{"stig":{"title":"IBM AIX 7.x Security Technical Implementation Guide","version":"3","release":"2"},"checks":[{"vulnId":"V-215169","ruleId":"SV-215169r958362_rule","severity":"medium","ruleTitle":"AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account.","description":"The \"/etc/security/mkuser.sys.custom\" is called by \"/etc/security/mkuser.sys\" to customize the new user account when a new user is created, or a user is logging into the system without a home directory. An improper \"/etc/security/mkuser.sys.custom\" script increases the risk that non-privileged users may obtain elevated privileges. It must not exist unless it is needed.","checkContent":"Check if the \"/etc/security/mkuser.sys.custom\" file exists:\n# ls /etc/security/mkuser.sys.custom\n\nIf the above command shows the file exists, this is a finding.","fixText":"Remove the \"/etc/security/mkuser.sys.custom\" file using the following command:\n\n# rm /etc/security/mkuser.sys.custom","ccis":["CCI-000015"]},{"vulnId":"V-215170","ruleId":"SV-215170r958364_rule","severity":"medium","ruleTitle":"AIX must automatically remove or disable temporary user accounts after 72 hours or sooner.","description":"If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.\n\nTemporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n\nIf temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.","checkContent":"From the command prompt, execute the following command:\n# lsuser -a expires tmp_user\n\nThe above command should yield the following output:\ntmp_user expires=0\nOr\ntmp_user expires=1215103116\n\nThe \"expires\" value is in \"MMDDhhmmyy\" form, or the value is \"0\".\n\nIf \"expires\" value is \"0\", or the expiration time is greater than \"72\" hours from the user creation time, this is a finding.","fixText":"From the command prompt, execute the following command to set the expiration time to 72 hours from now:\n# chuser expires=1218103116 tmp_user\n\nFrom the command prompt, execute the following command:\n# lsuser -a expires tmp_user\n\nThe above command should yield the following output:\ntmp_user expires=1218103116","ccis":["CCI-000016"]},{"vulnId":"V-215171","ruleId":"SV-215171r958388_rule","severity":"medium","ruleTitle":"AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128","checkContent":"From the command prompt, execute the following command to check the system default value for the maximum number of tries before the system will lock the account:\n# lssec -f /etc/security/user -s default -a loginretries\n\nThe above command should yield the following output:\ndefault loginretries=0\n\nIf the default value is \"0\" or greater than \"3\", this is a finding.\n\nFrom the command prompt, execute the following command to check all active accounts on the system for the maximum number of tries before the system will lock the account:\n# lsuser -a loginretries ALL | more\n\nThe above command should yield the following output:\nroot loginretries=3\nuser1 loginretries=2\n\nIf a user has values set to \"0\" or greater than \"3\", this is a finding.","fixText":"From the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for \"default:\" stanza in \"/etc/security/user\" file:\n# chsec -f /etc/security/user -s default -a loginretries=3 \n\nFrom the command prompt, execute the following command to configure the number of unsuccessful logins resulting in account lockout for all users who have loginretries values that are 0 or greater than 3:\n# chsec -f /etc/security/user -s [user_name] -a loginretries=3","ccis":["CCI-000044","CCI-002238"]},{"vulnId":"V-215172","ruleId":"SV-215172r958398_rule","severity":"medium","ruleTitle":"AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types.","description":"Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.","checkContent":"From the command prompt, execute the following command to display maxulogs values for all the user account:\n# lsuser -a maxulogs ALL\n\nThe above command should yield the following output:\nroot maxulogs=10\nuser_1 maxulogs=10\n \nIf the above command shows any user account that does not have the \"maxulogs\" attribute set, or its value is \"0\", or its value greater than \"10\", this is a finding.","fixText":"From the command prompt, execute the following command to set \"maxulogs=10\" for the \"default:\" stanza in the \"/etc/security/user\" file:\n# chsec -f /etc/security/user -s default -a maxulogs=10\n\nFor each user account whose \"maxulogs\" value is greater than \"10\", or their \"maxulogs\" value is not set, or the values are set to \"0\", execute the following command to set \"maxulogs=10\":\n# chuser maxulogs=10 [user_name]","ccis":["CCI-000054"]},{"vulnId":"V-215173","ruleId":"SV-215173r958448_rule","severity":"medium","ruleTitle":"If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA.","description":"Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.","checkContent":"If LDAP authentication is not used on AIX, this is Not Applicable.\n\nNote: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd.\n\nCheck if the system is using LDAP authentication: \n\n# grep LDAP /etc/security/user \n\nIf no lines are returned, this requirement is not applicable. \n\nCheck if the useSSL option is enabled: \n\n# grep '^useSSL' /etc/security/ldap/ldap.cfg \nuseSSL:yes\n\nIf \"yes\" is not the returned value, this is a finding. \n\nVerify a certificate is used for client authentication to the server: \n\n# grep -i '^ldapsslkeyf' /etc/security/ldap/ldap.cfg \nldapsslkeyf:/tmp/key.kdb\n\nIf no line is found, this is a finding. \n\nIdentify the Key Database (KDB), and its password, by asking the ISSO/SA. If no Key Database exists on the system, this is a finding.\n\nList the certificate issuer with GSK command:\n\n# gsk8capicmd -cert -list CA -db -pw \n\nMake note of the client Key Label: \n\n# gsk8capicmd -cert -details -showOID -db -pw -label \n\nIf the certificate is not issued by DoD PKI or a DoD-approved external PKI, this is a finding\n\nThe IBM GSK Database should only have certificates for the client system and for the LDAP server. \n\nIf more certificates are in the key database than the LDAP server and the client, this is a finding.","fixText":"Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd.\n\nCreate a key database with DoD PKI or DoD-approved certificate using one of the following commands: \n# gsk8capicmd -keydb -create -db -pw -type cms -stash\n\nEdit \"/etc/security/ldap/ldap.cfg\" and add or edit the \"ldapsslkeyf\" setting to reference a KDB file containing a client certificate issued by DoD PKI or a DoD-approved external PKI. \n\nInstall a certificate signed by a DoD PKI or a DoD-approved external PKI using the following command: \n# gsk8capicmd -cert -add -db -pw -file -label \n\nRemove un-needed CA certificates using one of the following commands: \n# gsk8capicmd -cert -delete -db -pw -label \n\nRestart LDAP client using command:\n# /usr/sbin/restart-secldapclntd","ccis":["CCI-000185"]},{"vulnId":"V-215174","ruleId":"SV-215174r1009530_rule","severity":"high","ruleTitle":"If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"Examine the LDAP configuration file \"/etc/security/ldap/ldap.cfg\" for possible clear-text password for \"bindpwd\".\n\nFrom the command prompt, run the following command:\n# grep ^bindpwd: /etc/security/ldap/ldap.cfg\n\nThe above command should yield the following output:\nbindpwd:{DESv2}57AEE2BCED 764373462FC7B62736D9A\n\nIf the returned entry has an unencrypted password (the output line does not start with \"bindpwd:{DES\"), this is a finding. \n\nExamine the LDAP configuration file \"/etc/security/ldap/ldap.cfg\" for using stashed password for SSL key database (KDB).\n\nCheck for \"ldapsslkeypwd\" in LDAP config file using the follow command: \n# grep '^ldapsslkeypwd' /etc/security/ldap/ldap.cfg \n\nIf the command returned a line, this is a finding.","fixText":"To remove the clear-text password for \"bindpwd\", do the following two steps:\nEdit \"/etc/security/ldap/ldap.cfg\" to remove the \"bindpwd\" line and save the change; \n\nRe-config the LDAP client using the \"mksecldap\" command:\n# mksecldap -c -h -A -D -d -a -p -k -w \n\nNote: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: \"gsk8capicmd\" (used below), \"gsk8capicmd_64\" and \"gsk7cmd\".\n\nTo use the stashed password for SSL key database (KDB), do the following two steps:\nEdit \"/etc/security/ldap/ldap.cfg\" to remove the \"ldapsslkeypwd\" line and save the change;\n\nRun the \"gsk8capicmd\" to create a stashed password file for the SSL KDB:\n# gsk8capicmd -keydb -stashpw -db -pw ","ccis":["CCI-004062","CCI-000196"]},{"vulnId":"V-215175","ruleId":"SV-215175r958482_rule","severity":"high","ruleTitle":"All accounts on AIX system must have unique account names.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"From the command prompt, run the following command to check that there are no duplicate account names:\n# usrck -n ALL\n\nIf any duplicate account names are found, this is a finding.","fixText":"Edit user accounts to provide unique name for each account by editing the following files:\n/etc/passwd\n/etc/security/passwd\n/etc/security/user\n/etc/group","ccis":["CCI-000764"]},{"vulnId":"V-215176","ruleId":"SV-215176r958482_rule","severity":"high","ruleTitle":"All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users).","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nLack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.\n\nSatisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062","checkContent":"From the command prompt, run the following command to ensure there are no duplicate UIDs:\n\n# usrck -n ALL\n\nIf any duplicate UIDs are found, this is a finding.","fixText":"Edit user accounts to provide unique names and UIDs for each account by editing the following files:\n\n/etc/passwd\n/etc/group\n/etc/security/passwd\n/etc/security/user","ccis":["CCI-000764","CCI-000804"]},{"vulnId":"V-215177","ruleId":"SV-215177r958482_rule","severity":"high","ruleTitle":"The AIX SYSTEM attribute must not be set to NONE for any account.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"Examine the \"SYSTEM\" attribute values for all users in the \"/etc/security/user\" file by running the following command: \n# lsuser -a SYSTEM ALL\n\nThe above command should yield the following output:\nroot SYSTEM=compat\ndaemon SYSTEM=compat\nbin SYSTEM=compat\nsys SYSTEM=compat\n\nIf the command displays SYSTEM=NONE for a user, this is a finding.","fixText":"For every user who has \"SYSTEM=NONE\", run the following command to set their \"SYSTEM\" value to \"compat\":\n\n# chuser SYSTEM=compat [user_name]","ccis":["CCI-000764"]},{"vulnId":"V-215178","ruleId":"SV-215178r1009531_rule","severity":"medium","ruleTitle":"Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts.","description":"Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability.","checkContent":"Obtain a list of Shared/Application/Default/Utility accounts from the ISSO/ISSM.\n\nShared/Application/Default/Utility accounts can have direct login disabled by setting the \"rlogin\" parameter to \"false\" in the user’s stanza of the \"/etc/security/user\" file. \n\nFrom the command prompt, run the following command to check if shared account has \"rlogin=true\":\n\n# lsuser -a rlogin [shared_account] \n rlogin=true\n\nIf a shared account is configured for \"rlogin=true\", this is a finding.","fixText":"Direct login to shared or application accounts can be prevented by setting the \"rlogin=false\" in the accounts stanza of the \"/etc/security/user\" file.\n\nFrom the command prompt, run the following command to set \"rlogin=false\" for a shared account:\n\n# chuser rlogin=false [shared_account]","ccis":["CCI-004045","CCI-000770"]},{"vulnId":"V-215179","ruleId":"SV-215179r1009532_rule","severity":"high","ruleTitle":"AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.","description":"A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials must not be vulnerable to a replay attack.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.\n\nA privileged account is any information system account with authorizations of a privileged user.\n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.\n\nSatisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058","checkContent":"Run the following command to check if SSH server package is installed:\n\n# lslpp -i |grep -i ssh\n openssh.base.server 6.0.0.6201\n\nIf package \"openssh.base.server\" is not installed, this is a finding.\n\nRun the following command to check if SSH daemon is running:\n\n# lssrc -s sshd\n\nThe above command should yield the following output:\nSubsystem Group PID Status \n sshd ssh 4325532 active\n\nIf the \"Status\" is not \"active\", this is a finding.","fixText":"If the SSH server package is not installed, install \"openssh.base.server\" package from AIX DVD Volume 1 using the following command (assuming that the DVD device is /dev/cd0):\n# installp -aXYgd /dev/cd0 -e /tmp/install.log openssh.base.server\n\nAfter the installation, set up the SSH server accordingly.\n\nIf the SSH daemon is not running, run the following command to start it:\n# startsrc -s sshd","ccis":["CCI-001941","CCI-001942"]},{"vulnId":"V-215180","ruleId":"SV-215180r958508_rule","severity":"medium","ruleTitle":"The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.","description":"Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. \n\nEmergency accounts are different from infrequently used accounts (i.e., local login accounts used by the organization's system administrators when network or normal login/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.\n\nTo address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.","checkContent":"Obtain a list of emergency accounts from the ISSO/ISSM and then run this command against each of the identified accounts:\n# lsuser -a expires \n\nThe above command should yield the following output:\n expires=0\nOr\n expires=1215103116\n\nThe \"expires\" value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire.\n\nIf \"expires\" value is \"0\", or the expiration time is greater than \"72\" hours from the user creation time, this is a finding.","fixText":"From the command prompt, run the following command to set the \"expires\" value to \"72\" hours from now:\n# chuser expires=1228093516 \n\nThe \"expires\" value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric.","ccis":["CCI-001682"]},{"vulnId":"V-215181","ruleId":"SV-215181r958362_rule","severity":"medium","ruleTitle":"The shipped /etc/security/mkuser.sys file on AIX must not be customized directly.","description":"The \"/etc/security/mkuser.sys\" script customizes the new user account when a new user is created, or a user is logging into the system without a home directory. An improper \"/etc/security/mkuser.sys\" script increases the risk that non-privileged users may obtain elevated privileges.","checkContent":"Use the \"cat\" command to show the content of \"/etc/security/mkuser.sys\" script:\n# cat /etc/security/mkuser.sys\n\nThe cat command should display the following:\n# This file is no longer user customizable. To have a customized mkuser.sys script\n# create a file /etc/security/mkuser.sys.custom and the /etc/security/mkuser.sys\n# will run this script instead of the original mkuser.sys script.\n\nexport PATH=/usr/bin:/usr/sbin:$PATH\n\n#\n# Check the number of arguments first\n#\nif [ $# -ne 4 ] \nthen\n exit 1\nfi\n\n#\n# If a customer mkuser.sys.custom script exists\n# then execute it instead and exit passing all arguments\n# and returning the return code from mkuser.sys.custom\n#\nif [ -x /etc/security/mkuser.sys.custom ]\nthen\n /etc/security/mkuser.sys.custom $*\n exit $?\nfi\n\n#\n# Create the named directory if it does not already exist\n# and set the file ownership and permission\n#\nif [ ! -d $1 ]\nthen\n last=$1\n \n while [ 1 ]\n do\n dir=`dirname $last`\n \n if [ -d $last ]\n then\n break\n elif [ -d $dir ]\n then\n mkdir -p $1\n chown -R bin:bin $last\n chmod -R 755 $last\n break\n else\n last=$dir\n fi\n done\n \n chgrp \"$3\" $1\n chown $2 $1\nfi\n\n#\n# Copy the user's default .profile if it does not already\n# exist and change the file ownership, etc.\n#\nif [ `basename $4` != \"csh\" ] && [ ! -f $1/.profile ]\nthen\n cp /etc/security/.profile $1/.profile\n chmod u+rwx,go-w $1/.profile\n chgrp \"$3\" $1/.profile\n chown $2 $1/.profile\n\nelse\n if [ `basename $4` = \"csh\" ] && [ ! -f $1/.login ] \n then\n echo \"#!