
V-215419

CAT II (Medium)

The AIX systems access control program must be configured to grant or deny system access to specific hosts.

Rule ID

SV-215419r991589_rule

STIG

IBM AIX 7.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.

Check Content

Check for the existence of the "/etc/hosts.allow" and "/etc/hosts.deny" files using the commands:

# ls -la /etc/hosts.allow 
-rw-r--r--    1 root     system           11 Jan 28 11:09 /etc/hosts.allow

# ls -la /etc/hosts.deny
-rw-r--r--    1 root     system            0 Jan 28 11:02 /etc/hosts.deny
 
If either file does not exist, this is a finding. 

Check for the presence of a default deny entry using the command:

# grep -E "ALL:[[:blank:]]*ALL" /etc/hosts.deny 
ALL:ALL

If the "ALL: ALL" entry is not present in the "/etc/hosts.deny" file, any TCP service from a host or network not matching other rules will be allowed access. 

If the entry is not in "/etc/hosts.deny", this is a finding.
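
The check above as a script, as an added example that is not part of the STIG text. The function names are hypothetical, and it assumes hosts_access(5) syntax, where a line starting with "#" is a comment: unlike the unanchored grep above, it does not count a commented-out "# ALL: ALL" line as a default deny.

```shell
#!/bin/sh
# Added example: audit helper for V-215419 (not part of the STIG text).
# File paths are parameters so the check can be tried on constructed copies.

# Print the active default-deny lines of a hosts.deny file.
# The pattern is anchored, so "#ALL:ALL" (a comment) does not match.
# Assumption: only the plain "ALL: ALL" entry counts; narrower rules such as
# "ALL: ALL EXCEPT ..." are left for manual review.
default_deny_lines() {
    grep -E '^[[:blank:]]*ALL[[:blank:]]*:[[:blank:]]*ALL[[:blank:]]*$' "$1"
}

# Report findings for the two checks in "Check Content".
# Returns the number of findings (0 means not a finding).
audit_tcp_wrappers() {
    allow=${1:-/etc/hosts.allow}
    deny=${2:-/etc/hosts.deny}
    findings=0

    # Check 1: both files must exist.
    for f in "$allow" "$deny"; do
        if [ ! -f "$f" ]; then
            echo "FINDING: $f does not exist"
            findings=$((findings + 1))
        fi
    done

    # Check 2: hosts.deny must carry an active default deny entry.
    if [ -f "$deny" ] && ! default_deny_lines "$deny" >/dev/null; then
        echo "FINDING: no active \"ALL: ALL\" entry in $deny"
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then
        echo "PASS: not a finding"
    fi
    return "$findings"
}

# Audit the system files only when asked to: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_tcp_wrappers
fi
```
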

Fix Text

Edit the "/etc/hosts.allow" and "/etc/hosts.deny" files to configure access restrictions.

Add an "ALL: ALL" entry to the "/etc/hosts.deny" file.