CIS IBM AIX 7.2 L1 v1.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS IBM AIX 7.2 L1 v1.0.0

Updated: 4/1/2024

Authority: CIS

Plugin: Unix

Revision: 1.5

Estimated Item Count: 205

File Details

Filename: CIS_AIX_7.2_Benchmark_v1.0.0_Level_1.audit

Size: 320 kB

MD5: 0893e40a4c2e4ba25e4794f583698a99
SHA256: 3c54d6b707abc34395149fa0ed8bfab6def92d43593096dd6a41d1a09fce9340

Audit Changelog

Revision 1.5

Apr 1, 2024

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.4

Mar 19, 2024

Functional Update
  • 2.1 Collect system configuration regularly
  • 2.2 Scan for TROJAN aka Untrusted/Unauthorized Applications (Implement Allowlist)
  • 2.7 Remove Unused Symbolic Links
  • 3.3 Ensure default user umask is 027 or more restrictive
  • 3.4 Remove group write permission from default groups - exceptions must be in TSD and audit
  • 3.5 Application Data with requirement for world writable directories
  • 3.6 Ensure there are no world writable files - exceptions must be in TSD and audit
  • 3.7 Ensure there are no 'staff' writable files - exceptions must be in TSD and audit
  • 3.8 Ensure all files and directories are owned by a user (uid) and assigned to a group (gid)
  • 4.1.1.1 Disable writesrv
  • 4.1.1.2 Disable ntalk/talk
  • 4.1.1.3 dt
  • 4.1.1.4 piobe
  • 4.1.1.5 qdaemon
  • 4.1.1.6 rc.nfs
  • 4.1.1.7 cas_agent
  • 4.1.2.10 named
  • 4.1.2.11 portmap
  • 4.1.2.12 routed
  • 4.1.2.13 rwhod
  • 4.1.2.14 sendmail
  • 4.1.2.15 snmpd
  • 4.1.2.16 snmpmibd
  • 4.1.2.17 timed
  • 4.1.2.2 aixmibd
  • 4.1.2.3 dhcpcd
  • 4.1.2.4 dhcprd
  • 4.1.2.5 dhcpsd
  • 4.1.2.6 dpid2
  • 4.1.2.7 gated
  • 4.1.2.8 hostmibd
  • 4.1.3.1 autoconf6
  • 4.1.3.2 ndpd-host
  • 4.1.3.3 ndpd-router
  • 4.1.4.1 NFS - de-install NFS client
  • 4.1.4.6 NFS - no_root_squash option
  • 4.1.5.1 bootps
  • 4.1.5.10 imap2
  • 4.1.5.11 instsrv
  • 4.1.5.12 klogin
  • 4.1.5.13 kshell
  • 4.1.5.14 login
  • 4.1.5.15 netstat
  • 4.1.5.16 ntalk
  • 4.1.5.17 pcnfsd
  • 4.1.5.18 pop3
  • 4.1.5.19 rexd
  • 4.1.5.2 chargen
  • 4.1.5.20 rquotad
  • 4.1.5.21 rstatd
  • 4.1.5.22 rusersd
  • 4.1.5.23 rwalld
  • 4.1.5.24 shell
  • 4.1.5.25 sprayd
  • 4.1.5.26 xmquery
  • 4.1.5.27 talk
  • 4.1.5.28 telnet
  • 4.1.5.29 tftp
  • 4.1.5.3 comsat
  • 4.1.5.30 time
  • 4.1.5.31 uucp
  • 4.1.5.4 daytime
  • 4.1.5.5 discard
  • 4.1.5.6 echo
  • 4.1.5.7 exec
  • 4.1.5.8 finger
  • 4.1.5.9 ftp
  • 4.11 Remove current working directory from default /etc/environment PATH
  • 4.12 Lock historical users
  • 4.13 Remove current working directory from root's PATH
  • 4.14 Configuration: /etc/motd
  • 4.2.1 clean_partial_conns
  • 4.2.10 ipsrcroutesend
  • 4.2.11 ip6srcrouteforward
  • 4.2.13 nonlocsrcroute
  • 4.2.14 sockthresh
  • 4.2.15 tcp_pmtu_discover
  • 4.2.16 tcp_tcpsecure
  • 4.2.17 udp_pmtu_discover
  • 4.2.18 ip6forwarding
  • 4.2.2 bcastping
  • 4.2.3 directed_broadcast
  • 4.2.4 icmpaddressmask
  • 4.2.5 ipforwarding
  • 4.2.6 ipignoreredirects
  • 4.2.7 ipsendredirects
  • 4.2.8 ipsrcrouteforward
  • 4.2.9 ipsrcrouterecv
  • 4.5.1.1 CDE - de-installing CDE
  • 4.5.2.1 FTPD: Disable root access to ftpd
  • 4.5.2.2 FTPD: Display acceptable usage policy during login
  • 4.5.2.3 FTPD: Prevent world access and group write to files
  • 4.5.3.1 OpenSSH: Minimum version is 8.1
  • 4.5.3.10 sshd_config: LogLevel is 'INFO' or 'VERBOSE'
  • 4.5.3.11 sshd_config: sftp-server arguments include '-u 027 -f AUTH -l INFO'
  • 4.5.3.12 sshd_config: MaxAuthTries is '4'
  • 4.5.3.13 sshd_config: PermitUserEnvironment is 'no'
  • 4.5.3.15 sshd_config, ssh_config: KexAlgorithms
  • 4.5.3.16 sshd_config, ssh_config: Ciphers
  • 4.5.3.17 sshd_config, ssh_config: MACs - Message Authentication Codes
  • 4.5.3.18 sshd_config, ssh_config: ReKeyLimit
  • 4.5.3.3 OpenSSH: Remove .shosts files