/bin/csh\" > \"$1\"/.login\n echo \"set path = ( /usr/bin /etc /usr/sbin /usr/ucb \\$HOME/bin /usr/bin/X11 /sbin . )\" >> \"$1\"/.login\n echo \"setenv MAIL \\\"/var/spool/mail/\\$LOGNAME\\\"\" >> \"$1\"/.login\n echo \"setenv MAILMSG \\\"[YOU HAVE NEW MAIL]\\\"\" >> \"$1\"/.login\n echo \"if ( -f \\\"\\$MAIL\\\" && ! -z \\\"\\$MAIL\\\") then\" >> \"$1\"/.login\n echo \" echo \\\"\\$MAILMSG\\\"\" >> \"$1\"/.login\n echo \"endif\" >> \"$1\"/.login\n chmod u+rwx,go-w $1/.login\n chgrp \"$3\" $1/.login\n chown $2 $1/.login\n fi\nfi\n\nIf the \"cat\" command shows the script as different than the content listed above, this is a finding.","fixText":"Edit the script /etc/security/mkuser.sys to contain the following:\n# This file is no longer user customizable. To have a customized mkuser.sys script\n# create a file /etc/security/mkuser.sys.custom and the /etc/security/mkuser.sys\n# will run this script instead of the original mkuser.sys script.\n\nexport PATH=/usr/bin:/usr/sbin:$PATH\n\n#\n# Check the number of arguments first\n#\nif [ $# -ne 4 ] \nthen\n exit 1\nfi\n\n#\n# If a customer mkuser.sys.custom script exists\n# then execute it instead and exit passing all arguments\n# and returning the return code from mkuser.sys.custom\n#\nif [ -x /etc/security/mkuser.sys.custom ]\nthen\n /etc/security/mkuser.sys.custom $*\n exit $?\nfi\n\n#\n# Create the named directory if it does not already exist\n# and set the file ownership and permission\n#\nif [ ! -d $1 ]\nthen\n last=$1\n \n while [ 1 ]\n do\n dir=`dirname $last`\n \n if [ -d $last ]\n then\n break\n elif [ -d $dir ]\n then\n mkdir -p $1\n chown -R bin:bin $last\n chmod -R 755 $last\n break\n else\n last=$dir\n fi\n done\n \n chgrp \"$3\" $1\n chown $2 $1\nfi\n\n#\n# Copy the user's default .profile if it does not already\n# exist and change the file ownership, etc.\n#\nif [ `basename $4` != \"csh\" ] && [ ! -f $1/.profile ]\nthen\n cp /etc/security/.profile $1/.profile\n chmod u+rwx,go-w $1/.profile\n chgrp \"$3\" $1/.profile\n chown $2 $1/.profile\n\nelse\n if [ `basename $4` = \"csh\" ] && [ ! -f $1/.login ] \n then\n echo \"#!/bin/csh\" > \"$1\"/.login\n echo \"set path = ( /usr/bin /etc /usr/sbin /usr/ucb \\$HOME/bin /usr/bin/X11 /sbin . )\" >> \"$1\"/.login\n echo \"setenv MAIL \\\"/var/spool/mail/\\$LOGNAME\\\"\" >> \"$1\"/.login\n echo \"setenv MAILMSG \\\"[YOU HAVE NEW MAIL]\\\"\" >> \"$1\"/.login\n echo \"if ( -f \\\"\\$MAIL\\\" && ! -z \\\"\\$MAIL\\\") then\" >> \"$1\"/.login\n echo \" echo \\\"\\$MAILMSG\\\"\" >> \"$1\"/.login\n echo \"endif\" >> \"$1\"/.login\n chmod u+rwx,go-w $1/.login\n chgrp \"$3\" $1/.login\n chown $2 $1/.login\n fi\nfi","ccis":["CCI-000015"]},{"vulnId":"V-215182","ruleId":"SV-215182r958362_rule","severity":"medium","ruleTitle":"The regular users default primary group must be staff (or equivalent) on AIX.","description":"The /usr/lib/security/mkuser.default file contains the default primary groups for regular and admin users. Setting a system group as the regular users' primary group increases the risk that the regular users can access privileged resources.","checkContent":"Check the default primary group for regular users:\n# lssec -f /etc/security/mkuser.default -s user -a pgrp\n\nThe above command should yield the following output:\nuser pgrp=staff\n\nIf the above command shows that the primary group (pgrp) is not \"staff\", this is a finding.","fixText":"Set the default primary groups for regular to be \"staff\".\n# chsec -f /etc/security/mkuser.default -s user -a pgrp=staff","ccis":["CCI-000015"]},{"vulnId":"V-215183","ruleId":"SV-215183r991560_rule","severity":"medium","ruleTitle":"All system files, programs, and directories must be owned by a system account.","description":"Restricting permissions will protect the files from unauthorized modification.","checkContent":"Check the ownership of system files, programs, and directories by running the following command: \n# ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin \n\nIf any of the system files, programs, or directories are not owned by a system account, this is a finding. \n\nNote: For this check, the system-provided \"ipsec\" user is considered to be a system account.","fixText":"Change the owner of public directories to \"root\" or an application account using the following command: \n# chown root \n\nNote: Replace \"root\" with an application user as necessary.","ccis":["CCI-001499"]},{"vulnId":"V-215184","ruleId":"SV-215184r991560_rule","severity":"medium","ruleTitle":"AIX device files and directories must only be writable by users with a system account or as configured by the vendor.","description":"System device files in writable directories could be modified, removed, or used by an unprivileged user to control system hardware.","checkContent":"Find all device files existing anywhere on the system using commands:\n# find / -type b -print | xargs ls -l > devicelistB\n# find / -type c -print | xargs ls -l > devicelistC \n\nLook at devicelistB and devicelistC files to check the permissions on the device files and directories above the subdirectories containing device files.\n\nIf any of the device files or their parent directories are world-writable, excepting device files specifically intended to be world-writable, such as \"/dev/null\", this is a finding.","fixText":"Remove the world-writable permission from the device file(s) using command:\n# chmod o-w ","ccis":["CCI-001499"]},{"vulnId":"V-215186","ruleId":"SV-215186r958498_rule","severity":"medium","ruleTitle":"AIX must configure the ttys value for all interactive users.","description":"A user's \"ttys\" attribute controls from which device(s) the user can authenticate and log in. If the \"ttys\" attribute is not specified, all terminals can access the user account.","checkContent":"Verify that the default \"ttys\" value is set for all users:\n\n# lssec -f /etc/security/user -s default -a ttys\ndefault ttys=ALL\n\nIf the value returned is not \"ttys=ALL\", this is a finding.\n\nFrom the command prompt, run the following command to check \"ttys\" attribute value for all accounts:\n# lsuser -a ttys ALL\n\nThe above command should yield the following output:\nroot ttys=ALL\nuser1 ttys=ALL\nuser2 ttys=ALL\nuser3 ttys=ALL\n\nIf any interactive user account does not have \"ttys=ALL\", this is a finding.","fixText":"From the command prompt, run the following command to set \"ttys=ALL\" for the default stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s default -a ttys=ALL\n\nRun the following command to recheck \"ttys\" values for all users:\n# lsuser -a ttys ALL\n\nFor each interactive user who does not have \"ttys=ALL\", set the value of \"ttys\" to \"ALL\" by running the following command from command prompt:\n# chsec -f /etc/security/user -s [user_name] -a ttys=ALL","ccis":["CCI-000778"]},{"vulnId":"V-215187","ruleId":"SV-215187r958400_rule","severity":"medium","ruleTitle":"AIX must provide the lock command to let users retain their session lock until users are reauthenticated.","description":"All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecure poses a potential security hazard. \n\nTo lock the terminal, use the lock command.","checkContent":"Check the system to determine if \"bos.rte.security\" is installed: \n\n# lslpp -L bos.rte.security\nFileset Level State Type Description (Uninstaller)\n ----------------------------------------------------------------------------\n bos.rte.security 7.2.1.1 C F Base Security Function\n\nIf the \"bos.rte.security\" fileset is not installed, this is a finding. \n\nCheck if lock command exist using the following command:\n# ls /usr/bin/lock\n\nThe above command should display the following:\n/usr/bin/lock\n\nIf the above command does not show that \"/usr/bin/lock\" exists, this is a finding.","fixText":"Install \"bos.rte.security\" fileset from the AIX DVD Volume 1 using the following command (assuming that the DVD device is mounted to /dev/cd0):\n\n# installp -aXYgd /dev/cd0 -e /tmp/install.log bos.rte.security","ccis":["CCI-000056"]},{"vulnId":"V-215188","ruleId":"SV-215188r958400_rule","severity":"medium","ruleTitle":"AIX must provide xlock command in the CDE environment to let users retain their sessions lock until users are reauthenticated.","description":"All systems are vulnerable if terminals are left logged in and unattended. Leaving system terminals unsecure poses a potential security hazard.\n\nIf the interface is AIXwindows (CDE), use the xlock command to lock the sessions.","checkContent":"If AIX CDE (X11) is not used, this is Not Applicable.\n\nCheck the system to determine if \"X11.apps.clients\" is installed: \n# lslpp -L X11.apps.clients\n\nIf the \"X11.apps.clients\" fileset is not installed, this is a finding. \n\nCheck if \"xlock\" command exists using the following command:\n# ls /usr/bin/X11/xlock\n\nThe above command should display the following:\n/usr/bin/X11/xlock\n\nIf the above command does not show that \"/usr/bin/X11/xlock\" exists, this is a finding.","fixText":"Install \"X11.apps.clients\" fileset from the AIX DVD Volume 1 using the following command (assuming that the DVD is mounted to/dev/cd0):\n\n# installp -aXYgd /dev/cd0 -e /tmp/install.log X11.apps.clients","ccis":["CCI-000056"]},{"vulnId":"V-215189","ruleId":"SV-215189r991589_rule","severity":"medium","ruleTitle":"AIX system must prevent the root account from directly logging in except from the system console.","description":"Limiting the root account direct logins to only system consoles protects the root account from direct unauthorized access from a non-console device.\n\nA common attack method of potential hackers is to obtain the root password.\n\nTo avoid this type of attack, disable direct access to the root ID and then require system administrators to obtain root privileges by using the su - command. In addition to permitting removal of the root user as a point of attack, restricting direct root access permits monitoring which users gained root access, as well as the time of their action. Do this by viewing the /var/adm/sulog file. Another alternative is to enable system auditing, which will report this type of activity.\n\nTo disable remote login access for the root user, edit the /etc/security/user file. Specify False as the rlogin value on the entry for root.","checkContent":"Check the remote login ability of the root account using command: \n# lsuser -a rlogin root \nroot rlogin=false\n\nIf the \"rlogin\" value is not \"false\", this is a finding.","fixText":"From the command prompt, run the following command to set \"rlogin=false\" for the root stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s root -a rlogin=false","ccis":["CCI-000366"]},{"vulnId":"V-215190","ruleId":"SV-215190r991589_rule","severity":"medium","ruleTitle":"All AIX public directories must be owned by root or an application account.","description":"If a public directory has the sticky bit set and is not owned by a privileged UID, unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.","checkContent":"Check the ownership of all public directories using command: \n# find / -type d -perm -1002 -exec ls -ld {} \\; \n\nIf any public directory is not owned by \"root\" or an application user, this is a finding.","fixText":"Use the following command to change the owner to \"root\" for public directories:\n# chown root [public_dir]","ccis":["CCI-000366"]},{"vulnId":"V-215191","ruleId":"SV-215191r991589_rule","severity":"medium","ruleTitle":"AIX administrative accounts must not run a web browser, except as needed for local service administration.","description":"If a web browser flaw is exploited while running as a privileged user, the entire system could be compromised. \n\nSpecific exceptions for local service administration should be documented in site-defined policy. These exceptions may include HTTP(S)-based tools used for the administration of the local system, services, or attached devices. Examples of possible exceptions are HP’s System Management Homepage (SMH), the CUPS administrative interface, and Sun's StorageTek Common Array Manager (CAM) when these services are running on the local system.","checkContent":"Inspect the root account home directory for a \".netscape\" or a \".mozilla\" directory using the following commands: \n# find /root -name .netscape\n# find /root -name .mozilla\n\nIf none exists, this is not a finding. \n\nIf a file exists, verify with the root users and the ISSO the intent of the browsing.\n\nIf a file exists and use of a web browser has not been authorized, this is a finding.","fixText":"Enforce policy requiring administrative accounts use web browsers only for local service administration.","ccis":["CCI-000366"]},{"vulnId":"V-215192","ruleId":"SV-215192r991589_rule","severity":"medium","ruleTitle":"AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.","description":"To centralize the management of privileged account crontabs, of the default system accounts, only root may have a crontab.","checkContent":"Check the \"cron.allow\" and \"cron.deny\" files for the system using commands:\n# more /var/adm/cron/cron.allow \n# more /var/adm/cron/cron.deny \n\nIf the \"cron.allow\" file exists and is empty, this is a finding.\n\nIf a default system account (such as bin, sys, adm, or lpd) is listed in the \"cron.allow\" file, or not listed in the \"cron.deny\" file, this is a finding.","fixText":"Remove default system accounts (such as bin, sys, adm, or lpd) from the \"cron.allow\" file, or add those accounts to the \"cron.deny\" file.","ccis":["CCI-000366"]},{"vulnId":"V-215193","ruleId":"SV-215193r991589_rule","severity":"medium","ruleTitle":"The AIX root account must not have world-writable directories in its executable search path.","description":"If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and inadvertently run by root with all of root's privileges.","checkContent":"Check for world-writable permissions on all directories in the root user's executable search path:\n\n# ls -ld `echo $PATH | sed \"s/:/ /g\"` \ndrwxr-xr-x 33 root system 8192 Nov 29 14:45 /etc\ndrwxr-xr-x 3 bin bin 256 Aug 11 2017 /sbin\ndrwxr-xr-x 4 bin bin 45056 Oct 31 12:59 /usr/bin\ndrwxr-xr-x 1 bin bin 16 Aug 11 2017 /usr/bin/X11\ndrwxr-xr-x 2 bin bin 4096 Aug 11 2017 /usr/java7_64/bin\ndrwxr-xr-x 4 bin bin 4096 Feb 17 2017 /usr/java7_64/jre/bin\ndrwxr-xr-x 8 bin bin 49152 Oct 31 12:59 /usr/sbin\ndrwxrwxr-x 2 bin bin 4096 Aug 11 2017 /usr/ucb\n\nIf any of the directories in the \"PATH\" variable are world-writable, this is a finding.","fixText":"For each world-writable path in root's executable search path, perform one of the following. \n\nRemove the world-writable permission on the directory. \n\nRun command: \n# chmod o-w \n\n-OR-\nRemove the world-writable directory from the executable search path. Identify and edit the initialization file referencing the world-writable directory and remove it from the PATH variable.","ccis":["CCI-000366"]},{"vulnId":"V-215194","ruleId":"SV-215194r991589_rule","severity":"medium","ruleTitle":"The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID.","description":"Reserved GIDs are typically used by system software packages. If non-system groups have GIDs in this range, they may conflict with system software, possibly leading to the group having permissions to modify system files.","checkContent":"From the command prompt, run the following command:\n\n# more /etc/passwd \nroot:!:0:0::/root:/usr/bin/ksh\ndaemon:!:1:1::/etc:\nbin:!:2:2::/bin:\nsys:!:3:3::/usr/sys:\nadm:!:4:4::/var/adm:\nnobody:!:4294967294:4294967294::/:\ninvscout:*:6:12::/var/adm/invscout:/usr/bin/ksh\nsrvproxy:*:203:0:Service Proxy Daemon:/home/srvproxy:/usr/bin/ksh\nesaadmin:*:7:0::/var/esa:/usr/bin/ksh\nsshd:*:212:203::/var/empty:/usr/bin/ksh\ndoejohn:*:704:1776::/home/doej:/usr/bin/ksh\n\nConfirm all accounts with a primary GID of 99 and below are used by a system account. \n\nIf a GID reserved for system accounts, 0 - 99, is used by a non-system account, this is a finding.","fixText":"Change the primary GID for non-system accounts that have reserved GIDs as their primary GIDs using the following command:\n# chuser pgrp= ","ccis":["CCI-000366"]},{"vulnId":"V-215195","ruleId":"SV-215195r991589_rule","severity":"medium","ruleTitle":"UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems.","description":"Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, possibly leading to the user having permissions to modify system files.","checkContent":"Check the UID assignments of all accounts using: \n\n# more /etc/passwd \nroot:!:0:0::/root:/usr/bin/ksh\ndaemon:!:1:1::/etc:\nbin:!:2:2::/bin:\nsys:!:3:3::/usr/sys:\nadm:!:4:4::/var/adm:\nnobody:!:4294967294:4294967294::/:\ninvscout:*:6:12::/var/adm/invscout:/usr/bin/ksh\nsrvproxy:*:203:0:Service Proxy Daemon:/home/srvproxy:/usr/bin/ksh\nesaadmin:*:7:0::/var/esa:/usr/bin/ksh\nsshd:*:212:203::/var/empty:/usr/bin/ksh\ndoej:*:704:1776::/home/doej:/usr/bin/ksh\n\nConfirm all accounts with a UID of 128 and below are used by a system account. \n\nIf a UID reserved for system accounts (0-128) is