,CSF|PR.PT-3"
file : "/var/adm/cron/cron.allow"
regex : "."
expect : "^sys$"
system : "AIX"
type : CMD_EXEC
description : "4.12.15 Miscellaneous Config - all unlocked accounts must have a password"
info : "All unlocked accounts on the server must have a password.
An account password is a secret code word that must be entered to gain access to the account. If an account exists that has a blank password, multiple users may access the account without authentication and leave a weak audit trail. An attacker may gain unauthorized system access or perform malicious actions, which then cannot be attributed to any specific individual."
solution : "Check for empty passwords-
pwdck -n ALL
If the command above yields output, set a password on each reported account-
passwd USERNAME
Alternatively, lock an account that is not meant to be used interactively-
chuser account_locked=true USERNAME"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-4,HIPAA|164.312(d),800-53|AC-3,PCI|2.1,CSF|PR.AC-4"
cmd : "/usr/bin/pwdck -n ALL | /usr/bin/awk '{print} END {if (NR==0) print \"none\"}'"
expect : "^none$"
-
system : "AIX"
name : "passwd_duplicate_uid"
description : "4.12.16 Miscellaneous Config - all user id must be unique"
info : "All users should have a unique UID. In particular the only user on the system to have a UID of 0 should be the root user.
The only user with a UID of 0 on the system must be the root user. Any account with a UID of 0 has super user privileges on the system and is effectively root. All access to the root account should be via su or sudo to provide an audit trail. All other users must also have a unique UID to ensure that file and directory security is not compromised."
solution : "Examine the user IDs of all configured users-
cut -d: -f3 /etc/passwd | sort -n | uniq -d
If a number, or numbers, are returned from the command above, these are UIDs which are not unique within the /etc/passwd file. Determine the affected user names, replacing UID with each duplicated number-
cut -d: -f1,3 /etc/passwd | grep ':UID$'
NOTE- Any user names returned should either be deleted or have the UID changed.
To remove-
rmuser USERNAME
To change the UID-
chuser id=NEWUID USERNAME
NOTE- Changing the UID does not re-own existing files; locate them with find / -user OLDUID and chown them afterwards."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-1,HIPAA|164.312(a)(2)(i),800-53|IA-2,PCI|8.1.1,CSF|PR.AC-1"
-
system : "AIX"
name : "group_duplicate_gid"
description : "4.12.17 Miscellaneous Config - all group id must be unique"
info : "All groups should have a unique GID on the system.
All groups should have an individual and unique GID. If GID numbers are shared this could lead to undesirable file and directory access."
solution : "Ensure that all group IDs are unique-
cut -d: -f3 /etc/group | sort -n | uniq -d
If a number, or numbers, are returned from the command above, these are GIDs which are not unique within the /etc/group file. Determine the affected group names, replacing GID with each duplicated number-
cut -d: -f1,3 /etc/group | grep ':GID$'
NOTE- Any group names returned should either be deleted or have the GID changed.
To remove-
rmgroup GROUPNAME
To change the GID-
chgroup id=NEWGID GROUPNAME
NOTE- Changing the GID does not re-own existing files; locate them with find / -group OLDGID and chgrp them afterwards."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-1,HIPAA|164.312(a)(2)(i),800-53|IA-2,PCI|8.1.1,CSF|PR.AC-1"
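system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.12.18 Miscellaneous Config - unnecessary user and group removal - /etc/passwd - uucp"
info : "Remove unnecessary administrative user accounts to further enhance security.
Remove unnecessary administrative user accounts and groups, if possible. Generic administrative user accounts are targeted by hackers in an attempt to gain unauthorized access to a server."
solution : "Remove the uucp, nuucp, lpd, and printq user accounts and respective groups, if possible-
# Remove users
LIST='uucp nuucp lpd printq'
for USERS in $LIST; do
rmuser -p $USERS
done
NOTE-- Other users and groups can be added to the list if required. Before removing an account confirm that nothing runs as it and that it owns no files (find / -user NAME); rmuser does not remove such files."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-4,HIPAA|164.312(d),800-53|CM-7,PCI|2.1,CSF|PR.PT-3"
# The item had no 'file' attribute, so the check had no target to read; the description names /etc/passwd.
file : "/etc/passwd"
regex : "^[\\s]*uucp:"
expect : "^[\\s]*uucp:"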
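system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.12.18 Miscellaneous Config - unnecessary user and group removal - /etc/passwd - nuucp"
info : "Remove unnecessary administrative user accounts to further enhance security.
Remove unnecessary administrative user accounts and groups, if possible. Generic administrative user accounts are targeted by hackers in an attempt to gain unauthorized access to a server."
solution : "Remove the uucp, nuucp, lpd, and printq user accounts and respective groups, if possible-
# Remove users
LIST='uucp nuucp lpd printq'
for USERS in $LIST; do
rmuser -p $USERS
done
NOTE-- Other users and groups can be added to the list if required. Before removing an account confirm that nothing runs as it and that it owns no files (find / -user NAME); rmuser does not remove such files."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-4,HIPAA|164.312(d),800-53|CM-7,PCI|2.1,CSF|PR.PT-3"
# The item had no 'file' attribute, so the check had no target to read; the description names /etc/passwd.
file : "/etc/passwd"
regex : "^[\\s]*nuucp:"
expect : "^[\\s]*nuucp:"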
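system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.12.18 Miscellaneous Config - unnecessary user and group removal - /etc/passwd - lpd"
info : "Remove unnecessary administrative user accounts to further enhance security.
Remove unnecessary administrative user accounts and groups, if possible. Generic administrative user accounts are targeted by hackers in an attempt to gain unauthorized access to a server."
solution : "Remove the uucp, nuucp, lpd, and printq user accounts and respective groups, if possible-
# Remove users
LIST='uucp nuucp lpd printq'
for USERS in $LIST; do
rmuser -p $USERS
done
NOTE-- Other users and groups can be added to the list if required. Before removing an account confirm that nothing runs as it and that it owns no files (find / -user NAME); rmuser does not remove such files. The lpd account supports the print subsystem, so confirm printing is not in use on this host before removing it."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-4,HIPAA|164.312(d),800-53|CM-7,PCI|2.1,CSF|PR.PT-3"
# The item had no 'file' attribute, so the check had no target to read; the description names /etc/passwd.
file : "/etc/passwd"
regex : "^[\\s]*lpd:"
expect : "^[\\s]*lpd:"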
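system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.12.18 Miscellaneous Config - unnecessary user and group removal - /etc/passwd - printq"
info : "Remove unnecessary administrative user accounts to further enhance security.
Remove unnecessary administrative user accounts and groups, if possible. Generic administrative user accounts are targeted by hackers in an attempt to gain unauthorized access to a server."
solution : "Remove the uucp, nuucp, lpd, and printq user accounts and respective groups, if possible-
# Remove users
LIST='uucp nuucp lpd printq'
for USERS in $LIST; do
rmuser -p $USERS
done
NOTE-- Other users and groups can be added to the list if required. Before removing an account confirm that nothing runs as it and that it owns no files (find / -user NAME); rmuser does not remove such files. The printq account supports the print subsystem, so confirm printing is not in use on this host before removing it."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-4,HIPAA|164.312(d),800-53|CM-7,PCI|2.1,CSF|PR.PT-3"
# The item had no 'file' attribute, so the check had no target to read; the description names /etc/passwd.
file : "/etc/passwd"
regex : "^[\\s]*printq:"
expect : "^[\\s]*printq:"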
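system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.12.18 Miscellaneous Config - unnecessary user and group removal - /etc/group - uucp"
info : "Remove unnecessary administrative user accounts to further enhance security.
Remove unnecessary administrative user accounts and groups, if possible. Generic administrative user accounts are targeted by hackers in an attempt to gain unauthorized access to a server."
solution : "Remove the uucp, nuucp, lpd, and printq user accounts and respective groups, if possible-
# Remove groups
LIST='uucp printq'
for GRP in $LIST; do
rmgroup $GRP
done
NOTE-- Other users and groups can be added to the list if required. The loop variable is not named GROUPS because bash treats GROUPS as a special variable. Remove the users first; a group that is still a user's primary group cannot be removed, and check for files still owned by the group (find / -group NAME)."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-4,HIPAA|164.312(d),800-53|CM-7,PCI|2.1,CSF|PR.PT-3"
# The item had no 'file' attribute, so the check had no target to read; the description names /etc/group.
file : "/etc/group"
regex : "^[\\s]*uucp:"
expect : "^[\\s]*uucp:"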
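system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.12.18 Miscellaneous Config - unnecessary user and group removal - /etc/group - printq"
info : "Remove unnecessary administrative user accounts to further enhance security.
Remove unnecessary administrative user accounts and groups, if possible. Generic administrative user accounts are targeted by hackers in an attempt to gain unauthorized access to a server."
solution : "Remove the uucp, nuucp, lpd, and printq user accounts and respective groups, if possible-
# Remove groups
LIST='uucp printq'
for GRP in $LIST; do
rmgroup $GRP
done
NOTE-- Other users and groups can be added to the list if required. The loop variable is not named GROUPS because bash treats GROUPS as a special variable. Remove the users first; a group that is still a user's primary group cannot be removed, and check for files still owned by the group (find / -group NAME)."
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,SANS_CSC|12-4,HIPAA|164.312(d),800-53|CM-7,PCI|2.1,CSF|PR.PT-3"
# The item had no 'file' attribute, so the check had no target to read; the description names /etc/group.
file : "/etc/group"
regex : "^[\\s]*printq:"
expect : "^[\\s]*printq:"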
-
system : "AIX"
name : "dot_in_root_path_variable"
description : "4.12.19 Miscellaneous Config - removing current working directory from root's PATH"
info : "This change removes any '.' or '::' entries from the root PATH. If a '.' or '::' is present the current working directory is included in the search path.
Any '.' and '::' will be removed from the root PATH. This means that any harmful programs placed in common PATH locations, would never be automatically executed. All directories must be explicitly defined within the PATH variable."
solution : "Examine root's PATH to see if it contains any '.' or '::' entries-
su - root -c 'echo ${PATH}' |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[ \t]*:)|(^.:)|(:.$)|(:.:))/'
If the command above yields output, remove the '.' and '::' entries from the relevant initialization files. The files to examine are dependent on the root user's shell definition in /etc/passwd, typically /etc/environment, /etc/profile and root's own .profile or shell rc file. Once the file or files have been identified remove the '.' and '::' from the PATH variable-
vi FILE"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
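system : "AIX"
type : CMD_EXEC
description : "4.12.20 Miscellaneous Config - removing current working directory from default /etc/environment PATH"
info : "This change removes any '.' or '::' entries from /etc/environment. If a '.' or '::' is present the current working directory is included in the default search path.
Any '.' and '::' will be removed from /etc/environment. This means that any harmful programs placed in common PATH locations, would never be automatically executed. All directories must be explicitly defined within the PATH variable."
solution : "Examine PATH in /etc/environment to see if it contains any '.' or '::' entries-
grep '^PATH=' /etc/environment | awk '/PATH=[ \t]*(:|[.][ \t]*(:|$))|:[ \t]*(:|$|[.][ \t]*(:|$))/'
If the command above yields output, remove the '.' and '::' entries from-
vi /etc/environment"
see_also : "https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf"
#reference : "Level|1S,800-53|CM-7,PCI|2.2.4,CSF|PR.PT-3"
# The line examined starts with 'PATH=', so the pattern looks for an empty element or a literal '.'
# element both directly after '=' and after any ':' (including a trailing one). The earlier pattern
# was written for a bare PATH value and missed a PATH that begins with '.' in /etc/environment.
cmd : "/usr/bin/grep \"^PATH=\" /etc/environment | awk 'BEGIN { f=0 } /PATH=[ \t]*(:|[.][ \t]*(:|$))|:[ \t]*(:|$|[.][ \t]*(:|$))/ { f=1; print } END { if (f==0) print \"none\" }'"
expect : "^none$"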
##
## 4.13 - Non AIX Security Expert Recommendations - Encrypted File Systems (EFS)
##
##
## 4.14 - Non AIX Security Expert Recommendations - Privileged Command Management
##
##
## 4.15 - Non AIX Security Expert Recommendations - Trusted Execution (TE)
##
##
## 4.16 - Non AIX Security Expert Recommendations - General Permissions Management
##
description : "IBM AIX Version 7 Release 1 or greater"
info : "IBM AIX Version 7 Release 1 or greater has not been identified.
https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf
This audit checks the testable level 1 guidance in the CIS IBM AIX 7.1 Benchmark document.
Level-I Benchmark recommendations are intended to:
o be practical and prudent,
o provide a clear security benefit
o do not inhibit the utility of the technology beyond acceptable means.
NOTE : Please read the .audit header before running a compliance scan. Please review the header notes as some queries may not behave as anticipated due to unique environmental variables that may be present on your system(s).
Thank you.
Tenable Network Security, Inc."