#TRUSTED 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
#TRUST-RSA-SHA256 69023109e24dd4d27955a4875c5770e3cb8b6b510c3568abad3f4fd2e0ee4e5caac2fed0a6a7bc7528581fc676d84e69c56f10c2847ff2533a31ef22d4b6ba5c4061f1daedf6e95d032c0282e89cd24b7b2dafd9d8d6d07908251e4e93a5943845a3af6e51d6b40e00f1316b415b10da8114647103a684414e74a339df08100b34e309fb7b8989fbecf5e95fbaf1aa93895593f129496d78601e4f44d1c3076d50daf798f82017a1656183c1288dde59ebfbd7fad3cb3933a8b9f48f8bbe2a3f68d74aaf644f262c49c131774484de17705426de9ac1870d646826dbf5dc7edaff61c112dcaeca9786be2e8902efeb769790d8f68e5d63b70695520498c351e74d2336aa011c8370a41ac2ba8407b1030cd516fe81ba43d15afd48f59d5b2c23f42475013adbe1317282c837189a94c496145cffbbe3c59563c6bba757fead95a5d624751ac1b4442e731b21bfdeb339d16ddbb8219398487a4de98c7be080f68ca4f0128de871b430ecda4680a232fdddc2e454a5ccec95ea511b49d0503a753d92600864913b29e7e52cedd6c9abd3ad0d5ca264059601579f4ee138ca747442e20127b64c6a724e12f983ba14081711f303071471599cbb79136d995631eea358592c985057c186b488f264ae9e9d0fd4ef0e37baffb6601b62f74329d810756e33d1a8b8f962d4887fc99af67ff28589449d7a52085bb791f487a9a10039
#
# This script is Copyright (C) 2004-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.0 $
# $Date: 2023/03/07 $
#
# description : This document implements the security configuration as recommended by the
# CIS IBM AIX 7.2 Benchmark
#
#
#CIS IBM AIX 7.2 L1 v1.0.0
#
# CIS
# IBM AIX 7.2 L1
# 1.0.0
# https://workbench.cisecurity.org/files/4124
#
#unix,cis,aix,aix_7.1
#CCE,CSCv6,CSCv7,CSCv8,LEVEL
#
#
# BANNER_TEXT
# Unauthorized use of this system is prohibited.
# Banner Text
# This is the text for the warning a user receives when logging onto the system.
# STRING
#
#
# LOGIN_HERALD_TEXT
# Unauthorized use of this system is prohibited.
# Default Herald Text
# The default herald located in /etc/security/login.cfg
# STRING
#
#
# LOCAL_SYSLOG_FILE
# /var/log/syslog/inventory.log
# Local log file
# Local log file used to collect local1.info messages.
# UNIX_FILE_PATH
#
#
# PLATFORM_VERSION
# 7\.[0-9]+
# AIX Version
# Regular expression matched against the output of oslevel. The default accepts any AIX 7.x release; tighten it to 7\.[2-9] to restrict this audit to AIX 7.2 or later, which is what the benchmark title and the platform check description intend.
# STRING
#
#
#
type : CMD_EXEC
description : "AIX Version 7, Release 2 or greater, found"
cmd : "/usr/bin/oslevel"
expect : "^[\\s]*@PLATFORM_VERSION@"
dont_echo_cmd : YES
description : "CIS_AIX_7.2_Benchmark_v1.0.0_Level_1.audit from CIS AIX 7.2 Benchmark v1.0.0 Level 1 Benchmark"
see_also : "https://workbench.cisecurity.org/files/4124"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "2.1 Collect system configuration regularly"
info : "Maintain a listing of the system configuration showing assets configured into the system.
Rationale:
The syslog facility local1 is chosen as this is also the facility that the Dynamic Resource Manager (DRM) reports to. The command logger simplifies appending command stdout to the syslogd.
Impact:
All changes to the system configuration should be logged so that the expected configuration is documented. Regular verification of the current configuration makes it possible to identify and correct undocumented system configuration changes."
solution : "This example shows how to setup a daily cronjob. The actual frequency you use might differ. The keyword in the recommendation is: regular.
This example also shows two syslog reporting lines: one to a system file, the second to a centralized syslog service.
The syslog facility local1 is used to keep these reports out of the standard syslog facilities. This is not meant to establish a requirement to use facility local1.
# mkdir -p /var/log/syslog
# touch /var/log/syslog/inventory.log
# print 'local1.info /var/log/syslog/inventory.log rotate 1m files 24 compress' >> /etc/syslog.conf
# print 'local1.info @rsyslog.domain' >> /etc/syslog.conf
(Replace rsyslog.domain with your central log collector. syslogd forwards these records in clear text without sender authentication, so the collector should be reachable only over a trusted network path.)
# refresh -s syslogd || startsrc -s syslogd
# print '0 0 * * * /usr/sbin/lsconf -v | /usr/bin/logger -p local1.info -t Inventory' >> /var/spool/cron/crontabs/root
(On AIX root's crontab is /var/spool/cron/crontabs/root, not /var/spool/crontabs/root. cron may not pick up a file that was appended to directly; add the entry with 'crontab -e' instead, or reload the file with the crontab command after appending.)
# /usr/sbin/lsconf -v | /usr/bin/logger -p local1.info -t Inventory"
reference : "800-171|3.4.1,800-53|CM-8,800-53|CM-8(1),800-53|PM-5,800-53r5|CM-8,800-53r5|CM-8(1),800-53r5|PM-5,CN-L3|8.1.10.2(a),CN-L3|8.1.10.2(b),CSCv7|1.4,CSCv8|1.1,CSF|DE.CM-7,CSF|ID.AM-1,CSF|ID.AM-2,CSF|PR.DS-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ITSG-33|CM-8,ITSG-33|CM-8(1),LEVEL|1M,NESA|T1.2.1,NESA|T1.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/syslog.conf"
regex : "^[\\s]*local1.info"
expect : "^[\\s]*local1.info[\\s]*@LOCAL_SYSLOG_FILE@"
system : "AIX"
type : CMD_EXEC
description : "2.2 Scan for TROJAN aka Untrusted/Unauthorized Applications (Implement Allowlist)"
info : "This recommendation is find and report (audit) software on the system that has not been included in the TE (trusted execution) TSD (trusted signature database).
Rationale:
These entries establish a so-called AllowList. Software not included on this AllowList should be generating a syslog and/or audit record whenever it is executed.
Trusted Execution (TE) is an AIX security component that can be used to monitor unauthorized software in real time.
Unauthorized seems a clear definition, but how TE determines unauthorized may not be as clear. Simply put, the goal is that all software is on the AllowList. If not, the software is unauthorized. AIX uses the term TROJAN (see below) to decide that an application is unauthorized. Note the gap this leaves: software that is not in the TSD but needs no special privilege (no SUID/SGID bit, no privcmds entry, no link to a TSD or privcmds command) is not classed as TROJAN by this scan and is therefore treated as authorized.
What is a Trojan?
For this benchmark we add the AIX concept of TROJAN as a definition of unauthorised. AIX defines as Trojan any executable that is not in the TSD and has one or more of the following characteristics:
uses either SUID or SGID
is linked to a command in the TSD (AllowList)
is in the privcmds (aka RBAC definition, ie, may have kernel privileges).
is linked to a command in the privcmds database.
Summary: On AIX the construct AllowList is implemented by the TSD. The clear advantage of an AllowList monitored by a system security component is that the system can enforce and/or report violations of AllowList in real-time.
This recommendation focuses on reporting violations of the AllowList. A later recommendation (update or new version of benchmark) will have a Level 2 recommendation including enforcing violations."
solution : "This will be a manual process. The remediation is to find and remove the offending file (currently the reported file might be the artifact of another error - most common is a symbolic link that points at a non-existent object).
The starting point is running the same command from the AUDIT section:
trustchk -i -n tree / 2>&1 >/dev/null | grep untrusted
Line by line, verify the root cause and act (one of):
remove the offending object
remove SUID/SGID settings
remove privcmds setting
add to TSD aka AllowList"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.4.8,800-53|CM-7,800-53|CM-7(1),800-53|CM-7(5),800-53|CM-10,800-53|SI-7,800-53|SI-7(1),800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-7(5),800-53r5|CM-10,800-53r5|SI-7,800-53r5|SI-7(1),CN-L3|7.1.3.5(b),CSCv7|2.1,CSCv7|2.3,CSCv7|2.6,CSCv7|2.7,CSCv8|2.5,CSCv8|2.6,CSCv8|2.7,CSF|DE.CM-3,CSF|PR.DS-6,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(c)(1),HIPAA|164.312(c)(2),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|SI-7,ITSG-33|SI-7(1),ITSG-33|SI-7a.,LEVEL|1M,NESA|T3.4.1,NESA|T7.3.2,NESA|T7.3.3,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|10.5.5,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.2,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/trustchk -i -n tree / 2>&1 >/dev/null | grep untrusted | /usr/bin/awk '{print} END {if (NR==0) print \"none\"}'"
expect : "^none$"
system : "AIX"
type : CMD_EXEC
description : "2.3 Allowlist Authorized Software and Report Violations - TE"
info : "At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet whitelisted. This can be used to update the whitelist (TSD - /etc/security/tsd/tsd.dat) so that, at Profile Level 2, non-listed applications are actually prevented from executing.
Rationale:
Impact:
As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries."
solution : "# trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=OFF
# mkdir -p /var/log/syslog
# touch /var/log/syslog/kernel.log
# print 'kern.info /var/log/syslog/kernel.log rotate 1m files 24 compress' >> /etc/syslog.conf
# print 'kern.info @rsyslog.domain' >> /etc/syslog.conf
# refresh -s syslogd || startsrc -s syslogd
Default Value:
TE=OFF"
reference : "800-171|3.4.8,800-53|CM-7(5),800-53|CM-10,800-53r5|CM-7(5),800-53r5|CM-10,CSCv7|2.7,CSCv8|2.5,CSF|DE.CM-3,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/trustchk -p TE"
expect : "^[\\s]*TE[\\s]*=[\\s]*[Oo][Nn]$"
system : "AIX"
type : CMD_EXEC
description : "2.3 Allowlist Authorized Software and Report Violations - CHKEXEC"
info : "At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet whitelisted. This can be used to update the whitelist (TSD - /etc/security/tsd/tsd.dat) so that, at Profile Level 2, non-listed applications are actually prevented from executing.
Rationale:
Impact:
As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries."
solution : "# trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=OFF
# mkdir -p /var/log/syslog
# touch /var/log/syslog/kernel.log
# print 'kern.info /var/log/syslog/kernel.log rotate 1m files 24 compress' >> /etc/syslog.conf
# print 'kern.info @rsyslog.domain' >> /etc/syslog.conf
# refresh -s syslogd || startsrc -s syslogd
Default Value:
TE=OFF"
reference : "800-171|3.4.8,800-53|CM-7(5),800-53|CM-10,800-53r5|CM-7(5),800-53r5|CM-10,CSCv7|2.7,CSCv8|2.5,CSF|DE.CM-3,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/trustchk -p CHKEXEC"
expect : "^[\\s]*CHKEXEC[\\s]*=[\\s]*[Oo][Nn][\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "2.3 Allowlist Authorized Software and Report Violations - kern.info"
info : "At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet whitelisted. This can be used to update the whitelist (TSD - /etc/security/tsd/tsd.dat) so that, at Profile Level 2, non-listed applications are actually prevented from executing.
Rationale:
Impact:
As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries."
solution : "# trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=OFF
# mkdir -p /var/log/syslog
# touch /var/log/syslog/kernel.log
# print 'kern.info /var/log/syslog/kernel.log rotate 1m files 24 compress' >> /etc/syslog.conf
# print 'kern.info @rsyslog.domain' >> /etc/syslog.conf
# refresh -s syslogd || startsrc -s syslogd
Default Value:
TE=OFF"
reference : "800-171|3.4.8,800-53|CM-7(5),800-53|CM-10,800-53r5|CM-7(5),800-53r5|CM-10,CSCv7|2.7,CSCv8|2.5,CSF|DE.CM-3,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/syslog.conf"
regex : "^[\\s]*kern\.info"
expect : "^[\\s]*kern\.info[\\s]+\/var\/log\/syslog\/kernel\.log[\\s]+rotate[\\s]+1m[\\s]+files[\\s]+24[\\s]+compress[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "2.4 Allowlist Authorized Libraries and Report Violations - TE"
info : "At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet whitelisted. This can be used to update the whitelist (TSD - /etc/security/tsd/tsd.dat) so that, at Profile Level 2, non-listed libraries are actually prevented from executing.
Rationale:
Impact:
As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries."
solution : "Enable Trusted Execution in log-only mode together with the shared-library and kernel-extension checks this recommendation audits (STOP_ON_CHKFAIL and STOP_UNTRUSTED stay OFF so violations are only logged), and collect kern.info as described in recommendation 2.3:
# trustchk -p TE=ON CHKSHLIB=ON CHKKERNEXT=ON STOP_ON_CHKFAIL=OFF
Default Value:
TE=OFF"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,800-53|CM-7(1),800-53r5|CM-7,800-53r5|CM-7(1),CSCv7|2.8,CSCv8|2.6,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|CM-7(1),LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/trustchk -p TE"
expect : "^[\\s]*TE[\\s]*=[\\s]*[Oo][Nn]$"
system : "AIX"
type : CMD_EXEC
description : "2.4 Allowlist Authorized Libraries and Report Violations - CHKSHLIB"
info : "At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet whitelisted. This can be used to update the whitelist (TSD - /etc/security/tsd/tsd.dat) so that, at Profile Level 2, non-listed libraries are actually prevented from executing.
Rationale:
Impact:
As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries."
solution : "Enable Trusted Execution in log-only mode together with the shared-library check this item audits (STOP_ON_CHKFAIL and STOP_UNTRUSTED stay OFF so violations are only logged), and collect kern.info as described in recommendation 2.3:
# trustchk -p TE=ON CHKSHLIB=ON CHKKERNEXT=ON STOP_ON_CHKFAIL=OFF
Default Value:
TE=OFF"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,800-53|CM-7(1),800-53r5|CM-7,800-53r5|CM-7(1),CSCv7|2.8,CSCv8|2.6,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|CM-7(1),LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/trustchk -p CHKSHLIB"
expect : "^[\\s]*CHKSHLIB[\\s]*=[\\s]*[Oo][Nn]$"
system : "AIX"
type : CMD_EXEC
description : "2.4 Allowlist Authorized Libraries and Report Violations - CHKKERNEXT"
info : "At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet whitelisted. This can be used to update the whitelist (TSD - /etc/security/tsd/tsd.dat) so that, at Profile Level 2, non-listed libraries are actually prevented from executing.
Rationale:
Impact:
As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries."
solution : "Enable Trusted Execution in log-only mode together with the kernel-extension check this item audits (STOP_ON_CHKFAIL and STOP_UNTRUSTED stay OFF so violations are only logged), and collect kern.info as described in recommendation 2.3:
# trustchk -p TE=ON CHKSHLIB=ON CHKKERNEXT=ON STOP_ON_CHKFAIL=OFF
Default Value:
TE=OFF"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,800-53|CM-7(1),800-53r5|CM-7,800-53r5|CM-7(1),CSCv7|2.8,CSCv8|2.6,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|CM-7(1),LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/trustchk -p CHKKERNEXT"
expect : "^[\\s]*CHKKERNEXT[\\s]*=[\\s]*[Oo][Nn]$"
system : "AIX"
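type : FILE_CONTENT_CHECK
description : "2.4 Allowlist Authorized Libraries and Report Violations - kern.info"
info : "At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet whitelisted. This can be used to update the whitelist (TSD - /etc/security/tsd/tsd.dat) so that, at Profile Level 2, non-listed libraries are actually prevented from executing.
Rationale:
Impact:
As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries."
solution : "The log-only TE messages this recommendation relies on are collected through kern.info, so configure the library and kernel-extension checks and the kern.info syslog capture exactly as in recommendation 2.3:
# trustchk -p TE=ON CHKSHLIB=ON CHKKERNEXT=ON STOP_ON_CHKFAIL=OFF
# mkdir -p /var/log/syslog
# touch /var/log/syslog/kernel.log
# print 'kern.info /var/log/syslog/kernel.log rotate 1m files 24 compress' >> /etc/syslog.conf
# print 'kern.info @rsyslog.domain' >> /etc/syslog.conf
# refresh -s syslogd || startsrc -s syslogd
Default Value:
TE=OFF"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,800-53|CM-7(1),800-53r5|CM-7,800-53r5|CM-7(1),CSCv7|2.8,CSCv8|2.6,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|CM-7(1),LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/syslog.conf"
regex : "^[\\s]*kern\.info"
expect : "^[\\s]*kern\.info[\\s]+\/var\/log\/syslog\/kernel\.log[\\s]+rotate[\\s]+1m[\\s]+files[\\s]+24[\\s]+compress[\\s]*$"
system : "AIX"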
type : CMD_EXEC
description : "2.5 Allowlist Authorized Scripts and Report Violations - CHKSCRIPT"
info : "At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet whitelisted. This can be used to update the whitelist (TSD - /etc/security/tsd/tsd.dat) so that, at Profile Level 2, non-listed scripts are actually prevented from executing.
Rationale:
Impact:
As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries."
solution : "Enable Trusted Execution in log-only mode together with the script check this item audits (STOP_ON_CHKFAIL and STOP_UNTRUSTED stay OFF so violations are only logged), and collect kern.info as described in recommendation 2.3:
# trustchk -p TE=ON CHKSCRIPT=ON STOP_ON_CHKFAIL=OFF
Default Value:
TE=OFF"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,800-53|CM-7(1),800-53|SI-7,800-53|SI-7(1),800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|SI-7,800-53r5|SI-7(1),CN-L3|7.1.3.5(b),CSCv7|2.9,CSCv8|2.7,CSF|PR.DS-6,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(c)(1),HIPAA|164.312(c)(2),HIPAA|164.312(e)(2)(i),ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|SI-7,ITSG-33|SI-7(1),ITSG-33|SI-7a.,LEVEL|1A,NESA|T3.4.1,NESA|T7.3.2,NESA|T7.3.3,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|10.5.5,QCSC-v1|3.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/trustchk -p CHKSCRIPT"
expect : "^[\\s]*CHKSCRIPT[\\s]*=[\\s]*[Oo][Nn]$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "2.5 Allowlist Authorized Scripts and Report Violations - kern.info"
info : "At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet whitelisted. This can be used to update the whitelist (TSD - /etc/security/tsd/tsd.dat) so that, at Profile Level 2, non-listed scripts are actually prevented from executing.
Rationale:
Impact:
As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries."
solution : "The log-only TE messages this recommendation relies on are collected through kern.info, so configure the script check and the kern.info syslog capture exactly as in recommendation 2.3:
# trustchk -p TE=ON CHKSCRIPT=ON STOP_ON_CHKFAIL=OFF
# mkdir -p /var/log/syslog
# touch /var/log/syslog/kernel.log
# print 'kern.info /var/log/syslog/kernel.log rotate 1m files 24 compress' >> /etc/syslog.conf
# print 'kern.info @rsyslog.domain' >> /etc/syslog.conf
# refresh -s syslogd || startsrc -s syslogd
Default Value:
TE=OFF"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7,800-53|CM-7(1),800-53|SI-7,800-53|SI-7(1),800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|SI-7,800-53r5|SI-7(1),CN-L3|7.1.3.5(b),CSCv7|2.9,CSCv8|2.7,CSF|PR.DS-6,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(c)(1),HIPAA|164.312(c)(2),HIPAA|164.312(e)(2)(i),ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|SI-7,ITSG-33|SI-7(1),ITSG-33|SI-7a.,LEVEL|1A,NESA|T3.4.1,NESA|T7.3.2,NESA|T7.3.3,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|10.5.5,QCSC-v1|3.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.2"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/syslog.conf"
regex : "^[\\s]*kern\.info"
expect : "^[\\s]*kern\.info[\\s]+\/var\/log\/syslog\/kernel\.log[\\s]+rotate[\\s]+1m[\\s]+files[\\s]+24[\\s]+compress[\\s]*$"
system : "AIX"
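type : CMD_EXEC
description : "2.7 Remove Unused Symbolic Links"
info : "This recommendation finds and removes symbolic links whose targets are missing. Symbolic Links that do not have a valid target are a risk to system integrity.
The recommendation is to scan frequently (weekly or daily) for symbolic links without a valid target object and remove them.
Rationale:
Do not assume that anyone responsible for maintaining system integrity is (actively) monitoring unknown software.
Symbolic links - pointing at nothing - are, by definition, unauthorized and/or belong on a blocklist.
Impact:
Symbolic Links, used properly, are a tremendous asset - enhancing system usability (ease of use). However, when pointing to nothing (i.e., whatever they pointed at has been removed but not replaced) system integrity is at the mercy of whatever process replaces that filesystem location later.
To reduce risk to system integrity any symbolic link that points at a non-existent file-system object is to be removed.
Note: most symbolic links that point at no longer existent objects exist due to incomplete software removal procedures. When an authorized application is (re-)installed it's installation process will (or should) re-create the symbolic link."
solution : "The following command will remove all symbolic links that lack a valid target object:
find -L / \( -fstype jfs -o -fstype jfs2 \) -type l | xargs rm
Review the audit output before running it: the command deletes whatever find reports, and xargs splits the list on whitespace, so a dangling link whose name contains spaces would be handed to rm as several separate arguments. Where such names exist use the per-path form instead:
find -L / \( -fstype jfs -o -fstype jfs2 \) -type l -exec rm {} \;"
reference : "800-171|3.4.1,800-171|3.4.7,800-171|3.4.9,800-53|CM-7(2),800-53|CM-8(3),800-53|CM-10,800-53|CM-11,800-53r5|CM-7(2),800-53r5|CM-8(3),800-53r5|CM-10,800-53r5|CM-11,CN-L3|8.1.10.2(a),CN-L3|8.1.10.2(b),CSCv7|2.6,CSCv8|2.3,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7(2),ITSG-33|CM-8(3),LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/find -L / \( -fstype jfs -o -fstype jfs2 \) -type l -ls | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "^pass$"
system : "AIX"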
type : CMD_EXEC
description : "3.4 Remove group write permission from default groups - exceptions must be in TSD and audit"
info : "The system is audited for group writable files.
Rationale:
An audit should be performed on the system to search for the presence of group writable files.
In an extreme case - where this permission is required - the file needs to be added to the TSD and audit configurations.
The preference is no group writeable files."
solution : "Review the currently mounted local filesystems using the following to find all group writable files on local JFS/JFS2 filesystems only:
find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -ls
Remedy any files in the list, e.g., chmod g-w FILE
Document any files, and motivate why they are group writeable, and also add documentation re: when/why this exception ceases.
Default Value:
N/A
Additional Information:
The audit procedure does not verify remote file systems (e.g., NFS). The expectation is that these are being audited on the file (e.g., NFS) server - rather than on all clients."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -ls | /usr/bin/awk '{print} END {if (NR==0) print \"none\"}'"
expect : "^none$"
system : "AIX"
description : "3.5 Application Data with requirement for world writable directories"
info : "The system is audited for world writable directories.
Rationale:
World writable directories are considered as a common application component - usually a location for temporary files.
An audit should be performed on the system to search for the presence of world writable directories. Directories should only be world writable when absolutely necessary, and only with the so-called SVTX bit set. This protects users files from being deleted or renamed.
Impact:
World writable directories exist on UNIX systems (e.g., /tmp, /var/tmp). These directories are needed for normal operations. To protect the files created in the directories the 'links to the inode' (ie, filename) need to be protected so that others may not accidentally, or maliciously - remove or modify the filename."
solution : "Review the local mounted JFS/JFS2 filesystems using the following command to find all world writable directories missing the SVTX bit (note the single negation: a doubled '! !' would cancel out and list the directories that already have the sticky bit):
find / \( -fstype jfs -o -fstype jfs2 \) -type d -perm -o+w ! -perm -1000 -ls
If a directory must retain world writable access, ensure that SVTX bit is set so that users can only remove the filenames they own:
chmod o+t ${dir}
NOTE: This will leave existing modes while adding the SVTX (also known as sticky bit) to the directory. The documented meaning of the flag for directories is:
Sets the link permission to directories.
Otherwise, remove world-write permission - without modifying the other mode bits:
chmod o-w ${dir}
Default Value:
N/A"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
name : "find_world_writeable_directories"
system : "AIX"
description : "3.6 Ensure there are no world writable files - exceptions must be in TSD and audit"
info : "The system is audited for world writable files.
Rationale:
An audit should be performed on the system to search for the presence of world writable files.
In an extreme case - where this permission is required - the file needs to be added to the TSD and audit configurations.
The preference is no world writeable files."
solution : "Review the currently mounted local filesystems using the following to find all world writable files on local JFS/JFS2 filesystems only:
find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -o+w -ls
Remedy any files in the list, e.g., chmod o-w FILE
Document any files, and motivate why they are world writeable, and also add documentation re: when/why this exception ceases.
Default Value:
N/A
Additional Information:
The audit procedure does not verify remote file systems (e.g., NFS). The expectation is that these are being audited on the file (e.g., NFS) server - rather than on all clients."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
name : "find_world_writeable_files"
system : "AIX"
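type : CMD_EXEC
description : "3.7 Ensure there are no 'staff' writable files - exceptions must be in TSD and audit"
info : "The system is audited for group staff writable files.
Rationale:
An audit should be performed on the system to search for files that can be modified by members of the group staff. As staff is the default group for user accounts any file that is writable via group staff is comparable to being writable by other aka world writable.
In a case - where this permission is required - the recommendation is to create a new group and appoint a group administrator.
The goal is no group staff writable files.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Review the currently mounted local filesystems using the following to find all files writable by group staff on local JFS/JFS2 filesystems only:
find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff -ls
Remedy any files in the list, e.g., chmod g-w FILE
Document any files, and motivate why they are writable by group staff, and also add documentation re: when/why this exception ceases.
Default Value:
N/A
Additional Information:
The audit procedure does not verify remote file systems (e.g., NFS). The expectation is that these are being audited on the file (e.g., NFS) server - rather than on all clients."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "FOUND=$(find / \\( -fstype jfs -o -fstype jfs2 \\) -type f -perm -g+w -group staff -ls)
# Single pass over the local JFS/JFS2 filesystems. The listing is held in a shell
# variable instead of a predictable /tmp/cis-3.7.<pid> file: the scan runs as root,
# and a local user could pre-create that path (e.g. as a symbolic link) so that the
# root-owned write lands somewhere else.
if [ -n \"${FOUND}\" ]; then
# TBD: skip objects already registered in the TSD and report only the remainder.
echo \"${FOUND}\"
else
echo none
fi"
expect : "MANUAL_REVIEW"
severity : MEDIUM
system : "AIX"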
description : "3.8 Ensure all files and directories are owned by a user (uid) and assigned to a group (gid)"
info : "When a user or group identifier is removed from the system verify that any data associated with the ID removed is either removed or re-assigned.
Rationale:
Worst case: a previously removed UID/GID is re-instated. Data left behind suddenly is owned and/or accessible to the new ID - gaining unintended access to data left-behind."
solution : "Review the currently mounted local filesystems:
find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls
Either assign a valid UID/GID to each object found:
chown USER FILE
chgrp GROUP FILE
or remove the file/directory:
[[ -f FILE ]] && rm -f FILE
[[ -d FILE ]] && rmdir FILE
Repeat the audit
Default Value:
N/A"
reference : "800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|MP-6,800-53r5|MP-6,CSCv8|3.5,CSF|PR.DS-3,CSF|PR.IP-6,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.8.3.2,ITSG-33|MP-6,LEVEL|1A,NESA|T1.4.1,NESA|T1.4.2,NIAv2|MS5b,NIAv2|MS6,NIAv2|MS9,NIAv2|MS10a,NIAv2|MS10b,NIAv2|MS10c,NIAv2|MS10d,NIAv2|MS10e,NIAv2|MS10f,NIAv2|MS11a,NIAv2|MS11b,NIAv2|MS12a,NIAv2|MS12b,NIAv2|MS12c,NIAv2|MS13,NIAv2|MS14,NIAv2|MS17,NIAv2|MS18a,NIAv2|MS18b,NIAv2|MS18c,NIAv2|MS20,NIAv2|MS21,NIAv2|NS16,QCSC-v1|3.2,QCSC-v1|6.2"
see_also : "https://workbench.cisecurity.org/files/4124"
name : "find_orphan_files"
system : "AIX"
type : CMD_EXEC
description : "5.1.2 All accounts must have a hashed password"
info : "All (unlocked) accounts on the server must have a password.
For this recommendation we look at the so-called files registry - as we cannot reliably review the entries kept in a centralized authentication system such as LDAP or Kerberos.
Rationale:
An account password is a secret code word that must be entered to gain access to the account. If an account exists that has a blank password, multiple users may access the account without authentication and leave a weak audit trail. An attacker may gain unauthorized system access or perform malicious actions, which then cannot be attributed to any specific individual.
Impact:
If no password hash is available and a locked account gets unlocked then the account is available without any verification aka authentication."
solution : "Check for accounts with an empty password field. If any, lock the account and assign an impossible password hash, as well as flag admin change (ADMCHG) to the password record.
set $(/usr/bin/egrep -c -p 'password = +$' /etc/security/passwd)
if [[ $1 != '0' ]]; then
# get seconds since epoch
now=$(date +'%s')
# copy everything except entries without password
/usr/bin/egrep -v -p 'password = +$' /etc/security/passwd > /etc/security/passwd.cis
# create new entries with an impossible password hash and append to password.cis
/usr/bin/egrep -p 'password = +$' /etc/security/passwd | grep ':' | awk -F: '{ print $1 } ' | \
while read user; do
print 'Locking and giving account ${user} impossible password hash'
/usr/bin/chuser account_locked='true' expires=0101000070 ${user}
printf '%s:\n\tpassword = *\n' ${user} >> /etc/security/passwd.cis
printf '\tflags = ADMCHG\n\tlastupdate=%s\n\n' ${now} >> /etc/security/passwd.cis
done
cat /etc/security/passwd.cis > /etc/security/passwd
rm /etc/security/passwd.cis
fi
Default Value:
N/A"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/pwdck -n ALL 2>&1 | /usr/bin/awk '{print} END {if (NR==0) print \"none\"}'"
expect : "^none$"
system : "AIX"
description : "5.1.3 All usernames and UIDs must be unique"
info : "All users should have a unique UID. In particular the only user on the system to have a UID of 0 should be the root user. Likewise, usernames need to be verified as unique.
Rationale:
The only user with a UID of 0 on the system must be the root account. Any account (username) with a UID of 0 has super user privileges on the system and becomes root at login.
Access to the root account should be via su, sudo or PKI fingerprint. Logging must include sufficient information such that each action taken with root authority can be accounted to a specific account.
All accounts (or users) must have a unique UID to ensure that file and directory security is not compromised.
Impact:
Identification is the basis of Access Control. What you can access is determined by who you are (UID), OR by a group you belong to (resource GID and your group list), OR access is permitted to all (i.e., when your UID and group list do not match the resource UID and GID values)."
solution : "Examine the user IDs of all configured accounts:
cut -d: -f 3 /etc/passwd | sort -n | uniq -d
If a number, or numbers, are returned from the command above, these are UID values which are not unique within the /etc/passwd file. Determine the affected account(s):
cut -d: -f 1 /etc/passwd | sort -n | uniq -d | while read UID; do
cut -f '1 3' -d : /etc/passwd |grep ':${UID}'
done
Examine the usernames of all configured accounts:
cut -d: -f 1 /etc/passwd | sort -n | uniq -d
If a username, or usernames, are returned from the command above, these are username values which are not unique within the /etc/passwd file. Determine the affected account(s):
cut -d: -f 1 /etc/passwd | sort -n | uniq -d | while read username; do
cut -f '1 3' -d : /etc/passwd |grep '${username}:'
done
NOTE: Any account names returned should either be deleted or have the UID changed
To remove:
rmuser
To change the UID:
chuser id=
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv7|16.6,CSCv8|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/4124"
name : "passwd_duplicate_uid"
system : "AIX"
description : "5.1.4 All group names and GIDs must be unique"
info : "All groups should have a unique GID on the system.
Rationale:
All groups should have an individual and unique GID. If GID numbers are shared this could lead to undesirable file and directory access."
solution : "Examine the group IDs (GID) of all locally configured accounts:
cut -d: -f 3 /etc/group |sort -n | uniq -d
If the command has output there is at least one duplicate GID number. Determine any duplicates within the /etc/group file:
cut -d: -f 1 /etc/group | sort -n | uniq -d | while read GID; do
cut -f '1 3 4' -d : /etc/group | /usr/bin/sort -t: -k2n | grep ':${GID}:'
done
Examine the names of all locally configured groups:
cut -d: -f 1 /etc/group |sort -n | uniq -d
If the command has output there is at least one duplicate group name. Determine any duplicates within the /etc/group file:
cut -d: -f 1 /etc/passwd | sort -n | uniq -d | while read groupname; do
cut -f '1 3 4' -d : /etc/group | /usr/bin/sort -t: -k2n | grep '${groupname}:'
done
NOTE: Any duplicates returned should either be deleted or have the GID changed. Be careful. We recommend you examine any accounts assigned to a duplicate and ensure the account is neither losing nor gaining authorized group access through any remedial action.
To remove:
rmgroup
To change the GID:
chgroup id=
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv7|16.6,CSCv8|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/4124"
name : "group_duplicate_gid"
description : "5.1.5 Establish and Maintain an Inventory of Administrator accounts"
info : "AIX defines Administrator accounts with the attribute admin. When true the account is an Administrator and when false the account is considered a User.
Rationale:
An inventory of accounts with the attribute 'admin=true' allows verification that all accounts considered administrative are so labeled by the system.
Impact:
The impact of 'admin=true' is two-fold. a) a label for identifying accounts considered related to system administration b) providing additional controls for account management. On AIX, an account with the attribute 'admin=true' requires a security role of Senior Security Admin to make modifications to the account attributes.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "A printable report can be prepared using the following example:
cnt=0
printf '%4s%68s\n' 'AIX' 'Administator Accounts'
lsuser -R files -a admin ALL | while read usr adm; do
if [[ ${adm} = 'admin=true' ]] ; then
printf '%12s' ${usr}
let cnt=cnt+1
[[ $(expr ${cnt} % 6) == 0 ]] && print
fi
done
[[ $(expr ${cnt} % 6) != 0 ]] && print"
reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv7|4.1,CSCv8|5.1,CSCv8|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1M,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "5.1.6 Establish and Maintain an Inventory of User Accounts"
info : "AIX defines Administrator accounts with the attribute admin. When true the account is an Administrator and when false the account is considered a User.
Rationale:
An inventory of accounts with the attribute 'admin=true' allows verification that all accounts considered administrative are so labeled by the system.
Impact:
The impact of 'admin=true' is two-fold. a) a label for identifying accounts considered related to system administration b) providing additional controls for account management. On AIX, an account with the attribute 'admin=true' requires a security role of Senior Security Admin to make modifications to the account attributes.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "A printable report can be prepared using the following example:
cnt=0
printf '%4s%68s\n' 'AIX' 'User Accounts'
lsuser -R files -a admin ALL | while read usr adm; do
if [[ ${adm} = 'admin=false' ]] ; then
printf '%12s' ${usr}
let cnt=cnt+1
[[ $(expr ${cnt} % 6) == 0 ]] && print
fi
done
[[ $(expr ${cnt} % 6) != 0 ]] && print"
reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv8|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1M,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/4124"
system : "AIX"
type : CMD_EXEC
description : "5.1.1.1 histexpire"
info : "Defines the period of time in weeks that a user will not be able to reuse a password.
Rationale:
In setting the histexpire attribute, it ensures that a user cannot reuse a password within a set period of time."
solution : "In /etc/security/user, set the default user stanza histexpire attribute to be greater than or equal to 26:
chsec -f /etc/security/user -s default -a histexpire=52
This means that a user will not be able to reuse any password set in the last 52 weeks (one year).
Default Value:
Disabled"
reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv8|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a histexpire"
expect : "^[\\s]*default[\\s]+histexpire[\\s]*=[\\s]*(5[2-9]|[6-9][0-9])[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.1.1.2 histsize"
info : "Defines the number of previous passwords that a user may not reuse.
Rationale:
In setting the histsize attribute, it enforces a minimum number of previous passwords a user cannot reuse.
Impact:
The recommendation is to not use this attribute. This attribute was traditionally used together with minage to prevent rapid reuse of old passwords. Instead, 'Unique Passwords' relies solely on the time-based histexpire attribute."
solution : "In /etc/security/user, set the default user stanza histsize attribute to be 0:
chsec -f /etc/security/user -s default -a histsize=0
This means that this setting is not being used for password management.
Default Value:
Disabled"
reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv8|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a histsize"
expect : "^default[\\s]+histsize[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.1 Ensure new passwords are controlled by password attributes (disable NOCHECK)"
info : "Ensure new passwords are required to pass password attribute controls.
Rationale:
Impact:
When exceptions to the defaults are required - rather than disable all password checking - an account needs to have the attribute redefined per account.
SHA512 password encryption is recommended as the most secure."
solution : "In the file /etc/security/passwd clear the NOCHECK attribute from all users:
#!/usr/bin/ksh -e
# Copyright AIXTools, 2022
/usr/bin/grep -p NOCHECK /etc/security/passwd | /usr/bin/egrep ':$' | sed -e 's/://' | while read USER; do
/usr/bin/pwdadm -c $USER
done"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/grep NOCHECK /etc/security/passwd | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "5.2.4 Ensure password policy is enforced for all users"
info : "If the NOCHECK flag is set on a user account, it bypasses the password restrictions for that user.
Rationale:
If password restrictions are not enforced for some accounts, those accounts represent a much greater risk of being compromised by an attacker as they may have weaker passwords vulnerable to brute force attack or provide an indefinite window of opportunity for the use of already compromised credentials if the same password has been used on multiple systems."
solution : "Obtain a list of any affected users:
grep -p NOCHECK /etc/security/passwd
Clear the NOCHECK flag from any account returned by executing the following command
pwdadm -c
Set the ADMCHG flag from any account returned to force the user to change their password on next login
pwdadm -f ADMCHG "
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/grep -p NOCHECK /etc/security/passwd | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.6.4 loginretries"
info : "Defines the number of attempts a user has to login to the system before their account is disabled.
Rationale:
In setting the loginretries attribute, this ensures that a user can have a pre-defined number of attempts to get their password right, prior to locking the account.
Impact:
The setting chosen here (5) is a group consensus as secure enough. However, a local site-policy may have a more strict requirement for all, or some systems.
While the audit and artifact currently test for exactly 5 - the actual recommendation is: greater than 0 (zero) AND less than or equal to 5 (five) (equivalently, greater than 0 and not greater than 5)."
solution : "In /etc/security/user, set the default stanza loginretries attribute to 5:
chsec -f /etc/security/user -s default -a loginretries=5
This means that a user will have 5 attempts to enter the correct password. This does not apply to the root user, which has its own stanza entry disabling this feature.
Default Value:
No limit"
reference : "800-171|3.1.8,800-171|3.1.18,800-53|AC-7,800-53|AC-19,800-53r5|AC-7,800-53r5|AC-19,CN-L3|8.1.4.1(b),CSCv8|4.10,CSF|PR.AC-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.6.2.1,ITSG-33|AC-7,ITSG-33|AC-19,LEVEL|1A,NIAv2|AM24,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|36.2.4,TBA-FIISB|45.1.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a loginretries"
expect : "^[\\s]*default[\\s]+loginretries[\\s]*=[\\s]*[1-5][\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.6 maxage"
info : "Defines the maximum number of weeks that a password is valid.
Rationale:
The maxage attribute enforces regular password changes. We recommend this to be 13 or less, but not 0 which disables this setting.
Impact:
Historically, this recommendation has been to set maxage=13. In recent years several communities (e.g., Windows, DoD) have concluded that too frequent forced password changes leads to both weaker passwords and weaker/bad password discipline.
An initial proposal to increase the maxage to 52 is not unanimous within the AIX community - so the recommendation, for now, remains at 13.
Local Policy may decide to follow the other communities and set this value as 52.
Due to this lack of consensus this control is being set at Level 2.
The value chosen by an organization is to maintain overall password quality and secrecy."
solution : "In /etc/security/user, set the default user stanza maxage attribute to a number greater than 0 but less than or equal to 13:
chsec -f /etc/security/user -s default -a maxage=13
This means that a user password must be changed 13 weeks after being set. If 0 is set then this effectively disables password ageing.
Default Value:
maxage=0"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a maxage"
expect : "^[\\s]*default[\\s]+maxage[\\s]*=[\\s]*([1-9]|1[0-3])[\\s]*$"
## Changed 5.7 from 4 weeks to 0 to meet IRS Requirements
system : "AIX"
type : CMD_EXEC
description : "5.7 maxexpired"
info : "Defines the number of weeks after maxage, that a password can be reset by the user.
Rationale:
The maxexpired attribute limits the number of weeks after password expiry that a password may be changed by the user."
solution : "In /etc/security/user, set the default user stanza maxexpired attribute to 0:
chsec -f /etc/security/user -s default -a maxexpired=0
This means that a user can reset their password up to 0 weeks after it has expired. After this an administrative user would need to reset the password.
Default Value:
No limit"
reference : "800-171|3.1.1,800-53|AC-2(3),800-53r5|AC-2(3),CN-L3|7.1.3.2(e),CN-L3|8.1.4.2(c),CSCv8|5.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.6,ITSG-33|AC-2(3),LEVEL|1A,NIAv2|AM26,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a maxexpired"
expect : "^[\\s]*default[\\s]+maxexpired[\\s]*=[\\s]*([0])[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.9 maxrepeats"
info : "Defines the maximum number of times a character may appear in a password.
Rationale:
In setting the maxrepeats attribute, it enforces a maximum number of character repeats within a password."
solution : "In /etc/security/user, set the default user stanza maxrepeats attribute to 2:
chsec -f /etc/security/user -s default -a maxrepeats=4
This means that a user may not use the same character more than four (4) times in a password.
This value has been increased from two (2) - in parallel with the increase in minlen from eight (8) to fourteen (14).
Default Value:
maxrepeats=8"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a maxrepeats"
expect : "^[\\s]*default[\\s]+maxrepeats[\\s]*=[\\s]*([1-4])[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.1.1.3 minage"
info : "Defines the minimum number of weeks before a password can be changed.
Rationale:
The minage attribute prohibits users changing their password until a set number of weeks have passed.
Impact:
The AIX community prefers to rely on the AIX attribute histexpire rather than a historical minage value.
Historically, the minage attribute has been used to prevent a user from writing a script to cycle through histsize passwords and then return to the same password as before. The attribute histexpire overrides histsize. Therefore, there is no need to force a user to request assistance from system administrators in order to reset a poorly chosen password, or in the case of special accounts where policy states passwords are meant for 'one time use'.
Again, since AIX has a different way to prevent scripted password re-cycling, the need for minage is no longer warranted."
solution : "In /etc/security/user, set the default user stanza minage attribute to 1:
chsec -f /etc/security/user -s default -a minage=1
This means that a user can only change their password after one week.
Default Value:
minage=0"
reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv8|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minage"
expect : "^[\\s]*default[\\s]+minage[\\s]*=[\\s]*1[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.7 minalpha"
info : "Defines the minimum number of alphabetic characters in a password.
Rationale:
In setting the minalpha attribute, it ensures that passwords have a minimum number of alphabetic characters."
solution : "In /etc/security/user, set the default user stanza minalpha attribute to be greater than or equal to 3:
chsec -f /etc/security/user -s default -a minalpha=3
This means that there must be at least 3 alphabetic characters (upper or lowercase) within a password.
Default Value:
minalpha=0"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minalpha"
expect : "^[\\s]*default[\\s]+minalpha[\\s]*=[\\s]*([3-9]|[1-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.6 mindiff"
info : "Defines the minimum number of characters that are required in a new password which were not in the old password.
Rationale:
The mindiff attribute ensures that users are not able to reuse the same or similar passwords."
solution : "In /etc/security/user, set the default user stanza mindiff attribute to be greater than or equal to 4:
chsec -f /etc/security/user -s default -a mindiff=4
This means that when a user password is set it must contain at least 4 characters not present in the previous password.
Default Value:
mindiff=0"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a mindiff"
expect : "^[\\s]*default[\\s]+mindiff[\\s]*=[\\s]*([4-9]|[1-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.10 mindigit"
info : "Defines the minimum number of digits in a password.
Rationale:
In setting the mindigit attribute, the password must contain a digit when it is changed by the user."
solution : "In /etc/security/user, set the default user stanza mindigit attribute to 1:
chsec -f /etc/security/user -s default -a mindigit=1
This means that there must be at least 1 digit within a password.
Default Value:
default mindigit=0"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a mindigit"
expect : "^[\\s]*default[\\s]+mindigit[\\s]*=[\\s]*([1-9]|[1-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.5 minlen"
info : "Defines the minimum length of a password.
Rationale:
In setting the minlen attribute, it ensures that passwords meet the required length criteria."
solution : "In /etc/security/user, set the default user stanza minlen attribute to be greater than or equal to 14:
chsec -f /etc/security/user -s default -a minlen=14
This means that all user passwords must be at least 14 characters in length.
NOTE: To support a password length greater than 8 characters the default algorithm must be changed. If the command above returns an error (3004-692 Error changing 'minlen' to '14' : Value is invalid.) the recommendation 3.1.15 /etc/security/login.cfg - pwd_algorithm needs to be completed first.
Default Value:
default minlen=0"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minlen"
expect : "^[\\s]*default[\\s]+minlen[\\s]*=[\\s]*(1[4-9]|[2-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.11 minloweralpha"
info : "Defines the minimum number of lower case alphabetic characters in a password.
Rationale:
In setting the minloweralpha attribute, the password must contain a lower case alphabetic character when it is changed by the user."
solution : "In /etc/security/user, set the default user stanza minloweralpha attribute to 1:
chsec -f /etc/security/user -s default -a minloweralpha=1
This means that there must be at least 1 lower case alphabetic character within a password.
Default Value:
default minloweralpha=0"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minloweralpha"
expect : "^[\\s]*default[\\s]+minloweralpha[\\s]*=[\\s]*([1-9]|[1-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.8 minother"
info : "Defines the number of characters within a password which must be non-alphabetic.
Rationale:
In setting the minother attribute, it increases password complexity by enforcing the use of non-alphabetic characters in every user password."
solution : "In /etc/security/user, set the default user stanza minother attribute to be greater than or equal to 3:
chsec -f /etc/security/user -s default -a minother=3
This means that there must be at least 3 non-alphabetic characters within a password.
Default Value:
default minother=0"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minother"
expect : "^[\\s]*default[\\s]+minother[\\s]*=[\\s]*([3-9]|[1-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.13 minspecialchar"
info : "Defines the minimum number of special characters in a password.
Rationale:
In setting the minspecialchar attribute, the password must contain a special character when it is changed by the user."
solution : "In /etc/security/user, set the default user stanza minspecialchar attribute to 1:
chsec -f /etc/security/user -s default -a minspecialchar=1
This means that there must be at least 1 special character within a password.
Default Value:
default minspecialchar=0"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minspecialchar"
expect : "^[\\s]*default[\\s]+minspecialchar[\\s]*=[\\s]*([1-9]|[1-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.12 minupperalpha"
info : "Defines the minimum number of upper case alphabetic characters in a password.
Rationale:
In setting the minupperalpha attribute, the password must contain an upper case alphabetic character when it is changed by the user."
solution : "In /etc/security/user, set the default user stanza minupperalpha attribute to 1:
chsec -f /etc/security/user -s default -a minupperalpha=1
This means that there must be at least 1 upper case alphabetic character within a password.
Default Value:
default minupperalpha=0"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minupperalpha"
expect : "^[\\s]*default[\\s]+minupperalpha[\\s]*=[\\s]*([1-9]|[1-9][0-9]+)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.3.1 adm"
info : "This change locks and disables login access for the adm user account.
Rationale:
This change disables direct local and remote login to the adm user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the adm user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to adm user:
chuser account_locked=true login=false rlogin=false adm
Default Value:
account_locked=false rlogin=true login=true"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin adm"
expect : "^[\\s]*adm[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.3.2 bin"
info : "This change locks and disables login access for the bin user account.
Rationale:
This change disables direct local and remote login to the bin user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the bin user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the login and remote login user flags to disable bin user access:
chuser account_locked=true login=false rlogin=false bin
Default Value:
account_locked=false rlogin=true login=true"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin bin"
expect : "^[\\s]*bin[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.3.3 daemon"
info : "This change locks and disables login access for the daemon user account.
Rationale:
This change disables direct local and remote login to the daemon user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the daemon user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the login and remote login user flags to disable daemon user access:
chuser account_locked=true login=false rlogin=false daemon
Default Value:
account_locked=false login=true rlogin=true"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin daemon"
expect : "^[\\s]*daemon[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.3.4 guest"
info : "This change locks and disables login access for the guest user account.
Rationale:
This change disables direct local and remote login to the guest user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the guest user directly. All users should be given unique logon ids to ensure traceability and accountability.
Impact:
Historically the guest user account was to provide access to unknown users, i.e., the user identity was not important.
Today the guest account should not be used. The numeric userid is reserved by the OS.
All authorized users should be given specific logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to guest user:
chuser account_locked=true login=false rlogin=false guest
Default Value:
account_locked=false login=true rlogin=true"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin guest"
expect : "^[\\s]*guest[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.3.5 lpd"
info : "This change locks and disables login access for the lpd user account.
Rationale:
This change disables direct local and remote login to the lpd user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the lpd user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to lpd user:
chuser account_locked=true login=false rlogin=false lpd
Default Value:
account_locked=false login=true rlogin=true"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin lpd"
expect : "^[\\s]*lpd[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.3.6 nobody"
info : "This change locks and disables login access for the nobody user account.
Rationale:
This change disables direct local and remote login to the nobody user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the nobody user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the login and remote login user flags to disable nobody user access:
chuser account_locked=true login=false rlogin=false nobody
Default Value:
account_locked=false login=true rlogin=true"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin nobody"
expect : "^[\\s]*nobody[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.3.7 nuucp"
info : "This change locks and disables login access for the nuucp user account.
Rationale:
This change disables direct local and remote login to the nuucp user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the nuucp user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to nuucp user:
chuser account_locked=true login=false rlogin=false nuucp
Default Value:
account_locked=false login=true rlogin=true"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin nuucp"
expect : "^[\\s]*nuucp[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.3.8 sys"
info : "This change locks and disables login access for the sys user account.
Rationale:
This change disables direct local and remote login to the sys user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the sys user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to sys user:
chuser account_locked=true login=false rlogin=false sys
Default Value:
account_locked=false login=true rlogin=true"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin sys"
expect : "^[\\s]*sys[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.31 uucp"
info : "This entry starts the uucp service when required. This service facilitates file copying between networked servers.
Rationale:
The uucp (UNIX to UNIX Copy Program), service allows users to copy files between networked machines. Unless an application or process requires UUCP this should be disabled."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'uucp' -p 'tcp'
refresh -s inetd
Default Value:
Enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]uucp\" | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.2.18 ip6forwarding"
info : "The ip6forwarding parameter determines whether or not the system forwards IPv6 TCP/IP packets.
Rationale:
The ip6forwarding parameter will be set to 0, to ensure that redirected packets do not reach remote networks. This should only be enabled if the system is performing the function of an IP router. This is typically handled by a dedicated network device."
solution : "In /etc/tunables/nextboot, add the ip6forwarding entry:
no -p -o ip6forwarding=0
The -p flag applies the value to the running system and also records it in /etc/tunables/nextboot, so it persists across reboots. The audit below reads the running value (no -a); a value changed only in nextboot is not reported as compliant until the next reboot.
Default Value:
0"
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"ip6forwarding[[:blank:]]=[[:blank:]]0\""
expect : "^[\\s]*ip6forwarding[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.3.1 Ensure that IP Security is available - ipsec_v4"
info : "In order to configure IP Security, the kernel extension and devices must first be loaded
Rationale:
IP Security is not enabled out of the box on an AIX install, so must be enabled before further changes can be made
Impact:
Changing firewall settings while connected over the network can result in being locked out of the system."
solution : "Enable IP Security with the default rule set to Permit. NOTE: the commands below only create and activate the IPsec filter devices; logging of IPsec events to syslog is not configured by them and must be set up separately.
# Create the IPsec devices
mkdev -c ipsec -t 4
mkdev -c ipsec -t 6
# Activate with default rule Permit
mkfilt -v4 -z p
mkfilt -v6 -z p
# Start IPsec filtering
mkfilt -g start"
reference : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsdev -C -c ipsec | /usr/bin/grep ipsec_v4 | /usr/bin/awk '{print} END {if (NR == 0) print \"not found\"}'"
expect : "^[\\s]*ipsec_v4[\\s]+Available[\\s]+IP[\\s]+Version[\\s]+4[\\s]+Security[\\s]+Extension"
system : "AIX"
type : CMD_EXEC
description : "4.3.1 Ensure that IP Security is available - ipsec_v6"
info : "In order to configure IP Security, the kernel extension and devices must first be loaded
Rationale:
IP Security is not enabled out of the box on an AIX install, so must be enabled before further changes can be made
Impact:
Changing firewall settings while connected over the network can result in being locked out of the system."
solution : "Enable IP Security with the default rule set to Permit. NOTE: the commands below only create and activate the IPsec filter devices; logging of IPsec events to syslog is not configured by them and must be set up separately.
# Create the IPsec devices
mkdev -c ipsec -t 4
mkdev -c ipsec -t 6
# Activate with default rule Permit
mkfilt -v4 -z p
mkfilt -v6 -z p
# Start IPsec filtering
mkfilt -g start"
reference : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsdev -C -c ipsec | /usr/bin/grep ipsec_v6 | /usr/bin/awk '{print} END {if (NR == 0) print \"not found\"}'"
expect : "^[\\s]*ipsec_v6[\\s]+Available[\\s]+IP[\\s]+Version[\\s]+6[\\s]+Security[\\s]+Extension"
system : "AIX"
type : CMD_EXEC
description : "4.3.2 Ensure loopback traffic is blocked on external interfaces - v4"
info : "The loopback interface will accept traffic unconditionally. Configure all other interfaces to deny traffic to the loopback network.
Rationale:
Loopback traffic is generated between processes on the machine and is typically critical to the operation of the system. The loopback interface is the only place where loopback network traffic should be seen; all other interfaces should ignore packets sourced from this network as an anti-spoofing measure. The deny rules in the remediation below are therefore matched on the source address (-s), across all interfaces (-i all)."
solution : "genfilt -v 4 -a D -s 127.0.0.0 -m 255.0.0.0 -l Y -i all
genfilt -v 6 -a D -s ::1 -m 128 -l Y -i all"
reference : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsfilt -v 4 -O | /usr/bin/grep 127.0.0.0 | /usr/bin/awk '{ print } END { if (NR>0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.3.2 Ensure loopback traffic is blocked on external interfaces - v6"
info : "The loopback interface will accept traffic unconditionally. Configure all other interfaces to deny traffic to the loopback network.
Rationale:
Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
solution : "genfilt -v 4 -a D -s 127.0.0.0 -m 255.0.0.0 -l Y -i all
genfilt -v 6 -a D -s ::1 -m 128 -l Y -i all"
reference : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsfilt -v 6 -O | /usr/bin/grep ::1 | /usr/bin/awk '{ print } END { if (NR>0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.3.3 Ensure that IPsec filters are active - v4"
info : "Rules added to the filter list are not enabled automatically. Filters need to be activated and/or updated after changes to the ODM filter database.
Rationale:
The filters must be active in order for IP Security to protect the system.
Impact:
Changing firewall settings while connected over network can result in being locked out of the system.
Ensure you have access to the console (e.g., via HMC) while developing and testing IPsec rule modifications."
solution : "mkfilt -u
mkfilt -g start
Additional Information:
In the event that you are locked out of the system by firewall rules, run mkfilt -d from the console to deactivate all filters"
reference : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsfilt -v4 -O -a | /usr/bin/grep inactive | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"}'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.3.3 Ensure that IPsec filters are active - v6"
info : "Rules added to the filter list are not enabled automatically. Filters need to be activated and/or updated after changes to the ODM filter database.
Rationale:
The filters must be active in order for IP Security to protect the system.
Impact:
Changing firewall settings while connected over network can result in being locked out of the system.
Ensure you have access to the console (e.g., via HMC) while developing and testing IPsec rule modifications."
solution : "mkfilt -u
mkfilt -g start
Additional Information:
In the event that you are locked out of the system by firewall rules, run mkfilt -d from the console to deactivate all filters"
reference : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsfilt -v6 -O -a | /usr/bin/grep inactive | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"}'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.5.1.1 CDE - de-installing CDE"
info : "The recommendation is to de-install CDE aka X11.Dt from the system, assuming that it is not required and is already installed.
Rationale:
CDE has a history of security problems and should be disabled.
NOTE: If CDE is required, it is vital to patch the software and consider TCP Wrappers to further enhance security."
solution : "Identify whether CDE is already installed:
lslpp -L |grep -i X11.Dt
If there are CDE filesets installed - de-install them if CDE is not required. For each fileset preview the de-installation (FILESET is an X11.Dt fileset name taken from the lslpp output above):
installp -up FILESET
Review the fileset removal preview output, paying particular attention to the other pre-requisites that will also be removed. Typically only X11.Dt filesets should be de-installed as pre-requisites. Once reviewed, de-install the fileset and pre-requisites:
installp -ug FILESET
NOTE: Repeat until all CDE related filesets are de-installed
Default Value:
N/A
Additional Information:
Reversion:
Re-install the CDE software from the AIX media."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|2.6,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i X11.Dt | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.2.1 FTPD: Disable root access to ftpd"
info : "This change adds the root user to the /etc/ftpusers file, which disables ftp for root.
Rationale:
This change ensures that direct root ftp access is disabled. As detailed previously, ftp as a service should be disabled. If the service has to be enabled then this change must be implemented to ensure that remote root file transfer access is not enabled."
solution : "Add root to the /etc/ftpusers file:
echo 'root' >> /etc/ftpusers
Default Value:
N/A"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ftpusers"
regex : "^root$"
expect : "^root$"
type : CMD_EXEC
description : "Verify FTP is running"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]ftpd[[:blank:]]\""
expect : "[\\s]+active[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.5.2.2 FTPD: Display acceptable usage policy during login"
info : "Set an ftpd login banner which displays the acceptable usage policy.
Rationale:
The ftpd 'ready' message in ftpd.cat (message set 1, message 9) is displayed for FTP logins. Banners display necessary warnings to users trying to gain unauthorized access to the system and are required for legal purposes. The recommendation is to set the banner as:
'Authorized uses only. All activity may be monitored and reported' (this is the exact wording the remediation below writes and the audit matches on).
The content may be changed to reflect any corporate AUP."
solution : "Ensure that the bos.msg.en_US.net.tcp.client fileset is installed:
lslpp -L 'bos.msg.en_US.net.tcp.client'
NOTE: If the fileset is not installed, install it from the AIX media or another software repository. The fileset should reflect the language used on the server.
Once installed set the ftp AUP banner:
dspcat -g /usr/lib/nls/msg/en_US/ftpd.cat > /tmp/ftpd.tmp
sed 's/\'\%s FTP server (\%s) ready.\'/\'\%s Authorized uses only. All activity may be monitored and reported\'/' /tmp/ftpd.tmp > /tmp/ftpd.msg
gencat /usr/lib/nls/msg/en_US/ftpd.cat /tmp/ftpd.msg
rm /tmp/ftpd.tmp /tmp/ftpd.msg
Default Value:
%s FTP server (%s) ready."
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/dspcat /usr/lib/nls/msg/en_US/ftpd.cat 1 9 | awk '{ print } END { if (NR==0) print \"blank\" }'"
expect : "^[\\s]*%s[\\s]+Authorized[\\s]+uses[\\s]+only[\\.][\\s]+All[\\s]+activity[\\s]+may[\\s]+be[\\s]+monitored[\\s]+and[\\s]+reported"
system : "AIX"
type : CMD_EXEC
description : "4.5.2.3 FTPD: Prevent world access and group write to files"
info : "The umask of the ftpd service should be set to at least 027 in order to prevent the FTP daemon process from creating world-accessible, group-writable files by default.
Rationale:
The umask of the ftpd service should be set to at least 027 in order to prevent the FTP daemon process from creating world-accessible and group-writable files by default. These files could then be transferred over the network, which could result in the compromise of critical information.
NOTE: The umask is an argument of the ftpd entry in /etc/inetd.conf; the permission bits of the /usr/sbin/ftpd binary do not reflect it, so the audit below inspects the inetd.conf entry rather than the file mode."
solution : "Set the default umask of the ftp daemon:
[[ $(grep -c '^ftp[[:blank:]]' /etc/inetd.conf) -gt 0 ]] && chsubserver -c -v ftp -p tcp 'ftpd -l -u 027' && refresh -s inetd || RC=0
NOTE: The umask above restricts write permissions for both group and other. All access for other is removed.
Default Value:
/usr/sbin/ftpd ftpd -l"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/grep \"^ftp[[:blank:]]\" /etc/inetd.conf | /usr/bin/awk '{ print } END { if (NR==0) print \"no ftp entry in /etc/inetd.conf\" }'"
expect : "^ftp[\\s]+.*[\\s]ftpd[\\s]+.*-u[\\s]*027([\\s]|$)"
system : "AIX"
type : CMD_EXEC
description : "5.3.10 Ensure System Accounts cannot access system using ftp."
info : "If ftp is active on the system, the file /etc/ftpusers is a deny list used by the ftp daemon; it contains the users who are not allowed to access the system via ftp.
Rationale:
The /etc/ftpusers file contains a list of users who are not allowed to access the system via ftp. All users with a UID less than 200 should typically be added into the file.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "List the users with a UID less than 200 that would be added to the /etc/ftpusers file (root is handled by 4.5.2.1):
lsuser -c ALL | grep -v ^#name | grep -v '^root:' | cut -f1 -d: | while read NAME; do
if [ \"$(lsuser -a id $NAME | cut -f2 -d=)\" -lt 200 ] > /dev/null 2>&1; then
echo \"Would add $NAME to /etc/ftpusers\"
fi
done
NOTE: Review the list of users
Add all relevant users with a UID of less than 200 to the /etc/ftpusers file, skipping any that are already listed:
lsuser -c ALL | grep -v ^#name | grep -v '^root:' | cut -f1 -d: | while read NAME; do
if [ \"$(lsuser -a id $NAME | cut -f2 -d=)\" -lt 200 ] > /dev/null 2>&1 && ! grep -q \"^$NAME$\" /etc/ftpusers; then
echo $NAME >> /etc/ftpusers
fi
done
Default Value:
N/A
Additional Information:
Reversion:
Edit /etc/ftpusers and leave only the root entry:
vi /etc/ftpusers"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/cat /etc/ftpusers"
expect : "MANUAL_REVIEW"
severity : MEDIUM
description : "4.5.2.2 FTPD: Display acceptable usage policy during login"
info : "Set an ftpd login banner which displays the acceptable usage policy.
Rationale:
The ftpd 'ready' message in ftpd.cat (message set 1, message 9) is displayed for FTP logins. Banners display necessary warnings to users trying to gain unauthorized access to the system and are required for legal purposes. The recommendation is to set the banner as:
'Authorized uses only. All activity may be monitored and reported' (this is the exact wording the remediation below writes and the audit matches on).
The content may be changed to reflect any corporate AUP."
solution : "Ensure that the bos.msg.en_US.net.tcp.client fileset is installed:
lslpp -L 'bos.msg.en_US.net.tcp.client'
NOTE: If the fileset is not installed, install it from the AIX media or another software repository. The fileset should reflect the language used on the server.
Once installed set the ftp AUP banner:
dspcat -g /usr/lib/nls/msg/en_US/ftpd.cat > /tmp/ftpd.tmp
sed 's/\'\%s FTP server (\%s) ready.\'/\'\%s Authorized uses only. All activity may be monitored and reported\'/' /tmp/ftpd.tmp > /tmp/ftpd.msg
gencat /usr/lib/nls/msg/en_US/ftpd.cat /tmp/ftpd.msg
rm /tmp/ftpd.tmp /tmp/ftpd.msg
Default Value:
%s FTP server (%s) ready."
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.2.3 FTPD: Prevent world access and group write to files"
info : "The umask of the ftpd service should be set to at least 027 in order to prevent the FTP daemon process from creating world-accessible, group-writable files by default.
Rationale:
The umask of the ftpd service should be set to at least 027 in order to prevent the FTP daemon process from creating world-accessible and group-writable files by default. These files could then be transferred over the network, which could result in the compromise of critical information. The umask is an argument of the ftpd entry in /etc/inetd.conf, not a property of the /usr/sbin/ftpd binary."
solution : "Set the default umask of the ftp daemon:
[[ $(grep -c '^ftp[[:blank:]]' /etc/inetd.conf) -gt 0 ]] && chsubserver -c -v ftp -p tcp 'ftpd -l -u 027' && refresh -s inetd || RC=0
NOTE: The umask above restricts write permissions for both group and other. All access for other is removed.
Default Value:
/usr/sbin/ftpd ftpd -l"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "5.3.10 Ensure System Accounts cannot access system using ftp."
info : "If ftp is active on the system, the file /etc/ftpusers is a deny list used by ftp daemon containing a list of users who are not allowed to access the system via ftp.
Rationale:
The /etc/ftpusers file contains a list of users who are not allowed to access the system via ftp. All users with a UID less than 200 should typically be added into the file."
solution : "List the users with a UID less than 200 that would be added to the /etc/ftpusers file (root is handled by 4.5.2.1):
lsuser -c ALL | grep -v ^#name | grep -v '^root:' | cut -f1 -d: | while read NAME; do
if [ \"$(lsuser -a id $NAME | cut -f2 -d=)\" -lt 200 ] > /dev/null 2>&1; then
echo \"Would add $NAME to /etc/ftpusers\"
fi
done
NOTE: Review the list of users
Add all relevant users with a UID of less than 200 to the /etc/ftpusers file, skipping any that are already listed:
lsuser -c ALL | grep -v ^#name | grep -v '^root:' | cut -f1 -d: | while read NAME; do
if [ \"$(lsuser -a id $NAME | cut -f2 -d=)\" -lt 200 ] > /dev/null 2>&1 && ! grep -q \"^$NAME$\" /etc/ftpusers; then
echo $NAME >> /etc/ftpusers
fi
done
Default Value:
N/A
Additional Information:
Reversion:
Edit /etc/ftpusers and leave only the root entry:
vi /etc/ftpusers"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
system : "AIX"
type : CMD_EXEC
description : "4.5.3.1 OpenSSH: Minimum version is 8.1"
info : "OpenSSH is the expected program for remote command line access. It provides encrypted protocols such as SSH and SCP/SFTP.
Rationale:
The recommended mechanism for remote access is to use encrypted protocols such as OpenSSH that are designed to prevent the interception of communications. OpenSSH is the standard replacement for clear-text protocols, such as Telnet and FTP.
Clear-text protocols can be snooped and expose credentials and/or sensitive data to unauthorized parties. Additionally, servers that are configured with unique PKI keys can circumvent host impersonation and assure remote hosts/users that they are communicating with the intended device.
Impact:
OpenBSD maintains the OpenSSH project and regularly updates OpenSSH. The Major/Minor numbers OpenBSD publishes may be higher than the Major/Minor numbers an OS platform uses, due to differences in how they manage packages.
The current OpenBSD release is: OpenSSH 8.6 released April 19, 2021. IBM's policy is to stay at a constant level (currently 8.1) and maintain a more stable set of configuration keywords or feature set. OpenBSD never patches a release. Instead, OpenBSD releases a new version with the latest security fixes and/or feature changes. This means IBM does not automatically push OpenSSH feature changes, but does look at new OpenBSD releases and incorporates security fixes, if any.
The current OpenSSH version maintained by IBM is OpenSSH 8.1. The openssh fileset VRMF number should start with 8.1."
solution : "Install OpenSSH version 8.1 (or later), depending on package source.
The current version available from IBM via
AIX Web Download Pack Programs
is 8.1.102.2103."
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/test $(sshd -i
system : "AIX"
type : CMD_EXEC
description : "4.5.3.2 OpenSSH: Remove /etc/shosts.equiv and /etc/rhosts.equiv - /etc/shosts.equiv"
info : "The recommendation is to remove both the /etc/shosts.equiv and /etc/rhosts.equiv files. This is a consequence of the recommendation to not use HostbasedAuthentication.
Rationale:
The recommendation is to not use HostbasedAuthentication unless a documented need already exists; the logical consequence is to remove these files, if they exist, to lower the risk of accidental activation.
In any case - the file /etc/rhosts.equiv should be removed - period. (Note: This is also recommended elsewhere.)
Impact:
The file /etc/shosts.equiv, in combination with the OpenSSH sshd_config: HostbasedAuthentication, can allow passwordless authentication between servers.
Without HostbasedAuthentication the file /etc/shosts.equiv has no purpose."
solution : "Print (for review) and then remove the content of the /etc/[rs]hosts.equiv files:
for file in /etc/[rs]hosts.equiv; do
print \"+++ ${file} +++\"
/usr/bin/cat -n ${file}
/usr/bin/rm -f ${file}
done
Default Value:
N/A
Additional Information:
Reversion:
The /etc/shosts.equiv file would need to be restored from a backup or from the remediation log.
The file /etc/rhosts.equiv should not be restored."
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/ls /etc/shosts.equiv | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.5.3.2 OpenSSH: Remove /etc/shosts.equiv and /etc/rhosts.equiv - /etc/rhosts.equiv"
info : "The recommendation is to remove both the /etc/shosts.equiv and /etc/rhosts.equiv files. This is a consequence of the recommendation to not use HostbasedAuthentication.
Rationale:
The recommendation is to not use HostbasedAuthentication unless a documented need already exists; the logical consequence is to remove these files, if they exist, to lower the risk of accidental activation.
In any case - the file /etc/rhosts.equiv should be removed - period. (Note: This is also recommended elsewhere.)
Impact:
The file /etc/shosts.equiv, in combination with the OpenSSH sshd_config: HostbasedAuthentication, can allow passwordless authentication between servers.
Without HostbasedAuthentication the file /etc/shosts.equiv has no purpose."
solution : "Print (for review) and then remove the content of the /etc/[rs]hosts.equiv files:
for file in /etc/[rs]hosts.equiv; do
print \"+++ ${file} +++\"
/usr/bin/cat -n ${file}
/usr/bin/rm -f ${file}
done
Default Value:
N/A
Additional Information:
Reversion:
The /etc/shosts.equiv file would need to be restored from a backup or from the remediation log.
The file /etc/rhosts.equiv should not be restored."
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/ls /etc/rhosts.equiv | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.5.3.3 OpenSSH: Remove .shosts files"
info : "The recommendation is to remove any existing .shosts files from all user home directories.
Rationale:
The existence of .shosts files in a user home directory, combined with the corresponding sshd_config parameter, can allow passwordless authentication between servers. As previous recommendations in this section disable this authentication method, these files, if they exist, should be removed."
solution : "List out all of the existing .shosts files:
find / -name '.shosts' -print
Review the list of .shosts files and remove them individually, or all at once:
Individually:
rm <path to .shosts file>
All at once:
find / -name '.shosts' -exec rm {} \;
Default Value:
N/A
Additional Information:
Reversion:
Any deleted files would need to be restored from a backup."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6b.,800-53|CM-7b.,800-53r5|CM-6b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,ITSG-33|CM-7a.,LEVEL|1A,NESA|T3.2.1,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/find / -name \".shosts\" -print | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : BANNER_CHECK
description : "4.5.3.6 sshd_config: Banner exists and message contains 'Only authorized users allowed'"
info : "The recommendation is to edit the /etc/ssh/sshd_config file and configure a path to a login herald message.
The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed.
Rationale:
Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
solution : "Create an SSH banner file:
printf \"Unauthorized use of this system is prohibited.\n\" > /etc/ssh/ssh_banner
NOTE: The content of the banner file can reflect any internal acceptable usage policy standards.
Edit the /etc/ssh/sshd_config file and customize the Banner parameter
vi /etc/ssh/sshd_config
Replace:
#Banner /some/path
With:
Banner /etc/ssh/ssh_banner
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
sleep 5
startsrc -s sshd
Default Value:
No banner is configured"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/ssh_banner"
content : "@BANNER_TEXT@"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.3.7 sshd_config: HostbasedAuthentication is 'no'"
info : "The recommendation is to ensure the sshd daemon is configured to prevent host-based authentication.
Rationale:
Host-based authentication is a method to authenticate users (rather than requiring a password or key-based authentication method). When used at the system level, OpenSSH requires the file /etc/shosts.equiv to contain a list of so-called trusted hosts. When this method is active, any user on a trusted host can log in to the server as authenticated, because the host the user connects from (i.e. the OpenSSH client) has already authenticated the user as trusted.
Since this feature bypasses user-based authentication for connections from those hosts, our recommendation is to disable host-based authentication."
solution : "Edit the /etc/ssh/sshd_config file to ensure that host based authentication is disallowed:
vi /etc/ssh/sshd_config
Replace:
#HostbasedAuthentication no
With:
HostbasedAuthentication no
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
startsrc -s sshd
Default Value:
HostbasedAuthentication no
Additional Information:
Reversion:
Revert to the default setting for the HostBasedAuthentication parameter:
vi /etc/ssh/sshd_config
Replace:
HostbasedAuthentication no
With:
# HostbasedAuthentication no
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
startsrc -s sshd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-6,800-53|CM-7,800-53|MA-4,800-53r5|CM-6,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*HostbasedAuthentication[\\s]+no[\\s]*$"
expect : "^[\\s]*HostbasedAuthentication[\\s]+no[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.3.8 sshd_config: IgnoreRhosts is 'yes' or 'shosts-only'"
info : "The IgnoreRhosts parameter controls whether .rhosts and .shosts files will be used in RhostsRSAAuthentication or HostbasedAuthentication.
Rationale:
A user can logon to a remote system without authenticating themselves if .rhosts or .shosts files exist in the remote home directory and if the client machine name and user name are present in these files.
This method presents a risk as the system could be exploited by IP, DNS (Domain Name System) and routing spoofing attacks. Additionally, this authentication method relies on the integrity of the client machine.
These weaknesses are well known and have been exploited. Since this authentication method entails a risk the primary recommendation is to disable the method (setting is yes). Only with documented cases - including steps to mitigate the accepted risk - may shosts mechanism be activated.
Impact:
The title of this recommendation implies acceptance of shosts-only. This is only expected for particular hosts.
Further, the addition of shosts-only requires OpenSSH 8.2 and later.
Since AIX is currently operating with OpenSSH 8.1, the audit and remediation paragraphs are written to implement the preferred setting: IgnoreRhosts yes."
solution : "Edit the /etc/ssh/sshd_config file to disable the .shosts and .rhosts authentication parameter:
vi /etc/ssh/sshd_config
Replace:
#IgnoreRhosts yes
With:
IgnoreRhosts yes
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
startsrc -s sshd
Default Value:
IgnoreRhosts yes"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-6,800-53|CM-7,800-53|MA-4,800-53r5|CM-6,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*IgnoreRhosts[\\s]+yes[\\s]*$"
expect : "^[\\s]*IgnoreRhosts[\\s]+yes[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.3.9 sshd_config: PermitEmptyPasswords is 'no'"
info : "The recommendation is to edit the /etc/ssh/sshd_config file to ensure that the SSH daemon does not authenticate users with a null password.
Rationale:
If password authentication is used and an account has an empty password, the SSH server must be configured to disallow access to the account. Permitting empty passwords could create an easy path of access for hackers to enter the system."
solution : "Edit the /etc/ssh/sshd_config file to disable the acceptance of null passwords:
vi /etc/ssh/sshd_config
Replace:
#PermitEmptyPasswords no
With:
PermitEmptyPasswords no
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
startsrc -s sshd
Default Value:
PermitEmptyPasswords no"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*PermitEmptyPasswords[\\s]+no[\\s]*$"
expect : "^[\\s]*PermitEmptyPasswords[\\s]+no[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.3.10 sshd_config: LogLevel is 'INFO' or 'VERBOSE'"
info : "The INFO level specifies that login and logout activity will be logged. While this is the default setting for OpenSSH, we believe it is better to explicitly set the value in the configuration file.
Rationale:
SSH provides several logging levels with varying amounts of verbosity.
LogLevel
Gives the verbosity level that is used when logging
messages from sshd(8). The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1,
DEBUG2, and DEBUG3. The default is INFO. DEBUG and
DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
higher levels of debugging output. Logging with a
DEBUG level violates the privacy of users and is not
recommended.
DEBUG (and VERBOSE) is specifically not recommended other than strictly for debugging SSH communications. INFO level is the default level and records login/logout activity of SSH users. Login information includes the fingerprint of their SSH keys, when used.
In situations, such as Incident Response, an SSH fingerprint may be important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
Note: the default action of OpenSSH is to propagate this key for every ssh login."
solution : "Edit the /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
Set:
LogLevel INFO
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
sleep 2
startsrc -s sshd
Default Value:
#LogLevel INFO"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*LogLevel[\\s]+"
expect : "^[\\s]*LogLevel[\\s]+(INFO|VERBOSE)[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.3.11 sshd_config: sftp-server arguments include '-u 027 -f AUTH -l INFO'"
info : "The sftp-server is started by the sshd server after authentication has been completed successfully. The process runs with the euid of the authenticated user.
Rationale:
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
Like sshd (see Recommendation: OpenSSH: LogLevel) the sftp-server needs to be configured with syslog information. Additionally, the umask value needs specification."
solution : "Edit the /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
Set:
Subsystem sftp /usr/sbin/sftp-server -u 027 -f AUTH -l VERBOSE
or
Subsystem sftp /usr/sbin/sftp-server -u 027 -f AUTH -l DEBUG
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
sleep 5
startsrc -s sshd"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*Subsystem[\\s]+sftp[\\s]+\/usr\/sbin\/sftp-server[\\s]+-u[\\s]+027[\\s]+-f[\\s]+AUTH[\\s]+-l[\\s]+(INFO|DEBUG)[\\s]*$"
expect : "^[\\s]*Subsystem[\\s]+sftp[\\s]+\/usr\/sbin\/sftp-server[\\s]+-u[\\s]+027[\\s]+-f[\\s]+AUTH[\\s]+-l[\\s]+(INFO|DEBUG)[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.3.12 sshd_config: MaxAuthTries is '4'"
info : "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.
Rationale:
Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
solution : "Edit the /etc/ssh/sshd_config file to set the parameter as follows:
MaxAuthTries 4
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
startsrc -s sshd"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*MaxAuthTries"
expect : "^[\\s]*MaxAuthTries[\\s]+[1-4][\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.3.13 sshd_config: PermitUserEnvironment is 'no'"
info : "The PermitUserEnvironment option allows users to present environment options to the ssh daemon.
Rationale:
Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs).
Impact:
The general condition is to specify no while the recommendation leaves room for specific User(s) or Group(s) to use this feature in controlled ways."
solution : "Edit the /etc/ssh/sshd_config file:
vi /etc/ssh/sshd_config
Set:
PermitUserEnvironment no
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
startsrc -s sshd"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*PermitUserEnvironment[\\s]+no[\\s]*$"
expect : "^[\\s]*PermitUserEnvironment[\\s]+no[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.5.3.15 sshd_config, ssh_config: KexAlgorithms"
info : "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received.
Notes:
Kex algorithms have a higher preference the earlier they appear in the list.
Some organizations may have stricter requirements for approved key exchange algorithms.
Ensure that the key exchange algorithms used are in compliance with site policy.
The only Key Exchange Algorithms currently FIPS 140-2 approved are: - ecdh-sha2-nistp256 - ecdh-sha2-nistp384 - ecdh-sha2-nistp521 - diffie-hellman-group-exchange-sha256 - diffie-hellman-group16-sha512 - diffie-hellman-group18-sha512 - diffie-hellman-group14-sha256
The Key Exchange algorithms supported by OpenSSH 8.2 are:
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
sntrup4591761x25519-sha512@tinyssh.org
Rationale:
Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or because the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks.
Impact:
Weak clients no longer connect."
solution : "Edit the /etc/ssh/sshd_config file and add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms.
Example:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Default Value:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
reference : "800-171|3.1.13,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-171|3.7.5,800-171|3.13.8,800-53|AC-17(2),800-53|CM-7,800-53|IA-5,800-53|IA-5(1),800-53|MA-4,800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|CM-7,800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|MA-4,800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|9.2,CSCv7|16.4,CSCv8|3.10,CSCv8|4.6,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|CM-7,ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|MA-4,ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1A,NESA|T2.3.4,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T5.4.4,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS15a,NIAv2|SS24,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*[Kk]ex[Aa]lgorithms[\\s]+"
expect : "^[\\s]*[Kk]ex[Aa]lgorithms[\\s]+.*?(diffie-hellman-group1-sha1,?|diffie-hellman-group14-sha1,?|diffie-hellman-group-exchange-sha1,?).*$"
system : "Linux"
type : FILE_CONTENT_CHECK_NOT
description : "4.5.3.16 sshd_config, ssh_config: Ciphers"
info : "This variable limits the ciphers that SSH can use during communication.
Notes:
Some organizations may have stricter requirements for approved ciphers.
Ensure that the ciphers used are in compliance with site policy.
The only 'strong' ciphers currently FIPS 140-2 compliant are: - aes256-ctr - aes192-ctr - aes128-ctr
Supported ciphers in OpenSSH 8.2:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
Rationale:
Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Research conducted at various institutions determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBC) method. From that research, new Counter mode algorithms (as described in RFC 4344) were designed that are not vulnerable to these types of attacks, and these algorithms are now recommended for standard use.
The Triple DES ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, aka a 'Sweet32' attack.
Error handling in the SSH protocol (client and server), when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors."
solution : "Edit the /etc/ssh/sshd_config file and add/modify the Ciphers line to contain a comma separated list of the site approved ciphers.
Example
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
startsrc -s sshd
Default Value:
AIX with OpenSSH 8.1
ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*[Cc]iphers[\\s]+"
expect : "^[\\s]*[Cc]iphers[\\s]+.*?(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator\\.liu\\.se).*$"
system : "Linux"
type : FILE_CONTENT_CHECK_NOT
description : "4.5.3.17 sshd_config, ssh_config: MACs - Message Authentication Codes"
info : "This variable limits the types of MAC algorithms that SSH can use during communication.
Notes:
Some organizations may have stricter requirements for approved MACs.
Ensure that the MACs used are in compliance with site policy.
The only 'strong' MACs currently FIPS 140-2 approved are:
hmac-sha2-256
hmac-sha2-512
The Supported MACs are:
hmac-md5
hmac-md5-96
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
umac-64@openssh.com
umac-128@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
Rationale:
Clients that expect the weak MACs will often use/expect weak encryption keys as well.
Like the Ciphers setting, the sshd MACs need to be configured to exclude weak message authentication codes.
MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to receive a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM (man in the middle) position to decrypt the SSH tunnel and capture credentials and information.
Impact:
Weak clients will not connect and/or lose the ability to connect."
solution : "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs.
Example:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
Default Value:
MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"
reference : "800-171|3.1.13,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-171|3.7.5,800-171|3.13.8,800-53|AC-17(2),800-53|CM-7,800-53|IA-5,800-53|IA-5(1),800-53|MA-4,800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|CM-7,800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|MA-4,800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|9.2,CSCv7|14.4,CSCv7|16.5,CSCv7|18.4,CSCv7|18.5,CSCv8|3.10,CSCv8|4.6,CSCv8|16.5,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|CM-7,ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|MA-4,ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1A,NESA|T2.3.4,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T5.4.4,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS15a,NIAv2|SS24,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*[Mm][Aa][Cc][Ss][\\s]+"
expect : "^[\\s]*[Mm][Aa][Cc][Ss][\\s]+.*?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh\\.com|umac-128@openssh\\.com|hmac-md5-etm@openssh\\.com|hmac-md5-96-etm@openssh\\.com|hmac-ripemd160-etm@openssh\\.com|hmac-sha1-etm@openssh\\.com|hmac-sha1-96-etm@openssh\\.com|umac-64-etm@openssh\\.com|umac-128-etm@openssh\\.com).*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.3.18 sshd_config, ssh_config: ReKeyLimit"
info : "This variable specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed by a maximum amount of time that may pass before the session key is renegotiated.
Rationale:
This recommendation is based on the guidelines outlined in Chapter 9 in [RFC4253], i.e. the recommendation is to release/renew Session keys after one hour or after the transfer of one gigabyte (depending on whichever comes first)."
solution : "Edit the /etc/ssh/sshd_config file to set the parameter as follows:
RekeyLimit 1G 3600
Default Value:
RekeyLimit default None"
reference : "800-171|3.1.13,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-171|3.7.5,800-171|3.13.8,800-53|AC-17(2),800-53|CM-7,800-53|IA-5,800-53|IA-5(1),800-53|MA-4,800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|CM-7,800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|MA-4,800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|9.2,CSCv7|14.4,CSCv8|3.10,CSCv8|4.6,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|CM-7,ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|MA-4,ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1A,NESA|T2.3.4,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T5.4.4,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS15a,NIAv2|SS24,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*rekeylimit"
expect : "^[\\s]*rekeylimit[\\s]+1G[\\s]+3600[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.4.1 /etc/mail/sendmail.cf - Hide sendmail version information - SmtpGreetingMessage"
info : "The recommendation is to change both the default sendmail greeting and HELP output to not display the sendmail version.
Rationale:
The sendmail daemon has a history of security vulnerabilities. The recommendation is to change the default sendmail settings that display the sendmail version and other related information. Sendmail version information can be used by an attacker for fingerprinting purposes."
solution : "Create a backup copy of /etc/mail/sendmail.cf:
cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis
Edit:
vi /etc/mail/sendmail.cf
Replace:
O SmtpGreetingMessage=$j Sendmail $b
With:
O SmtpGreetingMessage=mailerready
Ensure Sendmail helpfile exists
test -e /etc/mail/helpfile || touch /etc/mail/helpfile
Default Value:
SmtpGreetingMessage=$j Sendmail $b
Additional Information:
Reversion:
Copy back the original /etc/sendmail.cf file:
cp -p /etc/mail/sendmail.cf.pre_cis /etc/mail/sendmail.cf"
reference : "800-171|3.1.7,800-53|AC-6(10),800-53r5|AC-6(10),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-6,LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/mail/sendmail.cf"
regex : "SmtpGreetingMessage"
expect : "^[\\s]*O[\\s]+SmtpGreetingMessage[\\s]*=[\\s]*mailerready[\\s]*$"
system : "AIX"
type : FILE_CHECK
description : "4.5.4.1 /etc/mail/sendmail.cf - Hide sendmail version information - helpfile"
info : "The recommendation is to change both the default sendmail greeting and HELP output to not display the sendmail version.
Rationale:
The sendmail daemon has a history of security vulnerabilities. The recommendation is to change the default sendmail settings that display the sendmail version and other related information. Sendmail version information can be used by an attacker for fingerprinting purposes."
solution : "Create a backup copy of /etc/mail/sendmail.cf:
cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis
Edit:
vi /etc/mail/sendmail.cf
Replace:
O SmtpGreetingMessage=$j Sendmail $b
With:
O SmtpGreetingMessage=mailerready
Ensure Sendmail helpfile exists
test -e /etc/mail/helpfile || touch /etc/mail/helpfile
Default Value:
SmtpGreetingMessage=$j Sendmail $b
Additional Information:
Reversion:
Copy back the original /etc/sendmail.cf file:
cp -p /etc/mail/sendmail.cf.pre_cis /etc/mail/sendmail.cf"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/mail/helpfile"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.4.2 /etc/mail/sendmail.cf - PrivacyOptions"
info : "The recommendation is to ensure that PrivacyOptions includes at least three settings:
authwarnings (a default)
novrfy
noexpn
Rationale:
The sendmail daemon has a history of security vulnerabilities. The recommendation is to modify default sendmail settings that otherwise may provide information that can be used by an attacker.
novrfy (no verify): do not confirm whether email addresses are valid. Address verification can be used by attackers, e.g., in phishing attacks.
noexpn (no expansion): do not verify/expand mailing list addresses, which would provide attackers with a list of valid email addresses."
solution : "Create a backup copy of /etc/mail/sendmail.cf:
cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis
Edit:
vi /etc/mail/sendmail.cf
Replace:
O PrivacyOptions=authwarnings
With:
O PrivacyOptions=authwarnings,noexpn,novrfy
Or - append
noexpn,novrfy
at the end of the current PrivacyOptions settings (assuming authwarnings is already included).
Default Value:
PrivacyOptions=authwarnings
Additional Information:
Reversion:
Copy back the original /etc/sendmail.cf file:
cp -p /etc/mail/sendmail.cf.pre_cis /etc/mail/sendmail.cf"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/mail/sendmail.cf"
regex : "^[\\s]*O[\\s]PrivacyOptions[\\s]*="
expect : "^[\\s]*O[\\s]PrivacyOptions[\\s]*=[\\s]*(authwarnings,?|noexpn,?|novrfy,?)$"
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.5.4.3 /etc/mail/sendmail.cf - DaemonPortOptions"
info : "The recommendation is to enable running sendmail in MTA mode to support local applications that require legacy MTA (i.e., connection via port 25) support.
Recall the preferred recommendation is to not run sendmail locally.
Rationale:"
solution : "Create a backup copy of /etc/mail/sendmail.cf:
cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis
Edit:
vi /etc/mail/sendmail.cf
Replace: (assuming the default configuration)
O DaemonPortOptions=Name=MTA
with
O DaemonPortOptions=Name=MTA,Addr=localhost
Additional Information:
Reversion:
Copy back the original /etc/sendmail.cf file:
cp -p /etc/mail/sendmail.cf.pre_cis /etc/mail/sendmail.cf"
reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/mail/sendmail.cf"
regex : "^O[\\s]*DaemonPortOptions[\\s]*="
expect : "^O[\\s]*DaemonPortOptions[\\s]*=[\\s]*Name=MTA[\\s]*,[\\s]*Addr=localhost[\\s]*$"
system : "AIX"
type : FILE_CHECK
description : "4.5.4.4 /etc/mail/sendmail.cf - access control"
info : "The access controls for /etc/mail/sendmail.cf are applied.
Rationale:
The /etc/mail/sendmail.cf file is used by the sendmail daemon to determine its default configuration. This file must be protected from unauthorized access and modifications."
solution : "Set the recommended permissions and ownership on /etc/mail/sendmail.cf:
chmod u=rw,g=r,o= /etc/mail/sendmail.cf
chown root.system /etc/mail/sendmail.cf
trustchk -u /etc/mail/sendmail.cf mode owner group
Default Value:
-rw-r--r-- root system sendmail.cf"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/mail/sendmail.cf"
owner : "root"
mask : "137"
system : "AIX"
type : FILE_CHECK
description : "4.5.4.5 /var/spool/clientmqueue - access control"
info : "The recommended DAC (discretionary access control) settings for the /var/spool/clientmqueue directory are applied.
Rationale:
Queued messages are the messages that have not yet reached their final destination. To ensure the integrity of the messages during storage, the mail queue directory must be secured from unauthorized access. The clientmqueue (/var/spool/clientmqueue) is the mail queue for handling locally generated outbound emails. This queue is used when mail is submitted to sendmail as an MSP rather than as an MTA.
NOTE: It is possible to specify an alternate spool directory in the /etc/mail/submit.cf file via the QueueDirectory parameter. When this is used that directory name needs identical DAC settings."
solution : "Set the recommended permissions and ownership on /var/spool/clientmqueue:
chmod ug=rwx,o= /var/spool/clientmqueue
chown smmsp.smmsp /var/spool/clientmqueue
Default Value:
drwxrwx--- smmsp smmsp /var/spool/clientmqueue"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/spool/clientmqueue"
owner : "root"
mask : "007"
system : "AIX"
type : FILE_CHECK
description : "4.5.4.6 /var/spool/mqueue - access control"
info : "The recommended DAC (discretionary access control) settings for the /var/spool/mqueue directory are applied.
Rationale:
The sendmail daemon stores its queued mail in the /var/spool/mqueue directory. Queued messages are the messages that have not yet reached their final destination. To ensure the integrity of the messages during storage, the mail queue directory must be secured from unauthorized access.
NOTE: It is possible to specify an alternate spool directory in the /etc/mail/sendmail.cf file via the QueueDirectory parameter. When this is used that directory name needs identical DAC settings."
solution : "Set the recommended permissions and ownership on /var/spool/mqueue:
chmod u=rwx,go= /var/spool/mqueue
chown root /var/spool/mqueue
Default Value:
drwxrwx--- root system /var/spool/mqueue"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/spool/mqueue"
owner : "root"
mask : "077"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.5.6 Uninstall snmp"
info : "On AIX 7.2 and later, unless otherwise needed - uninstall snmp and snmpd support.
Rationale:
Impact:
If not installed, the rest of the recommendations in this section titled SNMP Configuration may be ignored."
solution : "Execute the following command:
typeset -i SNMP
SNMP=$(lslpp -Lcq | grep bos.net.tcp.snmp | wc -l)
if [[ $SNMP -ne 0 ]]; then
installp -ug bos.net.tcp.snmp bos.net.tcp.snmpd
fi"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/snmpd"
expect : "^[\\s]*start[\\s]+/usr/sbin/snmpd"
system : "AIX"
type : CMD_EXEC
description : "4.5.7 Uninstall/Disable sendmail"
info : "On AIX, unless otherwise needed - uninstall or disable sendmail support.
ALSO: if the version installed does not display support for SASLv2 - remove sendmail on AIX 7.2 and chmod to 0 (zero) otherwise.
Rationale:
Maintaining a secure sendmail MTA (mail transfer agent) is a complex process. While, historically, *NIX systems have run a (localhost) MTA or MSP (mail submission program), there is no real need these days for every system to have this software installed.
Note: Historically, the AIX sendmail build has not supported the AUTH feature. Since AIX 7.2 TL4 a new packaging of sendmail (still as version 8.15.2, so version number is not the way to verify suitability) allows AUTH support indirectly via the SASLv2 (Simple Authentication and Security Layer) API interface. Our recommendation is to disable/remove sendmail programs that do not provide SASLv2 support.
Impact:
If not installed, the rest of the recommendations in this section titled Sendmail Configuration may be ignored.
Applications configured to speak to a localhost MTA or MSP may fail to send mail. These applications should be (re-)configured to use STARTTLS or SSL and send their mail messages via a hardened MTA host."
solution : "Execute the following command:
(lslpp -Lcq bos.net.tcp.sendmail >/dev/null && installp -u bos.net.tcp.sendmail) || \
echo bos.net.tcp.sendmail is not installed
# If AIX 7.1 or thirdparty software, i.e., fileset bos.net.tcp.sendmail does not exist but sendmail does ...
if test -e /usr/sbin/sendmail ; then
(/usr/sbin/sendmail -d0 /dev/null) || \
chmod a= /usr/sbin/sendmail
trustchk -u /usr/sbin/sendmail mode
fi"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lslpp -Lcq | /usr/bin/grep -i 'sendmail' | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "none"
system : "AIX"
type : CMD_EXEC
description : "4.7.1.1 Home directory must exist"
info : "All accounts must have a trusted starting point - a HOME directory.
Rationale:
A missing home directory on many systems places the account in a default directory. Examples include: / and /home/guest.
This recommendation is specifically about locally administered accounts (in AIX terms, -R files). If an account exists in the local registry it must have a home directory that is accessible. This is to ensure it is not an invalid account (e.g., restored via a backup accidentally). If a valid account - it still needs a home directory.
As a script cannot distinguish between a valid account missing a HOME directory and an invalid account missing a HOME directory - the recommendation is to lock the account.
Impact:
A valid user can open a ticket and get a HOME directory created or restored.
The risk of an invalid user gaining access via an old username is reduced."
solution : "Lock local accounts with UID >= 200 when HOME directory does not exist:
#!/usr/bin/ksh -e
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest;
do
uid=$(echo ${ids} | cut -f2 -d =)
if [[ ${uid} -ge 200 ]]; then
home=$(echo ${homes} | cut -f2 -d =)
locked=$(echo ${locks} | cut -f2 -d =)
if [[ ${locked} == 'true' ]]; then
continue
elif [[ ! -d ${home} ]]; then
/usr/bin/printf 'Locked Account [%s]: Missing \${HOME} at: %-32s\n' ${name} ${home}
/usr/bin/chuser -R files account_locked=true ${name}
fi
fi
done"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1M,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/bin/cat /etc/passwd | /bin/egrep -v '^(root|halt|sync|shutdown)' | /usr/bin/awk -F: '($7 != \"/usr/sbin/nologin\" && $7 != \"/bin/false\") { print $1 \" \" $6 }' | while read user dir; do if [ ! -d \"$dir\" ]; then /bin/echo \"The home directory ($dir) of user $user does not exist.\"; fi; done | /usr/bin/awk '{ print } END { if(NR==0) { print \"No results found\" } }'"
expect : "^No results found$"
system : "AIX"
type : CMD_EXEC
description : "4.7.1.2 Home directory must be owned by account, or special account"
info : "All user home directories must have a suitable owner UID.
Rationale:
Manipulating home directories may enable malicious users to steal or modify data, or to gain other users' system privileges. The UID (or owner) of the HOME directory needs to be either the account or a special account defined for this purpose.
When the account is the owner - the security policy must specify that (some) accounts may have DAC authorization to modify HOME directory contents. Security policy may also specify a special UID used to own HOME directories to prevent accounts from modifying the layout and/or content of the HOME directory.
The assumption of this recommendation is that security policy has not specified either. The recommendation is to lock accounts when the HOME directory is not owned by the user or by root.
Impact:
*Locally administered accounts with HOME directories owned by a random userid will be locked.
Valid users can open a ticket to get the UID of their HOME directory corrected.
The risk of a malicious user modifying an account's HOME directory is reduced."
solution : "For all local accounts with UID >= 200:
#!/usr/bin/ksh -e
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest;
do
uid=$(echo ${ids} | cut -f2 -d =)
if [[ ${uid} -ge 200 ]]; then
home=$(echo ${homes} | cut -f2 -d =)
locked=$(echo ${locks} | cut -f2 -d =)
if [[ ${home} == '/dev/null' || ${locked} == 'true' ]]; then
continue
elif [[ ! -d ${home} ]]; then
/usr/bin/printf '%-32s does not exist; Run appropriate CIS remediation\n' ${home} ${name}
continue
else
/usr/bin/perl -e '
$user=$ARGV[0]; $hd=$ARGV[1]; $uid=$ARGV[2]; $huid=((stat $hd)[4]);
if ($huid != $uid && $huid != 0) {
printf('Locked Account: %s does not own %s.\n', ${user},${hd});
exit(1); # triggers command after OR (||)
}' ${name} ${home} ${uid} || \
/usr/bin/chuser -R files account_locked=true $name
fi
fi
done"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1M,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/bin/egrep -v '^(halt|sync|shutdown)' /etc/passwd | /bin/egrep -v '((/usr)?/sbin/nologin|/bin/false)' | /bin/awk -F: '{ print $1 \" \" $6 }' | while read user dir; do if [ ! -d \"$dir\" ]; then echo \"The home directory ($dir) of user $user does not exist.\"; else owner=$(stat -L -c \"%U\" \"$dir\"); if [ \"$owner\" != \"$user\" ]; then echo \"The home directory ($dir) of user $user is owned by $owner.\"; fi; fi; done | /bin/awk '{ print } END { if (NR==0) print \"All home directories have proper owners\"}'"
expect : "All home directories have proper owners"
system : "AIX"
type : CMD_EXEC
description : "4.7.1.3 Home directory: write access restricted to 'owner'"
info : "Home directories must be writable only by the owner. This recommendation audits (or removes) any write permission granted via traditional file mode permissions (using chmod). Nor should a home directory have any permissions managed (whether permit or deny) via ACLs.
Rationale:
HOME directories with group or world write access enable malicious users to add files or directories, or even remove them if the directory 'T' (SVTX) bit is not also set. While this does not necessarily allow access to data - existing data might be destroyed (unlink()) or replaced (new file added with the same name). These modifications could be used, e.g., to use the user's authorizations to gain other system privileges.
Disabling read and execute access for world and/or group might be part of a company security policy - and the audit and remediation scripts will need to be modified to reflect this addition.
The use of ACLs is discouraged because their effect is not immediately visible using standard tools. They must be identified (by locating inodes with permission bit 0200000000 set) as active and read using aclget before the actual permissions granted or denied are known. It is better to deny outside access to home (i.e., user) related data. When data must be shared, create an area outside of ${HOME}.
Impact:
There should be no impact - at least as far as world permissions are concerned. There is a potential that all members of the group staff or system might see minimal impact - if their systems have, or had, a default umask of 002 when their accounts were created.
Accounts created with a default umask of 022 or stricter will not be impacted, unless a user account modified their HOME directory mode bits to permit group and/or other write access."
solution : "For all local accounts with UID >= 200:
Remove write permission from home directories that have group or world write access:
#!/usr/bin/ksh -e
# home_mode_acl: 4.8.1.3
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
typeset -i UIDCK=$1
typeset -i ret=0
if test $UIDCK == 0; then
UIDCK=200
fi
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest;
do
uid_check=$(echo ${ids} | cut -f2 -d =)
if [[ ${uid_check} -ge ${UIDCK} ]]; then
home=$(echo ${homes} | cut -f2 -d =)
locked=$(echo ${locks} | cut -f2 -d =)
if [[ ${home} == '/dev/null' || ${locked} == 'true' ]]; then
continue
elif [[ ! -d ${home} ]]; then
/usr/bin/printf '%-32s does not exist; locking account named [%s]\n' ${home} ${name}
chuser -R files account_locked=true $name
else [[ ${home} != '/' && ${home} != '/dev/null' ]]
perl -e '$f=$ARGV[0]; $m=(stat $f)[2];\
exit (($m & 022) + 1) if ($m & 0200000000);\
exit($m & 022);' $home
# exit($m&022 +1) if ($m & 0200000000) else exit ($m &022); ' $home
ret=$?
[[ $ret == 0 ]] && continue
if (( $ret & 022 )); then
printf '%s: had group or world write mode\n' $home
chmod og-w ${home}
fi
if (($ret & 1)); then
printf '%s: had ACL defined and enabled\n' $home
rm -rf /tmp/$$/${home}
mkdir -p /tmp/$$/${home}
aclget /tmp/$$/${home} | aclput ${home}
rm -rf /tmp/$$/${home}
fi
fi
fi
done
NOTE: The permission change is automatically applied to all accounts with a user ID (uid) greater or equal to 200. Also, if the HOME directory has already been defined to something special (here, /dev/null) no change is made to the account attributes.
To automate the process for new users see Additional Information below.
Default Value:
drwxr-xr-x (or Directory, 755)
Additional Information:
To automate this during account creation (mkuser) a customized mkuser.sys script named /etc/security/mkuser.sys.custom must be created and ensure that chmod is called with either
chmod u=rwx,g=rx,o= $1
or
chmod og=-w $1
Likely the command will look something like:
mkdir -p $1 && chmod og-w $1"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/bin/cat /etc/passwd | /usr/bin/awk -F: '($7 != \"/sbin/nologin\" && $7 != \"/bin/false\") { print $1 \" \" $6 }' | while read user dir; do if [ ! -d \"$dir\" ]; then /usr/bin/echo \"The home directory ($dir) of user $user does not exist.\"; else for file in $dir/.[A-Za-z0-9]*; do if [ ! -h \"$file\" -a -f \"$file\" ]; then fileperm=`ls -ld $file | cut -f1 -d\" \"`; if [ `/usr/bin/echo $fileperm | cut -c6` != \"-\" ]; then /usr/bin/echo \"Group Write permission set on file $file\"; fi; if [ `/usr/bin/echo $fileperm | cut -c9` != \"-\" ]; then /usr/bin/echo \"Other Write permission set on file $file\"; fi; fi; done; fi; done | /usr/bin/awk '{print} END {if (NR == 0) print \"Pass - No home configuration files found with group or other permissions\"; else print}'"
expect : "Pass - No home configuration files found with group or other permissions"
system : "AIX"
type : FILE_CHECK
description : "4.7.1.4 AUDIT subsystem: /audit and /etc/security/audit - /audit"
info : "The /audit directory is the default location for output produced from the audit subsystem. The audit subsystem configuration files are in /etc/security/audit.
Rationale:
The /etc/security/audit and /audit directories store the audit configuration and output files. Access controls must prevent unauthorized access."
solution : "Ensure correct ownership and permissions are in place for /etc/security/audit and /audit.
#!/usr/bin/ksh -e
# audit_subsys:4.8.1.4
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
for AUDITDIR in /etc/security/audit /audit; do
find ${AUDITDIR} | grep -v 'lost+found' | xargs chown root:audit
find ${AUDITDIR} -type d | grep -v 'lost+found' | xargs chmod u=rwx,g=rs,o=
find ${AUDITDIR} ! -type d | grep -v 'lost+found' | xargs chmod -R u=rw,g=r,o=
done
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/audit"
owner : "root"
mask : "027"
group : "audit"
system : "AIX"
type : FILE_CHECK
description : "4.7.1.4 AUDIT subsystem: /audit and /etc/security/audit - /etc/security/audit"
info : "The /audit directory is the default location for output produced from the audit subsystem. The audit subsystem configuration files are in /etc/security/audit.
Rationale:
The /etc/security/audit and /audit directories store the audit configuration and output files. Access controls must prevent unauthorized access."
solution : "Ensure correct ownership and permissions are in place for /etc/security/audit and /audit.
#!/usr/bin/ksh -e
# audit_subsys:4.8.1.4
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
for AUDITDIR in /etc/security/audit /audit; do
find ${AUDITDIR} | grep -v 'lost+found' | xargs chown root:audit
find ${AUDITDIR} -type d | grep -v 'lost+found' | xargs chmod u=rwx,g=rs,o=
find ${AUDITDIR} ! -type d | grep -v 'lost+found' | xargs chmod -R u=rw,g=r,o=
done
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/security/audit"
owner : "root"
mask : "027"
group : "audit"
system : "AIX"
type : FILE_CHECK
description : "4.7.1.5 SECURITY Subsystems: /etc/security"
info : "The /etc/security directory contains multiple files and directories used to keep the targeted AIX system secure. Most subsystems are owned by root:security (UID:GID). However, additional subsystems such as AUDIT and AIXPERT have their own permissions (and recommendations).
Traditionally, /etc/security has been identified as USER administration - including the shadow password file. But there is much more under /etc/security. Normal installations also have configuration files for security subsystems including: aixpert, tsd, ice, ldap, rbac, audit, ipsec, fpm, and trusted computing (tscd).
While these subsystems may not be enabled, their files need to be secured to prevent unauthorized access.
Rationale:
The /etc/security directory contains sensitive files for multiple security systems. For the USER subsystem there are files such as /etc/security/passwd, /etc/security/user that must be secured from unauthorized access and modification."
solution : "Ensure correct access control settings for security subsystem configuration files installed in /etc/security:
#!/usr/bin/ksh -e
# security_subsys:4.8.1.5
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
EXCLUDE='security/(aixpert|audit|ice)'
find /etc/security -type d | \
/usr/bin/egrep -v ${EXCLUDE} | \
/usr/bin/sort | xargs ls -led | \
/usr/bin/awk '{print $1 ' ' $3 ' ' $4 ' ' $9}' | \
/usr/bin/grep -v drwxr-s---- | \
awk '{print $NF}' | while read SECDIR; do
find ${SECDIR} | grep -v ${EXCLUDE} | xargs chown root:security
find ${SECDIR} -type d | grep -v ${EXCLUDE} | xargs chmod u=rwx,g=rxs,o=
find ${SECDIR} -type f | grep -v ${EXCLUDE} | xargs chmod -R u=rw,g=r,o=
done
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/security"
owner : "root"
mask : "027"
group : "security"
system : "AIX"
type : FILE_CHECK
description : "4.7.1.10 Ensure root user has a dedicated home directory"
info : "The root user must have a dedicated home directory and not use / as their home directory.
Rationale:
By default, the home directory for the root user on AIX is /. This means that all configuration files and directories it creates are visible to all users and may be accessible if the root user has a weak umask setting.
Moving these files to a dedicated home directory and setting appropriate file permissions allows for appropriate use of discretionary access control to these files."
solution : "Create a new home directory for the root user
mkdir /root
Set ownership and permissions on this directory
chown root:system /root
chmod 0700 /root
Update the home directory for the root user
chuser home=/root root
Move any necessary configuration files or directories to this new directory"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/root"
mask : "7077"
system : "AIX"
type : FILE_CHECK
description : "4.7.2.1 New configuration file for sendmail /etc/mail/submit.cf"
info : "From AIX 7.2.4, sendmail is updated to version 8.15.2 and there is a new configuration file, /etc/mail/submit.cf. Its permissions need to be changed to 640.
Rationale:
Changes to the configuration file /etc/mail/submit.cf should require privileged access.
Impact:
It will not impact the usability of the application or the system."
solution : "chmod 640 /etc/mail/submit.cf"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|SC-7,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|7.8,CSCv8|9.5,CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1M,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/mail/submit.cf"
mask : "137"
system : "AIX"
description : "4.7.2.2 Verify Trust of suid, sgid, acl, and trusted-bit files and programs"
info : "The system is audited for both suid and sgid files and programs.
Rationale:
An audit should be performed on the system to search for the presence of both suid and sgid files and programs. In order to prevent these files from being potentially exploited the suid and sgid permissions should be removed wherever possible.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Review the currently mounted filesystems:
mount
Un-mount all non-local filesystems and cdrom media:
unmount
If there are non-local filesystems which cannot be un-mounted, use the following to find all suid and sgid files on local JFS/JFS2 filesystems only:
find / \( -fstype jfs -o -fstype jfs2 \) \( -perm -04000 -o -perm -02000 \) -type f -ls
If all non-local filesystems have been un-mounted:
find / \( -perm -04000 -o -perm -02000 \) -type f -ls
Review the files and where possible, use the chmod command to remove the appropriate suid or sgid bits:
chmod u-s
chmod g-s
Default Value:
N/A
Additional Information:
Reversion:
Use the chmod command to re-instate the suid and sgid bits to the relevant files:
chmod u+s
chmod g+s "
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1M,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
name : "find_suid_sgid_files"
basedir : "/"
severity : MEDIUM
system : "AIX"
type : CMD_EXEC
description : "6.4 Adding authorized users in at.allow"
info : "The /var/adm/cron/at.allow file defines which users on the system are able to schedule jobs via at.
Rationale:
The /var/adm/cron/at.allow file defines which users are able to schedule jobs via at. Review the current at files and add any relevant users to the /var/adm/cron/at.allow file.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Review the current at files:
ls -l /var/spool/cron/atjobs
cat /var/spool/cron/atjobs/*
NOTE: Review the list of at schedules and remove any files which should not be there, or have no content.
Add the recommended system users to the at.allow list:
echo 'adm' >> /var/adm/cron/at.allow
echo 'sys' >> /var/adm/cron/at.allow
Add any other users who require permissions to use the at scheduler:
echo 'USERNAME' >> /var/adm/cron/at.allow
NOTE: Where USERNAME is the name of the user to be added.
Default Value:
N/A"
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv8|5.4,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1M,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/cat /var/adm/cron/at.allow"
expect : "MANUAL_REVIEW"
severity : MEDIUM
system : "AIX"
type : CMD_EXEC
description : "6.6 Adding authorised users in cron.allow"
info : "The /var/adm/cron/cron.allow file defines which users on the system are able to schedule jobs via cron.
Rationale:
The /var/adm/cron/cron.allow file defines which users are able to schedule jobs via cron. Review the current cron files and add any relevant users to the /var/adm/cron/cron.allow file.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Review the current cron files:
ls -l /var/spool/cron/crontabs/
cat /var/spool/cron/crontabs/*
NOTE: Review the list of cron schedules and remove any files which should not be there, or have no content.
Add the recommended system users to the cron.allow list:
echo 'sys' >> /var/adm/cron/cron.allow
echo 'adm' >> /var/adm/cron/cron.allow
Add any other users who require permissions to use the cron scheduler:
echo 'USERNAME' >> /var/adm/cron/cron.allow
NOTE: Where USERNAME is the name of the user to be added.
Default Value:
N/A"
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv8|5.4,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/cat /var/adm/cron/cron.allow"
expect : "MANUAL_REVIEW"
severity : MEDIUM
system : "AIX"
type : CMD_EXEC
description : "4.1.1.1 Disable writesrv"
info : "The recommendation is to disable writesrv. writesrv allows users to chat using the system write facility on a terminal.
Rationale:
writesrv allows users to chat using the system write facility on a terminal. The recommendation is that this service must be disabled."
solution : "Identify if writesrv is enabled:
lsitab writesrv | wc -l
If the command output != '0' stop the service and remove the entry from /etc/inittab
rmitab writesrv
stopsrc -s writesrv
Default Value:
N/A
Additional Information:
Reversion:
Re-add the writesrv startup line to /etc/inittab:
mkitab 'writesrv:2:wait:/usr/bin/startsrc -swritesrv'"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s writesrv | /usr/bin/grep -v inoperative | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.1.1.5 qdaemon"
info : "This is the printing scheduling daemon that manages the submission of print jobs to piobe.
Rationale:
If there is not a requirement to support local or remote printing, remove the qdaemon entry from /etc/inittab."
solution : "In /etc/inittab, remove the qdaemon entry:
rmitab qdaemon
Default Value:
Enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsitab qdaemon | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.1.1.7 cas_agent"
info : "The /etc/inittab entry labeled cas_agent starts an agent that communicates with FSM and/or IBM Director. The agent is started by the SRC subsystem and is installed by the fileset cas.agent.
Rationale:
The products this agent communicates with are deprecated - no longer supported by IBM as POWER platform systems management software. While harmless, the agent may trigger a security alert when running due to the way it initializes with FSM (System Director)."
solution : "The following command will deinstall the cas.agent fileset and also any filesets installed that depend on cas.agent (e.g., if artex.base.agent is also installed):
lslpp -L cas.agent >/dev/null 2>&1 && installp -ug cas.agent
Default Value:
:on: if the agent is installed."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lslpp -L cas.agent"
expect : "cas.agent[\\s]*not[\\s]*installed."
system : "AIX"
type : CMD_EXEC
description : "4.1.1.2 Disable ntalk/talk"
info : "The recommendation is to block chat via talk or ntalk. These services enable users to chat within terminal sessions.
Rationale:
These services use unsecured TCP and UDP protocols and can be snooped via the network."
solution : "Disable talk and write.
rmitab writesrv
chmod a-rwx /usr/sbin/writesrv
trustchk -u /usr/sbin/writesrv mode
Default Value:
ntalk is enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep -c talk"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.1.3 dt"
info : "This entry executes the CDE startup script which starts the AIX Common Desktop Environment.
Rationale:
If there is not an lft connected to the system and there are no other X11 clients that require CDE, remove the dt entry."
solution : "In /etc/inittab, remove the dt entry:
rmitab dt
Default Value:
Uncommented (if an lft is present)"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsitab dt | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.1.1.4 piobe"
info : "The piobe daemon is the I/O back end for the printing process, handling the job scheduling and spooling.
Rationale:
If there is not a requirement for the system to support either local or remote printing, remove the piobe entry."
solution : "In /etc/inittab, remove the piobe entry:
rmitab piobe
Default Value:
Uncommented"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsitab piobe | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.1.1.6 rc.nfs"
info : "The rcnfs entry starts the NFS, NIS and automount daemons during system boot. Additionally, it automounts filesystems with the attribute vfs = nfs.
Rationale:
NFS is a service with numerous historical vulnerabilities and should not be enabled unless there is no alternative."
solution : "Use the rmitab command to remove the NFS start-up script from /etc/inittab:
rmitab rcnfs
Also, to be certain NFS related services have been stopped, execute the following script:
/etc/nfs.clean
Default Value:
Uncommented
Additional Information:
If NFS related services are required, then read-only exports and mounts are recommended. NFS mounts should include the options nodev and nosuid to prevent unauthorized access. Further, no filesystem or directory should be exported with root access.
Remember: unless otherwise required, the NFS related services should be disabled."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsitab rcnfs | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.1.2.1 inetd - aka Super Daemon - aka Super Daemon"
info : "When none of the services run and managed by inetd are required, disable the inetd daemon itself.
This is the preferred state.
Rationale:
When no inetd managed services are required there is no need to start the daemon at boot time.
An administrator can manually start the inetd service post-IPL, should any of the inetd-supported services be or become required.
Impact:
When an inetd service is required this service is permitted. Be sure to review the section 4.1.5 Inetd (aka Super Daemon) Services later in the document."
solution : "Review any active inetd services:
refresh -s inetd
lssrc -ls inetd
NOTE: If there are active services and the services are required, do not disable inetd. Skip to the next section and consider the implementation of TCP Wrappers to secure access to these active services. If the active services are not required disable them via the chsubserver command.
Disable inetd if there are no active services:
chrctcp -d inetd
stopsrc -s inetd
Default Value:
Enabled
Additional Information:
Reversion:
Uncomment the inetd startup in /etc/rc.tcpip:
chrctcp -a inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[#]+start[\\s]+\/usr\/sbin\/inetd[\\s]*\"\\$src_running\"[\\s]*$"
expect : "^[#]+start[\\s]+\/usr\/sbin\/inetd[\\s]*\"\\$src_running\"[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.2 aixmibd"
info : "This entry starts the aixmibd daemon on system startup. This is a dpi2 sub-agent that may be required if the server runs SNMP.
Rationale:
The aixmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. The recommendation is to disable aixmibd unless snmpd is required."
solution : "On AIX 7.1 and earlier comment out the aixmibd entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d aixmibd
stopsrc -s aixmibd
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.snmpd
Default Value:
Uncommented
Additional Information:
The aixmibd collects data from an AIX specific MIB. Further details relating to this MIB can be found in the URL below:
https://www.ibm.com/docs/en/aix/7.1?topic=aixmibd-daemon"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/aixmibd"
expect : "^[\\s]*start[\\s]+/usr/sbin/aixmibd"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.3 dhcpcd"
info : "This entry starts the dhcpcd daemon on system startup. The dhcpcd daemon receives address and configuration information from the DHCP server.
Rationale:
The dhcpcd daemon is the DHCP client that receives address and configuration information from the DHCP server. This must be disabled if DHCP is not used to serve an IP address to the local system."
solution : "On AIX 7.1 and earlier comment out the dhcpcd entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d dhcpcd
stopsrc -s dhcpcd
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.dhcpd
Default Value:
Commented out"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/dhcpcd"
expect : "^[\\s]*start[\\s]+/usr/sbin/dhcpcd"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.4 dhcprd"
info : "This entry starts the dhcprd daemon on system startup. The dhcprd daemon listens for broadcast packets, receives them, and forwards them to the appropriate server.
Rationale:
The dhcprd daemon is the DHCP relay daemon that forwards the DHCP and BOOTP packets in the network. You must disable this service if DHCP is not enabled in the network."
solution : "On AIX 7.1 and earlier comment out the dhcprd entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d dhcprd
stopsrc -s dhcprd
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.dhcpd
Default Value:
Commented out"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/dhcprd"
expect : "^[\\s]*start[\\s]+/usr/sbin/dhcprd"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.5 dhcpsd"
info : "This entry starts the dhcpsd daemon on system startup. The dhcpsd daemon is the DHCP server that serves addresses and configuration information to DHCP clients in the network.
Rationale:
The dhcpsd daemon is the DHCP server that serves addresses and configuration information to DHCP clients in the network. You must disable this service if the server is not a DHCP server."
solution : "On AIX 7.1 and earlier comment out the dhcpsd entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d dhcpsd
stopsrc -s dhcpsd
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.dhcpd
Default Value:
Commented out"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/dhcpsd"
expect : "^[\\s]*start[\\s]+/usr/sbin/dhcpsd"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.6 dpid2"
info : "This entry starts the dpid2 daemon on system startup. The dpid2 daemon acts as a protocol converter, which enables DPI (SNMP v2) sub-agents, such as hostmibd, to talk to a SNMP v1 agent that follows SNMP MUX protocol.
Rationale:
The dpid2 daemon acts as a protocol converter, which enables DPI sub-agents, such as hostmibd, to talk to a SNMP v1 agent that follows SNMP MUX protocol. Unless the server hosts an SNMP agent, it is recommended that dpid2 is disabled."
solution : "On AIX 7.1 and earlier comment out the dpid2 entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d dpid2
stopsrc -s dpid2
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.snmpd
Default Value:
Commented out"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/dpid2"
expect : "^[\\s]*start[\\s]+/usr/sbin/dpid2"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.7 gated"
info : "This entry starts the gated daemon on system startup. This daemon provides gateway routing functions for protocols such as RIP OSPF and BGP.
Rationale:
The gated daemon provides gateway routing functions for protocols such as RIP, OSPF and BGP. The recommendation is that this daemon is disabled unless the server is acting as a network router, e.g., to support VIPA."
solution : "Choose one of the following:
On AIX 7.1 and earlier comment out the gated entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d gated
stopsrc -s gated
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.gated
Default Value:
Commented out"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/gated"
expect : "^[\\s]*start[\\s]+/usr/sbin/gated"
system : "AIX"
type : CMD_EXEC
description : "4.1.2.8 hostmibd"
info : "This entry starts the hostmibd daemon on system startup. This is a dpi2 sub-agent that may be required if the server runs SNMP.
Rationale:
The hostmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. If snmpd is not required, it is recommended that it is disabled.
The specific MIB variables which are managed by hostmibd are defined by RFC 2790. Details relating to these MIBS can be found in: https://www.ibm.com/docs/en/aix/7.1?topic=h-hostmibd-daemon"
solution : "On AIX 7.1 and earlier comment out the hostmibd entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d hostmibd
stopsrc -s hostmibd
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.snmpd
Default Value:
Enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -g tcpip | /usr/bin/grep hostmibd | /usr/bin/grep active | /usr/bin/wc -l"
expect : "0"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.10 named"
info : "This entry starts the named daemon on system startup. This is the server for the DNS protocol and controls domain name resolution for its clients.
Rationale:
The named daemon is the server for the DNS protocol and controls domain name resolution for its clients. It is recommended that this daemon is disabled, unless the server is functioning as a DNS server. This entry starts the named daemon at system startup. This is the server for the DNS protocol and controls domain name resolution for its clients."
solution : "On AIX 7.1 and earlier comment out the named entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d named
stopsrc -s named
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.bind
Default Value:
disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/named"
expect : "^[\\s]*start[\\s]+/usr/sbin/named"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.11 portmap"
info : "If all RPC services are disabled, disable the portmap daemon itself.
The portmap daemon is required for the RPC service. It converts the RPC program numbers into Internet port numbers. The daemon may be disabled if the server is not:
An NFS server
A NIS (YP) or NIS+ server
Running the CDE GUI
Running a third-party software application that relies on RPC support
Rationale:
If no RPC services are required then there is no need to start the portmap daemon at boot time.
A start of portmap can be done either manually, or scripted, should RPC port-mapping support be needed post-IPL."
solution : "Review any active RPC services:
rpcinfo -p localhost
Run the program above (in Audit) with the argument fix
Check the exit status (it should be 0).
Default Value:
Enabled
Additional Information:
Reversion:
Restore the portmap startup in /etc/rc.tcpip:
chrctcp -a portmap
startsrc -s portmap"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/portmap"
expect : "^[\\s]*start[\\s]+/usr/sbin/portmap"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.12 routed"
info : "This entry starts the routed daemon on system startup. The routed daemon manages the network routing tables in the kernel.
Rationale:
The routed daemon manages the network routing tables in the kernel. This daemon should not be used as it only supports RIP1. If the AIX server must communicate with routers use gated instead.
Impact:
Like mrouted this daemon is part of bos.net.tcp.server_core (AIX 7.2 and later) so it cannot be removed from the system.
Unlike mrouted, this daemon should not be used. Should the AIX server need to communicate directly with routers (i.e., there is no default route but routes are managed by software), gated should be used instead."
solution : "In /etc/rc.tcpip, comment out the routed entry:
chrctcp -d routed
stopsrc -s routed
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/routed"
expect : "^[\\s]*start[\\s]+/usr/sbin/routed"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.13 rwhod"
info : "This entry starts the rwhod daemon on system startup. This is the remote WHO service.
Rationale:
The rwhod daemon is the remote WHO service, which collects and broadcasts status information to peer servers on the same network. It is recommended that this daemon is disabled, unless it is required."
solution : "On AIX 7.1 and earlier comment out the rwhod entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d rwhod
stopsrc -s rwhod
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.rcmd_server
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/rwhod"
expect : "^[\\s]*start[\\s]+/usr/sbin/rwhod"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.14 sendmail"
info : "This entry starts the sendmail daemon on system startup. This means that the system can operate as a mail server.
Rationale:
sendmail is a service with many historical vulnerabilities and where possible should be disabled. If the system is not required to operate as a mail server i.e. sending, receiving or processing e-mail, comment out the sendmail entry."
solution : "On AIX 7.1 and earlier comment out the sendmail entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d sendmail
stopsrc -s sendmail
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.sendmail
Default Value:
Enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/lib/sendmail"
expect : "^[\\s]*start[\\s]+/usr/lib/sendmail"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.15 snmpd"
info : "This entry starts the snmpd daemon on system startup. This allows remote monitoring of network and server configuration.
Rationale:
The snmpd daemon is used by many 3rd party applications to monitor the health of the system. If snmpd is not required, it is recommended that it is disabled."
solution : "On AIX 7.1 and earlier comment out the snmpd entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d snmpd
stopsrc -s snmpd
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.snmpd
Default Value:
Uncommented"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/snmpd"
expect : "^[\\s]*start[\\s]+/usr/sbin/snmpd"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.2.16 snmpmibd"
info : "This entry starts the snmpmibd daemon on system startup. This is a dpi2 sub-agent that may be required if the server runs SNMP.
Rationale:
The snmpmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. If snmpd is not required, it is recommended that it is disabled.
The specific MIB variables which are managed by snmpmibd are defined by numerous RFCs. Further details relating to these MIBS can be found in the URL below:
https://www.ibm.com/docs/en/aix/7.1?topic=s-snmpmibd-daemon"
solution : "On AIX 7.1 and earlier comment out the snmpmibd entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d snmpmibd
stopsrc -s snmpmibd
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.snmpd
Default Value:
Enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/snmpmibd"
expect : "^[\\s]*start[\\s]+/usr/sbin/snmpmibd"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.1.2.17 timed"
info : "This entry starts the timed daemon on system startup. This is the old and obsolete UNIX time service.
Rationale:
The timed daemon is the old UNIX time service. Disable this service.
If time synchronization is required in your environment use xntp."
solution : "On AIX 7.1 and earlier comment out the timed entry in /etc/rc.tcpip and ensure service is stopped:
chrctcp -d timed
stopsrc -s timed
On AIX 7.2 and later remove the software:
installp -u bos.net.tcp.timed
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[#]+start[\\s]+\/usr\/sbin\/timed[\\s]*\"\\$src_running\"[\\s]*$"
expect : "^[#]+start[\\s]+\/usr\/sbin\/timed[\\s]*\"\\$src_running\"[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.3.1 autoconf6"
info : "This entry starts autoconf6 on system startup. This is to automatically configure IPv6 interfaces at boot time.
Rationale:
autoconf6 is used to automatically configure IPv6 interfaces at boot time. Running this service may allow other hosts on the same physical subnet to connect via IPv6, even when the network does not support it. You must disable this unless you utilize IPv6 on the server."
solution : "In /etc/rc.tcpip, comment out the autoconf6 entry:
chrctcp -d autoconf6
Default Value:
Commented out"
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|9.2,CSCv8|4.2,CSCv8|4.8,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,LEVEL|2A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/autoconf6"
expect : "^[\\s]*start[\\s]+/usr/sbin/autoconf6"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.3.2 ndpd-host"
info : "This entry starts ndpd-host on system startup. This is the Neighbor Discovery Protocol (NDP) daemon.
The ndpd-host command handles the default route, which includes the default router, the default interface, and the default interface address. However, the ndpd-host command does not overwrite the static default routes that are set on the host. When the daemon is stopped, the daemon cleans up the prefix addresses and the routes that are created during its lifetime.
Rationale:
The ndpd-host performs the client function of the NDP protocol.
Unless the server utilizes (dynamic) IPv6 this utility is not required and should be disabled.
IPv6 static configuration is not affected by ndpd-host.
Impact:
When IPv6 is active and NDP is used to get a non-link-local IPv6 address (link-local addresses begin with fe80::) it is also likely that the MTU size of the interface will change from 1500 to 1492. Additionally, it may add a default route to the IPv6 router it received its address from. For example:
BEFORE NDP
netstat -ni
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
...
en0 1500 192.168.129 192.168.129.71 105156791 0 49249083 1 0
en0 1500 fe80::dead:beef:fef7:6204 105156791 0 49249083 1 0
netstat -rn
Routing tables
Destination Gateway Flags Refs Use If Exp Groups
Route tree for Protocol Family 2 (Internet):
default 192.168.129.1 UG 23 35660110 en0 - -
127/8 127.0.0.1 U 2 22988 lo0 - -
192.168.129.0 192.168.129.71 UHSb 0 0 en0 - - =>
192.168.129/24 192.168.129.71 U 12 13578475 en0 - -
192.168.129.71 127.0.0.1 UGHS 0 21471 lo0 - -
192.168.129.255 192.168.129.71 UHSb 0 0 en0 - -
Route tree for Protocol Family 24 (Internet v6):
default link#2 UC 0 0 en0 - -
::1%1 ::1%1 UH 0 19154 lo0 - -
...
After NDP
netstat -ni
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
...
en0 1492 192.168.129 192.168.129.71 105190883 0 49267729 1 0
en0 1492 BEEF:980:a9ea:1:deed:beef:fef7:6204 105190883 0 49267729 1 0
en0 1492 fe80::deed:beef:fef7:6204 105190883 0 49267729 1 0
netstat -nr
Routing tables
Destination Gateway Flags Refs Use If Exp Groups
Route tree for Protocol Family 2 (Internet):
default 192.168.129.1 UG 17 35724295 en0 - -
127/8 127.0.0.1 U 2 23044 lo0 - -
192.168.129.0 192.168.129.71 UHSb 0 0 en0 - - =>
192.168.129/24 192.168.129.71 U 14 13622746 en0 - -
192.168.129.71 127.0.0.1 UGHS 0 21576 lo0 - -
192.168.129.255 192.168.129.71 UHSb 0 0 en0 - -
Route tree for Protocol Family 24 (Internet v6):
default fe80::dead:beef:fefa:4bfe UG 0 0 en0 - -
::1%1 ::1%1 UH 0 19198 lo0 - -
Note: the IPv6 destination address is the link-local (fe80::) address of the IPv6 router."
solution : "In /etc/rc.tcpip, comment out the ndpd-host entry:
chrctcp -d ndpd-host
Default Value:
Commented out"
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|9.2,CSCv8|4.2,CSCv8|4.8,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,LEVEL|2A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/ndpd-host"
expect : "^[\\s]*start[\\s]+/usr/sbin/ndpd-host"
system : "AIX"
type : FILE_CONTENT_CHECK_NOT
description : "4.1.3.3 ndpd-router"
info : "This entry starts ndpd-router on system startup. This manages the Neighbor Discovery Protocol (NDP) for non kernel activities.
It receives Router Solicitations and sends Router Advertisements. It can also exchange routing information using the RIPng protocol.
Rationale:
The ndpd-router manages NDP for non-kernel activities. Unless the server utilizes IPv6, this is not required and should be disabled.
Impact:
This service is not needed unless the AIX host is actively exchanging routing information with IPv6 routers.
See: manpage AIX 7.1 ndpd-router Daemon"
solution : "In /etc/rc.tcpip, comment out the ndpd-router entry:
chrctcp -d ndpd-router
Default Value:
Disabled"
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|9.2,CSCv8|4.2,CSCv8|4.8,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,LEVEL|2A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/ndpd-router"
expect : "^[\\s]*start[\\s]+/usr/sbin/ndpd-router"
system : "AIX"
type : CMD_EXEC
description : "4.1.4.1 NFS - de-install NFS client"
info : "De-install NFS client if the server does not remotely mount NFS shares.
Rationale:
NFS is frequently exploited to gain unauthorized access to files and directories. Unless the server needs to act as an NFS server or client, the filesets should be de-installed."
solution : "Ensure that there are no current NFS client mounts:
mount |grep 'nfs'
cat /etc/filesystems |grep 'nfs'
The above commands should yield no output.
De-install the NFS client software:
installp -u bos.net.nfs.client
Default Value:
N/A
Additional Information:
Reversion:
Re-install the software from the product DVDs"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lslpp -L | /usr/bin/grep bos.net.nfs.client | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none$"
system : "AIX"
type : CMD_EXEC
description : "4.1.4.6 NFS - no_root_squash option"
info : "For each NFS export, ensure that the anon aka root_squash option is set to -2 or -1.
Rationale:
Each NFS export on the server should have the anon=-2 option set. With this (default) value root (euid==0) is seen as the account nobody. When anon=0 the remote root user has root access on the NFS mount.
By ensuring the export option anon=-2 when a client process with euid==0 attempts to access (read, write, or delete) the NFS mount the server substitutes the UID to the server's nobody account. This means that the root user on the client cannot access or change files that only root on the server can access or change.
Many NFS servers call this root_squash. On AIX it is called anon. To be consistent with other benchmark terminology, CIS recommends that root_squash is set on all exported filesystems.
On AIX the default value of any exported filesystem or directory for anon is -2. Thus, when anon is not set its effective value is -2. Any other value has to be explicitly set.
As a more secure option you can set the option to anon=-1. This setting is accepted because it disables anonymous access. By default, secure NFS accepts non-secure requests as anonymous.
NOTE: The root user on the client can still use su to become any other user (change the euid) and access and change that users files, assuming that the same user exists on the NFS server and owns files and/or directories in the NFS export."
solution : "To change this value for all failing NFS exported filesystems:
lsnfsexp | grep -v 'anon=-1' | grep anon= | while read fs rest; do
chnfsexp -d ${fs} -a -2
done
The command chnfsexp re-exports the file or directory with the new settings active.
Default Value:
(blank), which is treated as -2 (nobody), effectively setting root_squash by default."
reference : "800-171|3.1.5,800-53|AC-6,800-53r5|AC-6,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSF|PR.AC-4,CSF|PR.DS-5,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-6,LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsnfsexp -l | /usr/bin/egrep -v \"anon=-1\" | /usr/bin/grep \"anon=\" | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.1 bootps"
info : "This entry starts the command /usr/sbin/bootpd when required. This service is used to provide boot partition data for a network boot. It uses the same UDP port as DHCP server dhcpsd.
The recommendation is to disable this service UNLESS you are operating a NIM server. When using NIM, bootps as a service is accepted, but the preference would be to configure a DHCP server with the equivalent information.
Rationale:
The bootpd command implements an Internet Boot Protocol server."
solution : "In /etc/inetd.conf, comment out the bootps entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'daytime' -p udp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep bootps | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.2 chargen"
info : "This entry starts the chargen service when required. This service is used to test the integrity of TCP/IP packets arriving at the destination.
Rationale:
This chargen service is a character generator service and is used for testing the integrity of TCP/IP packets arriving at the destination. An attacker may spoof packets between machines running the chargen service and thus provide an opportunity for DoS attacks. You must disable this service unless you are testing your network."
solution : "In /etc/inetd.conf, comment out the chargen entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'chargen' -p udp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep chargen | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.3 comsat"
info : "This entry starts the comsat service.
The comsat daemon receives messages on a datagram port associated with the biff service specification.
The recommendation is to leave this service disabled.
Rationale:
The comsat daemon is the server that receives reports of incoming mail and notifies users if they have enabled this service with the biff command. Started by the inetd daemon, the comsat daemon is not meant to be used at the command line."
solution : "In /etc/inetd.conf, comment out the comsat entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'comsat' -p udp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep comsat | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.4 daytime"
info : "The service should be disabled as it can leave the system vulnerable to DoS ping attacks.
This entry starts the daytime service when required. This provides the current date and time to other servers on a network.
Rationale:
This daytime service is a defunct time service, typically used for testing purposes only."
solution : "In /etc/inetd.conf, comment out the daytime entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'daytime' -p tcp
chsubserver -r inetd -C /etc/inetd.conf -d -v 'daytime' -p udp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep daytime | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.5 discard"
info : "This entry starts the discard service when required. This service is used as a debugging tool by setting up a listening socket which ignores the data it receives.
Rationale:
The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it receives. This is a /dev/null service and is obsolete. This can be used in DoS attacks and therefore, must be disabled."
solution : "In /etc/inetd.conf, comment out the discard entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'discard' -p udp
lssrc -s inetd && refresh -s inetd
Default Value:
Commented out"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep discard | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.6 echo"
info : "This entry starts the echo service when required. This service sends back data received by it on a specified port.
Rationale:
The echo service sends back data received by it on a specified port. This can be misused by an attacker to launch DoS attacks or Smurf attacks by initiating a data storm and causing network congestion. The service is used for testing purposes and therefore must be disabled if not required."
solution : "In /etc/inetd.conf, comment out the echo entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'echo' -p tcp
chsubserver -r inetd -C /etc/inetd.conf -d -v 'echo' -p udp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep echo | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.7 exec"
info : "The recommendation is that rexecd is disabled. This service can be performed securely using OpenSSH.
This entry starts the rexecd daemon when required. This daemon executes a command from a remote system once the connection has been authenticated.
Rationale:
The exec service is used to execute a command sent from a remote server. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the rexecd daemon will be disabled. This function, if required, should be facilitated through SSH."
solution : "In /etc/inetd.conf, comment out the exec entry:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'exec' -p 'tcp6'
refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep exec | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.8 finger"
info : "This entry starts the fingerd daemon.
Rationale:
The fingerd daemon provides the server function for the finger command. This allows users to view real-time pertinent user login information on other remote systems. This service should be disabled as it may provide an attacker with a valid user list to target."
solution : "In /etc/inetd.conf, comment out the finger entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'finger' -p tcp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep finger | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.9 ftp"
info : "This entry starts the ftpd daemon when required. This service is used for transferring files from/to a remote machine.
The recommendation is that ftp is disabled and sftp is used as a replacement file and directory copying mechanism.
Rationale:
This ftp service is used to transfer files from or to a remote machine. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the ftpd daemon should be disabled."
solution : "In /etc/inetd.conf, comment out the ftp entry:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'ftp' -p 'tcp6'
refresh -s inetd
Default Value:
Uncommented"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep ftp | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.10 imap2"
info : "This entry starts the imap2 service when required.
Rationale:
The imap2 service, or Internet Message Access Protocol (IMAP), supports the IMAP4 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not required."
solution : "In /etc/inetd.conf, comment out the imap2 entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'imap2' -p tcp
lssrc -s inetd && refresh -s inetd
Default Value:
Commented out"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep imap2 | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.11 instsrv"
info : "This entry starts the instsrv service when required. This service should be disabled.
Rationale:
The instsrv service is part of the Network Installation Tools, used for servicing servers running AIX 3.2."
solution : "In /etc/inetd.conf, comment out the instsrv entry:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'instsrv' -p 'tcp'
refresh -s inetd
Default Value:
Commented out"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep instsrv | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.12 klogin"
info : "This entry starts the klogin service when required. This is a kerberized login service, which provides a higher degree of security over traditional rlogin and telnet.
Rationale:
The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the network. However, it is still not as secure as SSH, which encrypts all traffic. If you use klogin to log in to a system, the password is not sent in clear text; however, if you su to another user, that password exchange is open to detection from network-sniffing programs. The recommendation is to utilize SSH wherever possible instead of klogin.
If the klogin service is used, you must use the latest kerberos version available and make sure that all the latest patches are installed."
solution : "In /etc/inetd.conf, comment out the klogin entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'klogin' -p tcp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep klogin | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.13 kshell"
info : "This entry starts the kshell service when required. This is a kerberized remote shell service, which provides a higher degree of security over traditional rsh.
Rationale:
The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted communications. The recommendation is to utilize SSH wherever possible instead of kshell.
If the kshell service is used, you should use the latest kerberos version available and must make sure that all the latest patches are installed."
solution : "In /etc/inetd.conf, comment out the kshell entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'kshell' -p tcp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep kshell | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.14 login"
info : "This entry starts the rlogin daemon when required. This service authenticates remote user logins.
Rationale:
This login service is used to authenticate a remote user connection when logging in via the rlogin command. The username and password are passed over the network in clear text and therefore insecurely. Unless required, the rlogin daemon will be disabled. This function, if required, should be facilitated through SSH."
solution : "In /etc/inetd.conf, comment out the rlogin entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rlogin' -p tcp6
lssrc -s inetd && refresh -s inetd
Default Value:
Uncommented"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep rlogin | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.15 netstat"
info : "This entry executes the command netstat -f inet. This service displays active IP connections on a server.
The recommendation is to leave this disabled.
Rationale:
The netstat command symbolically displays the contents of various network-related data structures for active connections.
This interface requests a report of statistics or address control blocks for those items specified by the inet aka AF_INET (ipv4) address family."
solution : "In /etc/inetd.conf, comment out the netstat entry:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'netstat' -p 'tcp'
refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep netstat | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.16 ntalk"
info : "This entry starts the talkd daemon when required. This service establishes a two-way communication link between two users, either locally or remotely.
Rationale:
This ntalk service is used to establish an interactive two-way communication link between two UNIX users. It is unlikely that there would be a requirement to run this type of service on a UNIX system. Unless required the ntalk service will be disabled."
solution : "In /etc/inetd.conf, comment out the ntalk entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'ntalk' -p udp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep ntalk | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.17 pcnfsd"
info : "This entry starts the pcnfsd daemon when required. This service is an authentication and printing program, which uses NFS to provide file transfer services.
Rationale:
The pcnfsd service is an authentication and printing program, which uses NFS to provide file transfer services. This service is vulnerable and exploitable and permits the machine to be compromised both locally and remotely. If PC NFS clients are required within the environment, Samba is recommended as an alternative software solution. The pcnfsd daemon predates Microsoft's release of SMB specifications. This service should therefore be disabled."
solution : "In /etc/inetd.conf, comment out the pcnfsd entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'pcnfsd' -p udp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep pcnfsd | wc -l"
expect : "0"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.1.5.18 pop3"
info : "This entry starts the pop3 service when required.
Rationale:
The pop3 service provides a pop3 server. It supports the pop3 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not required."
solution : "In /etc/inetd.conf, comment out the pop3 entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'pop3' -p tcp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/inetd.conf"
regex : "^[#]+pop3[\\s]+stream[\\s]+tcp[\\s]+nowait[\\s]+root[\\s]+\/usr\/sbin\/pop3d[\\s]+pop3d[\\s]*$"
expect : "^[#]+pop3[\\s]+stream[\\s]+tcp[\\s]+nowait[\\s]+root[\\s]+\/usr\/sbin\/pop3d[\\s]+pop3d[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.19 rexd"
info : "This entry starts the rexd service when required.
This service should be disabled if it is not required.
Rationale:
The rexd daemon executes programs for remote machines when a client issues a request to execute a program on a remote machine. The inetd daemon starts the rexd daemon from the /etc/inetd.conf file.
Non-interactive programs use standard file descriptors connected directly to TCP connections. Interactive programs use pseudo-terminals, similar to the login sessions provided by the rlogin command. The rexd daemon can use the network file system (NFS) to mount the file systems specified in the remote execution request. Diagnostic messages are normally printed on the console and returned to the requester."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rexd' -p 'tcp'
refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]rexd\" | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.20 rquotad"
info : "This entry starts the rquotad service when required. This allows NFS clients to enforce disk quotas on locally mounted filesystems.
Rationale:
The rquotad service allows NFS clients to enforce disk quotas on file systems that are mounted on the local system. This service should be disabled if it is not required."
solution : "Use chsubserver to disable this service in /etc/inetd.conf and if running, refresh inetd:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rquotad' -p 'udp'
refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]rquotad\" | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.21 rstatd"
info : "This entry starts the rstatd daemon. This service is used to provide kernel statistics and other monitorable parameters such as CPU usage, system uptime, network usage etc.
This service should be disabled if not explicitly required by performance monitoring software to collect statistics.
Rationale:
The rstatd service is used to provide kernel statistics and other monitorable parameters pertinent to the system such as: CPU usage, system uptime, network usage etc.
An attacker may use this information in a DoS attack."
solution : "In /etc/inetd.conf, comment out the rstatd entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rstatd' -p udp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep rstatd | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.22 rusersd"
info : "This entry starts the rusersd daemon when required. This service provides a list of current users active on a system.
Rationale:
The rusersd service runs as root and provides a list of current users active on a system. An attacker may use this service to learn valid account names on the system. This is not an essential service and should be disabled."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rusersd' -p 'udp'
refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]rusersd\" | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.23 rwalld"
info : "This entry starts the rwalld daemon when required. This service allows remote users to broadcast system wide messages.
Rationale:
The rwalld service allows remote users to broadcast system wide messages. The service runs as root and should be disabled unless absolutely necessary."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rwalld' -p 'udp'
refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]rwalld\" | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.24 shell"
info : "This entry starts the rshd daemon when required. This daemon executes a command from a remote system.
Rationale:
This shell service is used to execute a command from a remote server. The username and password are passed over the network in clear text and therefore insecurely. Unless required, the rshd daemon will be disabled. This function, if required, should be facilitated through SSH."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'shell' -p 'tcp6'
refresh -s inetd
Default Value:
Enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]shell\" | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.25 sprayd"
info : "This entry starts the sprayd daemon when required. This service is used as a tool to generate UDP packets for testing and diagnosing network problems.
Rationale:
The sprayd service is used as a tool to generate UDP packets for testing and diagnosing network problems.
The service must be disabled if not explicitly required for network performance testing purposes as it can be used as a (Distributed) Denial of Service ((D)DoS) attack."
solution : "In /etc/inetd.conf, comment out the sprayd entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'sprayd' -p udp
lssrc -s inetd && refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep sprayd | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.26 xmquery"
info : "This entry starts the xmquery daemon when required.
Rationale:
This xmquery service provides near real-time network-based data monitoring and local recording from a given node."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'xmquery' -p 'udp'
refresh -s inetd
Default Value:
Enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]xmquery\" | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.27 talk"
info : "This entry starts the talkd daemon when required. This service establishes a two-way communication link between two users, either locally or remotely.
Rationale:
This talk service is used to establish an interactive two-way communication link between two UNIX users. It is unlikely that there would be a requirement to run this type of service on a UNIX system. Unless required, the talk service will be disabled."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'talk' -p 'udp'
refresh -s inetd
Default Value:
Enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]talk\" | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.28 telnet"
info : "The recommendation is that telnet is disabled and OpenSSH is used as a replacement mechanism.
This entry starts the telnetd daemon when required. This provides a protocol for command line access from a remote machine.
Rationale:
The telnet protocol passes the username and password over the network in clear text and therefore insecurely.
This telnet service is used to service remote user connections. Historically, telnet was the most commonly used remote access method for UNIX servers. This has been replaced by OpenSSH (or no remote CLI access).
Unless required the telnetd daemon should be disabled.
Impact:
When OpenSSH is not available other steps should be examined, e.g., a bastion hosted environment where OpenSSH is used to get to the bastion host and then telnet from bastion to telnet-only server."
solution : "In /etc/inetd.conf, comment out the telnet entry:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'telnet' -p 'tcp6'
refresh -s inetd
Default Value:
Enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep telnet | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.29 tftp"
info : "This entry starts the tftp service when required.
Rationale:
The tftp service allows remote systems to download or upload files to the tftp server without any authentication. It is therefore a service that should not run, unless needed. One of the main reasons for requiring this service to be activated is if the host is a NIM master. However, the service can be enabled and then disabled once a NIM operation has completed, rather than left running permanently."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'tftp' -p 'udp6'
refresh -s inetd
Default Value:
Disabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]tftp\" | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "4.1.5.30 time"
info : "This entry starts the time service when required. This service can be used to synchronize system clocks.
Rationale:
The time service is an obsolete process used to synchronize system clocks at boot time. This has been superseded by NTP, which should be used if time synchronization is necessary. Unless required, the time service will be disabled."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'time' -p 'tcp'
chsubserver -r inetd -C /etc/inetd.conf -d -v 'time' -p 'udp'
refresh -s inetd
Default Value:
Enabled"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]time\" | wc -l"
expect : "0"
system : "AIX"
type : CMD_EXEC
description : "5.3.9 uucp"
info : "This change locks and disables login access for the uucp user account.
Rationale:
This change disables direct local and remote login to the uucp user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the uucp user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to uucp user:
chuser account_locked=true login=false rlogin=false uucp
Default Value:
account_locked=false login=true rlogin=true"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin uucp"
expect : "^[\\s]*uucp[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.1.4.3 NFS - enable both nosuid and nodev options on NFS client mounts - nosuid"
info : "Disable suid/sgid program execution and/or access to system devices via permissions set on any mounted NFS filesystem.
Rationale:
Setting the nosuid and nodev options means that files on the NFS server cannot be used to gain privileged access on the client.
This hampers a malicious user from creating an attack vector on the server, then logging onto an NFS client as a standard user and using the suid/sgid program to effectively become another user (especially root) on that client.
The nodev option blocks malicious/accidental (raw) access to system devices (e.g., /dev/kmem, /dev/rhdisk0). Access to devices is not exclusive to the /dev directory. Devices are accessed through so-called special files, which are defined by major and minor device ids."
solution : "For each NFS mount, disable suid programs and device access. List the current NFS mounts:
lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nosuid' | while read remote local host rest; do
chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
done
lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nodev' | while read remote local host rest; do
chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
done
NOTE: The NFS mount is re-mounted automatically by chnfsmnt.
NOTE: The second loop might not do anything, as both loops set both nosuid (-y) and nodev (-z).
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsnfsmnt -l | /usr/bin/egrep -v \"^Name\" | /usr/bin/grep -v \"nosuid\" | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.1.4.3 NFS - enable both nosuid and nodev options on NFS client mounts - nodev"
info : "Disable suid/sgid program execution and/or access to system devices via permissions set on any mounted NFS filesystem.
Rationale:
Setting the nosuid and nodev options means that files on the NFS server cannot be used to gain privileged access on the client.
This hampers a malicious user from creating an attack vector on the server, then logging onto an NFS client as a standard user and using the suid/sgid program to effectively become another user (especially root) on that client.
The nodev option blocks malicious/accidental (raw) access to system devices (e.g., /dev/kmem, /dev/rhdisk0). Access to devices is not exclusive to the /dev directory. Devices are accessed through so-called special files, which are defined by major and minor device ids."
solution : "For each NFS mount, disable suid programs and device access. List the current NFS mounts:
lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nosuid' | while read remote local host rest; do
chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
done
lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nodev' | while read remote local host rest; do
chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
done
NOTE: The NFS mount is re-mounted automatically by chnfsmnt.
NOTE: The second loop might not do anything, as both loops set both nosuid (-y) and nodev (-z).
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsnfsmnt -l | /usr/bin/egrep -v \"^Name\" | /usr/bin/grep -v \"nodev\" | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : CMD_EXEC
description : "4.1.4.4 NFS - localhost removal - localhost removal"
info : "Remove any reference to localhost or localhost aliases from /etc/exports.
Rationale:
If the RPC portmapper has proxy forwarding enabled, which is a default setting in many vendor versions, you must not export your local filesystems back to the localhost, either by name or to the alias localhost, and you must not export to any netgroups of which your host is a member. If proxy forwarding is enabled, an attacker may carefully craft NFS packets and send them to the portmapper, which in turn forwards them to the NFS server. As the packets come from the portmapper process, which runs as root, they appear to be coming from a trusted system. This configuration may allow anyone to alter and delete files at will.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Remove any reference to localhost or localhost aliases in /etc/exports: Review the content of /etc/exports and check for localhost or localhost aliases:
cat /etc/exports
NOTE: If instances of localhost or localhost aliases are found, edit the file and remove them. Create a copy of /etc/exports:
cp -p /etc/exports /etc/exports.pre_cis
Edit the file:
vi /etc/exports
Edit the relevant NFS exports to remove the localhost access, for example:
/nfsexport sec=sys,rw,access=localhost:testserver
If /etc/exports was updated because localhost references were removed, update the current NFS export options:
exportfs -a
Default Value:
N/A"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/cat /etc/exports"
expect : "MANUAL_REVIEW"
severity : MEDIUM
system : "AIX"
type : CMD_EXEC
description : "4.2.2 bcastping"
info : "The bcastping parameter determines whether the system responds to ICMP echo packets sent to the broadcast address.
Rationale:
The bcastping parameter will be set to 0. This means that the system will not respond to ICMP packets sent to the broadcast address. By default, when this is enabled the system is susceptible to smurf attacks, where a hacker uses this behaviour to send a small number of ICMP echo packets. These packets can generate huge numbers of ICMP echo replies and seriously affect the performance of the targeted host and network. This parameter will be disabled to ensure protection from this type of attack."
solution : "In /etc/tunables/nextboot, add the bcastping entry:
no -p -o bcastping=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"bcastping\""
expect : "^[\\s]*bcastping[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.1 clean_partial_conns"
info : "The clean_partial_conns parameter determines whether or not the system is open to SYN attacks. This parameter, when enabled, clears down connections in the SYN RECEIVED state after a set period of time. This attempts to stop DoS attacks in which a hacker floods a system with packets that have the SYN flag set.
Rationale:
The clean_partial_conns parameter will be set to 1, to clear down pending SYN received connections after a set period of time."
solution : "In /etc/tunables/nextboot, add the clean_partial_conns entry:
no -p -o clean_partial_conns=1
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
0"
reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"clean_partial_conns\""
expect : "^[\\s]*clean_partial_conns[\\s]*=[\\s]*1[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.3 directed_broadcast"
info : "The directed_broadcast parameter determines whether or not the system allows a directed broadcast to a network gateway.
Rationale:
The directed_broadcast parameter will be set to 0, to prevent directed broadcasts being sent to network gateways. This would prevent a redirected packet from reaching a remote network."
solution : "In /etc/tunables/nextboot, add the directed_broadcast entry:
no -p -o directed_broadcast=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.13.1,800-53|SC-7(9),800-53r5|SC-7(9),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(9),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"directed_broadcast\""
expect : "^[\\s]*directed_broadcast[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.4 icmpaddressmask"
info : "The icmpaddressmask parameter determines whether the system responds to an ICMP address mask ping.
Rationale:
The icmpaddressmask parameter will be set to 0. This means that the system will not respond to ICMP address mask request pings. By default, when this is enabled the system is susceptible to source routing attacks. This is typically a feature performed by a device such as a network router and should not be enabled within the operating system."
solution : "In /etc/tunables/nextboot, add the icmpaddressmask entry:
no -p -o icmpaddressmask=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|SC-7,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"icmpaddressmask\""
expect : "^[\\s]*icmpaddressmask[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.5 ipforwarding"
info : "The ipforwarding parameter determines whether or not the system forwards TCP/IP packets.
Rationale:
The ipforwarding parameter will be set to 0, to ensure that redirected packets do not reach remote networks. This should only be enabled if the system is performing the function of an IP router. This is typically handled by a dedicated network device."
solution : "In /etc/tunables/nextboot, add the ipforwarding entry:
no -p -o ipforwarding=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
0"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"ipforwarding\""
expect : "^[\\s]*ipforwarding[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.6 ipignoreredirects"
info : "The ipignoreredirects parameter determines whether or not the system will process IP redirects.
Rationale:
The ipignoreredirects will be set to 1, to prevent IP re-directs being processed by the system."
solution : "In /etc/tunables/nextboot, add the ipignoreredirects entry:
no -p -o ipignoreredirects=1
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
0"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"ipignoreredirects\""
expect : "^[\\s]*ipignoreredirects[\\s]*=[\\s]*1[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.7 ipsendredirects"
info : "The ipsendredirects parameter determines whether or not the system sends ICMP redirect messages to other hosts.
Rationale:
The ipsendredirects parameter will be set to 0, so that the system does not emit ICMP redirects. Only a router has a legitimate reason to tell other hosts to change their next hop; a host that is not routing should not be able to influence the routing decisions of its neighbours."
solution : "In /etc/tunables/nextboot, add the ipsendredirects entry:
no -p -o ipsendredirects=0
This makes the change permanent by adding the entry into/etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"ipsendredirects\""
expect : "^[\\s]*ipsendredirects[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.8 ipsrcrouteforward"
info : "The ipsrcrouteforward parameter determines whether or not the system forwards IPV4 source-routed packets.
Rationale:
The ipsrcrouteforward will be set to 0, to prevent source-routed packets being forwarded by the system. This would prevent a hacker from using source-routed packets to bridge an external facing server to an internal LAN, possibly even through a firewall."
solution : "In /etc/tunables/nextboot, add the ipsrcrouteforward entry:
no -p -o ipsrcrouteforward=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"ipsrcrouteforward\""
expect : "^[\\s]*ipsrcrouteforward[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.9 ipsrcrouterecv"
info : "The ipsrcrouterecv parameter determines whether the system accepts source routed packets.
Rationale:
The ipsrcrouterecv parameter will be set to 0, This means that the system will not accept source routed packets. By default, when this is enabled the system is susceptible to source routing attacks."
solution : "In /etc/tunables/nextboot, add the ipsrcrouterecv entry:
no -p -o ipsrcrouterecv=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"ipsrcrouterecv\""
expect : "^[\\s]*ipsrcrouterecv[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.10 ipsrcroutesend"
info : "The ipsrcroutesend parameter determines whether or not the system can send source-routed packets.
Rationale:
The ipsrcroutesend parameter will be set to 0, to ensure that any local applications cannot send source routed packets."
solution : "In /etc/tunables/nextboot, add the ipsrcroutesend entry:
no -p -o ipsrcroutesend=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"ipsrcroutesend\""
expect : "^[\\s]*ipsrcroutesend[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.11 ip6srcrouteforward"
info : "The ip6srcrouteforward parameter determines whether or not the system forwards IPV6 source-routed packets.
Rationale:
The ip6srcrouteforward parameter will be set to 0, to prevent source-routed packets being forwarded by the system. This would prevent a hacker from using source-routed packets to bridge an external facing server to an internal LAN, possibly even through a firewall."
solution : "In /etc/tunables/nextboot, add the ip6srcrouteforward entry:
no -p -o ip6srcrouteforward=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"ip6srcrouteforward\""
expect : "^[\\s]*ip6srcrouteforward[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.12 nfs_use_reserved_ports - portcheck"
info : "The portcheck parameter makes the NFS server on the local system reject client requests that do not originate from a privileged port (a port number below 1024). The nfs_use_reserved_ports parameter makes the local NFS client send its requests from a privileged port, so that servers enforcing such a check accept them.
Rationale:
The portcheck and nfs_use_reserved_ports parameters will both be set to 1. With these values the local NFS server ignores requests arriving from non-privileged ports, and the local client's requests originate from privileged ports. Note that a privileged source port only shows that the request came from a root-owned process on the sending host; it is not authentication and does not replace restricting exports to known hosts or using stronger NFS security mechanisms."
solution : "In /etc/tunables/nextboot, add the portcheck and nfs_use_reserved_ports entries:
nfso -p -o portcheck=1
nfso -p -o nfs_use_reserved_ports=1
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
0"
reference : "800-171|3.4.2,800-53|CM-6,800-53r5|CM-6,CSF|PR.IP-1,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,LEVEL|1A,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/nfso -a | /usr/bin/grep \"portcheck\""
expect : "^[\\s]*portcheck[\\s]*=[\\s]*1[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.12 nfs_use_reserved_ports - nfs_use_reserved_ports"
info : "The portcheck parameter makes the NFS server on the local system reject client requests that do not originate from a privileged port (a port number below 1024). The nfs_use_reserved_ports parameter makes the local NFS client send its requests from a privileged port, so that servers enforcing such a check accept them.
Rationale:
The portcheck and nfs_use_reserved_ports parameters will both be set to 1. With these values the local NFS server ignores requests arriving from non-privileged ports, and the local client's requests originate from privileged ports. Note that a privileged source port only shows that the request came from a root-owned process on the sending host; it is not authentication and does not replace restricting exports to known hosts or using stronger NFS security mechanisms."
solution : "In /etc/tunables/nextboot, add the portcheck and nfs_use_reserved_ports entries:
nfso -p -o portcheck=1
nfso -p -o nfs_use_reserved_ports=1
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
0"
reference : "800-171|3.4.2,800-53|CM-6,800-53r5|CM-6,CSF|PR.IP-1,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,LEVEL|1A,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/nfso -a | /usr/bin/grep \"nfs_use_reserved_ports\""
expect : "^[\\s]*nfs_use_reserved_ports[\\s]*=[\\s]*1[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.13 nonlocsrcroute"
info : "The nonlocsrcroute parameter determines whether the system allows source routed packets to be addressed to hosts outside of the LAN.
Rationale:
The nonlocsrcroute parameter will be set to 0. This means that the system will not allow source routed packets to be addressed to hosts outside of the LAN. By default, when this is enabled the system is susceptible to source routing attacks."
solution : "In /etc/tunables/nextboot, add the nonlocsrcroute entry:
no -p -o nonlocsrcroute=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"nonlocsrcroute\""
expect : "^[\\s]*nonlocsrcroute[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.14 sockthresh"
info : "The sockthresh parameter value determines what percentage of the total memory allocated to networking, set via thewall, can be used for sockets.
Rationale:
The sockthresh parameter will be set to 60. This means that 60% of network memory can be used to service new socket connections; the remaining 40% is reserved for existing sockets. This preserves a quality of service for established connections when the system is flooded with new connection attempts."
solution : "In /etc/tunables/nextboot, add the sockthresh entry:
no -p -o sockthresh=60
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
N/A"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"sockthresh\""
expect : "^[\\s]*sockthresh[\\s]*=[\\s]*60[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.15 tcp_pmtu_discover"
info : "The tcp_pmtu_discover parameter controls whether TCP MTU discovery is enabled.
Rationale:
The tcp_pmtu_discover parameter will be set to 0. Path MTU discovery avoids packet fragmentation between remote networks by determining the smallest MTU along the route and sending packets no larger than that. The discovered value is adjusted in response to ICMP 'fragmentation needed' messages, which are not authenticated; a remote attacker who forges them can force the system onto an artificially small MTU and degrade TCP throughput. Disabling discovery removes this exposure at the cost of relying on IP fragmentation for paths with a smaller MTU, so verify connectivity across such paths after the change."
solution : "In /etc/tunables/nextboot, add the tcp_pmtu_discover entry:
no -p -o tcp_pmtu_discover=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"tcp_pmtu_discover\""
expect : "^[\\s]*tcp_pmtu_discover[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.16 tcp_tcpsecure"
info : "The tcp_tcpsecure parameter determines whether the system applies additional validation to incoming segments to defend against three spoofing attacks on established TCP connections, in which an off-path attacker forges segments that fall within the receive window. The values are bit flags that are ORed together; to enable all three protections set the value to 1|2|4 (that is, 7).
Fake SYN - This is used to terminate an established connection. A tcp_tcpsecure bit-value of 1 protects the system from this vulnerability.
Fake RST - As above, this is used to terminate an established connection. A tcp_tcpsecure bit-value of 2 protects the system from this vulnerability.
Fake data - A hacker may inject fake data into an established connection. A tcp_tcpsecure bit-value of 4 protects the system from this vulnerability.
Rationale:
The tcp_tcpsecure parameter should be set to 7. This means that the system will be protected from TCP connection reset and data integrity attacks."
solution : "In /etc/tunables/nextboot, add the tcp_tcpsecure entry:
no -p -o tcp_tcpsecure=7
This makes the change permanent by adding the entry into /etc/tunables/nextboot.
Default Value:
tcp_tcpsecure = 0"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -o tcp_tcpsecure"
expect : "^[\\s]*tcp_tcpsecure[\\s]*=[\\s]*7[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.2.17 udp_pmtu_discover"
info : "The udp_pmtu_discover parameter controls whether MTU discovery is enabled.
Rationale:
The udp_pmtu_discover parameter will be set to 0. Path MTU discovery avoids packet fragmentation between remote networks by determining the smallest MTU along the route and sending packets no larger than that. The discovered value is adjusted in response to ICMP 'fragmentation needed' messages, which are not authenticated; a remote attacker who forges them can force the system onto an artificially small MTU and degrade UDP throughput. Disabling discovery removes this exposure at the cost of relying on IP fragmentation for paths with a smaller MTU, so verify connectivity across such paths after the change."
solution : "In /etc/tunables/nextboot, add the udp_pmtu_discover entry:
no -p -o udp_pmtu_discover=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot
Default Value:
1"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/no -a | /usr/bin/grep \"udp_pmtu_discover\""
expect : "^[\\s]*udp_pmtu_discover[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "3.3 Ensure default user umask is 027 or more restrictive"
info : "The user file-creation mode mask (umask) is used to determine the permissions of newly created files and directories. A process requests at most 0777 (rwxrwxrwx) for a new directory and 0666 (rw-rw-rw-) for a new file; with the AIX default umask of 022 these become 0755 (rwxr-xr-x) and 0644 (rw-r--r--). The umask is not simply subtracted, but is processed bitwise: bits set in the umask are cleared in the resulting file mode.
Rationale:
Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
solution : "Add the umask attribute to the default user stanza in /etc/security/user:
chsec -f /etc/security/user -s default -a umask=027
Default Value:
umask=022"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a umask"
expect : "^[\\s]*default[\\s]+umask[\\s]*=[\\s]*0?[0-7][2367]7[\\s]*$"
type : CMD_EXEC
description : "Verify CDE is installed."
cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE"
expect : "^[\\s]*X11\\.Dt\\."
system : "AIX"
type : FILE_CHECK
description : "4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtaction"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys.
Rationale:
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys. It is recommended that the CDE binaries have the suid/sgid removed. If CDE is not required, removing the CDE filesets altogether eliminates this attack surface. Note that dtsession may depend on its setuid bit to validate passwords for the screen lock configured in 4.5.1.7; confirm that the lock still works after the change."
solution : "Remove the suid/sgid from the following CDE binaries:
chmod ug-s /usr/dt/bin/dtaction
chmod ug-s /usr/dt/bin/dtappgather
chmod ug-s /usr/dt/bin/dtprintinfo
chmod ug-s /usr/dt/bin/dtsession
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/usr/dt/bin/dtaction"
mask : "6000"
required : NO
system : "AIX"
type : FILE_CHECK
description : "4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtappgather"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys.
Rationale:
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys. It is recommended that the CDE binaries have the suid/sgid removed. If CDE is not required, removing the CDE filesets altogether eliminates this attack surface. Note that dtsession may depend on its setuid bit to validate passwords for the screen lock configured in 4.5.1.7; confirm that the lock still works after the change."
solution : "Remove the suid/sgid from the following CDE binaries:
chmod ug-s /usr/dt/bin/dtaction
chmod ug-s /usr/dt/bin/dtappgather
chmod ug-s /usr/dt/bin/dtprintinfo
chmod ug-s /usr/dt/bin/dtsession
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/usr/dt/bin/dtappgather"
mask : "6000"
required : NO
system : "AIX"
type : FILE_CHECK
description : "4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtprintinfo"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys.
Rationale:
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys. It is recommended that the CDE binaries have the suid/sgid removed. If CDE is not required, removing the CDE filesets altogether eliminates this attack surface. Note that dtsession may depend on its setuid bit to validate passwords for the screen lock configured in 4.5.1.7; confirm that the lock still works after the change."
solution : "Remove the suid/sgid from the following CDE binaries:
chmod ug-s /usr/dt/bin/dtaction
chmod ug-s /usr/dt/bin/dtappgather
chmod ug-s /usr/dt/bin/dtprintinfo
chmod ug-s /usr/dt/bin/dtsession
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/usr/dt/bin/dtprintinfo"
mask : "6000"
required : NO
system : "AIX"
type : FILE_CHECK
description : "4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtsession"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys.
Rationale:
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys. It is recommended that the CDE binaries have the suid/sgid removed. If CDE is not required, removing the CDE filesets altogether eliminates this attack surface. Note that dtsession may depend on its setuid bit to validate passwords for the screen lock configured in 4.5.1.7; confirm that the lock still works after the change."
solution : "Remove the suid/sgid from the following CDE binaries:
chmod ug-s /usr/dt/bin/dtaction
chmod ug-s /usr/dt/bin/dtappgather
chmod ug-s /usr/dt/bin/dtprintinfo
chmod ug-s /usr/dt/bin/dtsession
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/usr/dt/bin/dtsession"
mask : "6000"
required : NO
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.1.7 CDE - screensaver lock - dtsession*saverTimeout"
info : "The default timeout is 30 minutes of keyboard and mouse inactivity before a password protected screensaver is invoked by the CDE session manager.
Rationale:
The default timeout of 30 minutes prior to a password protected screensaver being invoked is too long. The recommendation is to set this to 10 minutes to protect from unauthorized access on unattended systems."
solution : "Set the default timeout parameters dtsession*saverTimeout: and dtsession*lockTimeout:
for file in /usr/dt/config/*/sys.resources; do
dir=$(dirname "$file" | sed -e 's/usr/etc/')
mkdir -p $dir
echo 'dtsession*saverTimeout: 10' >> $dir/sys.resources
echo 'dtsession*lockTimeout: 10' >> $dir/sys.resources
done
Default Value:
N/A"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/dt/config/*/sys.resources"
regex : "^[\\s]*dtsession[\\*]saverTimeout:"
expect : "^[\\s]*dtsession[\\*]saverTimeout:[\\s]+([1-9]|10)[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.1.7 CDE - screensaver lock - dtsession*lockTimeout"
info : "The default timeout is 30 minutes of keyboard and mouse inactivity before a password protected screensaver is invoked by the CDE session manager.
Rationale:
The default timeout of 30 minutes prior to a password protected screensaver being invoked is too long. The recommendation is to set this to 10 minutes to protect from unauthorized access on unattended systems."
solution : "Set the default timeout parameters dtsession*saverTimeout: and dtsession*lockTimeout:
for file in /usr/dt/config/*/sys.resources; do
dir=$(dirname "$file" | sed -e 's/usr/etc/')
mkdir -p $dir
echo 'dtsession*saverTimeout: 10' >> $dir/sys.resources
echo 'dtsession*lockTimeout: 10' >> $dir/sys.resources
done
Default Value:
N/A"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/dt/config/*/sys.resources"
regex : "^[\\s]*dtsession[\\*]lockTimeout:"
expect : "^[\\s]*dtsession[\\*]lockTimeout:[\\s]+([1-9]|10)[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.1.8 CDE - login screen hostname masking - dtlogin.greeting.labelString"
info : "The Dtlogin*greeting.labelString parameter is the message displayed in the first dialogue box on the CDE login screen. This is where the username is entered.
The Dtlogin*greeting.persLabelString is the message displayed in the second dialogue box on the CDE login screen. This is where the password is entered.
Rationale:
Potential hackers may gain access to valuable information such as the hostname and the version of the operating system from the default AIX login screen. This information would assist hackers in choosing the exploitation methods to break into the system. For security reasons, change the login screen default messages."
solution : "Copy the files from /usr/dt/config/*/Xresources to /etc/dt/config/*/Xresources and add the Dtlogin*greeting.labelString and Dtlogin*greeting.persLabelString parameters to all copied Xresources files:
for file in /usr/dt/config/*/Xresources; do
dir=$(dirname "$file" | sed 's/usr/etc/')
mkdir -p $dir
if [ ! -f $dir/Xresources ]; then
cp $file $dir/Xresources
fi
WARN='Authorized uses only. All activity may be monitored and reported.'
echo "Dtlogin*greeting.labelString: $WARN" >> "$dir/Xresources"
echo "Dtlogin*greeting.persLabelString: $WARN" >> "$dir/Xresources"
done
Default Value:
N/A"
reference : "800-171|3.1.9,800-53|AC-8a.,800-53r5|AC-8a.,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AC-8a.,LEVEL|1A,NESA|M5.2.5,NESA|T5.5.1,NIAv2|AM10a,NIAv2|AM10b,NIAv2|AM10c,NIAv2|AM10d,NIAv2|AM10e,TBA-FIISB|45.2.4"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/dt/config/*/Xresources"
regex : "^[\\s]*Dtlogin[\\*]greeting[\\.]labelString:"
expect : "^[\\s]*Dtlogin[\\*]greeting[\\.]labelString:[\\s]+Authorized[\\s]+uses[\\s]+only[\\.][\\s]+All[\\s]+activity[\\s]+may[\\s]+be[\\s]+monitored[\\s]+and[\\s]+reported[\\.][\\s]*$"
file_required : YES
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.1.8 CDE - login screen hostname masking - dtlogin.greeting.persLabelString"
info : "The Dtlogin*greeting.labelString parameter is the message displayed in the first dialogue box on the CDE login screen. This is where the username is entered.
The Dtlogin*greeting.persLabelString is the message displayed in the second dialogue box on the CDE login screen. This is where the password is entered.
Rationale:
Potential hackers may gain access to valuable information such as the hostname and the version of the operating system from the default AIX login screen. This information would assist hackers in choosing the exploitation methods to break into the system. For security reasons, change the login screen default messages."
solution : "Copy the files from /usr/dt/config/*/Xresources to /etc/dt/config/*/Xresources and add the Dtlogin*greeting.labelString and Dtlogin*greeting.persLabelString parameters to all copied Xresources files:
for file in /usr/dt/config/*/Xresources; do
dir=$(dirname "$file" | sed 's/usr/etc/')
mkdir -p $dir
if [ ! -f $dir/Xresources ]; then
cp $file $dir/Xresources
fi
WARN='Authorized uses only. All activity may be monitored and reported.'
echo "Dtlogin*greeting.labelString: $WARN" >> "$dir/Xresources"
echo "Dtlogin*greeting.persLabelString: $WARN" >> "$dir/Xresources"
done
Default Value:
N/A"
reference : "800-171|3.1.9,800-53|AC-8a.,800-53r5|AC-8a.,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AC-8a.,LEVEL|1A,NESA|M5.2.5,NESA|T5.5.1,NIAv2|AM10a,NIAv2|AM10b,NIAv2|AM10c,NIAv2|AM10d,NIAv2|AM10e,TBA-FIISB|45.2.4"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/dt/config/*/Xresources"
regex : "^[\\s]*Dtlogin[\\*]greeting[\\.]persLabelString:"
expect : "^[\\s]*Dtlogin[\\*]greeting[\\.]persLabelString:[\\s]+Authorized[\\s]+uses[\\s]+only[\\.][\\s]+All[\\s]+activity[\\s]+may[\\s]+be[\\s]+monitored[\\s]+and[\\s]+reported[\\.][\\s]*$"
file_required : YES
system : "AIX"
type : FILE_CHECK
description : "4.5.1.9 CDE - /etc/dt/config/Xconfig permissions and ownership - /etc/dt/config/Xconfig permissions and ownership"
info : "The /etc/dt/config/Xconfig file is used to customize CDE DT login attributes. Ensure this file is owned by root:bin and permissions prevent group and other from writing to the file.
Rationale:
The /etc/dt/config/Xconfig file can be used to customize CDE DT login attributes. The default file, /usr/dt/config/Xconfig, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Check to see if the /etc/dt/config/Xconfig exists:
ls -l /etc/dt/config/Xconfig
Apply the appropriate ownership and permissions to /etc/dt/config/Xconfig:
chown root:bin /etc/dt/config/Xconfig
chmod go-w /etc/dt/config/Xconfig
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/dt/config/Xconfig"
owner : "root"
mask : "133"
group : "bin"
system : "AIX"
type : FILE_CHECK
description : "4.5.1.10 CDE - /etc/dt/config/Xservers permissions and ownership - permissions and ownership"
info : "The /etc/dt/config/Xservers file contains entries to start the Xserver on the local display. Ensure this file is owned by root:bin and that its permissions prevent group and other from writing to it.
Rationale:
The /etc/dt/config/Xservers contains entries to start the Xserver on the local display. The default file, /usr/dt/config/Xservers, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Check to see if the /etc/dt/config/Xservers exists:
ls -l /etc/dt/config/Xservers
If it exists ensure that it is explicitly defined in /etc/dt/config/Xconfig:
vi /etc/dt/config/Xconfig
Replace:
Dtlogin*servers: Xservers
With:
Dtlogin*servers: /etc/dt/config/Xservers
Apply the appropriate ownership and permissions to /etc/dt/config/Xservers:
chown root:bin /etc/dt/config/Xservers
chmod go-w /etc/dt/config/Xservers
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/dt/config/Xservers"
owner : "root"
mask : "133"
required : NO
group : "bin"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.5.1.10 CDE - /etc/dt/config/Xservers permissions and ownership - explicit definition"
info : "The /etc/dt/config/Xservers file contains entries to start the Xserver on the local display. Ensure this file is owned by root:bin and that its permissions prevent group and other from writing to it.
Rationale:
The /etc/dt/config/Xservers contains entries to start the Xserver on the local display. The default file, /usr/dt/config/Xservers, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Check to see if the /etc/dt/config/Xservers exists:
ls -l /etc/dt/config/Xservers
If it exists ensure that it is explicitly defined in /etc/dt/config/Xconfig:
vi /etc/dt/config/Xconfig
Replace:
Dtlogin*servers: Xservers
With:
Dtlogin*servers: /etc/dt/config/Xservers
Apply the appropriate ownership and permissions to /etc/dt/config/Xservers:
chown root:bin /etc/dt/config/Xservers
chmod go-w /etc/dt/config/Xservers
Default Value:
N/A"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/dt/config/Xconfig"
regex : "^[\\s]*Dtlogin[\\.]servers:"
expect : "^[\\s]*Dtlogin[\\.]servers:[\\s]+/etc/dt/config/Xservers[\\s]*$"
file_required : NO
system : "AIX"
type : FILE_CHECK
description : "4.5.1.11 CDE - /etc/dt/config/*/Xresources permissions and ownership - /etc/dt/config/*/Xresources permissions and ownership"
info : "The /etc/dt/config/*/Xresources file contains appearance and behavior resources for the Dtlogin login screen.
Rationale:
The /etc/dt/config/*/Xresources file defines the customization of the Dtlogin screen. The default file, /usr/dt/config/*/Xresources, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Set the appropriate permissions and ownership on all Xresources files:
chown root:sys /etc/dt/config/*/Xresources
chmod u=rw,go=r /etc/dt/config/*/Xresources
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/dt/config/*/Xresources"
owner : "root"
mask : "133"
group : "sys"
description : "4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtaction"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys.
Rationale:
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys. It is recommended that the CDE binaries have the suid/sgid removed."
solution : "Remove the suid/sgid from the following CDE binaries:
chmod ug-s /usr/dt/bin/dtaction
chmod ug-s /usr/dt/bin/dtappgather
chmod ug-s /usr/dt/bin/dtprintinfo
chmod ug-s /usr/dt/bin/dtsession
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtappgather"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys.
Rationale:
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys. It is recommended that the CDE binaries have the suid/sgid removed."
solution : "Remove the suid/sgid from the following CDE binaries:
chmod ug-s /usr/dt/bin/dtaction
chmod ug-s /usr/dt/bin/dtappgather
chmod ug-s /usr/dt/bin/dtprintinfo
chmod ug-s /usr/dt/bin/dtsession
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtprintinfo"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys.
Rationale:
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys. It is recommended that the CDE binaries have the suid/sgid removed."
solution : "Remove the suid/sgid from the following CDE binaries:
chmod ug-s /usr/dt/bin/dtaction
chmod ug-s /usr/dt/bin/dtappgather
chmod ug-s /usr/dt/bin/dtprintinfo
chmod ug-s /usr/dt/bin/dtsession
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtsession"
info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys.
Rationale:
CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid/sgid programs owned by root:bin or root:sys. It is recommended that the CDE binaries have the suid/sgid removed."
solution : "Remove the suid/sgid from the following CDE binaries:
chmod ug-s /usr/dt/bin/dtaction
chmod ug-s /usr/dt/bin/dtappgather
chmod ug-s /usr/dt/bin/dtprintinfo
chmod ug-s /usr/dt/bin/dtsession
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.7 CDE - screensaver lock - dtsession*saverTimeout"
info : "The default timeout is 30 minutes of keyboard and mouse inactivity before a password protected screensaver is invoked by the CDE session manager.
Rationale:
The default 30-minute timeout before a password-protected screensaver is invoked is too long. The recommendation is to set this to 10 minutes to protect unattended systems from unauthorized access."
solution : "Set the default timeout parameters dtsession*saverTimeout: and dtsession*lockTimeout:
for file in /usr/dt/config/*/sys.resources; do
dir='dirname $file | sed -e s/usr/etc/'
mkdir -p $dir
echo 'dtsession*saverTimeout: 10' >> $dir/sys.resources
echo 'dtsession*lockTimeout: 10' >> $dir/sys.resources
done
Default Value:
N/A"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.7 CDE - screensaver lock - dtsession*lockTimeout"
info : "The default timeout is 30 minutes of keyboard and mouse inactivity before a password protected screensaver is invoked by the CDE session manager.
Rationale:
The default 30-minute timeout before a password-protected screensaver is invoked is too long. The recommendation is to set this to 10 minutes to protect unattended systems from unauthorized access."
solution : "Set the default timeout parameters dtsession*saverTimeout: and dtsession*lockTimeout:
for file in /usr/dt/config/*/sys.resources; do
dir='dirname $file | sed -e s/usr/etc/'
mkdir -p $dir
echo 'dtsession*saverTimeout: 10' >> $dir/sys.resources
echo 'dtsession*lockTimeout: 10' >> $dir/sys.resources
done
Default Value:
N/A"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.8 CDE - login screen hostname masking - dtlogin.greeting.labelString"
info : "The Dtlogin*greeting.labelString parameter is the message displayed in the first dialogue box on the CDE login screen. This is where the username is entered.
The Dtlogin*greeting.persLabelString is the message displayed in the second dialogue box on the CDE login screen. This is where the password is entered.
Rationale:
An attacker may obtain valuable information, such as the hostname and the operating system version, from the default AIX login screen. This information helps an attacker choose an exploitation method for breaking into the system. For security reasons, change the default login screen messages."
solution : "Copy the files from /usr/dt/config/*/Xresources to /etc/dt/config/*/Xresources and add the Dtlogin*greeting.labelString and Dtlogin*greeting.persLabelString parameters to all copied Xresources files:
for file in /usr/dt/config/*/Xresources; do
dir='dirname $file | sed s/usr/etc/'
mkdir -p $dir
if [ ! -f $dir/Xresources ]; then
cp $file $dir/Xresources
fi
WARN='Authorized uses only. All activity may be monitored and reported.'
echo 'Dtlogin*greeting.labelString: $WARN' >> $dir/Xresources
echo 'Dtlogin*greeting.persLabelString: $WARN' >> $dir/Xresources
done
Default Value:
N/A"
reference : "800-171|3.1.9,800-53|AC-8a.,800-53r5|AC-8a.,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AC-8a.,LEVEL|1A,NESA|M5.2.5,NESA|T5.5.1,NIAv2|AM10a,NIAv2|AM10b,NIAv2|AM10c,NIAv2|AM10d,NIAv2|AM10e,TBA-FIISB|45.2.4"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.8 CDE - login screen hostname masking - dtlogin.greeting.persLabelString"
info : "The Dtlogin*greeting.labelString parameter is the message displayed in the first dialogue box on the CDE login screen. This is where the username is entered.
The Dtlogin*greeting.persLabelString is the message displayed in the second dialogue box on the CDE login screen. This is where the password is entered.
Rationale:
An attacker may obtain valuable information, such as the hostname and the operating system version, from the default AIX login screen. This information helps an attacker choose an exploitation method for breaking into the system. For security reasons, change the default login screen messages."
solution : "Copy the files from /usr/dt/config/*/Xresources to /etc/dt/config/*/Xresources and add the Dtlogin*greeting.labelString and Dtlogin*greeting.persLabelString parameters to all copied Xresources files:
for file in /usr/dt/config/*/Xresources; do
dir='dirname $file | sed s/usr/etc/'
mkdir -p $dir
if [ ! -f $dir/Xresources ]; then
cp $file $dir/Xresources
fi
WARN='Authorized uses only. All activity may be monitored and reported.'
echo 'Dtlogin*greeting.labelString: $WARN' >> $dir/Xresources
echo 'Dtlogin*greeting.persLabelString: $WARN' >> $dir/Xresources
done
Default Value:
N/A"
reference : "800-171|3.1.9,800-53|AC-8a.,800-53r5|AC-8a.,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AC-8a.,LEVEL|1A,NESA|M5.2.5,NESA|T5.5.1,NIAv2|AM10a,NIAv2|AM10b,NIAv2|AM10c,NIAv2|AM10d,NIAv2|AM10e,TBA-FIISB|45.2.4"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.9 CDE - /etc/dt/config/Xconfig permissions and ownership - /etc/dt/config/Xconfig permissions and ownership"
info : "The /etc/dt/config/Xconfig file is used to customize CDE DT login attributes. Ensure this file is owned by root:bin and that its permissions prevent group and other from writing to it.
Rationale:
The /etc/dt/config/Xconfig file can be used to customize CDE DT login attributes. The default file, /usr/dt/config/Xconfig, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Check to see if the /etc/dt/config/Xconfig exists:
ls -l /etc/dt/config/Xconfig
Apply the appropriate ownership and permissions to /etc/dt/config/Xconfig:
chown root:bin /etc/dt/config/Xconfig
chmod go-w /etc/dt/config/Xconfig
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.10 CDE - /etc/dt/config/Xservers permissions and ownership - permissions and ownership"
info : "The /etc/dt/config/Xservers file contains entries to start the Xserver on the local display. Ensure this file is owned by root:bin and that its permissions prevent group and other from writing to it.
Rationale:
The /etc/dt/config/Xservers contains entries to start the Xserver on the local display. The default file, /usr/dt/config/Xservers, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Check to see if the /etc/dt/config/Xservers exists:
ls -l /etc/dt/config/Xservers
If it exists ensure that it is explicitly defined in /etc/dt/config/Xconfig:
vi /etc/dt/config/Xconfig
Replace:
Dtlogin*servers: Xservers
With:
Dtlogin*servers: /etc/dt/config/Xservers
Apply the appropriate ownership and permissions to /etc/dt/config/Xservers:
chown root:bin /etc/dt/config/Xservers
chmod go-w /etc/dt/config/Xservers
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.10 CDE - /etc/dt/config/Xservers permissions and ownership - explicit definition"
info : "The /etc/dt/config/Xservers file contains entries to start the Xserver on the local display. Ensure this file is owned by root:bin and that its permissions prevent group and other from writing to it.
Rationale:
The /etc/dt/config/Xservers contains entries to start the Xserver on the local display. The default file, /usr/dt/config/Xservers, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Check to see if the /etc/dt/config/Xservers exists:
ls -l /etc/dt/config/Xservers
If it exists ensure that it is explicitly defined in /etc/dt/config/Xconfig:
vi /etc/dt/config/Xconfig
Replace:
Dtlogin*servers: Xservers
With:
Dtlogin*servers: /etc/dt/config/Xservers
Apply the appropriate ownership and permissions to /etc/dt/config/Xservers:
chown root:bin /etc/dt/config/Xservers
chmod go-w /etc/dt/config/Xservers
Default Value:
N/A"
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
description : "4.5.1.11 CDE - /etc/dt/config/*/Xresources permissions and ownership - /etc/dt/config/*/Xresources permissions and ownership"
info : "The /etc/dt/config/*/Xresources file contains appearance and behavior resources for the Dtlogin login screen.
Rationale:
The /etc/dt/config/*/Xresources file defines the customization of the Dtlogin screen. The default file, /usr/dt/config/*/Xresources, is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Set the appropriate permissions and ownership on all Xresources files:
chown root:sys /etc/dt/config/*/Xresources
chmod u=rw,go=r /etc/dt/config/*/Xresources
Default Value:
N/A"
reference : "800-171|3.1.1,800-53|AC-3,800-53r5|AC-3,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/files/4124"
system : "AIX"
type : CMD_EXEC
description : "4.6.1 /etc/security/login.cfg - logintimeout - logintimeout"
info : "Defines the number of seconds during which the password must be typed at login.
Rationale:
Setting the logintimeout attribute requires that a password be entered within the specified time period."
solution : "In /etc/security/login.cfg, set the usw stanza logintimeout attribute to 30 or less:
chsec -f /etc/security/login.cfg -s usw -a logintimeout=30
This means that a user will have 30 seconds, from prompting, in which to type in their password.
Default Value:
60"
reference : "800-171|3.1.11,800-53|AC-12,800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(iii),ITSG-33|AC-12,LEVEL|1A,NIAv2|NS49"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/login.cfg -s usw -a logintimeout"
expect : "^usw[\\s]+logintimeout[\\s]*=[\\s]*([1-9]|[12][0-9]|30)[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.6.2 /etc/security/login.cfg - logindelay - logindelay"
info : "Defines the number of seconds of delay between failed login attempts. The value acts as a multiplier: if it is set to 10, the delay is 10 seconds after the first failed login, 20 seconds after the second, and so on.
Rationale:
Setting the logindelay attribute implements a delay multiplier between unsuccessful login attempts."
solution : "In /etc/security/login.cfg, set the default stanza logindelay attribute to 10 or greater:
chsec -f /etc/security/login.cfg -s default -a logindelay=10
This means that a user will have to wait 10 seconds before being able to re-enter their password. On subsequent attempts the delay increases to (number of failed login attempts * logindelay) seconds.
Default Value:
No limit"
reference : "800-171|3.1.8,800-53|AC-7b.,800-53r5|AC-7b.,CN-L3|7.1.2.7(f),CN-L3|7.1.3.1(c),GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AC-7b.,LEVEL|1A,NESA|T5.5.1,NIAv2|AM24,PCI-DSSv3.2.1|8.1.7,PCI-DSSv4.0|8.3.4,TBA-FIISB|36.2.4,TBA-FIISB|45.1.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/login.cfg -s default -a logindelay"
expect : "^default[\\s]+logindelay[\\s]*=[\\s]*[1-9][0-9]+[\\s]*$"
system : "AIX"
type : BANNER_CHECK
description : "4.6.3 herald (logon message) - logon message"
info : "This change adds a default herald to /etc/security/login.cfg.
Rationale:
This change puts in place a suggested login herald to replace the default entry. A herald should not disclose any information about the operating system or its version; instead, it should state the company's standard acceptable use policy.
The suggested herald should be tailored to reflect your corporate standard policy."
solution : "Add a default login herald to /etc/security/login.cfg:
chsec -f /etc/security/login.cfg -s default -a herald='Unauthorized use of this system is prohibited.\\nlogin:'
Default Value:
N/A"
reference : "800-171|3.1.9,800-53|AC-8,800-53r5|AC-8,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AC-8,LEVEL|1A,NESA|M1.3.6,TBA-FIISB|45.2.4"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/security/login.cfg"
content : "@LOGIN_HERALD_TEXT@"
is_substring : YES
system : "AIX"
type : CMD_EXEC
description : "5.2.2 pwd_algorithm - pwd_algorithm"
info : "Defines the loadable password algorithm used when storing user passwords.
Rationale:
Since AIX 5.1 it has been possible to use different password algorithms, as defined in /etc/security/pwdalg.cfg. The traditional UNIX password algorithm is crypt, a one-way hash function that supports only 8-character passwords. Because of brute-force password guessing attacks, crypt no longer provides an appropriate level of security, so other password hashing mechanisms are recommended.
This benchmark recommends setting the password algorithm to ssha512. This algorithm supports long passwords (up to 255 characters) and allows passphrases, including characters from the extended ASCII table and the space character. Passwords already set using crypt will still be recognized; when a password is reset, the new hash algorithm will be used to store it.
Impact:
A password algorithm other than crypt is required to support a password minlen greater than 8 (eight) characters.
SHA512 password hashing is recommended as the most secure."
solution : "In the file /etc/security/login.cfg set the usw stanza attribute pwd_algorithm to ssha512:
#!/usr/bin/ksh -e
# chk_algorithm:5.2.1
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
EXPECT='usw pwd_algorithm=ssha512'
CMD='lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm'
TST=$(${CMD})
[[ ${TST} == ${EXPECT} ]] && exit 0
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512
exit $?
Default Value:
crypt
Additional Information:
Consider identifying passwords still stored using crypt and setting the ADMCHG flag on those accounts to force a password change at next login."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv7|16.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm"
expect : "^usw[\\s]+pwd_algorithm[\\s]*=[\\s]*ssha512[\\s]*$"
system : "AIX"
description : "4.7.1.9 Ensure all directories in root PATH deny write access to all"
info : "To secure the root user's executable PATH, none of its directories may be group- or world-writable.
Rationale:
There should be no group- or world-writable directories in the root user's executable path. Such directories may allow an attacker to gain superuser access by causing an administrator operating as root to execute a Trojan horse program."
solution : "Search for and report on group- or world-writable directories in root's PATH. The command must be run as the root user. The script below walks up each directory in the PATH, checking that no directory is group/world writable and that each is owned by root or the bin user:
echo '/:${PATH}' | tr ':' '\n' | grep '^/' | sort -u | while read DIR
do
DIR=${DIR:-$(pwd)}
print 'Checking ${DIR}'
while [[ -d ${DIR} ]]
do
[[ '$(ls -ld ${DIR})' = @(d???????w? *) ]] && print ' WARNING ${DIR} is world writable' || print ' ${DIR} is not world writable'
[[ '$(ls -ld ${DIR})' = @(d????w???? *) ]] && print ' WARNING ${DIR} is group writable' || print ' ${DIR} is not group writable'
[[ '$(ls -ld ${DIR} |awk '{print $3}')' != @(root|bin) ]] && print ' WARNING ${DIR} is not owned by root or bin'
DIR=${DIR%/*}
done
done
NOTE: Review the output and manually correct the directories where possible. Directories that are group- and/or world-writable are marked with 'WARNING'.
To manually change permissions on the directories:
To remove group writable access:
chmod g-w
To remove world writable access:
chmod o-w
To remove both group and world writable access:
chmod go-w
To change the owner of a directory:
chown
To fully automate the PATH directory permission changes execute the following code as the root user:
echo '/:${PATH}' | tr ':' '\n' | grep '^/' | sort -u | while read DIR
do
DIR=${DIR:-$(pwd)}
while [[ -d ${DIR} ]]
do
[[ '$(ls -ld ${DIR})' = @(d???????w? *) ]] && chmod o-w ${DIR} && print 'Removing world write from ${DIR}'
[[ '$(ls -ld ${DIR})' = @(d????w???? *) ]] && chmod g-w ${DIR} && print 'Removing group write from ${DIR}'
DIR=${DIR%/*}
done
done
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
name : "writeable_dirs_in_root_path_variable"
mask : "022"
system : "AIX"
type : FILE_CHECK
description : "4.7.1.11 /etc/security/audit"
info : "The /etc/security/audit directory contains the system audit configuration files.
Rationale:
The /etc/security/audit directory stores the audit configuration files. This directory must have adequate access controls to prevent unauthorized access."
solution : "Ensure correct ownership and permissions are in place for /etc/security/audit:
chown -R root:audit /etc/security/audit
chmod u=rwx,g=rx,o= /etc/security/audit
chmod -R u=rw,g=r,o= /etc/security/audit/*
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/security/audit"
owner : "root"
mask : "027"
group : "audit"
system : "AIX"
type : CMD_EXEC
description : "4.7.1.6 /var/adm/ras"
info : "The /var/adm/ras directory contains log files which contain sensitive information such as login times and IP addresses.
Rationale:
The log files in the /var/adm/ras directory can contain sensitive information such as login times and IP addresses, which may be altered by an attacker when removing traces of system access. All files in this directory must be secured from unauthorized access and modifications."
solution : "Remove world read and write access from all files in /var/adm/ras:
chmod o-rw /var/adm/ras/*
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/find /var/adm/ras/* -type f -perm -0004 -depth -print | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "^none$"
system : "AIX"
type : FILE_CHECK
description : "4.7.1.7 /var/adm/sa"
info : "The /var/adm/sa directory holds the performance data produced by the sar utility.
Rationale:
The /var/adm/sa directory contains the report files produced by the sar utility. This directory must be secured from unauthorized access."
solution : "Set the recommended ownership and permissions on /var/adm/sa:
chown adm:adm /var/adm/sa
chmod u=rwx,go=rx /var/adm/sa
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/adm/sa"
owner : "adm"
mask : "022"
group : "adm"
system : "AIX"
type : FILE_CHECK
description : "4.7.1.8 /var/spool/cron/crontabs"
info : "The /var/spool/cron/crontabs directory contains all of the crontabs for the users on the system.
Rationale:
The /var/spool/cron/crontabs directory contains all of the crontabs for the users on the system. Crontab files present a security problem because they are run by the cron daemon, which runs with super user rights. Allowing other users to have read/write permissions on these files may allow them to escalate their privileges. To negate this risk, the directory and all the files that it contains must be secured."
solution : "Apply the appropriate permissions to /var/spool/cron/crontabs:
chmod -R o= /var/spool/cron/crontabs
chmod ug=rwx,o= /var/spool/cron/crontabs
chgrp -R cron /var/spool/cron/crontabs
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/spool/cron/crontabs"
mask : "007"
group : "cron"
system : "AIX"
type : CMD_EXEC
description : "4.7.2.3 crontab entries - owned by userid"
info : "This script checks the permissions of all the root crontab entries, to ensure that they are owned and writable by the root user only.
Rationale:
All root crontab entries must be owned and writable by the root user only. If a script had group or world writable access, it could be replaced or edited with malicious content, which would then subsequently run on the system with root authority."
solution : "Ensure that all root crontab entries are owned and writable by root only.
The script below traverses up each individual directory path, ensuring that all directories are not group/world writable and that they are owned by the root or bin user:
crontab -l |egrep -v '^#' |awk '{print $6}' |grep '^/' |sort -u | while read DIR
do
DIR=${DIR:-$(pwd)}
while [[ -a ${DIR} ]]
do
[[ \"$(ls -ld ${DIR})\" = @(????????w? *) ]] && print \" WARNING ${DIR} is world writable\"
[[ \"$(ls -ld ${DIR})\" = @(?????w???? *) ]] && print \" WARNING ${DIR} is group writable\"
[[ \"$(ls -ld ${DIR} |awk '{print $3}')\" != @(root|bin) ]] && print \" WARNING ${DIR} is not owned by root or bin\"
DIR=${DIR%/*}
done
done
NOTE: Review the output and manually change the directories, if possible. Directories which are group and/or world writable, or which are not owned by root or bin, are marked with 'WARNING'.
To manually change permissions on the files or directories:
To remove group writable access:
chmod g-w
To remove world writable access:
chmod o-w
To remove both group and world writable access:
chmod go-w
To change the owner of a file or directory:
chown
Default Value:
N/A
Additional Information:
Default AIX Security Expert policy values:
High Level policy Permissions checked
Medium Level policy Permissions checked
Low Level policy Permissions checked"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/crontab -l | /usr/bin/egrep -v '^#' | /usr/bin/awk '{print $6}' | /usr/bin/grep \"^/\" | /usr/bin/sort -u | while read DIR; do DIR=${DIR:-$(pwd)}; while [[ -a ${DIR} ]]; do [[ \"$(ls -ld ${DIR})\" = @(????????w? *) ]] && print \" WARNING ${DIR} is world writable\"; [[ \"$(ls -ld ${DIR})\" = @(?????w???? *) ]] && print \" WARNING ${DIR} is group writable\"; [[ \"$(ls -ld ${DIR} |awk '{print $3}')\" != @(root|bin) ]] && print \" WARNING ${DIR} is not owned by root or bin\"; DIR=${DIR%/*}; done; done | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none$"
system : "AIX"
type : CMD_EXEC
description : "4.7.2.4 Home directory configuration files"
info : "The user configuration files in each home directory e.g. $HOME/.profile, must not be group or world writable.
Rationale:
Group or world-writable user configuration files may enable malicious users to steal or modify other users' data, or to gain elevated privileges."
solution : "Search and remediate any user configuration files which have group or world writable access:
lsuser -a home ALL |cut -f2 -d= |egrep -v '^/$|/etc|/bin|/var|/usr|/usr/sys' |while read homedir;
do
if [[ -d ${homedir} ]];
then
echo 'Removing 'go-w' from all user configuration files in '${homedir}''
ls -a ${homedir} |egrep '^\.[a-z]' |while read file;
do
if [[ -f \"${homedir}/${file}\" ]];
then
echo 'Running 'chmod go-w' on '${homedir}/${file}''
chmod go-w \"${homedir}/${file}\"
fi
done
else
echo 'ERROR - no home directory for '${homedir}''
fi
done
NOTE: The permission change is automatically applied
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/bin/cat /etc/passwd | /usr/bin/awk -F: '($7 != \"/sbin/nologin\" && $7 != \"/bin/false\") { print $1 \" \" $6 }' | while read user dir; do if [ ! -d \"$dir\" ]; then /usr/bin/echo \"The home directory ($dir) of user $user does not exist.\"; else for file in $dir/.[A-Za-z0-9]*; do if [ ! -h \"$file\" -a -f \"$file\" ]; then fileperm=`ls -ld $file | cut -f1 -d\" \"`; if [ `/usr/bin/echo $fileperm | cut -c6` != \"-\" ]; then /usr/bin/echo \"Group Write permission set on file $file\"; fi; if [ `/usr/bin/echo $fileperm | cut -c9` != \"-\" ]; then /usr/bin/echo \"Other Write permission set on file $file\"; fi; fi; done; fi; done | /usr/bin/awk '{print} END {if (NR == 0) print \"Pass - No home configuration files found with group or other permissions\"; else print}'"
expect : "Pass - No home configuration files found with group or other permissions"
system : "AIX"
type : FILE_CHECK
description : "4.7.2.5 /smit.log"
info : "The /smit.log file maintains a history of all smit commands run as root.
Rationale:
The /smit.log file may contain sensitive information regarding system configuration, which may be of interest to an attacker. This log file must be secured from unauthorized access and modifications."
solution : "Remove world read and write access to /smit.log:
chmod o-rw /smit.log
Default Value:
644"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/smit.log"
mask : "117"
file_required : NO
system : "AIX"
type : FILE_CHECK
description : "4.7.2.6 /etc/group"
info : "The /etc/group file contains a list of the groups defined within the system.
Rationale:
The /etc/group file defines basic group attributes. Since the file contains sensitive information, it must be properly secured."
solution : "Ensure correct ownership and permissions are in place for /etc/group:
chown root:security /etc/group
chmod u=rw,go=r /etc/group
Default Value:
644"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/group"
owner : "root"
mask : "133"
group : "security"
system : "AIX"
type : FILE_CHECK
description : "4.7.2.7 /etc/inetd.conf"
info : "The recommended permissions and ownership for /etc/inetd.conf are applied.
Rationale:
The /etc/inetd.conf file contains the list of services that inetd controls and determines their current status, i.e. active or disabled. This file must be protected from unauthorized access and modifications to ensure that the services disabled in this benchmark remain locked down."
solution : "Set the recommended permissions and ownership to /etc/inetd.conf:
chmod u=rw,go=r /etc/inetd.conf
chown root:system /etc/inetd.conf
trustchk -u /etc/inetd.conf mode=644
Default Value:
664, root:system"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/inetd.conf"
owner : "root"
mask : "133"
group : "system"
system : "AIX"
type : FILE_CHECK
description : "4.7.2.8 /etc/motd"
info : "The /etc/motd file contains the message of the day, shown after successful initial login.
Rationale:
The /etc/motd file contains the message of the day, shown after successful initial login. The file should only be editable by its owner."
solution : "Apply the appropriate permissions to /etc/motd:
chown bin:bin /etc/motd
chmod u=rw,go=r /etc/motd
Default Value:
644"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/motd"
owner : "bin"
mask : "133"
group : "bin"
system : "AIX"
type : FILE_CHECK
description : "4.7.2.9 /etc/passwd"
info : "The /etc/passwd file contains a list of the users defined within the system.
Rationale:
The /etc/passwd file defines all users within the system. Since the file contains sensitive information, it must be properly secured."
solution : "Ensure correct ownership and permissions are in place for /etc/passwd:
chown root:security /etc/passwd
chmod u=rw,go=r /etc/passwd
Default Value:
644"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/passwd"
owner : "root"
mask : "133"
group : "security"
system : "AIX"
type : FILE_CHECK
description : "4.7.2.10 /etc/ssh/ssh_config"
info : "The /etc/ssh/ssh_config file defines SSH client behavior.
Rationale:
The /etc/ssh/ssh_config file is the system-wide client configuration file for OpenSSH, which allows you to set options that modify the operation of the client programs. The recommended value is not to provide any writable access rights for any user other than root."
solution : "Change the permissions of the /etc/ssh/ssh_config file to ensure that all accounts can read the file but only the owner (root) can modify it:
chmod 644 /etc/ssh/ssh_config
Default Value:
640
Additional Information:
Using the octal mode to (re)set the mode will also disable any ACLs that might have been set."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/ssh_config"
mask : "133"
system : "AIX"
type : FILE_CHECK
description : "4.7.2.11 /etc/ssh/sshd_config"
info : "The /etc/ssh/sshd_config file defines SSH server behavior.
Rationale:
The SSH daemon reads the configuration information from this file and includes the authentication mode and cryptographic levels to use during SSH communication.
Impact:
Some organizations feel all configuration information for OpenSSH server must be confidential - and many other benchmarks recommend exclusive root access to the file /etc/ssh/sshd_config. This configuration will work UNLESS sftp access is required by non-root users.
Non-root users (when mode is octal 0600) cannot load_server_config and the connection closes even though authentication succeeded.
Jun 25 14:42:45 x071 auth|security:info sshd[12255378]: Accepted password for michael from 192.168.129.65 port 32810 ssh2
Jun 25 14:42:45 x071 auth|security:info sftp-server[7077962]: session opened for local user michael from [192.168.129.65]
Jun 25 14:42:45 x071 auth|security:debug sftp-server[7077962]: debug2: load_server_config: filename /etc/ssh/sshd_config
Jun 25 14:42:45 x071 auth|security:info sshd[8847468]: Received disconnect from 192.168.129.65 port 32810:11: disconnected by user
Jun 25 14:42:45 x071 auth|security:info sshd[8847468]: Disconnected from user michael 192.168.129.65 port 32810
This is what is needed for the sftp-server to start:
Jun 25 14:45:10 x071 auth|security:info sshd[7077994]: Accepted password for michael from 192.168.129.65 port 32812 ssh2
Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: session opened for local user michael from [192.168.129.65]
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: load_server_config: filename /etc/ssh/sshd_config
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: load_server_config: done config len = 288
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: parse_server_config: config /etc/ssh/sshd_config len 288
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:34 setting SyslogFacility AUTH
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:36 setting LogLevel INFO
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:114 setting Banner /etc/banner
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:117 setting Subsystem sftp\t/usr/sbin/sftp-server -l DEBUG3 -f AUTH
Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: received client version 3
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: request 0: realpath
Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: realpath '.'
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug1: request 0: sent names count 1
The recommendation is to stay with the default file mode (octal 0644) unless site policy requires octal 0600 AND it is acceptable that sftp will not function.
Choosing octal 0600 is considered a Level 2 recommendation"
solution : "Change the permissions of the /etc/ssh/sshd_config file to ensure all accounts can read the file but only the owner (root) can modify it:
chmod u=rw,go=r /etc/ssh/sshd_config
Default Value:
644"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/ssh/sshd_config"
mask : "133"
system : "AIX"
type : FILE_CHECK
description : "4.7.2.12 /var/adm/cron/at.allow"
info : "The /var/adm/cron/at.allow file contains a list of users who can schedule jobs via the at command.
Rationale:
The /var/adm/cron/at.allow file controls which users can schedule jobs via the at command. Only the root user should have permissions to create, edit, or delete this file."
solution : "Apply the appropriate permissions to /var/adm/cron/at.allow:
chown root:sys /var/adm/cron/at.allow
chmod u=r,go= /var/adm/cron/at.allow
Default Value:
N/A"
reference : "800-171|3.1.7,800-53|AC-6(10),800-53r5|AC-6(10),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-6,LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/adm/cron/at.allow"
owner : "root"
mask : "377"
required : YES
group : "sys"
system : "AIX"
type : FILE_CHECK
description : "4.7.2.13 /var/adm/cron/cron.allow"
info : "The /var/adm/cron/cron.allow file contains a list of users who can schedule jobs via the cron command.
Rationale:
The /var/adm/cron/cron.allow file controls which users can schedule jobs via cron. Only the root user should have permissions to create, edit, or delete this file."
solution : "Apply the appropriate permissions to /var/adm/cron/cron.allow:
chown root:sys /var/adm/cron/cron.allow
chmod u=r,go= /var/adm/cron/cron.allow
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/adm/cron/cron.allow"
owner : "root"
mask : "377"
required : YES
group : "sys"
system : "AIX"
type : FILE_CHECK
description : "4.7.2.14 /var/ct/RMstart.log"
info : "The /var/ct/RMstart.log is the logfile used by RMC and can contain sensitive data that must be secured.
Rationale:
RMC provides a single monitoring and management infrastructure for both RSCT peer domains and management domains. Its generalized framework is used by cluster management tools to monitor, query, modify, and control cluster resources. /var/ct/RMstart.log is the logfile used by RMC and can contain sensitive data that must be secured."
solution : "Remove world read and write from /var/ct/RMstart.log:
chmod o-rw /var/ct/RMstart.log
Default Value:
644"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/ct/RMstart.log"
mask : "137"
file_required : NO
system : "AIX"
type : FILE_CHECK
description : "4.7.2.15 /var/adm/cron/log"
info : "The /var/adm/cron/log file contains a log of all cron jobs run on the system.
Rationale:
The /var/adm/cron/log file records all cron jobs run on the system. The file permissions must ensure that it is accessible only to its owner and group."
solution : "Specify exact permissions and user.group ids to /var/adm/cron/log:
chmod ug=rw /var/adm/cron/log
chown bin.cron /var/adm/cron/log
Default Value:
660"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/adm/cron/log"
mask : "117"
file_required : NO
system : "AIX"
type : FILE_CHECK
description : "4.7.2.16 /var/tmp/dpid2.log"
info : "The /var/tmp/dpid2.log file is the log file used by the dpid2 daemon and contains SNMP information.
Rationale:
The /var/tmp/dpid2.log log file is used by the dpid2 daemon and can contain sensitive SNMP information. This file must be secured from unauthorized access and modification."
solution : "Remove world read and write from /var/tmp/dpid2.log:
chmod o-rw /var/tmp/dpid2.log
Default Value:
644"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/tmp/dpid2.log"
mask : "137"
file_required : NO
system : "AIX"
type : FILE_CHECK
description : "4.7.2.17 /var/tmp/hostmibd.log"
info : "The /var/tmp/hostmibd.log file is the log file used by the hostmibd daemon and contains network and machine related information.
Rationale:
The /var/tmp/hostmibd.log log file can contain network and machine related statistics logged by the daemon. This file must be secured from unauthorized access and modifications."
solution : "Remove world read and write from /var/tmp/hostmibd.log:
chmod o-rw /var/tmp/hostmibd.log
Default Value:
644"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/tmp/hostmibd.log"
mask : "137"
file_required : NO
system : "AIX"
type : FILE_CHECK
description : "4.7.2.18 /var/tmp/snmpd.log"
info : "The /var/tmp/snmpd.log file is the log file used by the snmpd daemon and contains network and machine related information.
Rationale:
The /var/tmp/snmpd.log log file contains sensitive information through which an attacker can find out about the SNMP deployment architecture in your network. This log file must be secured from unauthorized access."
solution : "Remove world read and write from /var/tmp/snmpd.log:
chmod o-rw /var/tmp/snmpd.log
Default Value:
644"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/tmp/snmpd.log"
mask : "137"
file_required : NO
system : "AIX"
type : CMD_EXEC
description : "4.9 Ensure root access is controlled - rlogin"
info : "Restricts access to root via su to members of a specific group. Direct login via console and/or remote login via telnet is blocked.
Rationale:
For accountability, no direct access to root is allowed.
The attributes here control access to root for programs other than OpenSSH.
Setting the sugroups attribute to SUADMIN ensures that only members of this group are able to su to root. This makes it more difficult for an attacker to use a stolen root password, as the attacker first has to get access to a system user ID.
Access via a console (e.g., /dev/vty0 or /dev/tty0) is only permitted when there are external controls managing accountability of access to the console. For example, HMC access must not be via the account hscroot; a physical console is accessible only after a hard-copy log has been entered and verified before physical access is granted to the (data center) console terminal.
The group system is not recommended as it is not uncommon for other accounts to be included in this OS-provided group (gid==0).
Impact:
In this recommendation we specify the group SUADMIN. This is the same group name applied during installation of the security profile known as BAS - Base AIX Security.
When scoring - the attribute login may be true as long as access to the HMC is not via the account name hscroot.
In any case, sugroups should not equal ALL."
solution : "In /etc/security/user, set the root stanza sugroups attribute to SUADMIN and ensure the login and rlogin attributes are set to false:
lsgroup SUADMIN >/dev/null || mkgroup -a SUADMIN
chuser login=false rlogin=false sugroups=SUADMIN
NOTE: For the remediation the setting of su is irrelevant.
Default Value:
root login=true rlogin=true sugroups=ALL su=true"
reference : "800-171|3.1.5,800-171|3.1.6,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-171|3.13.1,800-171|3.13.2,800-53|AC-6(2),800-53|AC-6(5),800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|IA-5,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-6(2),800-53r5|AC-6(5),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|IA-5,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.1,CSCv7|5.1,CSCv8|4.1,CSCv8|4.7,CSCv8|5.4,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|IA-5,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.2.3,NESA|T5.6.1,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS13c,NIAv2|SS15a,NIAv2|SS15c,NIAv2|SS16,NIAv2|VL2,NIAv2|VL3a,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|7.2,QCSC-v1|13.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a login rlogin su root"
expect : "^[\\s]*root[\\s]+login[\\s]*=[\\s]*true[\\s]+rlogin[\\s]*=[\\s]*false[\\s]+su[\\s]*=[\\s]*true[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.9 Ensure root access is controlled - sugroups"
info : "Restricts access to root via su to members of a specific group. Direct login via console and/or remote login via telnet is blocked.
Rationale:
For accountability, no direct access to root is allowed.
The attributes here control access to root for programs other than OpenSSH.
Setting the sugroups attribute to SUADMIN ensures that only members of this group are able to su to root. This makes it more difficult for an attacker to use a stolen root password, as the attacker first has to get access to a system user ID.
Access via a console (e.g., /dev/vty0 or /dev/tty0) is only permitted when there are external controls managing accountability of access to the console. For example, HMC access must not be via the account hscroot; a physical console is accessible only after a hard-copy log has been entered and verified before physical access is granted to the (data center) console terminal.
The group system is not recommended as it is not uncommon for other accounts to be included in this OS-provided group (gid==0).
Impact:
In this recommendation we specify the group SUADMIN. This is the same group name applied during installation of the security profile known as BAS - Base AIX Security.
When scoring - the attribute login may be true as long as access to the HMC is not via the account name hscroot.
In any case, sugroups should not equal ALL."
solution : "In /etc/security/user, set the root stanza sugroups attribute to SUADMIN and ensure the login and rlogin attributes are set to false:
lsgroup SUADMIN >/dev/null || mkgroup -a SUADMIN
chuser login=false rlogin=false sugroups=SUADMIN
NOTE: For the remediation the setting of su is irrelevant.
Default Value:
root login=true rlogin=true sugroups=ALL su=true"
reference : "800-171|3.1.5,800-171|3.1.6,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-171|3.13.1,800-171|3.13.2,800-53|AC-6(2),800-53|AC-6(5),800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|IA-5,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-6(2),800-53r5|AC-6(5),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|IA-5,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.1,CSCv7|5.1,CSCv8|4.1,CSCv8|4.7,CSCv8|5.4,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|IA-5,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.2.3,NESA|T5.6.1,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS13c,NIAv2|SS15a,NIAv2|SS15c,NIAv2|SS16,NIAv2|VL2,NIAv2|VL3a,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|7.2,QCSC-v1|13.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a sugroups root"
expect : "^[\\s]*root[\\s]+sugroups[\\s]*=[\\s]*system[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.10 Disable core dumps - lssec"
info : "This change disables core dumps in the default user stanza of /etc/security/limits and also ensures the fullcore kernel parameter is set to false.
Rationale:
The creation of core dumps can reveal pertinent system information, potentially even passwords, within the core file. The ability to create a core dump is also a vulnerability to be exploited by a hacker.
The commands below disable core dumps by default, but they may be specifically enabled for a particular user in /etc/security/limits."
solution : "Change the default user stanza attributes core and core_hard in /etc/security/limits and then set the fullcore kernel parameter to false:
chsec -f /etc/security/limits -s default -a core=0 -a core_hard=0
chdev -l sys0 -a fullcore=false
Default Value:
Core dumps enabled"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/lssec -f /etc/security/limits -s default -a core -a core_hard"
expect : "^[\\s]*default[\\s]+core[\\s]*=[\\s]*0[\\s]+core_hard[\\s]*=[\\s]*0[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.10 Disable core dumps - lsattr"
info : "This change disables core dumps in the default user stanza of /etc/security/limits and also ensures the fullcore kernel parameter is set to false.
Rationale:
The creation of core dumps can reveal pertinent system information, potentially even passwords, within the core file. The ability to create a core dump is also a vulnerability to be exploited by a hacker.
The commands below disable core dumps by default, but they may be specifically enabled for a particular user in /etc/security/limits."
solution : "Change the default user stanza attributes core and core_hard in /etc/security/limits and then set the fullcore kernel parameter to false:
chsec -f /etc/security/limits -s default -a core=0 -a core_hard=0
chdev -l sys0 -a fullcore=false
Default Value:
Core dumps enabled"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsattr -El sys0 -a fullcore"
expect : "^[\\s]*fullcore[\\s]+false[\\s]+Enable[\\s]+full[\\s]+CORE[\\s]+dump[\\s]+True[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "4.11 Remove current working directory from default /etc/environment PATH"
info : "This change removes any '.' or '::' entries from /etc/environment. If a '.' or '::' is present, the current working directory is included in the default search path.
Rationale:
Any '.' and '::' entries will be removed from /etc/environment. This means that harmful programs placed in common PATH locations would never be automatically executed. All directories must be explicitly defined within the PATH variable."
solution : "Examine PATH in /etc/environment to see if it contains any '.' or '::' entries:
grep '^PATH=' /etc/environment |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/'
If the command above yields output, remove the '.' and '::' entries from:
vi /etc/environment
Default Value:
Dot present"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/grep \"^PATH=\" /etc/environment | /usr/bin/awk '/((:[ \\t]*:)|(:[ \\t]*$)|(^[ \\t]*:)|(^.:)|(:.$)|(:.:))/' | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
description : "4.13 Remove current working directory from root's PATH"
info : "This change removes any '.' or '::' entries from the root PATH. If a '.' or '::' is present, the current working directory is included in the search path.
Rationale:
Any '.' and '::' entries will be removed from the root PATH. This means that harmful programs placed in common PATH locations would never be automatically executed. All directories must be explicitly defined within the PATH variable."
solution : "Examine root's PATH to see if it contains any '.' or '::' entries:
su - root -c 'echo ${PATH}' |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[ \t]*:)|(^.:)|(:.$)|(:.:))/'
If the command above yields output, remove the '.' and '::' entries from the relevant initialization files. The files to examine depend on the root user's shell definition in /etc/passwd. Once the file or files have been identified, remove the '.' and '::' entries from the PATH variable:
vi
Default Value:
Dot not present"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
name : "dot_in_root_path_variable"
system : "AIX"
type : CMD_EXEC
description : "4.12 Lock historical users"
info : "Lock OS administrative accounts to further enhance security.
Rationale:
Lock administrative user accounts. Generic OS administrative user accounts are targeted by hackers in an attempt to gain unauthorized access to a server."
solution : "Lock standard accounts using chuser:
ACCOUNTS=daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd
lsuser -a account_locked ${ACCOUNTS} | grep -v account_locked=true | while read account attributes; do
chuser account_locked=true ${account}
done
Default Value:
N/A"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv7|16.8,CSCv7|16.9,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/sbin/lsuser -a account_locked daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd | /usr/bin/grep -v account_locked=true | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"
system : "AIX"
type : FILE_CHECK
description : "4.14 Configuration: /etc/motd"
info : "Create a /etc/motd file which displays, post initial logon, a statutory warning message.
Rationale:
The creation of a /etc/motd file which contains a statutory warning message could aid in the prosecution of offenders guilty of unauthorized system access. The /etc/motd is displayed after successful logins from the console, SSH and other system access protocols."
solution : "Create a /etc/motd file:
touch /etc/motd
chmod u=rw,go=r /etc/motd
chown bin:bin /etc/motd
Below is a sample banner:
'
NOTICE TO USERS
This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
*
NOTE: Replace 'its owner' with the relevant company name
Default Value:
N/A"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/motd"
owner : "bin"
mask : "133"
group : "bin"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.6.5 Unattended terminal session timeout is 900 seconds (or less) - TMOUT"
info : "TMOUT and TIMEOUT are environment settings that activate the timeout of a shell. The value is in seconds.
TMOUT=n - Sets the shell timeout to n seconds. A setting of TMOUT=0, or an unset TMOUT, disables the automatic session timeout.
readonly TMOUT - Both exports and locks the TMOUT environment variable to its present value, preventing unwanted modification at run time.
Rationale:
All systems are vulnerable if terminals are left logged in and unattended. The most serious problem occurs when a system manager leaves a terminal unattended that has been enabled with root authority. In general, users should log out anytime they leave their terminals.
You can force a terminal to log out after a period of inactivity by setting the TMOUT and TIMEOUT parameters in the /etc/profile file. The TMOUT parameter works in the ksh (Korn) shell, and the TIMEOUT parameter works in the bsh (Bourne) shell.
Impact:
This recommendation is set at Level 2 (using readonly).
At Level 1, the recommendation would use export instead."
solution : "Review /etc/profile to verify that TMOUT is configured to:
include a timeout of no more than 900 seconds
to be readonly
verify readonly statement is the last statement
/usr/bin/egrep -n -e 'TMOUT|TIMEOUT' /etc/profile
This should return something similar to:
40:# TMOUT=120
41:TMOUT=900
42:TIMEOUT=900
43:readonly TMOUT TIMEOUT
If either setting or the readonly statement is missing, add them to /etc/profile.
Default Value:
TMOUT=0"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1M,LEVEL|2M,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/profile"
regex : "^[\\s]*TMOUT"
expect : "^[\\s]*TMOUT[\\s]*=[\\s]*([1-9]|[1-9][0-9]|[1-8][0-9]{2}|900)[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.6.5 Unattended terminal session timeout is 900 seconds (or less) - TIMEOUT"
info : "TMOUT and TIMEOUT are environment settings that activate the timeout of a shell. The value is in seconds.
TMOUT=n - Sets the shell timeout to n seconds. A setting of TMOUT=0, or an unset TMOUT, disables the automatic session timeout.
readonly TMOUT - Both exports and locks the TMOUT environment variable to its present value, preventing unwanted modification at run time.
Rationale:
All systems are vulnerable if terminals are left logged in and unattended. The most serious problem occurs when a system manager leaves a terminal unattended that has been enabled with root authority. In general, users should log out anytime they leave their terminals.
You can force a terminal to log out after a period of inactivity by setting the TMOUT and TIMEOUT parameters in the /etc/profile file. The TMOUT parameter works in the ksh (Korn) shell, and the TIMEOUT parameter works in the bsh (Bourne) shell.
Impact:
This recommendation is set at Level 2 (using readonly).
At Level 1, the recommendation would use export instead."
solution : "Review /etc/profile to verify that TMOUT is configured to:
include a timeout of no more than 900 seconds
to be readonly
verify readonly statement is the last statement
/usr/bin/egrep -n -e 'TMOUT|TIMEOUT' /etc/profile
This should return something similar to:
40:# TMOUT=120
41:TMOUT=900
42:TIMEOUT=900
43:readonly TMOUT TIMEOUT
If either setting or the readonly statement is missing, add them to /etc/profile.
Default Value:
TMOUT=0"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1M,LEVEL|2M,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/profile"
regex : "^[\\s]*TIMEOUT"
expect : "^[\\s]*TIMEOUT[\\s]*=[\\s]*([1-9]|[1-9][0-9]|[1-8][0-9]{2}|900)[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "4.6.5 Unattended terminal session timeout is 900 seconds (or less) - readonly"
info : "TMOUT and TIMEOUT are environment settings that activate the timeout of a shell. The value is in seconds.
TMOUT=n - Sets the shell timeout to n seconds. A setting of TMOUT=0, or an unset TMOUT, disables the automatic session timeout.
readonly TMOUT - Both exports and locks the TMOUT environment variable to its present value, preventing unwanted modification at run time.
Rationale:
All systems are vulnerable if terminals are left logged in and unattended. The most serious problem occurs when a system manager leaves a terminal unattended that has been enabled with root authority. In general, users should log out anytime they leave their terminals.
You can force a terminal to log out after a period of inactivity by setting the TMOUT and TIMEOUT parameters in the /etc/profile file. The TMOUT parameter works in the ksh (Korn) shell, and the TIMEOUT parameter works in the bsh (Bourne) shell.
Impact:
This recommendation is set at Level 2 (using readonly).
At Level 1, the recommendation would use export instead."
solution : "Review /etc/profile to verify that TMOUT is configured to:
include a timeout of no more than 900 seconds
to be readonly
verify readonly statement is the last statement
/usr/bin/egrep -n -e 'TMOUT|TIMEOUT' /etc/profile
This should return something similar to:
40:# TMOUT=120
41:TMOUT=900
42:TIMEOUT=900
43:readonly TMOUT TIMEOUT
If either setting or the readonly statement is missing, add them to /etc/profile.
Default Value:
TMOUT=0"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1M,LEVEL|2M,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/profile"
regex : "^[\\s]*readonly[\\s]+TMOUT[\\s]+TIMEOUT[\\s]*$"
expect : "^[\\s]*readonly[\\s]+TMOUT[\\s]+TIMEOUT[\\s]*$"
system : "AIX"
type : CMD_EXEC
description : "5.2.3 Ensure passwords are not hashed using 'crypt'"
info : "The recommendation is to change the default password hash algorithm to ssha512 (see paragraph 5.2.1). However, changing the default algorithm away from crypt is not enough. The user must supply a new password before a new hashed version of the password is stored in the shadow password file /etc/security/passwd.
Rationale:
The hash algorithm crypt is known by all *nix versions, so it has provided portability. In the 1970s, processor power was weak enough that the mere 56 bits of protection against brute-force attacks was considered reasonable, even sufficient. Fifty (50) years later, this is no longer the case.
Impact:
The audit looks for hashed passwords that are 14 (fourteen) characters long. That is the length of the crypt hash. The remediation neither changes the password nor locks the account. However, it does clear any password flags that are present (notably NOCHECK needs to be removed) and sets the flag ADMCHG so that the account will be required to reset its password during the next login."
solution : "Execute the following script to impose an administrative requirement to update the password on next login for every account whose current password is still hashed using the crypt algorithm.
#!/usr/bin/ksh -e
# hash_chk:5.2.12
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
#System accounts are skipped; root is treated as a regular account
#pconsole is no longer a system account - being deprecated/removed
SACTS1='(adm|bin|daemon|invscout|ipsec|lp|lpd|nobody|nuucp|sshd|sys|uucp)'
SACTS2='(esa|srvproxy|imnadm|anonymou|ftp)'
grep 'password[[:blank:]]= .............$' /etc/security/passwd | \
while read pass equals cryptedhash; do
user=$(/usr/bin/grep -p $cryptedhash /etc/security/passwd |\
/usr/bin/egrep -vp '${SACTS1}:$' |\
/usr/bin/egrep -vp '${SACTS2}:$' |\
/usr/bin/egrep '[a-zA-z0-9]+:$' | sed -e s/:$//)
print ${user}: needs to update passwd
set -x
/usr/bin/pwdadm -c ${user}
/usr/bin/pwdadm -f ADMCHG ${user}
set +x
done"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv7|16.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/files/4124"
cmd : "/usr/bin/grep 'password[[:blank:]]= .............$' /etc/security/passwd | \
while read pass equals cryptedhash; do
user=$(/usr/bin/grep -p $cryptedhash /etc/security/passwd | /usr/bin/egrep '[a-zA-z0-9]+:$' | sed -e s/:$//)
/usr/bin/echo ${user}: needs to update passwd
done | /usr/bin/awk '{ print } END { if (NR==0) print \"none found\" }'"
expect : "none found"
description : "7.2 Use FLRTVC regularly"
info : "The Fix Level Recommendation Tool Vulnerability Checker Script (FLRTVC) provides security and HIPER (High Impact PERvasive) reports based on the inventory of your system.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "To download, click the download link below and save to a folder. It is packaged as a ZIP file with the FLRTVC.ksh script and LICENSE.txt file.
Download: FLRTVC (v0.8.1)
Note: The script requires ksh93. If you are receiving errors when running the script, you may execute it using 'ksh93 flrtvc.ksh'. As of v0.7, only non-fixed vulnerabilities are shown by default. Use -a to show all.
Default Value:
Not installed"
reference : "800-171|3.11.2,800-171|3.11.3,800-53|RA-5,800-53r5|RA-5,CSCv7|3.1,CSCv8|7.5,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.7.1,PCI-DSSv3.2.1|6.1,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/files/4124"
system : "AIX"
type : FILE_CHECK
description : "8.1.1 Configuring syslog - local logging - /var/adm/authlog"
info : "This recommendation implements a local syslog configuration.
Rationale:
Establishing a logging process via syslog provides system and security administrators with pertinent information relating to: login, mail, daemon, user and kernel activity. The recommendation is to enable local syslog logging, with a weekly rotation policy in a four weekly cycle. The log rotation isolates historical data which can be reviewed retrospectively if an issue is uncovered at a later date.
Impact:
This recommendation is manual because there are likely local requirements that surpass the basic recommendation here."
solution : "Explicitly define a log file for the auth.info output in /etc/syslog.conf:
printf 'auth.info\t\t/var/adm/authlog rotate time 1w files 4\n' >> /etc/syslog.conf
NOTE: This ensures that remote login, sudo or su attempts are logged separately
Create the authlog file and make it readable by root only:
touch /var/adm/authlog
chown root:system /var/adm/authlog
chmod u=rw,go= /var/adm/authlog
Create an entry in /etc/syslog.conf to capture all other output of level info or higher, excluding authentication information, as this is to be captured within /var/adm/authlog:
printf '*.info;auth.none\t/var/adm/syslog rotate time 1w files 4\n' >> /etc/syslog.conf
Create the syslog file:
touch /var/adm/syslog
chmod u=rw,g=r,o= /var/adm/syslog
Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:
refresh -s syslogd
Default Value:
Not configured
Additional Information:
Reversion:
Edit /etc/syslog.conf and remove the authlog and syslog entries:
vi /etc/syslog.conf
Remove:
auth.info /var/adm/authlog rotate time 1w files 4
*.info;auth.none /var/adm/syslog rotate time 1w files 4
Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:
refresh -s syslogd
Delete the authlog and syslog files:
rm /var/adm/authlog /var/adm/syslog"
reference : "800-171|3.3.8,800-53|AU-9(2),800-53r5|AU-9(2),CN-L3|8.1.3.5(d),CN-L3|8.1.4.3(c),CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9(2),LEVEL|1M,NESA|M5.2.3,NESA|M5.5.2,NIAv2|SS13e,PCI-DSSv3.2.1|10.5.3,PCI-DSSv3.2.1|10.5.4,PCI-DSSv4.0|10.3.3,QCSC-v1|8.2.1,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/adm/authlog"
owner : "root"
mask : "177"
group : "system"
system : "AIX"
type : FILE_CHECK
description : "8.1.1 Configuring syslog - local logging - /var/adm/syslog"
info : "This recommendation implements a local syslog configuration.
Rationale:
Establishing a logging process via syslog provides system and security administrators with pertinent information relating to: login, mail, daemon, user and kernel activity. The recommendation is to enable local syslog logging, with a weekly rotation policy in a four weekly cycle. The log rotation isolates historical data which can be reviewed retrospectively if an issue is uncovered at a later date.
Impact:
This recommendation is manual because there are likely local requirements that surpass the basic recommendation here."
solution : "Explicitly define a log file for the auth.info output in /etc/syslog.conf:
printf 'auth.info\t\t/var/adm/authlog rotate time 1w files 4\n' >> /etc/syslog.conf
NOTE: This ensures that remote login, sudo or su attempts are logged separately
Create the authlog file and make it readable by root only:
touch /var/adm/authlog
chown root:system /var/adm/authlog
chmod u=rw,go= /var/adm/authlog
Create an entry in /etc/syslog.conf to capture all other output of level info or higher, excluding authentication information, as this is to be captured within /var/adm/authlog:
printf '*.info;auth.none\t/var/adm/syslog rotate time 1w files 4\n' >> /etc/syslog.conf
Create the syslog file:
touch /var/adm/syslog
chmod u=rw,g=r,o= /var/adm/syslog
Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:
refresh -s syslogd
Default Value:
Not configured
Additional Information:
Reversion:
Edit /etc/syslog.conf and remove the authlog and syslog entries:
vi /etc/syslog.conf
Remove:
auth.info /var/adm/authlog rotate time 1w files 4
*.info;auth.none /var/adm/syslog rotate time 1w files 4
Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:
refresh -s syslogd
Delete the authlog and syslog files:
rm /var/adm/authlog /var/adm/syslog"
reference : "800-171|3.3.8,800-53|AU-9(2),800-53r5|AU-9(2),CN-L3|8.1.3.5(d),CN-L3|8.1.4.3(c),CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9(2),LEVEL|1M,NESA|M5.2.3,NESA|M5.5.2,NIAv2|SS13e,PCI-DSSv3.2.1|10.5.3,PCI-DSSv3.2.1|10.5.4,PCI-DSSv4.0|10.3.3,QCSC-v1|8.2.1,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/var/adm/syslog"
mask : "137"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "8.1.1 Configuring syslog - local logging - auth.info in /etc/syslog.conf"
info : "This recommendation implements a local syslog configuration.
Rationale:
Establishing a logging process via syslog provides system and security administrators with pertinent information relating to: login, mail, daemon, user and kernel activity. The recommendation is to enable local syslog logging, with a weekly rotation policy in a four weekly cycle. The log rotation isolates historical data which can be reviewed retrospectively if an issue is uncovered at a later date.
Impact:
This recommendation is manual because there are likely local requirements that surpass the basic recommendation here."
solution : "Explicitly define a log file for the auth.info output in /etc/syslog.conf:
printf 'auth.info\t\t/var/adm/authlog rotate time 1w files 4\n' >> /etc/syslog.conf
NOTE: This ensures that remote login, sudo or su attempts are logged separately
Create the authlog file and make it readable by root only:
touch /var/adm/authlog
chown root:system /var/adm/authlog
chmod u=rw,go= /var/adm/authlog
Create an entry in /etc/syslog.conf to capture all other output of level info or higher, excluding authentication information, as this is to be captured within /var/adm/authlog:
printf '*.info;auth.none\t/var/adm/syslog rotate time 1w files 4\n' >> /etc/syslog.conf
Create the syslog file:
touch /var/adm/syslog
chmod u=rw,g=r,o= /var/adm/syslog
Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:
refresh -s syslogd
Default Value:
Not configured
Additional Information:
Reversion:
Edit /etc/syslog.conf and remove the authlog and syslog entries:
vi /etc/syslog.conf
Remove:
auth.info /var/adm/authlog rotate time 1w files 4
*.info;auth.none /var/adm/syslog rotate time 1w files 4
Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:
refresh -s syslogd
Delete the authlog and syslog files:
rm /var/adm/authlog /var/adm/syslog"
reference : "800-171|3.3.8,800-53|AU-9(2),800-53r5|AU-9(2),CN-L3|8.1.3.5(d),CN-L3|8.1.4.3(c),CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9(2),LEVEL|1M,NESA|M5.2.3,NESA|M5.5.2,NIAv2|SS13e,PCI-DSSv3.2.1|10.5.3,PCI-DSSv3.2.1|10.5.4,PCI-DSSv4.0|10.3.3,QCSC-v1|8.2.1,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/syslog.conf"
regex : "^auth[\\.]info "
expect : "^auth[\\.]info +/var/adm/authlog[\\s]+rotate[\\s]+time[\\s]+1w[\\s]+files[\\s]+4[\\s]*$"
system : "AIX"
type : FILE_CONTENT_CHECK
description : "8.1.1 Configuring syslog - local logging - *.info/auth.none in /etc/syslog.conf"
info : "This recommendation implements a local syslog configuration.
Rationale:
Establishing a logging process via syslog provides system and security administrators with pertinent information relating to: login, mail, daemon, user and kernel activity. The recommendation is to enable local syslog logging, with a weekly rotation policy in a four weekly cycle. The log rotation isolates historical data which can be reviewed retrospectively if an issue is uncovered at a later date.
Impact:
This recommendation is manual because there are likely local requirements that surpass the basic recommendation here."
solution : "Explicitly define a log file for the auth.info output in /etc/syslog.conf:
printf 'auth.info\t\t/var/adm/authlog rotate time 1w files 4\n' >> /etc/syslog.conf
NOTE: This ensures that remote login, sudo or su attempts are logged separately
Create the authlog file and make it readable by root only:
touch /var/adm/authlog
chown root:system /var/adm/authlog
chmod u=rw,go= /var/adm/authlog
Create an entry in /etc/syslog.conf to capture all other output of level info or higher, excluding authentication information, as this is to be captured within /var/adm/authlog:
printf '*.info;auth.none\t/var/adm/syslog rotate time 1w files 4\n' >> /etc/syslog.conf
Create the syslog file:
touch /var/adm/syslog
chmod u=rw,g=r,o= /var/adm/syslog
Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:
refresh -s syslogd
Default Value:
Not configured
Additional Information:
Reversion:
Edit /etc/syslog.conf and remove the authlog and syslog entries:
vi /etc/syslog.conf
Remove:
auth.info /var/adm/authlog rotate time 1w files 4
*.info;auth.none /var/adm/syslog rotate time 1w files 4
Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:
refresh -s syslogd
Delete the authlog and syslog files:
rm /var/adm/authlog /var/adm/syslog"
reference : "800-171|3.3.8,800-53|AU-9(2),800-53r5|AU-9(2),CN-L3|8.1.3.5(d),CN-L3|8.1.4.3(c),CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9(2),LEVEL|1M,NESA|M5.2.3,NESA|M5.5.2,NIAv2|SS13e,PCI-DSSv3.2.1|10.5.3,PCI-DSSv3.2.1|10.5.4,PCI-DSSv4.0|10.3.3,QCSC-v1|8.2.1,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/files/4124"
file : "/etc/syslog.conf"
regex : "^[\\*][\\.]info;auth[\\.]none "
expect : "^[\\*][\\.]info;auth[\\.]none +/var/adm/syslog[\\s]+rotate[\\s]+time[\\s]+1w[\\s]+files[\\s]+4[\\s]*$"
description : "CIS_AIX_7.2_Benchmark_v1.0.0_Level_1.audit from CIS AIX 7.2 Benchmark v1.0.0 Level 1 Benchmark"
info : "NOTE: Nessus has not identified that the chosen audit applies to the target device."
see_also : "https://workbench.cisecurity.org/files/4124"