used by a non-system account, this is a finding.","fixText":"Using the \"usermod\" command, change the UID numbers for non-system accounts with reserved UIDs (those less or equal to 128): \n# usermod -u [user_name]","ccis":["CCI-000366"]},{"vulnId":"V-215196","ruleId":"SV-215196r991589_rule","severity":"medium","ruleTitle":"The AIX root accounts list of preloaded libraries must be empty.","description":"The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded.","checkContent":"Verify the \"LDR_PRELOAD\" environment variable is empty or not defined for the \"root\" user using command: \n# env | grep LDR_PRELOAD \n\nIf a path is returned, this is a finding.","fixText":"Edit the \"root\" user's initialization files and remove any definition of \"LDR_PRELOAD\".","ccis":["CCI-000366"]},{"vulnId":"V-215197","ruleId":"SV-215197r991591_rule","severity":"high","ruleTitle":"AIX must not have accounts configured with blank or null passwords.","description":"If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured without a password, the entire system may be compromised. For user accounts not using password authentication, the account must be configured with a password lock value instead of a blank or null value.","checkContent":"Verify no interactive accounts have blank passwords by running the following command: \n# pwdck -n ALL \n\nIf any interactive account with a blank password is found, this is a finding.","fixText":"Configure a password for any interactive account with a blank password by running the following command:\n# passwd [user_name]","ccis":["CCI-000366"]},{"vulnId":"V-215198","ruleId":"SV-215198r991592_rule","severity":"medium","ruleTitle":"The AIX root accounts home directory (other than /) must have mode 0700.","description":"Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.","checkContent":"Check the mode of the root home directory by running the following commands:\n# ls -ld `grep \"^root\" /etc/passwd | awk -F\":\" '{print $6}'`\n\nThe above command should yield the following output:\ndrwx------ 22 root system 4096 Sep 06 18:00 /root\n\nIf the mode of the directory is not equal to \"0700\", this is a finding.","fixText":"Use the following command to change protections for the root home directory: \n# chmod 0700 /root.","ccis":["CCI-000366"]},{"vulnId":"V-215199","ruleId":"SV-215199r991592_rule","severity":"medium","ruleTitle":"The AIX root accounts home directory must not have an extended ACL.","description":"Excessive permissions on root home directories allow unauthorized access to root user files.","checkContent":"Verify the \"root\" account's home directory has no extended ACL using command:\n\n# aclget ~root \n*\n* ACL_type AIXC\n*\nattributes:\nbase permissions\n owner(root): rwx\n group(system): ---\n others: ---\nextended permissions\n disabled\n\nIf extended permissions are enabled, the directory has an extended ACL, and this is a finding.","fixText":"Remove the extended ACL from the \"root\" account's home directory using command:\n# acledit ~root \n\nChange extended attributes to disabled.","ccis":["CCI-000366"]},{"vulnId":"V-215200","ruleId":"SV-215200r958390_rule","severity":"medium","ruleTitle":"AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","checkContent":"Check the herald is set to have the Standard Mandatory DoD Notice and Consent Banner:\n# lssec -f /etc/security/login.cfg -s default -a herald\n\nThe above command should display the herald setting like this:\ndefault herald=\"You are accessing a U.S. Government (USG) Information System (IS) that\\n\\ris provided for USG-authorized use only.\\n\\r\\n\\rBy using this IS (which includes any device attached to this IS), you\\n\\rconsent to the following conditions: \\n\\r\\n\\r-The USG routinely intercepts and monitors communications on this IS\\n\\rfor purposes including, but not limited to, penetration testing, COMSEC\\n\\rmonitoring, network operations and defense, personnel misconduct (PM),\\n\\rlaw enforcement (LE), and counterintelligence (CI) investigations. \\n\\r\\n\\r-At any time, the USG may inspect and seize data stored on this IS. \\n\\r\\n\\r-Communications using, or data stored on, this IS are not private, are\\n\\rsubject to routine monitoring, interception, and search, and may be\\n\\rdisclosed or used for any USG-authorized purpose. \\n\\r\\n\\r-This IS includes security measures (e.g., authentication and access\\n\\rcontrols) to protect USG interests--not for your personal benefit or\\n\\rprivacy. \\n\\r\\n\\r-Notwithstanding the above, using this IS does not constitute consent\\n\\rto PM, LE or CI investigative searching or monitoring of the content\\n\\rof privileged communications, or work product, related to personal\\n\\rrepresentation or services by attorneys, psychotherapists, or clergy,\\n\\rand their assistants. Such communications and work product are private\\n\\rand confidential. See User Agreement for details.\\n\\r\\n\\rlogin:\"\n\nIf the herald string is not set, or it does not contain the Standard Mandatory DoD Notice and Consent Banner listed above, this is a finding.","fixText":"From the command prompt, run the following command to set the DoD banner to herald for the default stanza in the \"/etc/security/login.cfg\" file:\n# chsec -f /etc/security/login.cfg -s default -a herald=\"You are accessing a U.S. Government (USG) Information System (IS) that\\n\\ris provided for USG-authorized use only.\\n\\r\\n\\rBy using this IS (which includes any device attached to this IS), you\\n\\rconsent to the following conditions: \\n\\r\\n\\r-The USG routinely intercepts and monitors communications on this IS\\n\\rfor purposes including, but not limited to, penetration testing, COMSEC\\n\\rmonitoring, network operations and defense, personnel misconduct (PM),\\n\\rlaw enforcement (LE), and counterintelligence (CI) investigations. \\n\\r\\n\\r-At any time, the USG may inspect and seize data stored on this IS. \\n\\r\\n\\r-Communications using, or data stored on, this IS are not private, are\\n\\rsubject to routine monitoring, interception, and search, and may be\\n\\rdisclosed or used for any USG-authorized purpose. \\n\\r\\n\\r-This IS includes security measures (e.g., authentication and access\\n\\rcontrols) to protect USG interests--not for your personal benefit or\\n\\rprivacy. \\n\\r\\n\\r-Notwithstanding the above, using this IS does not constitute consent\\n\\rto PM, LE or CI investigative searching or monitoring of the content\\n\\rof privileged communications, or work product, related to personal\\n\\rrepresentation or services by attorneys, psychotherapists, or clergy,\\n\\rand their assistants. Such communications and work product are private\\n\\rand confidential. See User Agreement for details.\\n\\r\\n\\rlogin:\"","ccis":["CCI-000048"]},{"vulnId":"V-215201","ruleId":"SV-215201r958390_rule","severity":"medium","ruleTitle":"The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","checkContent":"If AIX CDE (X11) is not used, this is Not Applicable.\n\nCheck if file \"/etc/dt/config/en_US/Xresources\" exists:\n# ls /etc/dt/config/en_US/Xresources \n\nIf the file does not exist, this is a finding.\n\nCheck if the \"Dtlogin*greeting.labelString\" is set to the Standard Mandatory DoD Notice and Consent Banner:\n# grep \"Dtlogin*greeting.labelString\" /etc/dt/config/en_US/Xresources\n\nThe above command should display the following:\nDtlogin*greeting.labelString: You are accessing a U.S. Government (USG) Information System (IS) that\\nis provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you\\nconsent to the following conditions: \\n\\n-The USG routinely intercepts and monitors communications on this IS\\nfor purposes including, but not limited to, penetration testing, COMSEC\\nmonitoring, network operations and defense, personnel misconduct (PM),\\nlaw enforcement (LE), and counterintelligence (CI) investigations. \\n\\n-At any time, the USG may inspect and seize data stored on this IS. \\n\\n-Communications using, or data stored on, this IS are not private, are\\nsubject to routine monitoring, interception, and search, and may be\\ndisclosed or used for any USG-authorized purpose. \\n\\n-This IS includes security measures (e.g., authentication and access\\ncontrols) to protect USG interests--not for your personal benefit or\\nprivacy. \\n\\n-Notwithstanding the above, using this IS does not constitute consent\\nto PM, LE or CI investigative searching or monitoring of the content\\nof privileged communications, or work product, related to personal\\nrepresentation or services by attorneys, psychotherapists, or clergy,\\nand their assistants. Such communications and work product are private\\nand confidential. See User Agreement for details. \n\nIf the \"Dtlogin*greeting.labelString\" variable is not set, or the label string does not contain the Standard Mandatory DoD Notice and Consent Banner, this is a finding.","fixText":"Edit the \"Xresources\" file to configure the system to display one of the DoD login banners (based on the character limitations imposed by the system) prior to, or as part of, the graphical desktop environment login process. \n\nFor \"Dtlogin\", change the variable \"Dtlogin*greeting.labelString:\" in \"Xresources\" file. \n\n# cp /usr/dt/config/C/Xresources /etc/dt/config/en_US/Xresources \n\n# vi /etc/dt/config/en_US/Xresources\n\nSet variable \"Dtlogin*greeting.labelString\" as the following:\nDtlogin*greeting.labelString: You are accessing a U.S. Government (USG) Information System (IS) that\\nis provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you\\nconsent to the following conditions: \\n\\n-The USG routinely intercepts and monitors communications on this IS\\nfor purposes including, but not limited to, penetration testing, COMSEC\\nmonitoring, network operations and defense, personnel misconduct (PM),\\nlaw enforcement (LE), and counterintelligence (CI) investigations. \\n\\n-At any time, the USG may inspect and seize data stored on this IS. \\n\\n-Communications using, or data stored on, this IS are not private, are\\nsubject to routine monitoring, interception, and search, and may be\\ndisclosed or used for any USG-authorized purpose. \\n\\n-This IS includes security measures (e.g., authentication and access\\ncontrols) to protect USG interests--not for your personal benefit or\\nprivacy. \\n\\n-Notwithstanding the above, using this IS does not constitute consent\\nto PM, LE or CI investigative searching or monitoring of the content\\nof privileged communications, or work product, related to personal\\nrepresentation or services by attorneys, psychotherapists, or clergy,\\nand their assistants. Such communications and work product are private\\nand confidential. See User Agreement for details. \n\nSave the above change to \"Xresources\" file.","ccis":["CCI-000048"]},{"vulnId":"V-215202","ruleId":"SV-215202r958390_rule","severity":"medium","ruleTitle":"The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","checkContent":"Check if file \"/etc/motd.ssh\" exists:\n# ls /etc/motd.ssh\n\nIf the file does not exist, this is a finding.\n\nCheck if \"/etc/motd.ssh\" contains The Standard Mandatory DoD Notice and Consent Banner:\n# cat /etc/motd.ssh\n\nThe above command should display the following Standard Mandatory DoD Notice and Consent Banner:\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. \n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions: \n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \n\n-At any time, the USG may inspect and seize data stored on this IS. \n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. \n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. \n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\" \n\nIf the Standard Mandatory DoD Notice and Consent Banner is not displayed by the \"cat\" command, this is a finding.\n\nCheck if /etc/motd.ssh is used as banner file in SSH config file:\n# grep -i \"Banner /etc/motd.ssh\" /etc/motd.ssh\n\nIf the above grep command does not find \"Banner /etc/motd.ssh\" in the \"/etc/motd.ssh\" file, this is a finding.","fixText":"Create file \"/etc/motd.ssh\" to contain the following:\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nModify \"/etc/ssh/sshd_config\" to contain the following line:\nBanner /etc/motd.ssh\n\nRestart the SSH daemon by running the following commands:\n# stopsrc -s sshd\n# startsrc -s sshd","ccis":["CCI-000048"]},{"vulnId":"V-215203","ruleId":"SV-215203r958586_rule","severity":"medium","ruleTitle":"Any publically accessible connection to AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.","description":"Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","checkContent":"Check the herald is set to have the Standard Mandatory DoD Notice and Consent Banner:\n# lssec -f /etc/security/login.cfg -s default -a herald\n\nThe above command should display the herald setting like this:\ndefault herald=\"You are accessing a U.S. Government (USG) Information System (IS) that\\n\\ris provided for USG-authorized use only.\\n\\r\\n\\rBy using this IS (which includes any device attached to this IS), you\\n\\rconsent to the following conditions: \\n\\r\\n\\r-The USG routinely intercepts and monitors communications on this IS\\n\\rfor purposes including, but not limited to, penetration testing, COMSEC\\n\\rmonitoring, network operations and defense, personnel misconduct (PM),\\n\\rlaw enforcement (LE), and counterintelligence (CI) investigations. \\n\\r\\n\\r-At any time, the USG may inspect and seize data stored on this IS. \\n\\r\\n\\r-Communications using, or data stored on, this IS are not private, are\\n\\rsubject to routine monitoring, interception, and search, and may be\\n\\rdisclosed or used for any USG-authorized purpose. \\n\\r\\n\\r-This IS includes security measures (e.g., authentication and access\\n\\rcontrols) to protect USG interests--not for your personal benefit or\\n\\rprivacy. \\n\\r\\n\\r-Notwithstanding the above, using this IS does not constitute consent\\n\\rto PM, LE or CI investigative searching or monitoring of the content\\n\\rof privileged communications, or work product, related to personal\\n\\rrepresentation or services by attorneys, psychotherapists, or clergy,\\n\\rand their assistants. Such communications and work product are private\\n\\rand confidential. See User Agreement for details.\\n\\r\\n\\rlogin:\"\n\nIf the herald string is not set, or it does not contain the Standard Mandatory DoD Notice and Consent Banner listed above, this is a finding.","fixText":"From the command prompt, run the following command to set the DoD banner to herald for the default stanza in /etc/security/login.cfg:\n\n# chsec -f /etc/security/login.cfg -s default -a herald=\"You are accessing a U.S. Government (USG) Information System (IS) that\\n\\ris provided for USG-authorized use only.\\n\\r\\n\\rBy using this IS (which includes any device attached to this IS), you\\n\\rconsent to the following conditions: \\n\\r\\n\\r-The USG routinely intercepts and monitors communications on this IS\\n\\rfor purposes including, but not limited to, penetration testing, COMSEC\\n\\rmonitoring, network operations and defense, personnel misconduct (PM),\\n\\rlaw enforcement (LE), and counterintelligence (CI) investigations. \\n\\r\\n\\r-At any time, the USG may inspect and seize data stored on this IS. \\n\\r\\n\\r-Communications using, or data stored on, this IS are not private, are\\n\\rsubject to routine monitoring, interception, and search, and may be\\n\\rdisclosed or used for any USG-authorized purpose. \\n\\r\\n\\r-This IS includes security measures (e.g., authentication and access\\n\\rcontrols) to protect USG interests--not for your personal benefit or\\n\\rprivacy. \\n\\r\\n\\r-Notwithstanding the above, using this IS does not constitute consent\\n\\rto PM, LE or CI investigative searching or monitoring of the content\\n\\rof privileged communications, or work product, related to personal\\n\\rrepresentation or services by attorneys, psychotherapists, or clergy,\\n\\rand their assistants. Such communications and work product are private\\n\\rand confidential. See User Agreement for details.\\n\\r\\n\\rlogin:\"","ccis":["CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"]},{"vulnId":"V-215204","ruleId":"SV-215204r987796_rule","severity":"high","ruleTitle":"IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server.","description":"While LDAP client's authentication type is ldap_auth (server-side authentication), the client sends password to the server in clear text for authentication. SSL must be used in this case.","checkContent":"Run the following command to check if \"authtype\" is \"ldap_auth\":\n# grep -iE \"^authtype:[[:blank:]]*ldap_auth\" /etc/security/ldap/ldap.cfg\n\nThe above command should yield the following output:\nauthtype:ldap_auth\n\nRun the following command to check if SSL is not used in the \"/etc/security/ldap/ldap.cfg\" file:\n# grep -iE \"^useSSL:[[:blank:]]*yes\" /etc/security/ldap/ldap.cfg\n\nThe above command should yield the following output:\nuseSSL:yes\n\nIf the first command displays \"authtype:ldap_auth\" but the second command does not display \"useSSL:yes\", this is a finding.","fixText":"Edit the \"/etc/security/ldap/ldap.cfg\" file to have the following line:\nuseSSL:yes\n\nConfigure the LDAP server and LDAP client to use the SSL according to AIX LDAP documentation.