CIS AIX 5.3/6.1 L1 v1.1.0

Audit Details

Name: CIS AIX 5.3/6.1 L1 v1.1.0

Updated: 12/6/2023

Authority: CIS

Plugin: Unix

Revision: 1.29

Estimated Item Count: 107

File Details

Filename: CIS_AIX_5.3_6.1_v1.1.0_Level_I.audit

Size: 85.3 kB

MD5: 70a6b5214a5e1781d29217fcfedd4ff2
SHA256: 57bb6991a2d5efd77fb6976b47247ecdd2475e1154214a23f51e7f89372f7071

Audit Items

DescriptionCategories
1.1.1 - /etc/security/user - 'mindiff >= 4'

IDENTIFICATION AND AUTHENTICATION

1.1.2 - /etc/security/user - 'minage >= 1'

IDENTIFICATION AND AUTHENTICATION

1.1.3 - /etc/security/user - 'maxage <= 13' but not 0

IDENTIFICATION AND AUTHENTICATION

1.1.4 - /etc/security/user - 'minlen = 8'

IDENTIFICATION AND AUTHENTICATION

1.1.5 - /etc/security/user - 'minalpha >= 2'

IDENTIFICATION AND AUTHENTICATION

1.1.6 - /etc/security/user - 'minother >= 2'

IDENTIFICATION AND AUTHENTICATION

1.1.7 - /etc/security/user - 'maxrepeats <= 2'

IDENTIFICATION AND AUTHENTICATION

1.1.8 - /etc/security/user - 'histexpire >= 13'

IDENTIFICATION AND AUTHENTICATION

1.1.9 - /etc/security/user - 'histsize >= 20'

IDENTIFICATION AND AUTHENTICATION

1.1.10 - /etc/security/user - 'maxexpired <= 2'

IDENTIFICATION AND AUTHENTICATION

1.2.1 - /etc/security/login.cfg - 'logininterval <= 300'

ACCESS CONTROL

1.2.2 - /etc/security/login.cfg - 'logindisable <= 10'

ACCESS CONTROL

1.2.3 - /etc/security/login.cfg - 'loginreenable >= 360'

ACCESS CONTROL

1.2.4 - /etc/security/login.cfg - 'logintimeout <= 30'

ACCESS CONTROL

1.2.5 - /etc/security/login.cfg - 'logindelay >= 10'

ACCESS CONTROL

1.2.6 - /etc/security/user - 'loginretries <= 3'

ACCESS CONTROL

1.2.7 - /etc/security/user - 'rlogin = false'

CONFIGURATION MANAGEMENT

1.2.8 - /etc/security/user - 'sugroups=ALL su=true'

IDENTIFICATION AND AUTHENTICATION

1.3.53 - /etc/inetd.conf - permissions and ownership - '/etc/inetd.conf root:system 644'
1.7.3 - Miscellaneous Enhancements - '/etc/ftpusers includes root'

ACCESS CONTROL

1.7.4 - Miscellaneous Enhancements - login herald - 'default herald is set to appropriate text'

ACCESS CONTROL

1.7.5 - Miscellaneous Enhancements - 'guest account removal'

ACCESS CONTROL

1.7.6 - Miscellaneous Enhancements - crontab permissions - '/usr/bin/errclear 755'
1.7.6 - Miscellaneous Enhancements - crontab permissions - '/usr/lib/ras/dumpcheck 755'
1.7.6 - Miscellaneous Enhancements - crontab permissions - '/usr/lib/spell/compress 755'
1.7.6 - Miscellaneous Enhancements - crontab permissions - '/usr/sbin/skulker 755'
2.2.2 - Configuring SSH - disabling direct root access - 'PermitRootLogin = no'

ACCESS CONTROL

2.2.3 - Configuring SSH - server protocol - 'Protocol 2'
2.2.4 - Configuring SSH - client protocol - 'Protocol 2'
2.2.5 - Configuring SSH - banner configuration - 'Banner = /etc/motd'

ACCESS CONTROL

2.2.6 - Configuring SSH - ignore .shosts and .rhosts - 'IgnoreRhosts = yes'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.2.7 - Configuring SSH - disable null passwords - 'PermitEmptyPasswords = no'

IDENTIFICATION AND AUTHENTICATION

2.2.9 - Configuring SSH - set privilege separation - 'UsePrivilegeSeparation = yes'

CONFIGURATION MANAGEMENT

2.2.10 - Configuring SSH - sshd_config permissions lockdown - '/etc/ssh/sshd_config root:system 600'

CONFIGURATION MANAGEMENT

2.2.11 - Configuring SSH - ssh_config permissions lockdown - '/etc/ssh/ssh_config root:system 644'

CONFIGURATION MANAGEMENT

2.3.1 - /etc/mail/sendmail.cf - SmtpGreetingMessage - 'SmtpGreetingMessage = mailerready'

ACCESS CONTROL

2.3.2 - /etc/mail/sendmail.cf - permissions and ownership - '/etc/mail/sendmail.cf root:system 640'

ACCESS CONTROL

2.3.3 - /var/spool/mqueue - permissions and ownership - '/var/spool/mqueue root:system 700'
2.4.3 - CDE - sgid/suid binary lockdown - '/usr/dt/bin/dtaction root:sys 555'
2.4.3 - CDE - sgid/suid binary lockdown - '/usr/dt/bin/dtappgather root:bin 555'
2.4.3 - CDE - sgid/suid binary lockdown - '/usr/dt/bin/dtprintinfo root:bin 555'
2.4.3 - CDE - sgid/suid binary lockdown - '/usr/dt/bin/dtsession root:bin 555'
2.4.5 - CDE - screensaver lock - 'dtsession*lockTimeout <= 10'

ACCESS CONTROL

2.4.5 - CDE - screensaver lock - 'dtsession*saverTimeout <= 10'

ACCESS CONTROL

2.4.6 - CDE - /etc/dt/config/Xconfig permissions and ownership - '/etc/dt/config/Xconfig root:bin 444'

ACCESS CONTROL

2.4.7 - CDE - /etc/dt/config/Xservers permissions and ownership - '/etc/dt/config/Xservers root:bin 444'
2.4.7 - CDE - /etc/dt/config/Xservers permissions and ownership - 'Dtlogin.servers = /etc/dt/config/Xservers'

CONFIGURATION MANAGEMENT

2.4.8 - CDE - login screen hostname masking - 'dtlogin*greeting.labelString is set to appropriate text'

ACCESS CONTROL

2.4.8 - CDE - login screen hostname masking - 'dtlogin*greeting.persLabelString is set to appropriate text'

ACCESS CONTROL

2.4.9 - CDE - /etc/dt/config/*/Xresources permissions and ownership - '/etc/dt/config/*/Xresources root:sys 444'