\n\nRestart the client daemon:\n# restart-secldapclntd","ccis":["CCI-000197"]},{"vulnId":"V-215205","ruleId":"SV-215205r958828_rule","severity":"medium","ruleTitle":"If LDAP authentication is required, AIX must setup LDAP client to refresh user and group caches less than a day.","description":"If cached authentication information is out-of-date, the validity of the authentication information may be questionable.","checkContent":"If LDAP authentication is not required, this is Not Applicable.\n\nVerify the \"/etc/security/ldap/ldap.cfg\" file to see if the following two keywords have a value that is greater than \"900\" seconds:\n\n# grep -i usercachetimeout /etc/security/ldap/ldap.cfg\nusercachetimeout: 900\n\n# grep -i groupcachetimeout /etc/security/ldap/ldap.cfg\ngroupcachetimeout: 900\n\nIf any of the above keywords does not exist, is commented out, or any value of the above keywords are greater than \"900\", this is a finding.","fixText":"Edit the \"/etc/security/ldap/ldap.cfg\" file to set the following two keywords to have value of \"900\":\nusercachetimeout\ngroupcachetimeout\n\nRestart LDAP client using command:\n# /usr/sbin/restart-secldapclntd","ccis":["CCI-002007"]},{"vulnId":"V-215206","ruleId":"SV-215206r991589_rule","severity":"medium","ruleTitle":"The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups.","description":"A plus (+) in system accounts files causes the system to lookup the specified entry using NIS. If the system is not using NIS, no such entries should exist.","checkContent":"Check system configuration files for plus (+) entries using the following commands:\n\n# cat /etc/passwd | grep -v \"^#\" | grep \"\\+\" \n\n# cat /etc/security/passwd | grep -v \"^#\" | grep \"\\+\" \n\n# cat /etc/group | grep -v \"^#\" | grep \"\\+\" \n\nIf the \"/etc/passwd\", \"/etc/security/passwd\", and/or \"/etc/group\" files contain a plus (+) and do not define entries for NIS+ netgroups or LDAP netgroups, this is a finding.","fixText":"Edit \"/etc/passwd\", \"/etc/security/passwd\", and/or \"/etc/group\" files and remove entries containing a plus (+).","ccis":["CCI-000366"]},{"vulnId":"V-215207","ruleId":"SV-215207r958552_rule","severity":"medium","ruleTitle":"AIX must protect the confidentiality and integrity of all information at rest.","description":"Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system.\n\nThis requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.","checkContent":"If the organization does not require to encrypt the data at rest this is Not Applicable.\n\nCheck if the \"clic.rte\" fileset is installed:\n# lslpp -l |grep clic\n\nThe above command should yield the following output:\n clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel\n clic.rte.lib 4.10.0.1 COMMITTED CryptoLite for C Library\n clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel\n\nIf the \"clic.rte\" fileset is not installed, this is a finding.\n\nTo check if a JFS2 file system (mounted as /fs2_mnt) is EFS-enabled, use the following command:\n\n# lsfs -q /fs2_mnt\n\nName Nodename Mount Pt VFS Size Options Auto Accounting\n/dev/fslv00 -- /fs2_mnt jfs2 262144 -- no no \n (lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: no, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no)\n\nIf the above command shows \"EFS: no\", this is a finding.","fixText":"Install \"clic.rte\" fileset if it is not installed using command:\n# installp -aXYqg -d /dev/cd0 clic.rte\n\nRun the follow command to initialize and enable EFS on the system:\n# efsenable -a\n\nTo create a new EFS-enabled JFS2 file system and mount the file system, using the following commands:\n# crfs -v jfs2 -g rootvg -m /fs2 -a size=100M -a efs=yes\n# mount /fs2\n\nTo enable EFS on a JFS2 file system (like, /fs3), run the following command:\nchfs -a efs=yes /fs3","ccis":["CCI-001199"]},{"vulnId":"V-215208","ruleId":"SV-215208r1038944_rule","severity":"medium","ruleTitle":"AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours.","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).\n\nSatisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144","checkContent":"Check if time synchronization application \"ntpd\" is running using the command:\n\n# lssrc -s xntpd\nSubsystem Group PID Status \n xntpd tcpip 4784536 active\n\nIf \"ntpd\" is showing \"inoperative\", this is a finding.\n\nCheck that \"ntp\" server is configured using command: \n\n# grep server /etc/ntp.conf\nserver 10.110.20.10\n\nIf the command returns no output, this is a finding.\n\nCheck the poll interval is less than 24 hours using command:\n\n# grep maxpoll /etc/ntp.conf\nmaxpoll=16\n\nIf \"maxpoll\" is set to larger than \"16\" (2^16 seconds ~= 18hr), this is a finding.","fixText":"Edit /etc/ntp.conf\n\nConfigure ntp server by adding the following line:\nserver server_ipaddr\n\nSet maxpoll to <=16 by adding the maxpoll .\n\nRestart the ntp daemon.\n\n# stopsrc -s xntpd\n# startsrc -s xntpd","ccis":["CCI-004923","CCI-004926","CCI-001891","CCI-002046"]},{"vulnId":"V-215209","ruleId":"SV-215209r991589_rule","severity":"medium","ruleTitle":"All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions.","description":"When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to provide the appropriate level of non-privileged access.","checkContent":"Check if the \"anon\" option is set correctly for exported file systems. \n\nList exported file systems using command: \n\n# exportfs -v \n/home/doej rw,anon=-1,access=doej\n\nNote: Each of the exported file systems should include an entry for the \"anon=\" option set to \"-1\" or an equivalent (60001, 60002, 65534, or 65535). \n\nIf an appropriate \"anon=\" setting is not present for an exported file system, this is a finding.","fixText":"Edit \"/etc/exports\" and set the \"anon=-1\" option for all exported file systems without it. \n\nRe-export the file systems using command: \n# exportfs -a","ccis":["CCI-000366"]},{"vulnId":"V-215210","ruleId":"SV-215210r991589_rule","severity":"medium","ruleTitle":"AIX nosuid option must be enabled on all NFS client mounts.","description":"Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users with unprivileged access to the local system may be able to acquire privileged access by executing suid or sgid files located on the mounted NFS file system.","checkContent":"Check the system for NFS mounts not using the \"nosuid\" option using command: \n\n# lsfs -v nfs \nName Nodename Mount Pt VFS Size Options Auto Accounting\n/home/doej -- /mount/doej nfs 786432 -- yes no\n\nIf the \"mounted\" file systems do not have the \"nosuid option\", this is a finding.","fixText":"Edit \"/etc/filesystems\" and add the \"nosuid\" option for all NFS file systems. \n\nRemount the NFS file systems to make the change take effect.","ccis":["CCI-000366"]},{"vulnId":"V-215211","ruleId":"SV-215211r1009534_rule","severity":"medium","ruleTitle":"AIX must be configured to allow users to directly initiate a session lock for all connection types.","description":"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity.","checkContent":"Check if the \"lock\" command exists by using the following command:\n# ls /usr/bin/lock\n\nThe above command should display the following:\n/usr/bin/lock\n\nIf the above command does not show that \"/usr/bin/lock\" exists, this is a finding.\n\nCheck if the \"xlock\" command exists by using the following command:\n# ls /usr/bin/X11/xlock\n\nThe above command should display the following:\n/usr/bin/X11/xlock\n\nIf the above command does not show that \"/usr/bin/xlock\" exists, this is a finding.","fixText":"Install, or re-install, bos.rte.security fileset from the AIX DVD Volume 1 using the following command (assuming that the DVD device is /dev/cd0):\n# installp -aXYgd /dev/cd0 -e /tmp/install.log bos.rte.security","ccis":["CCI-000057","CCI-000058"]},{"vulnId":"V-215212","ruleId":"SV-215212r958404_rule","severity":"medium","ruleTitle":"AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image.","description":"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed.\n\nPublicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.","checkContent":"If CDE (X11) is not used on AIX, this is Not Applicable.\n\nEnsure that the screen saver and session timeout are not disabled.\n\nFrom the command prompt, run the following script:\n\n# AIX7-00-001101_Check.sh\n\nNote: This script is included in the STIG package.\n\nThe above script should yield the following output:\n\nChecking config file /etc/dt/config/C/sys.resources...\nMissing config file /etc/dt/config/C/sys.resources\n\nChecking config file /etc/dt/config/POSIX/sys.resources...\ndtsession*saverTimeout: 15\ndtsession*lockTimeout: 30\n\nChecking config file /etc/dt/config/en_US/sys.resources...\ndtsession*saverTimeout: 15\ndtsession*lockTimeout: 25\n\nIf the result of the script shows any config file missing, or any of the \"dtsession*saverTimeout\" or \"dtsession*lockTimeout\" values is greater than \"15\", this is a finding.","fixText":"From the command prompt, run the following script to set the default timeout parameters \"dtsession*saverTimeout:\" and \"dtsession*lockTimeout:\" as \"15\" minutes: \n\n# AIX7-00-001101_Fix.sh\n\nNote: This script is included in the STIG package.","ccis":["CCI-000060"]},{"vulnId":"V-215213","ruleId":"SV-215213r958510_rule","severity":"high","ruleTitle":"AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.","description":"If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data.\n\nSome maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system.\n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.","checkContent":"From the command prompt, execute the following to check if \"telnetd\" is enabled.\n# lssrc -t telnet | grep active\n\nIf the above command returns output, this is a finding.","fixText":"Disable telnet by executing the following command:\n# stopsrc -t telnet","ccis":["CCI-000877"]},{"vulnId":"V-215214","ruleId":"SV-215214r991554_rule","severity":"medium","ruleTitle":"If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.","description":"If LDAP authentication is used, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.","checkContent":"Run the following command to check if ldap_auth is used:\n\n# grep -iE \"^authtype:[[:blank:]]*ldap_auth\" /etc/security/ldap/ldap.cfg\n\nIf the command has no output, this is Not Applicable.\n\nRun the following command to check if SSL is used:\n\n# grep -iE \"^useSSL:[[:blank:]]*yes\" /etc/security/ldap/ldap.cfg\nuseSSL:yes\n\nIf the command has no output, this is a finding.","fixText":"Configure the LDAP client on AIX to use the SSL.\n\nEdit /etc/security/ldap/ldap.cfg to have the following line:\nuseSSL:yes\n\nRestart the client daemon:\n# secldapclntd.","ccis":["CCI-001453"]},{"vulnId":"V-215215","ruleId":"SV-215215r958868_rule","severity":"medium","ruleTitle":"AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.","checkContent":"Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd.\n\nCheck if the system is using LDAP authentication: \n\n# grep LDAP /etc/security/user \n\nIf no lines are returned, this requirement is not applicable. \n\nCheck if the useSSL option is enabled: \n\n# grep '^useSSL' /etc/security/ldap/ldap.cfg \nuseSSL:yes\n\nIf \"yes\" is not the returned value, this is a finding. \n\nVerify a certificate is used for client authentication to the server: \n\n# grep -i '^ldapsslkeyf' /etc/security/ldap/ldap.cfg \nldapsslkeyf:/tmp/key.kdb\n\nIf no line is found, this is a finding. \n\nIdentify the Key Database (KDB), and its password, by asking the ISSO/SA). \n\nIf no Key Database exists on the system, this is a finding.\n\nList the certificate issuer with IBM GSK:\n\n# gsk8capicmd -cert -list CA -db -pw \n\nMake note of the client Key Label: \n\n# gsk8capicmd -cert -details -showOID -db -pw -label \n\nIf the certificate is not issued by DoD PKI or a DoD-approved external PKI, this is a finding.\n\nThe IBM GSK Database should only have certificates for the client system and for the LDAP server. \n\nIf more certificates are in the key database than the LDAP server and the client, this is a finding.","fixText":"Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: gsk8capicmd (used below), gsk8capicmd_64 and gsk7cmd.\n\nCreate a key database with DoD PKI or DoD-approved certificate using one of the following commands: \n# gsk8capicmd -keydb -create -db -pw -type cms -stash\n\nEdit \"/etc/security/ldap/ldap.cfg\" and add or edit the \"ldapsslkeyf\" setting to reference a KDB file containing a client certificate issued by DoD PKI or a DoD-approved external PKI. \n\nInstall a certificate signed by a DoD PKI or a DoD-approved external PKI using the following command: \n# gsk8capicmd -cert -add -db -pw -file -label \n\nRemove un-needed CA certificates using one of the following commands: \n# gsk8capicmd -cert -delete -db -pw -label \n\nRestart LDAP client using command:\n# /usr/sbin/restart-secldapclntd","ccis":["CCI-002470"]},{"vulnId":"V-215216","ruleId":"SV-215216r971535_rule","severity":"medium","ruleTitle":"AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","description":"FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.\n\nUse of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. AIX must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nOpenSSL FIPS object module is a cryptographic module that is designed to meet the requirements for FIPS 140-2 validation by CMVP and is compatible with OpenSSL libraries. The 2.0.13 FIPS object module version has been FIPS validated and certified by CMVP for multiple AIX versions on Power 7 and Power 8 platforms under certificate #2398.\n\nIBM has released a FIPS capable OpenSSL (Fileset VRMF: 20.13.102.1000), which is OpenSSL 1.0.2j version with 2.0.13 object module. The fileset is available in Web Download Pack.\n\n\nSatisfies: SRG-OS-000120-GPOS-00061, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176","checkContent":"Run the following command to determine the version of OpenSSL that is installed:\n\n# lslpp -l | grep -i openssl\n openssl.base 20.13.704.1776 COMMITTED Open Secure Socket Layer\n\nIf the OpenSSL version is older than \"20.13.102.1000\", this is a finding.","fixText":"Use the following command to uninstall the old version of OpenSSL that is not FIPS 140-2 certified, then install OpenSSL VRMF 20.13.102.1000:\n# smitty install","ccis":["CCI-000803","CCI-002450"]},{"vulnId":"V-215217","ruleId":"SV-215217r1009535_rule","severity":"high","ruleTitle":"AIX must enforce password complexity by requiring that at least one upper-case character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"From the command prompt, run the following command to check the system default \"minupperalpha\" attribute value:\n# lssec -f /etc/security/user -s default -a minupperalpha\n\nThe above command should yield the following output:\ndefault minupperalpha=1\n\nIf the default \"minupperalpha\" value is not set, or its value is less than \"1\", this is a finding.\n\nFrom the command prompt, run the following command to check \"minupperalpha\" attribute value for all accounts:\n# lsuser -a minupperalpha ALL\n\nThe above command should yield the following output:\nroot minupperalpha=2\nuser2 minupperalpha=2\nuser3 minupperalpha=1\n\nIf any user's \"minupperalpha\" value is less than \"1\", this is a finding.","fixText":"From the command prompt, run the following command to set \"minupperalpha=1\" for the default stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s default -a minupperalpha=1\n\nFor each user who has \"minupperalpha=0\", set its \"minupperalpha\" to \"1\" by running the following command from command prompt:\n# chsec -f /etc/security/user -s [user_name] -a minupperalpha=1","ccis":["CCI-004066","CCI-000192"]},{"vulnId":"V-215218","ruleId":"SV-215218r1009536_rule","severity":"high","ruleTitle":"AIX must enforce password complexity by requiring that at least one lower-case character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"From the command prompt, run the following command to check the system default \"minloweralpha\" attribute value:\n# lssec -f /etc/security/user -s default -a minloweralpha\ndefault minloweralpha=1\n\nIf the \"default minloweralpha\" value is not set, or its value is less than \"1\", this is a finding.\n\nFrom the command prompt, run the following command to check \"minloweralpha\" attribute value for all accounts:\n# lsuser -a minloweralpha ALL\nroot minloweralpha=1\nuser2 minloweralpha=2\nuser3 minloweralpha=1\n\nIf any user's \"minloweralpha\" value is less than \"1\", this is a finding.","fixText":"From the command prompt, run the following command to set \"minloweralpha=1\" for the default stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s default -a minloweralpha=1\n\nFor each user who has \"minloweralpha=0\" set its \"minloweralpha\" to \"1\" by running the following command from command prompt:\n# chsec -f /etc/security/user -s [user_name] -a minloweralpha=1","ccis":["CCI-004066","CCI-000193"]},{"vulnId":"V-215219","ruleId":"SV-215219r1009537_rule","severity":"high","ruleTitle":"AIX must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"From the command prompt, run the following command to check the system default \"mindigit\" attribute value:\n# lssec -f /etc/security/user -s default -a mindigit\ndefault mindigit=1\n\nIf the default \"mindigit\" value is not set, or its value is less than \"1\", this is a finding.\n\nFrom the command prompt, run the following command to check mindigit attribute value for all accounts:\n# lsuser -a mindigit ALL\nroot mindigit=1\nuser2 mindigit=2\n\nIf any user's \"mindigit\" value is less than \"1\", this is a finding.","fixText":"From the command prompt, run the following command to set \"mindigit=1\" for the default stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s default -a mindigit=1\n\nFor each user who has \"mindigit=0\" set its \"mindigit\" to \"1\" by running the following command from command prompt:\n# chsec -f /etc/security/user -s [user_name] -a mindigit=1","ccis":["CCI-004066","CCI-000194"]},{"vulnId":"V-215220","ruleId":"SV-215220r1009538_rule","severity":"high","ruleTitle":"AIX must require the change of at least 50% of the total number of characters when passwords are changed.","description":"If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.\n\nIf the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters.","checkContent":"From the command prompt, run the following command to check the system default \"mindiff\" attribute value:\n# lssec -f /etc/security/user -s default -a mindiff\ndefault mindiff=8\n\nIf the default \"mindiff\" value is not set, or its value is less than \"8\", this is a finding.\n\nFrom the command prompt, run the following command to check \"mindiff\" attribute value for all accounts:\n# lsuser -a mindiff ALL\nroot mindiff=9\nuser1 mindiff=8\nuser2 mindiff=8\nuser3 mindiff=10\n\nIf any user's \"mindiff\" value is less than \"8\", this is a finding.","fixText":"From the command prompt, run the following command to set \"mindiff=8\" (assume that the password is at least 15-character long) for the default stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s default -a mindiff=8\n\nFor each user who has \"mindiff\" value less than \"8\", set its \"mindiff\" value to \"8\" by running the following command from command prompt:\n# chsec -f /etc/security/user -s [user_name] -a mindiff=8","ccis":["CCI-004066","CCI-000195"]},{"vulnId":"V-215221","ruleId":"SV-215221r987796_rule","severity":"high","ruleTitle":"AIX root passwords must never be passed over a network in clear text form.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"Determine if root has logged in over an unencrypted network connection: \n\n# last | grep \"root \" | egrep -v \"reboot|console\" | more \nroot pts/1 10.74.17.76 Jul 4 16:44 - 17:39 (00:54)\n\nNext, determine if the SSH daemon is running: \n\n# ps -ef |grep sshd \nroot 3670408 6029762 0 Jan 24 - 0:00 /usr/sbin/sshd\n\nIf root has logged in over the network and SSHD is not running, this is a finding.","fixText":"If OpenSSH server is not installed, install it from the from AIX DVD Volume 1 using the following command (assuming that the DVD device is /dev/cd0):\n# installp -aXYgd /dev/cd0 -e /tmp/install.log openssh.base.server\n\nStart SSH server if it is not started:\n# startsrc -s sshd\n\nEnable SSH on the system and use it for all remote connections used to attain root access. \n\nDisable direct root remote login:\n# chsec -f /etc/security/user -s root -a rlogin=false","ccis":["CCI-000197"]},{"vulnId":"V-215222","ruleId":"SV-215222r1009539_rule","severity":"medium","ruleTitle":"AIX Operating systems must enforce 24 hours/1 day as the minimum password lifetime.","description":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"From the command prompt, run the following command to check the system default \"minage\" attribute value:\n# lssec -f /etc/security/user -s default -a minage\ndefault minage=1\n\nIf the default \"minage\" value is not set, or its value is less than \"1\", this is a finding.\n\nFrom the command prompt, run the following command to check \"minage\" attribute value for all accounts:\n# lsuser -a minage ALL\nroot minage=1\nuser1 minage=1\nuser2 minage=2\n\nIf any user's \"minage\" value is less than \"1\", this is a finding.","fixText":"From the command prompt, run the following command to set \"minage=1\" for the default stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s default -a minage=1\n\nFor each user who has \"minage=0\" set its \"minage\" to \"1\" by running the following command from command prompt:\n# chsec -f /etc/security/user -s [user_name] -a minage=1","ccis":["CCI-004066","CCI-000198"]},{"vulnId":"V-215223","ruleId":"SV-215223r1038967_rule","severity":"medium","ruleTitle":"AIX Operating systems must enforce a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.","checkContent":"From the command prompt, run the following command to check the system default \"maxage\" attribute value:\n# lssec -f /etc/security/user -s default -a maxage\ndefault maxage=8\n\nIf the default \"maxage\" value is not set, or its value is great than \"8\", or its value is set to \"0\", this is a finding.\n\nFrom the command prompt, run the following command to check \"maxage\" attribute value for all accounts:\n# lsuser -a maxage ALL\nroot maxage=8\nuser1 maxage=8\nuser2 maxage=8\n\nIf any user does not have \"maxage\" set, or its \"maxage\" value is greater than \"8\", or its value is set to \"0\", this is a finding.","fixText":"From the command prompt, run the following command to set \"maxage=8\" (56 days) for the default stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s default -a maxage=8\n\nFor each user who has \"maxage\" value great than \"8\", set its \"maxage\" to \"8\" by running the following command from command prompt:\n# chsec -f /etc/security/user -s [user_name] -a maxage=8","ccis":["CCI-004066","CCI-000199"]},{"vulnId":"V-215225","ruleId":"SV-215225r1009541_rule","severity":"high","ruleTitle":"AIX must use Loadable Password Algorithm (LPA) password hashing algorithm.","description":"The default legacy password hashing algorithm, crypt(), uses only the first 8 characters from the password string, meaning the user's password is truncated to eight characters. If the password is shorter than 8 characters, it is padded with zero bits on the right.\n\nThe crypt() is a modified DES algorithm that is vulnerable to brute force password guessing attacks and also to cracking the DES-hashing algorithm by using techniques such as pre-computation. \n\nWith the Loadable Password Algorithm (LPA) framework release, AIX implemented a set of LPAs using MD5, SHA2, and Blowfish algorithms. These IBM proprietary password algorithms support a password longer than 8 characters and Unicode characters in passwords.","checkContent":"From the command prompt, run the following command to check system wide password algorithm:\n\n# lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm\nusw pwd_algorithm=ssha512\n\nIf the \"pwd_algorithm\" is not set to \"ssha512\", or \"ssha256\", this is a finding.","fixText":"From the command prompt, run the following command to set system wide password algorithm to \"ssha512\" so that it supports passwords longer than 8-character:\n# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512\n\nFor each users who have hashed passwords in \"/etc/security/passwd\" file that does not start with \"{ssha512}\", run passwd commands to reset the users' passwords so that they have to change their passwords in the next login:\n# passwd [user_name]","ccis":["CCI-004066","CCI-000205"]},{"vulnId":"V-215226","ruleId":"SV-215226r1009542_rule","severity":"high","ruleTitle":"AIX must enforce a minimum 15-character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"From the command prompt, run the following command to check the system default \"minlen\" attribute value:\n# lssec -f /etc/security/user -s default -a minlen\ndefault minlen=15\n\nIf the default \"minlen\" value is not set, or its value is less than \"15\", this is a finding.\n\nFrom the command prompt, run the following command to check \"minlen\" attribute value for all accounts:\n# lsuser -a minlen ALL\nroot minlen=15\nuser1 minlen=20\nuser2 minlen=15\nuser3 minlen=15\n\nIf any users have \"minlen\" value less than \"15\", this is a finding.","fixText":"From the command prompt, run the following command to set \"minlen=15\" for the default stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s default -a minlen=15\n\nFor each user who has \"minlen\" value less than \"15\", set its \"minlen\" to \"15\" by running the following command from command prompt:\n# chsec -f /etc/security/user -s [user_name] -a minlen=15","ccis":["CCI-004066","CCI-000205"]},{"vulnId":"V-215227","ruleId":"SV-215227r1009543_rule","severity":"medium","ruleTitle":"AIX must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.","checkContent":"Run the following command to check the system default value for \"minspecialchar\" attribute:\n# lssec -f /etc/security/user -s default -a minspecialchar\n\nThe above command should yield the following output:\ndefault minspecialchar=1\n\nIf the default value is \"0\", or the default value is empty, this is a finding.\n\nFrom the command prompt, run the following command to check \"minspecialchar\" attribute value for all accounts:\n# lsuser -a minspecialchar ALL\n\nThe above command should yield the following output:\nroot minspecialchar=1\nuser1 minspecialchar=1\nuser2 minspecialchar=2\nuser3 minspecialchar=1\n\nIf any account has \"minspecialchar=0\", or the \"minspecialchar\" value is not set, this is a finding.","fixText":"From the command prompt, run the following command to set \"minspecialchar=1\" for the default stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s default -a minspecialchar=1\n\nRun the following command to re-check \"minspecialchar\" values for all users:\n# lsuser -a minspecialchar ALL\n\nFor each user who has \"minspecialchar=0\", set its \"minspecialchar\" to \"1\" by running the following command from command prompt:\n# chsec -f /etc/security/user -s [user_name] -a minspecialchar=1","ccis":["CCI-004066","CCI-001619"]},{"vulnId":"V-215229","ruleId":"SV-215229r991587_rule","severity":"medium","ruleTitle":"AIX must prevent the use of dictionary words for passwords.","description":"If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.","checkContent":"From the command prompt, run the following command to check if the default \"dictionlist\" attribute is set:\n# lssec -f /etc/security/user -s default -a dictionlist\n\nThe above command should yield the following output:\ndictionlist=\"/etc/security/ice/dictionary/English\"\n\nIf the above command shows an empty string for default \"dictionlist\" attribute, this is a finding.\n\nFrom the command prompt, run the following command to check if \"dictionlist\" attribute is set for all users:\n# lsuser -a dictionlist ALL\n\nThe above command should yield the following output:\nroot dictionlist=/etc/security/ice/dictionary/English\ndaemon dictionlist=/etc/security/ice/dictionary/English\nbin dictionlist=/etc/security/ice/dictionary/English\nsys dictionlist=/etc/security/ice/dictionary/English\n\nIf any user's \"dictionlist\" attribute is empty, this is a finding.","fixText":"From the command prompt, run the following command to set \"dictionlist\" attribute for the default stanza in \"/etc/security/user\":\n# chsec -f /etc/security/user -s default -a dictionlist=\"/etc/security/ice/dictionary/English\"\n\nFrom the command prompt, run the following command to set \"dictionlist\" attribute for users who have an empty \"dictionlist\" attribute:\n# chsec -f /etc/security/user -s [user_name] -a dictionlist=\"/etc/security/ice/dictionary/English\"","ccis":["CCI-000366"]},{"vulnId":"V-215230","ruleId":"SV-215230r991589_rule","severity":"medium","ruleTitle":"The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.","description":"Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.","checkContent":"Verify that the system wide password algorithm is set to {ssha256} or {ssha512} by running the following command:\n\n# lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm\nusw pwd_algorithm=ssha512\n\nIf the \"pwd_algorithm\" is not set to \"ssha256\" or \"ssha512\", this is a finding.\n\nVerify no password hashes in /etc/passwd by running the following command: \n\n# cat /etc/passwd | cut -f2,2 -d\":\" \n!\n!\n!\n!\n*\n*\n*\n*\n\nIf there are password hashes present, this is a finding. \n\nVerify all password hashes in \"/etc/security/passwd\" begin with {ssha256} or {ssha512} by running commands: \n \n# cat /etc/security/passwd | grep password \n password = {ssha512}06$e58YOawe/7UhChqh$hZEWlP4040jarX1NeOujmcxd.7qerUvjW9lM9djJsDITtdjFvVpLX.r04xieOWrbH0qb0SJJ98a0tmgZBzPP..\n password = {ssha512}06$Y6ztvMxKGdITxPex$B81/GDTEPt0xwp.BX1VhY9mAPaWHXdNoLI9D0T6dBExgo6r87X0etnfjxWODT73.udrbAY.F4HzaBR68lN5/..\n password = {ssha512}06$iIXQQqs.mdGpC9Wu$cXSajikWYKAUacbF50FNlFgYYSgTklGf4uhXb1J/GyBGF5j5aWa4YG5Ah2uaAHv/Jmbmx.7yBm8iXz9Pz1LM..\n password = {ssha512}06$3Sw24rPVdqDFFCIl$d1dZs7GYmTXnD9i270SxozIBxN0pqq/bNn0YbyKeDq0o6Y.j9qfkeH373DwkHBWgrifNcgj/K0pVyzjMg6QN..\n\nIf any password hashes are present not beginning with {ssha256} or {ssha512}, this is a finding.","fixText":"Set the system wide password algorithm to \"ssha256\" or \"ssha512\" by running the following command:\n\n# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512\n\nChange the passwords for all accounts using non-compliant password hashes by running the following command: \n\n$ passwd [user_name]","ccis":["CCI-000366"]},{"vulnId":"V-215231","ruleId":"SV-215231r991589_rule","severity":"medium","ruleTitle":"If SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf config file.","description":"Use default SNMP password increases the chance of security vulnerability on SNMP service.","checkContent":"Inspect \"/etc/snmpd.conf\" to find all the passwords that are used in the config file:\n\n# grep -v \"^#\" /etc/snmpd.conf | grep -E \"public|private|password\"\n\nIf any results are returned, default passwords are being used and this is a finding.","fixText":"Edit \"/etc/snmpd.conf\" config file to remove or change all the default passwords that are used in the file.\n\nRestart snmpd:\n# stopsrc -s snmpd\n# startsrc -s snmpd","ccis":["CCI-000366"]},{"vulnId":"V-215232","ruleId":"SV-215232r991589_rule","severity":"medium","ruleTitle":"AIX must require passwords to contain no more than three consecutive repeating characters.","description":"Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.","checkContent":"Check system default for \"maxrepeats\" attribute:\n# lssec -f /etc/security/user -s default -a maxrepeats\ndefault maxrepeats=3\n\nIf the default \"maxrepeats\" is greater than \"3\", or its value is not set, or its value is set to \"0\", this is a finding.\n\nCheck the \"maxrepeats\" setting for all users using:\n# lsuser -a maxrepeats ALL\n\nThe above command should yield the following output:\nroot maxrepeats=3\ndaemon maxrepeats=3\nbin maxrepeats=3\nsys maxrepeats=3\n\nIf the \"maxrepeats\" setting for any user is greater than \"3\", or its value is set to \"0\", this is a finding.","fixText":"Use the \"chsec\" command to set \"maxrepeats\" to \"3\" for the default stanza:\n# chsec -f /etc/security/user -s default -a maxrepeats=3 \n\nUse the \"chsec\" command to set \"maxrepeats\" to \"3\" for all the users who have \"maxrepeats\" values that are greater than \"3\", or its value is set to \"0\":\n# chuser maxrepeats=3 [user_name]","ccis":["CCI-000366"]},{"vulnId":"V-215233","ruleId":"SV-215233r958672_rule","severity":"high","ruleTitle":"AIX must be able to control the ability of remote login for users.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nOperating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"For users who are authorized to remote login through SSH, etc., this is Not Applicable.\n\nAsk ISSO/SA to obtain a list of users who are not authorized to remotely log in to AIX system.\n\nFrom the command prompt, run the following command to check if remote login is disabled for all individual users who are not authorized to remotely login to AIX:\n# lsuser -a rlogin ALL\nroot rlogin=true\ndaemon rlogin=true\nbin rlogin=true\nsys rlogin=true\nadm rlogin=true\n\nIf \"rlogin=true\" for any user who should not login remotely, this is a finding.","fixText":"From the command prompt, run the following command to set \"rlogin=false\" for all users (user_name) who are not authorized to login remotely:\n# chsec -f /etc/security/user -s [user_name] -a rlogin=false","ccis":["CCI-002314"]},{"vulnId":"V-215234","ruleId":"SV-215234r1184573_rule","severity":"medium","ruleTitle":"NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs.","description":"The nosuid mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system not containing approved setuid files. Executing setuid files from untrusted file systems, or file systems not containing approved setuid files, increases the opportunity for unprivileged users to attain unauthorized administrative access.","checkContent":"Obtain a list of NFS file systems that contain approved \"setuid\" or \"setgid\" files from the information system security officer (ISSO)/information system security officer (ISSM).\n\nCheck the \"nosuid\" mount option is used on all NFS file systems that do not contain approved \"setuid\" or \"setgid\" files: \n# mount | grep -E \"options|nfs|---\"\n node mounted mounted over vfs date options \n-------- --------------- --------------- ------ ------------ --------------- \nnfs.example.com /path/to/directory1 /mnt_1 nfs3 Nov 05 14:11 ro,bg,hard,intr,nosuid,sec=sys\nnfs.example.com /path/to/directory2 /mnt_2 nfs3 Nov 05 14:12 ro,bg,hard,intr,sec=sys\n\nIf the NFS mounts do not show the \"nosuid\" setting in their \"options\" fields, along with other mount options, this is a finding.","fixText":"For each NFS file systems that does not contain approved \"setuid\" or \"setgid\" files, add the \"nosuid\" option, along with other mount options, to the \"options\" field in \"/etc/filesystems\" using the following command:\n# chfs -a options=ro,bg,hard,intr,nosuid,sec=sys \n\nNote that the other mount options (other than the nosuid options) may be different among NFS mounts.","ccis":["CCI-002233"]},{"vulnId":"V-215235","ruleId":"SV-215235r991589_rule","severity":"medium","ruleTitle":"AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option.","description":"The nodev (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system not containing approved device files. Device files can provide direct access to system hardware and can compromise security if not protected.","checkContent":"Identify any file system mounted from removable media, network shares, or file systems not containing any approved device files:\n\n# cat /etc/filesystems\n\n/:\n\n dev = /dev/hd4\n vfs = jfs2\n log = /dev/hd8\n mount = automatic\n check = false\n type = bootfs\n vol = root\n free = true\n\n/home:\n\n dev = /dev/hd1\n vol = \"/home\"\n mount = true\n check = true\n free = false\n vfs = jfs2\n log = /dev/hd8\n\n10.17.76.74:/opt/nfs /home/doejohn\n\n vfs = nfs\n log = /dev/hd8\n mount = true\n options = nodev \n account = false\n\nIf any file system mounted from removable media, network shares, or file systems not containing any approved device files is not using the \"nodev\" option, this is a finding.","fixText":"Edit \"/etc/filesystems\" and add the \"options = nodev\" to all entries for remote or removable media file systems, and file systems containing no approved device files.","ccis":["CCI-000366"]},{"vulnId":"V-215236","ruleId":"SV-215236r958412_rule","severity":"medium","ruleTitle":"AIX must produce audit records containing information to establish what the date, time, and type of events that occurred.","description":"Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in AIX audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016","checkContent":"Check if audit is turned on by running the following command:\n\n# audit query | grep -i auditing\nauditing on\n\nThe command should yield the following output:\nauditing on\n\nIf the command shows \"auditing off\", this is a finding.\n\nThe log file can be set by the \"trail\" variable in /etc/security/audit/config.\n# grep trail /etc/security/audit/config\n trail = /audit/trail\n\nNote: The default log file is \"/audit/trail\".\n\nUse the following command to display the audit events:\n\n# /usr/sbin/auditpr -i -helRtcp \n\nevent login status time command process \n--------------- -------- ----------- ------------------------ ------------------------------- -------- \nPROC_Delete root OK Wed Oct 31 23:01:37 2018 audit 9437656 \nFILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 \nFILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 \nFILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 \nFILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 \nPROC_Create root OK Wed Oct 31 23:01:44 2018 ksh 12976466 \nFILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658 \nFILE_Open root OK Wed Oct 31 23:01:44 2018 ksh 9437658 \nFILE_Read root OK Wed Oct 31 23:01:44 2018 ksh 9437658 \nFILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658 \nPROC_Execute root OK Wed Oct 31 23:01:44 2018 ls 9437658 \nFILE_Open root OK Wed Oct 31 23:01:44 2018 ls 9437658 \n\nIf event type is not displayed, this is a finding. \n\nMore information on the command options used above: \n -e the audit event.\n -l the login name of the user.\n -R the audit status.\n -t the time the record was written.\n -c the command name.\n -p the process ID.","fixText":"Reset the audit system with the following command:\n# /usr/sbin/audit shutdown\n\nStart the audit system with the following command:\n# /usr/sbin/audit start","ccis":["CCI-000130","CCI-000131"]},{"vulnId":"V-215237","ruleId":"SV-215237r958416_rule","severity":"medium","ruleTitle":"AIX must produce audit records containing information to establish where the events occurred.","description":"Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as operating system components, modules, device identifiers, node names, file names, and functionality.\n\nAssociating information about where the event occurred within AIX provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.","checkContent":"Verify audit event detailed information is displayed:\n\nThe log file can be set by the \"trail\" variable in /etc/security/audit/config.\n\n# grep trail /etc/security/audit/config\n trail = /audit/trail\n\nNote: The default log file is /audit/trail.\n\nUse the following command to display the audit events:\n\n# /usr/sbin/auditpr -i -v\n\nevent login status time command \n wpar name \n--------------- -------- ----------- ------------------------ ------------------\n------------- ------------------------- \nFS_Chdir root OK Sat Aug 26 19:31:37 2017 ps \n Global \n change current directory to: /dev\nFS_Chdir root OK Sat Aug 26 19:31:47 2017 ps \n Global \n change current directory to: /dev\nFS_Chdir root OK Sat Aug 26 19:31:57 2017 ps \n Global \n change current directory to: /dev\nFS_Chdir root OK Sat Aug 26 19:32:07 2017 ps \n Global \n change current directory to: /dev\nFS_Chdir root OK Sat Aug 26 19:32:17 2017 ps \n Global \n change current directory to: /dev\n\nIf event detailed information is not displayed, this is a finding. \nMore information on the command options used above:\n - v detailed information for the event","fixText":"Reset the audit system with the following command:\n# /usr/sbin/audit shutdown\n\nStart the audit system with the following command:\n# /usr/sbin/audit start","ccis":["CCI-000132"]},{"vulnId":"V-215238","ruleId":"SV-215238r958418_rule","severity":"medium","ruleTitle":"AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event.","description":"Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nWithout information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.\nIn addition to logging where events occur within AIX, AIX must also generate audit records that identify sources of events. Sources of operating system events include, but are not limited to, processes and services.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event.\n\nSatisfies: SRG-OS-000040-GPOS-00018, SRG-OS-000255-GPOS-00096","checkContent":"Verify the audit event \"process id\" is displayed:\n\nThe log file can be set by the \"trail\" variable in /etc/security/audit/config.\n\n# grep trail /etc/security/audit/config\n trail = /audit/trail\n\nNote: The default log file is /audit/trail.\n\nUse the following command to display the audit events:\n\n# /usr/sbin/auditpr -i -helRtcp \n\nevent login status time command \n process \n--------------- -------- ----------- ------------------------ ------------------\n------------- -------- \nPROC_Delete root OK Wed Oct 31 23:01:37 2018 audit \n 9437656 \nFILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin \n 12255562 \nFILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin \n 12255562 \nFILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin \n 12255562 \nFILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin \n 12255562 \nPROC_Create root OK Wed Oct 31 23:01:44 2018 ksh \n 12976466 \nFILE_Close root OK Wed Oct 31 23:01:44 2018 ksh \n 9437658 \nFILE_Open root OK Wed Oct 31 23:01:44 2018 ksh \n 9437658 \nFILE_Read root OK Wed Oct 31 23:01:44 2018 ksh \n 9437658 \nFILE_Close root OK Wed Oct 31 23:01:44 2018 ksh \n 9437658 \nPROC_Execute root OK Wed Oct 31 23:01:44 2018 ls \n 9437658 \nFILE_Open root OK Wed Oct 31 23:01:44 2018 ls \n 9437658 \n\nIf user id or process id is not displayed, this is a finding.\n\nMore information on the command options used above:\n -e the audit event.\n -l the login name of the user.\n -R the audit status.\n -t the time the record was written.\n -c the command name.\n -p the process ID.","fixText":"Reset the audit system with the following command:\n# /usr/sbin/audit shutdown\n\nStart the audit system with the following command:\n# /usr/sbin/audit start","ccis":["CCI-000133","CCI-001487"]},{"vulnId":"V-215239","ruleId":"SV-215239r958420_rule","severity":"medium","ruleTitle":"AIX must produce audit records containing information to establish the outcome of the events.","description":"Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system.\n\nEvent outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.","checkContent":"Verify the audit event \"status\" is displayed:\n\nThe log file can be set by the \"trail\" variable in /etc/security/audit/config.\n\n# grep trail /etc/security/audit/config\n trail = /audit/trail\n\nNote: The default log file is /audit/trail.\n\nUse the following command to display the audit events:\n\n# /usr/sbin/auditpr -i -helRtcp \n\nevent login status time command \n process \n--------------- -------- ----------- ------------------------ ------------------\n------------- -------- \nPROC_Delete root OK Wed Oct 31 23:01:37 2018 audit \n 9437656 \nFILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin \n 12255562 \nFILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin \n 12255562 \nFILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin \n 12255562 \nFILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin \n 12255562 \nPROC_Create root OK Wed Oct 31 23:01:44 2018 ksh \n 12976466 \nFILE_Close root OK Wed Oct 31 23:01:44 2018 ksh \n 9437658 \nFILE_Open root OK Wed Oct 31 23:01:44 2018 ksh \n 9437658 \nFILE_Read root OK Wed Oct 31 23:01:44 2018 ksh \n 9437658 \nFILE_Close root OK Wed Oct 31 23:01:44 2018 ksh \n 9437658 \nPROC_Execute root OK Wed Oct 31 23:01:44 2018 ls \n 9437658 \nFILE_Open root OK Wed Oct 31 23:01:44 2018 ls \n 9437658 \n\nIf audit status is not displayed, this is a finding.\n\nMore information on the command options used above:\n -e the audit event.\n -l the login name of the user.\n -R the audit status.\n -t the time the record was written.\n -c the command name.\n -p the process ID.","fixText":"Reset the audit system with the following command:\n# /usr/sbin/audit shutdown\n\nStart the audit system with the following command:\n# /usr/sbin/audit start","ccis":["CCI-000134"]},{"vulnId":"V-215240","ruleId":"SV-215240r958422_rule","severity":"medium","ruleTitle":"AIX must produce audit records containing the full-text recording of privileged commands.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.","checkContent":"Verify the audit daemon is configured for full-text recording of privileged commands: \n\nThe log file can be set by the \"trail\" variable in /etc/security/audit/config.\n\n# grep trail /etc/security/audit/config\n trail = /audit/trail\n\nNote: The default log file is /audit/trail.\n\nUse the following command to display the audit events:\n\n# /usr/sbin/auditpr -i -v\n\nevent login status time command \n wpar name \n--------------- -------- ----------- ------------------------ ------------------\n------------- ------------------------- \nS_PASSWD_READ root OK Sat Aug 26 19:35:00 2017 cron\n Global\n audit object read event detected /etc/security/passwd\nS_PASSWD_READ root OK Sat Aug 26 19:35:00 2017 cron\n Global\n audit object read event detected /etc/security/passwd\nCRON_Start root OK Sat Aug 26 19:35:00 2017 cron\n Global\n event = start cron job cmd = /usr/sbin/dumpctrl -k >/dev/null 2>/dev/nul\nl time = Sat Aug 26 19:35:00 2017\nFS_Chdir root OK Sat Aug 26 19:35:00 2017 cron\n Global\n change current directory to: /\n\nIf the full-text recording of privileged command is not displayed, this is a finding. \n\nMore information on the command options used above:\n - v detailed information for the event","fixText":"Reset the audit system with the following command:\n# /usr/sbin/audit shutdown\n\nStart the audit system with the following command:\n# /usr/sbin/audit start","ccis":["CCI-000135"]},{"vulnId":"V-215241","ruleId":"SV-215241r958424_rule","severity":"medium","ruleTitle":"AIX must be configured to generate an audit record when 75% of the audit file system is full.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","checkContent":"Check if \"freespace\" is configured for the audit subsystem:\n\n# grep -E freespace* /etc/security/audit/config \nfreespace = 65536\n\nIf the above command returns empty, or if the value is less than 25% of the filesystem size, this is a finding.","fixText":"Ensure the \"/etc/security/audit/config\" file contains the following line:\nfreepsace = \nwhere is greater than 25%* filesystem capacity\n\nReset the audit system with the following command:\n# /usr/sbin/audit shutdown\n\nStart the audit system with the following command:\n# /usr/sbin/audit start","ccis":["CCI-000139"]},{"vulnId":"V-215242","ruleId":"SV-215242r958430_rule","severity":"medium","ruleTitle":"AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents.","description":"The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded.\n\nEvents of interest can be identified by the content of specific audit record fields, including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.\n\nThe ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents.\n\nThe ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies.\n\nAudit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports.\n\nThis requires operating systems to provide the capability to customize audit record reports based on all available criteria.\n\nSatisfies: SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137","checkContent":"The application file \"/usr/sbin/auditselect\" provides the audit filtering function. Check if it exists:\n\n# ls -l /usr/sbin/auditselect\n-r-sr-x--- 1 root audit 36240 Jul 4 1776 /usr/sbin/auditselect\n\nIf the \"/usr/sbin/auditselect\" file does not exist, this is a finding","fixText":"Re-install the \"bos.rte.security\" fileset from the base media.\n\nUse \"installp\" command (assume cd is mounted).\n\n# installp -aXYqg -d /dev/cd0 bos.rte.security","ccis":["CCI-000158","CCI-001875","CCI-001876","CCI-001877"]},{"vulnId":"V-215243","ruleId":"SV-215243r958434_rule","severity":"medium","ruleTitle":"Audit logs on the AIX system must be owned by root.","description":"Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029","checkContent":"Check the log files under the audit logging directory have correct ownership.\n\nThe default log file is /audit/trail.\n\nThe log file can be set by the \"trail\" variable in /etc/security/audit/config.\n# grep trail /etc/security/audit/config\n trail = /audit/trail\n\n# ls -l \ntotal 240\n-rw-rw---- 1 root system 0 Feb 23 08:44 bin1\n-rw-rw---- 1 root system 0 Feb 23 08:44 bin2\n-rw-r----- 1 root system 116273 Feb 23 08:44 trail\n\nIf any file's ownership is not \"root\", this is a finding.","fixText":"Set the owner of the audit log file to \"root\".\n# chown root ","ccis":["CCI-000162","CCI-000163","CCI-000164"]},{"vulnId":"V-215244","ruleId":"SV-215244r958434_rule","severity":"medium","ruleTitle":"Audit logs on the AIX system must be group-owned by system.","description":"Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029","checkContent":"Check the log files under the audit logging directory have correct group ownership.\n\nThe default log file is /audit/trail.\n\nThe log file can be set by the \"trail\" variable in /etc/security/audit/config.\n# grep trail /etc/security/audit/config\n trail = /audit/trail\n\n# ls -l \ntotal 240\n-rw-rw---- 1 root system 0 Feb 23 08:44 bin1\n-rw-rw---- 1 root system 0 Feb 23 08:44 bin2\n-rw-r----- 1 root system 116273 Feb 23 08:44 trail\n\nIf any file's group ownership is not \"system\", this is a finding.","fixText":"Set the group of the audit log file to \"system\".\n# chgrp system ","ccis":["CCI-000162","CCI-000163","CCI-000164"]},{"vulnId":"V-215245","ruleId":"SV-215245r958434_rule","severity":"medium","ruleTitle":"Audit logs on the AIX system must be set to 660 or less permissive.","description":"Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029","checkContent":"Check the log files under the audit logging directory have correct permissions.\n\nThe default log file is /audit/trail.\n\nThe log file can be set by the \"trail\" variable in /etc/security/audit/config.\n# grep trail /etc/security/audit/config\n trail = /audit/trail\n\n# ls -l \ntotal 240\n-rw-rw---- 1 root system 0 Feb 23 08:44 bin1\n-rw-rw---- 1 root system 0 Feb 23 08:44 bin2\n-rw-r----- 1 root system 116273 Feb 23 08:44 trail\n\nIf any file has a mode more permissive than \"660\", this is a finding.","fixText":"Set the permission of the audit log file to \"660\".\n\n# chmod 660 ","ccis":["CCI-000162","CCI-000163","CCI-000164"]},{"vulnId":"V-215246","ruleId":"SV-215246r1013689_rule","severity":"medium","ruleTitle":"AIX must provide audit record generation functionality for DoD-defined auditable events.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which AIX will provide an audit record generation capability as the following: \n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful login attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logins from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000051-GPOS-00024, SRG-OS-000064-GPOS-00033, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000277-GPOS-00107, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000327-GPOS-00127, SRG-OS-000327-GPOS-00127, SRG-OS-000364-GPOS-00151, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222","checkContent":"Ensure that auditing is properly configured.\n\nRun the \"stig_audit_check.sh\" script.\n\nIf any results are returned from the script, this is a finding.\n\nVerify that the file \"/etc/security/audit/objects\" includes the following objects:\n\n/etc/security/environ:\nw = \"S_ENVIRON_WRITE\"\n\n/etc/security/group:\nw = \"S_GROUP_WRITE\"\n\n/etc/group: \nw = \"S_GROUP_WRITE\"\n\n/etc/security/limits:\nw = \"S_LIMITS_WRITE\"\n\n/etc/security/login.cfg:\nw = \"S_LOGIN_WRITE\"\n\n/etc/security/passwd:\nr = \"S_PASSWD_READ\"\nw = \"S_PASSWD_WRITE\"\n\n/etc/security/user:\nw = \"S_USER_WRITE\"\n\n/etc/security/audit/config:\nw = \"AUD_CONFIG_WR\"\n\nIf any of the objects listed above are missing from \"/etc/security/audit/objects\", this is a finding.","fixText":"Use the \"stig_audit_config.txt\" file to configure the AIX audit process.\n\nEdit the /etc/security/audit/objects file and add or update the following lines to the listed values:\n\n/etc/security/environ:\n w = \"S_ENVIRON_WRITE\"\n\n/etc/security/group:\n w = \"S_GROUP_WRITE\"\n\n/etc/group: \n w = \"S_GROUP_WRITE\"\n\n/etc/security/limits:\n w = \"S_LIMITS_WRITE\"\n\n/etc/security/login.cfg:\n w = \"S_LOGIN_WRITE\"\n\n/etc/security/passwd:\n r = \"S_PASSWD_READ\"\n w = \"S_PASSWD_WRITE\"\n\n/etc/security/user:\n w = \"S_USER_WRITE\"\n\n/etc/security/audit/config:\n w = \"AUD_CONFIG_WR\"\n\n\nRestart the audit process:\n# /usr/sbin/audit shutdown\n# /usr/sbin/audit start\n\nNote: There are multiple default \"classes\" defined in the \"/etc/security/audit/config\" file. The only audit class that is required by this document is the \"stig_aud_class\". All other defined classes can be removed at the discretion of the organization.","ccis":["CCI-000018","CCI-000154","CCI-000169","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-000015","CCI-001813","CCI-002130","CCI-002234","CCI-002884","CCI-001686","CCI-002132"]},{"vulnId":"V-215247","ruleId":"SV-215247r991555_rule","severity":"medium","ruleTitle":"AIX must start audit at boot.","description":"If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.","checkContent":"Check if /etc/rc contains the following line:\n/usr/sbin/audit start\n\n# grep \"audit start\" /etc/rc\n/usr/sbin/audit start\n\nIf a result is not returned, this is a finding.","fixText":"To start auditing at system startup, add the following line to the /etc/rc file, just prior to the line reading dspmsg rc.cat 5 'Multi-user initialization completed':\n/usr/sbin/audit start\n\nSymmetrically add the '/usr/sbin/audit shutdown' command to /etc/rc.shutdown.","ccis":["CCI-001464"]},{"vulnId":"V-215248","ruleId":"SV-215248r991557_rule","severity":"medium","ruleTitle":"AIX audit tools must be owned by root.","description":"Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nOperating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099","checkContent":"Check the following audit tools are owned by \"root\":\n\n /usr/sbin/audit\n /usr/sbin/auditbin\n /usr/sbin/auditcat\n /usr/sbin/auditconv\n /usr/sbin/auditmerge\n /usr/sbin/auditpr\n /usr/sbin/auditselect\n /usr/sbin/auditstream\n /usr/sbin/auditldap\n\n# ls -l /usr/sbin/audit*|grep -v ldap\n-r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit\n-r-sr-x--- 1 root audit 41240 Mar 30 2016 /usr/sbin/auditbin\n-r-sr-x--- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat\n-r-sr-x--- 1 root audit 13072 Mar 30 2016 /usr/sbin/auditconv\n-r-sr-x--- 1 root audit 11328 Mar 30 2016 /usr/sbin/auditmerge\n-r-sr-x--- 1 root audit 53466 Mar 30 2016 /usr/sbin/auditpr\n-r-sr-x--- 1 root audit 33128 Mar 30 2016 /usr/sbin/auditselect\n-r-sr-x--- 1 root audit 29952 Mar 30 2016 /usr/sbin/auditstream\n-r-x------ 1 root security 12204 Mar 30 2016 /usr/sbin/auditldap\n\nIf any above file's ownership is not \"root\", this is a finding.","fixText":"For each audit tool in: \n /usr/sbin/audit\n /usr/sbin/auditbin\n /usr/sbin/auditcat\n /usr/sbin/auditconv\n /usr/sbin/auditmerge\n /usr/sbin/auditpr\n /usr/sbin/auditselect\n /usr/sbin/auditstream\n\nSet the owner to \"root\". \n# chown root \n\nFor /usr/sbin/auditldap\n\nSet the owner to \"root\". \n# chown root /usr/sbin/auditldap","ccis":["CCI-001493","CCI-001494","CCI-001495"]},{"vulnId":"V-215249","ruleId":"SV-215249r991557_rule","severity":"medium","ruleTitle":"AIX audit tools must be group-owned by audit.","description":"Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nOperating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099","checkContent":"Check the following audit tools are group-owned by \"audit\":\n\n /usr/sbin/audit\n /usr/sbin/auditbin\n /usr/sbin/auditcat\n /usr/sbin/auditconv\n /usr/sbin/auditmerge\n /usr/sbin/auditpr\n /usr/sbin/auditselect\n /usr/sbin/auditstream\n\n# ls -l /usr/sbin/audit*|grep -v ldap\n-r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit\n-r-sr-x--- 1 root audit 41240 Mar 30 2016 /usr/sbin/auditbin\n-r-sr-x--- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat\n-r-sr-x--- 1 root audit 13072 Mar 30 2016 /usr/sbin/auditconv\n-r-sr-x--- 1 root audit 11328 Mar 30 2016 /usr/sbin/auditmerge\n-r-sr-x--- 1 root audit 53466 Mar 30 2016 /usr/sbin/auditpr\n-r-sr-x--- 1 root audit 33128 Mar 30 2016 /usr/sbin/auditselect\n-r-sr-x--- 1 root audit 29952 Mar 30 2016 /usr/sbin/auditstream\n\nIf any above file's are not group-owned by \"audit\", this is a finding. \n\nVerify that \"/usr/sbin/auditldap\" group-owned by \"security\":\n\n# ls -l /usr/sbin/auditldap\n-r-x------ 1 root security 12204 Mar 30 2016 /usr/sbin/auditldap\n\nIf the group-owner of \"/usr/sbin/auditldap\" is not \"security\", this is a finding.","fixText":"For each audit tool in: \n /usr/sbin/audit\n /usr/sbin/auditbin\n /usr/sbin/auditcat\n /usr/sbin/auditconv\n /usr/sbin/auditmerge\n /usr/sbin/auditpr\n /usr/sbin/auditselect\n /usr/sbin/auditstream\n\nSet the group to \"audit\". \n# chgrp audit \n\nFor /usr/sbin/auditldap:\n\nSet the group to \"security\". \n# chgrp security /usr/sbin/auditldap","ccis":["CCI-001493","CCI-001494","CCI-001495"]},{"vulnId":"V-215250","ruleId":"SV-215250r991557_rule","severity":"medium","ruleTitle":"AIX audit tools must be set to 4550 or less permissive.","description":"Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nOperating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099","checkContent":"Check the following audit tools are set to \"4550\" or less permissive:\n\n /usr/sbin/audit\n /usr/sbin/auditbin\n /usr/sbin/auditcat\n /usr/sbin/auditconv\n /usr/sbin/auditmerge\n /usr/sbin/auditpr\n /usr/sbin/auditselect\n /usr/sbin/auditstream\n\n# ls -l /usr/sbin/audit*|grep -v ldap\n-r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit\n-r-sr-x--- 1 root audit 41240 Mar 30 2016 /usr/sbin/auditbin\n-r-sr-x--- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat\n-r-sr-x--- 1 root audit 13072 Mar 30 2016 /usr/sbin/auditconv\n-r-sr-x--- 1 root audit 11328 Mar 30 2016 /usr/sbin/auditmerge\n-r-sr-x--- 1 root audit 53466 Mar 30 2016 /usr/sbin/auditpr\n-r-sr-x--- 1 root audit 33128 Mar 30 2016 /usr/sbin/auditselect\n-r-sr-x--- 1 root audit 29952 Mar 30 2016 /usr/sbin/auditstream\n\nIf any above file's permission is greater than \"4550\", this is a finding. \n\nVerify that \"/usr/sbin/auditldap\" is set to \"500\" or less permissive: \n\n# ls -l /usr/sbin/auditldap\n-r-x------ 1 root security 12204 Mar 30 2016 /usr/sbin/auditldap\n\nIf the permission of \"/usr/sbin/auditldap\" is greater than \"500\", this is a finding.","fixText":"For each audit tool in: \n /usr/sbin/audit\n /usr/sbin/auditbin\n /usr/sbin/auditcat\n /usr/sbin/auditconv\n /usr/sbin/auditmerge\n /usr/sbin/auditpr\n /usr/sbin/auditselect\n /usr/sbin/auditstream\n\nSet the permission to \"4550\".\n# chmod 4550 \n\nFor /usr/sbin/auditldap:\n\nSet the permission to \"500\".\n# chmod 500 /usr/sbin/auditldap","ccis":["CCI-001493","CCI-001494","CCI-001495"]},{"vulnId":"V-215251","ruleId":"SV-215251r991567_rule","severity":"medium","ruleTitle":"AIX must verify the hash of audit tools.","description":"Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs.\n\nTo address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.","checkContent":"Verify that Trusted Execution (TE) is \"on\" and \"CHKEXEC\" is \"on\" by running the following command: \n# trustchk -p \nTE=ON\nCHKEXEC=ON\nCHKSHLIB=OFF\nCHKSCRIPT=OFF\nCHKKERNEXT=OFF\nSTOP_UNTRUSTD=OFF\nSTOP_ON_CHKFAIL=OFF\nLOCK_KERN_POLICIES=OFF\nTSD_FILES_LOCK=OFF\nTSD_LOCK=OFF\nTEP=OFF\nTLP=OFF\n\nIf the result show \"TE=OFF\" or \"CHKEXEC=OFF\", this is a finding.\n\nVerify that TSD (Trusted Signature Database) contains all the audit tools and their signatures by running the following command:\n\n# awk '/\\/usr\\/sbin\\/audit/ {print; for(i=1; i<=10; i++) {getline; print}}' /etc/security/tsd/tsd.dat |grep -E \"\\/usr\\/sbin\\/audit|cert_tag|signature|hash_value\"\n\n/usr/sbin/auditselect:\n cert_tag = 00d3cbd2922627b209\n signature = 8f6044a166ad7d1256a2798432dcb06b528eb6c515f4d2d0af90dd17e6ba05665bd8d39ee8f15e8872e90d3b52e0e25c7be9d62c9c5d71cd16b662fb8511f168b6facb4105cc0e9c19c316e37459ad739b75b6037827f3ba60896eeeec62cf47e7514b10d4813c48cacd76b75dc5b0e1a87f7cd10552992021efb5b44eb33a1a\n hash_value = 002e02eda12663a2c9478e1b5154cc97452c07a68a8b9d5a6ca3408b008d95bb\n/usr/sbin/auditstream:\n cert_tag = 00d3cbd2922627b209\n signature = 3d5a678962b684208f3996262a997d8838012c1625d83b7df75d9bb3a83065819ae476a21ada2ec7afd683828d9ce5c9d3eb829ed907d11fc2713d895419cbec5855e96b4a3b36a4f5b3c44a801555727b1ca799026262120b18fe2d93f53da8e95f6560c0cf5ea73dccd7daa9ec3df7e24ede0201b9d632becfb58a8f81fee4\n hash_value = 5c434a89bf2fb50a2c21734a5ecd3c4e0a92c34d6685633d59a93caf1684e515\n/usr/sbin/auditpr:\n cert_tag = 00d3cbd2922627b209\n signature = 8356f57d227a85037620ec6f357204a9dd3ceeb89fab2ea8b4dea5529a37d290e111a46e9deca8ebd86b37c50b8b2d27599d09a02353081db9f7140780ace0d9986c8f7265d3d91eed7a2502050a6342c79cf1fd6c9b2633e353fdc3603de3b6fc341b2b7a0c6eb286155ae9542bdbbcc29eba84a50f1f8c4f6f5924403f6556\n hash_value = 34bf3b145327d33f810e939d15ae084711dcd0eb7e7f3ebcb135f5ff7b3ba776\n/usr/sbin/auditcat:\n cert_tag = 00d3cbd2922627b209\n signature = abf001ee98c5e81ec730552cd26473221ee14694a7fea06d97ae030f1b8603bafdb3f4917cb50c87c90fc8ff03e8762b05c6b21d1907a05288736fa820fd4a05d38f236fec5cfc3813aeb5b0618294effe0356ac26be0e6701398cf181fb38897c5a2496154bba3eab513caaa74a9abb230ad6948190d24907a107d8968a0c27\n hash_value = 78febbeb1e7e4ca1ed4015fb147d27bd451814ed8c81429b42ee9e2f8301bf58\n/usr/sbin/auditbin:\n cert_tag = 00d3cbd2922627b209\n signature = 9bb3fde97a70dd3ee93ecf556cf13e3981d1f0794c7a253701e011956574754eb17922525092f38a3b0f9375aef8fadfe3cb6e47f6aa7424e3449910af6cc6e1754f6fe8c2fb20867af7f9a048485ea2dfcd7b8f718d350d21ec2ffe394423f4c513b22ff9a654f1ef55f6e679424ad0e630404fcfd707ed91d542d64564c601\n hash_value = 2deb07bbdf5b744168bb9484b25c0e61813b546f0dd0555d9b9ebcb8cf17272d\n/usr/sbin/auditldap:\n cert_tag = 00d3cbd2922627b209\n signature = ab3ea5ba592ef8d1576f632c6154e10a172fbdad1c6379954a48d76bd2c365848a208dfa698e828008fa73b60daf0ad0ab9ad08035f9df2d39ac21a67873cfac3eb07103858903c47e5d1e264ace01de9599ff3c966b12d8cbc6c2b6e3c97f8c56b7a5a4fa33f15bbe472319266854f83fad57917d9dd0c09383fd2b5df41e6d\n hash_value = f929ca078995a6b2a28d1247e9837e03d06fa2c5b12a6c86e679201192694c8c\n/usr/sbin/auditconv:\n cert_tag = 00d3cbd2922627b209\n signature = ab7a0e0e5aa62ec741db601cc1609bf7db6006705a3d6b7001b3aa4da5ab6bcfecea569d6891b67088b2033045fdf6532a24433711c74fcffc92744884f0f14211a7625c168f11d4b3de2e7083e57a5063933c0eea5b92c6ab9ea1b131ca8fe85143f616887e4d60cfb534da8b3a920c428279ea8eee04bf57ad70da3c69104c\n hash_value = 0d2a989fa77df6984348f5c66d20af1e71aebd5a0d9f85551873563ee9d851d7\n/usr/sbin/audit:\n cert_tag = 00d3cbd2922627b209\n signature = 2b6ed42788eca469aaaf960d4ea9956793182cdbf6b8570ded724762701354f62d003a3ed99db9b4fbb670c5864c9a641d485083789840c71005bbdcc4659dbbfbec0e8c63c8223be9e54f46240e3a5ebed8647fbd9e0e9f2db0d046e0cd73e72c87977c9dc394b61027c2856a27db0e51afb05e07c2d4f8ea3bc33564f2e7a6\n hash_value = 0c5d10f7c7cefec133bee45bd0d30933b18041438a7c7b15b8aa7de60ce208af\n/usr/sbin/auditmerge:\n cert_tag = 00d3cbd2922627b209\n signature = 64e0f95c1efa90f34b6ddd370fc0a277db2858b01b993a2f32eb9f0c86e6d901675f67f42158015ceafa37507a0bc36bbd58aca6685464f8b43edb099db670aa497db349c51fc0ed6066da43e2eb5529af8bbdd0c30b66b22158261c224213fc406ffee36e4df476107f867d8f7c09c24e4318a13e2b279d200a9fa4a8b515e4\n hash_value = 6b4a1d1288a1d7e987ad14b395d0067890574a09956171bb32b9a022dc975015\n\nIf any of the cert_tag, signature, or hash values is missing or “= VOLATILE\", this is a finding.","fixText":"Turn on Trusted Execution and check the integrity of audit tools. \n# /usr/sbin/trustchk -p TE=ON CHKEXEC=ON\n\nIf audit tool integrity data is missing from \"/etc/security/tsd/tsd.dat\", re-install the \"bos.rte.security\" fileset from AIX DVD using the installp command (assume the DVD is mounted to /dev/cd0):\n# installp -aXYqg -d /dev/cd0 bos.rte.security","ccis":["CCI-001496"]},{"vulnId":"V-215252","ruleId":"SV-215252r971541_rule","severity":"medium","ruleTitle":"AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time.","description":"If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting.","checkContent":"Verify that an audit admin role has been configured to include the authorizations for auditing, namely \"aix.security.audit,aix.security.user.audit,aix.security.role.audit\": \n\n# lsrole ALL |grep \"aix.security.audit\" |grep \"aix.security.user.audit\" |grep \"aix.security.role.audit\"\nauditadm authorizations=aix.security.audit,aix.security.user.audit,aix.security.role.audit rolelist= groups= visibility=1 screens=* dfltmsg=Audit Administrator msgcat=role_desc.cat msgnum=15 msgset=1 auth_mode=INVOKER id=16\n\nIf the above command has no output, this is a finding.","fixText":"Create a role \"auditadm\" that is assigned with security related authorization with the following commend:\n# mkrole authorizations=\"aix.security.audit,aix.security.user.audit,aix.security.role.audit\" auditadm","ccis":["CCI-001914"]},{"vulnId":"V-215253","ruleId":"SV-215253r958752_rule","severity":"medium","ruleTitle":"AIX must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.","description":"In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of AIX.","checkContent":"Check the file system size where the log file resides is greater than the organizationally defined size of audit logs for one week (1GB). \n\nFind out where the audit log resides: \n# grep trail /etc/security/audit/config \n trail = /audit/trail\n\nFind out the available space in the file system hosting the audit logs. \n\n# df /audit/trail\nFilesystem 512-blocks Free %Used Iused %Iused Mounted on\n/dev/hd4 1966080 1792872 9% 3913 2% /\n\nIf the \"512-blocks\" multiplied by \"Free\" is less than the required size for the audit logs, this is a finding.","fixText":"Increase the size of the file system hosting the audit logs (by 1GB).\n# chfs -a size=+1G ","ccis":["CCI-001849"]},{"vulnId":"V-215254","ruleId":"SV-215254r958770_rule","severity":"medium","ruleTitle":"AIX must provide a report generation function that supports on-demand audit review and analysis, on-demand reporting requirements, and after-the-fact investigations of security incidents.","description":"The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies.\n\nReport generation must be capable of generating on-demand (i.e., customizable, ad hoc, and as-needed) reports. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective.\n\nSatisfies: SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140","checkContent":"Check to see if the application for generating audit reports exists (\"/usr/sbin/auditpr\"):\n\n# ls -l /usr/sbin/auditpr\n-r-sr-x--- 1 root audit 54793 Feb 14 2017 /usr/sbin/auditpr\n\nIf the file does not exist, this is a finding.","fixText":"Use the installp command to install a fileset (assume cd is mounted).\n# installp -aXYqg -d /dev/cd0 bos.rte.security","ccis":["CCI-001878","CCI-001879","CCI-001880"]},{"vulnId":"V-215255","ruleId":"SV-215255r958788_rule","severity":"medium","ruleTitle":"AIX must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).","description":"If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by AIX include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","checkContent":"Check the time zone setting by the following command:\n# echo $TZ\nUTC\n\nIf the result is not UTC, GMT, or an offset from UTC, this is a finding.","fixText":"Change time zone setting to UTC, GMT, or an offset from UTC and then reboot the system for the setting to take effect. \n\n# chtz UTC\nOr change time zone to GMT or an offset of UTC.\n\nThe system must be rebooted for the change to take effect:\n# reboot","ccis":["CCI-001890"]},{"vulnId":"V-215256","ruleId":"SV-215256r991589_rule","severity":"medium","ruleTitle":"AIX audit logs must be rotated daily.","description":"Rotate audit logs daily to preserve audit file system space and to conform to the DoD/DISA requirement. If it is not rotated daily and moved to another location, then there is more of a chance for the compromise of audit data by malicious users.","checkContent":"Check for any \"crontab\" entries that rotate audit logs:\n\n# crontab -l \n30 23 * * * /root/logrotate.sh #Daily log rotation script\nIf such a cron job is found, this is not a finding. \n\nOtherwise, query the SA. \n\nIf there is a process automatically rotating audit logs, this is not a finding. \n\nIf the SA manually rotates audit logs, this is a finding. \n\nIf the audit output is not archived daily, to tape or disk, this is a finding. \n\nReview the audit log directory.\n\nIf more than one file is there, or if the file does not have today's date, this is a finding.","fixText":"Configure a cron job or other automated process to rotate the audit logs on a daily basis.","ccis":["CCI-000366"]},{"vulnId":"V-215257","ruleId":"SV-215257r987796_rule","severity":"high","ruleTitle":"The AIX rexec daemon must not be running.","description":"The exec service is used to execute a command sent from a remote server. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the rexecd daemon will be disabled. This function, if required, should be facilitated through SSH.","checkContent":"Determine if the \"rexec\" daemon is running by running the following command:\n# grep \"^exec[[:blank:]]\" /etc/inetd.conf\n\nIf the above grep command returned a line that contains \"rexecd\", this is a finding.","fixText":"Disable the \"rexecd\" entry in \"/etc/inetd.conf\" using command: \n# chsubserver -r inetd -C /etc/inetd.conf -d -v 'exec' -p 'tcp6'\n\nReload the inetd process:\n# refresh -s inetd","ccis":["CCI-000197"]},{"vulnId":"V-215258","ruleId":"SV-215258r987796_rule","severity":"high","ruleTitle":"AIX telnet daemon must not be running.","description":"This telnet service is used to service remote user connections. This is historically the most commonly used remote access method for UNIX servers. The username and passwords are passed over the network in clear text and therefore insecurely. Unless required the telnetd daemon will be disabled. This function, if required, should be facilitated through SSH.","checkContent":"Determine if the \"telnet\" daemon is running by running the following command:\n# grep -v '^#' /etc/inetd.conf | grep telnet \n\nIf an entry is returned, this is a finding.","fixText":"Disable the \"telnet\" entry in \"/etc/inetd.conf\" using command: \n# chsubserver -r inetd -C /etc/inetd.conf -d -v 'telnet' -p 'tcp6' \n\nReload the inetd process:\n# refresh -s inetd","ccis":["CCI-000197"]},{"vulnId":"V-215259","ruleId":"SV-215259r987796_rule","severity":"high","ruleTitle":"AIX ftpd daemon must not be running.","description":"The ftp service is used to transfer files from or to a remote machine. The username and passwords are passed over the network in clear text and therefore insecurely. Remote file transfer, if required, should be facilitated through SSH.","checkContent":"Determine if the \"ftp\" daemon is running by running the following command:\n# grep \"^ftp[[:blank:]]\" /etc/inetd.conf\n\nIf an entry is returned like the following line, the \"ftp\" daemon is running:\nftp stream tcp6 nowait root /usr/sbin/ftpd ftpd \n\nIf the above grep command returned a line that contains \"ftpd\", this is a finding.","fixText":"Disable \"ftp\" daemon entry in \"/etc/inetd.conf\" using command: \n# chsubserver -r inetd -C /etc/inetd.conf -d -v 'ftp' -p 'tcp6'\n\nReload the inetd process:\n# refresh -s inetd","ccis":["CCI-000197"]},{"vulnId":"V-215260","ruleId":"SV-215260r1050789_rule","severity":"high","ruleTitle":"AIX must remove NOPASSWD tag from sudo config files.","description":"sudo command does not require reauthentication if NOPASSWD tag is specified in /etc/sudoers config file, or sudoers files in /etc/sudoers.d/ directory. With this tag in sudoers file, users are not required to reauthenticate for privilege escalation.","checkContent":"If sudo is not used on AIX, this is Not Applicable.\n\nRun the following command to find the \"NOPASSWD\" tag in \"/etc/sudoers\" file:\n# grep NOPASSWD /etc/sudoers\n\nIf there is a \"NOPASSWD\" tag found in \"/etc/sudoers\" file, this is a finding.\n\nRun the following command to find the \"NOPASSWD\" tag in one of the sudo config files in \"/etc/sudoers.d/\" directory:\n# find /etc/sudoers.d -type f -exec grep -l NOPASSWD {} \\;\n\nThe above command displays all sudo config files that are in \"/etc/sudoers.d/\" directory and they contain the \"NOPASSWD\" tag.\n\nIf above command found a config file that is in \"/etc/sudoers.d/\" directory and contains the \"NOPASSWD\" tag, this is a finding.","fixText":"Edit \"/etc/sudoers\" using \"visudo\" command to remove all the \"NOPASSWD\" tags:\n# visudo -f \n\nEditing a sudo config file that is in \"/etc/sudoers.d/\" directory and contains the \"NOPASSWD\" tags, use \"visudo\" the command as follows:\n# visudo -f /etc/sudoers.d/","ccis":["CCI-004895","CCI-002038"]},{"vulnId":"V-215261","ruleId":"SV-215261r1050789_rule","severity":"medium","ruleTitle":"AIX must remove !authenticate option from sudo config files.","description":"sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are not required to reauthenticate for privilege escalation.","checkContent":"If sudo is not used on AIX, this is Not Applicable.\n\nRun the following command to find \"!authenticate\" option in \"/etc/sudoers\" file:\n# grep \"!authenticate\" /etc/sudoers\n\nIf there is a \"!authenticate\" option found in \"/etc/sudoers\" file, this is a finding.\n\nRun the following command to find \"!authenticate\" option in one of the sudo config files in \"/etc/sudoers.d/\" directory:\n# find /etc/sudoers.d -type f -exec grep -l \"!authenticate\" {} \\;\n\nThe above command displays all sudo config files that are in \"/etc/sudoers.d/\" directory and they contain the \"!authenticate\" option.\n\nIf above command found a config file that is in \"/etc/sudoers.d/\" directory and that contains the \"!authenticate\" option, this is a finding.","fixText":"Edit \"/etc/sudoers\" using \"visudo\" command to remove all the \"!authenticate\" options:\n# visudo -f /etc/sudoers\n\nEditing a sudo config file that is in \"/etc/sudoers.d/\" directory and contains \"!authenticate\" options, use the \"visudo\" command as follows:\n# visudo -f /etc/sudoers.d/","ccis":["CCI-004895","CCI-002038"]},{"vulnId":"V-215262","ruleId":"SV-215262r991589_rule","severity":"medium","ruleTitle":"AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.","description":"If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks.","checkContent":"Check the system for an IPv4 default route using command:\n \n# netstat -r |grep default \ndefault 10.11.20.1 UG 1 1811 en0 - -\n\nIf a default route is not defined, this is a finding.","fixText":"Set a default gateway for IPv4 using:\n# route add 0 ","ccis":["CCI-000366"]},{"vulnId":"V-215263","ruleId":"SV-215263r991589_rule","severity":"medium","ruleTitle":"IP forwarding for IPv4 must not be enabled on AIX unless the system is a router.","description":"IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.","checkContent":"From the command prompt, run the following command:\n\n# no -o ipforwarding \nipforwarding = 0\n\nIf the value returned is not \"0\", this is a finding.","fixText":"Disable IPv4 forwarding on the system by running command:\n# no -p -o ipforwarding=0","ccis":["CCI-000366"]},{"vulnId":"V-215264","ruleId":"SV-215264r991589_rule","severity":"medium","ruleTitle":"AIX must be configured with a default gateway for IPv6 if the system uses IPv6 unless the system is a router.","description":"If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial of Service attacks.","checkContent":"If the system is a router, this is Not Applicable. \n\nIf the system does not use IPv6, this is Not Applicable. \n\nDetermine if the system has a default route configured for IPv6 by running: \n\n# netstat -r | grep default \ndefault 10.11.20.1 UG 1 1823 en0 - -\n\nIf a default route is not defined, this is a finding.","fixText":"Configure an IPv6 default route on the system: \n# smitty route","ccis":["CCI-000366"]},{"vulnId":"V-215265","ruleId":"SV-215265r991589_rule","severity":"medium","ruleTitle":"AIX must not have IP forwarding for IPv6 enabled unless the system is an IPv6 router.","description":"If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.","checkContent":"From the command prompt, run the following command:\n\n# /usr/sbin/no -o ip6forwarding \nip6forwarding = 0\n\nIf the value returned is not \"0\", this is a finding.","fixText":"Disable IPv6 forwarding on the system: \n# /usr/sbin/no -p -o ip6forwarding=0","ccis":["CCI-000366"]},{"vulnId":"V-215266","ruleId":"SV-215266r958566_rule","severity":"medium","ruleTitle":"AIX log files must be owned by a system account.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.","checkContent":"Check the owner of log files:\n\n# ls -lL /var/log /var/log/syslog /var/adm \n/var/adm:\ntotal 376\ndrw-r----- 2 root system 256 Jan 24 12:31 SRC\ndrwx------ 4 root system 256 Jan 24 07:28 config\n-rw-r----- 1 root system 1081 Jan 24 09:05 dev_pkg.fail\n-rw-r----- 1 root system 250 Jan 24 09:05 dev_pkg.success\n-rw------- 1 root system 64 Jan 24 09:43 sulog\ndrwxr-xr-x 3 root system 256 Jan 24 12:28 sw\ndrwx------ 2 root system 256 Jan 24 08:06 wpars\n-rw-r----- 1 adm adm 7517448 Apr 29 14:10 wtmp\n\n/var/log:\ntotal 8\ndrwxr-xr-x 2 root system 256 Jan 24 08:44 aso\n-rw-r----- 1 root system 603 Jan 24 10:30 cache_mgt.dr.log\n\nIf any of the log files are not owned by a system account, this is a finding.","fixText":"Change the owner of the system log file(s) to a system account: \n# chown [system_account] /path/to/system-log-file","ccis":["CCI-001314"]},{"vulnId":"V-215267","ruleId":"SV-215267r958566_rule","severity":"medium","ruleTitle":"AIX log files must be owned by a system group.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify AIX or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.","checkContent":"Check the group of log files:\n\n# ls -lL /var/log /var/log/syslog /var/adm \n/var/adm:\ntotal 376\ndrw-r----- 2 root system 256 Jan 24 12:31 SRC\ndrwx------ 4 root system 256 Jan 24 07:28 config\n-rw-r----- 1 root system 1081 Jan 24 09:05 dev_pkg.fail\n-rw-r----- 1 root system 250 Jan 24 09:05 dev_pkg.success\n-rw------- 1 root system 64 Jan 24 09:43 sulog\ndrwxr-xr-x 3 root system 256 Jan 24 12:28 sw\ndrwx------ 2 root system 256 Jan 24 08:06 wpars\n-rw-r----- 1 adm adm 7517448 Apr 29 14:10 wtmp\n\n/var/log:\ntotal 8\ndrwxr-xr-x 2 root system 256 Jan 24 08:44 aso\n-rw-r----- 1 root system 603 Jan 24 10:30 cache_mgt.dr.log\n\nIf any of the log files have group other than a system group, this is a finding.","fixText":"Change the group of the system log file(s) to a system group: \n# chgrp [system_group] /path/to/system-log-file","ccis":["CCI-001314"]},{"vulnId":"V-215268","ruleId":"SV-215268r991560_rule","severity":"medium","ruleTitle":"AIX system files, programs, and directories must be group-owned by a system group.","description":"Restricting permissions will protect the files from unauthorized modification.","checkContent":"Check the group ownership of system files, programs, and directories run the following command: \n# ls -lLa /etc /bin /usr/bin /usr/lbin /usr/ucb /sbin /usr/sbin \n\nIf any system file, program, or directory is not group-owned by a system group, this is a finding. \n\nNote: For this check, the system-provided \"ipsec\" group is also acceptable.","fixText":"Change the group owner of system files to a system group by running the following command:\n # chgrp sys /path/to/system/file \n\nNote: System groups other than \"sys\" may be used.","ccis":["CCI-001499"]},{"vulnId":"V-215269","ruleId":"SV-215269r991589_rule","severity":"medium","ruleTitle":"The inetd.conf file on AIX must be owned by root.","description":"Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.","checkContent":"Check the ownership of \"/etc/inetd.conf\": \n# ls -al /etc/inetd.conf \n\nThe above command should yield the following output:\n-rw-r----- root system 993 Mar 11 07:04 /etc/inetd.conf\n\nIf the file is not owned by root, this is a finding.","fixText":"Change the ownership of \"/etc/inetd.conf\": \n# chown root /etc/inetd.conf","ccis":["CCI-000366"]},{"vulnId":"V-215270","ruleId":"SV-215270r991589_rule","severity":"medium","ruleTitle":"AIX cron and crontab directories must be owned by root or bin.","description":"Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron or crontab directories to root or to bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.","checkContent":"Check the owner of the \"crontab\" directory using command:\n\n# ls -ld /var/spool/cron/crontabs \ndrwxrwx--- 2 bin cron 256 Jan 25 12:33 /var/spool/cron/crontabs\n\nIf the owner of the \"crontab\" directory is not \"root\" or \"bin\", this is a finding.","fixText":"Change the owner of the \"crontab\" directory:\n# chown root /var/spool/cron/crontabs","ccis":["CCI-000366"]},{"vulnId":"V-215271","ruleId":"SV-215271r991589_rule","severity":"medium","ruleTitle":"AIX audio devices must be group-owned by root, sys, bin, or system.","description":"Without privileged group owners, audio devices will be vulnerable to being used as eaves-dropping devices by malicious users or intruders to possibly listen to conversations containing sensitive information.","checkContent":"Check the group owner of audio devices using commands:\n\n# /usr/sbin/lsdev -C | grep -i audio \naud0 Available USB Audio Device\n\n# ls -lL /dev/*aud0\ncr--r--r-- 1 root system 16, 0 Jan 24 07:25 aud0 \n\nIf the group owner of an audio device is not \"root\", \"sys\", \"bin\", or \"system\", this is a finding.","fixText":"Change the group owner of the audio device using command: \n# chgrp system