  • 4.5.3.6 sshd_config: Banner exists and message contains 'Only authorized users allowed'
  • 4.5.3.7 sshd_config: HostbasedAuthentication is 'no'
  • 4.5.3.8 sshd_config: IgnoreRhosts is 'yes' or 'shosts-only'
  • 4.5.3.9 sshd_config: PermitEmptyPasswords is 'no'
  • 4.5.4.2 /etc/mail/sendmail.cf - PrivacyOptions
  • 4.5.4.3 /etc/mail/sendmail.cf - DaemonPortOptions
  • 4.5.4.4 /etc/mail/sendmail.cf - access control
  • 4.5.4.5 /var/spool/clientmqueue - access control
  • 4.5.4.6 /var/spool/mqueue - access control
  • 4.5.6 Uninstall snmp
  • 4.5.7 Uninstall/Disable sendmail
  • 4.6.4 loginretries
  • 4.7.1.1 Home directory must exist
  • 4.7.1.10 Ensure root user has a dedicated home directory
  • 4.7.1.11 /etc/security/audit
  • 4.7.1.2 Home directory must be owned by account, or special account
  • 4.7.1.3 Home directory: write access restricted to 'owner'
  • 4.7.1.5 SECURITY Subsystems: /etc/security
  • 4.7.1.6 /var/adm/ras
  • 4.7.1.7 /var/adm/sa
  • 4.7.1.8 /var/spool/cron/crontabs
  • 4.7.2.1 New configuration file for sendmail /etc/mail/submit.cf
  • 4.7.2.10 /etc/ssh/ssh_config
  • 4.7.2.11 /etc/ssh/sshd_config
  • 4.7.2.12 /var/adm/cron/at.allow
  • 4.7.2.13 /var/adm/cron/cron.allow
  • 4.7.2.14 /var/ct/RMstart.log
  • 4.7.2.15 /var/adm/cron/log
  • 4.7.2.16 /var/tmp/dpid2.log
  • 4.7.2.17 /var/tmp/hostmibd.log
  • 4.7.2.18 /var/tmp/snmpd.log
  • 4.7.2.2 Verify Trust of suid, sgid, acl, and trusted-bit files and programs
  • 4.7.2.4 Home directory configuration files
  • 4.7.2.5 /smit.log
  • 4.7.2.6 /etc/group
  • 4.7.2.7 /etc/inetd.conf
  • 4.7.2.8 /etc/motd
  • 4.7.2.9 /etc/passwd
  • 5.1.1.1 histexpire
  • 5.1.1.2 histsize
  • 5.1.1.3 minage
  • 5.1.2 All accounts must have a hashed password
  • 5.1.3 All usernames and UIDs must be unique
  • 5.1.4 All group names and GIDs must be unique
  • 5.2.1 Ensure new passwords are controlled by password attributes (disable NOCHECK)
  • 5.2.10 mindigit
  • 5.2.11 minloweralpha
  • 5.2.12 minupperalpha
  • 5.2.13 minspecialchar
  • 5.2.3 Ensure passwords are not hashed using 'crypt'
  • 5.2.4 Ensure password policy is enforced for all users
  • 5.2.5 minlen
  • 5.2.6 mindiff
  • 5.2.7 minalpha
  • 5.2.8 minother
  • 5.2.9 maxrepeats
  • 5.3.1 adm
  • 5.3.10 Ensure System Accounts cannot access system using ftp.
  • 5.3.2 bin
  • 5.3.3 daemon
  • 5.3.4 guest
  • 5.3.5 lpd
  • 5.3.6 nobody
  • 5.3.7 nuucp
  • 5.3.8 sys
  • 5.3.9 uucp
  • 5.6 maxage
  • 5.7 maxexpired
  • 6.4 Adding authorized users in at.allow
  • 6.6 Adding authorised users in cron.allow
Informational Update
  • 3.7 Ensure there are no 'staff' writable files - exceptions must be in TSD and audit
  • 4.1.2.11 portmap
  • 4.1.3.2 ndpd-host
  • 4.5.3.17 sshd_config, ssh_config: MACs - Message Authentication Codes
  • 7.2 Use FLRTVC regularly
Miscellaneous
  • Metadata updated.
  • References updated.
  • See also link updated.
  • Variables updated.
Added
  • 2.3 Allowlist Authorized Software and Report Violations
  • 2.4 Allowlist Authorized Libraries and Report Violations
  • 2.5 Allowlist Authorized Scripts and Report Violations
  • 4.1.2.1 inetd - aka Super Daemon
  • 4.1.4.3 NFS - enable both nosuid and nodev options on NFS client mounts
  • 4.1.4.4 NFS - localhost removal
  • 4.10 Disable core dumps
  • 4.2.12 nfs_use_reserved_ports
  • 4.3.1 Ensure that IP Security is available
  • 4.3.2 Ensure loopback traffic is blocked on external interfaces
  • 4.3.3 Ensure that IPsec filters are active
  • 4.5.1.10 CDE - /etc/dt/config/Xservers permissions and ownership
  • 4.5.1.11 CDE - /etc/dt/config/*/Xresources permissions and ownership
  • 4.5.1.5 CDE - sgid/suid binary lockdown
  • 4.5.1.7 CDE - screensaver lock
  • 4.5.1.8 CDE - login screen hostname masking
  • 4.5.1.9 CDE - /etc/dt/config/Xconfig permissions and ownership
  • 4.5.3.2 OpenSSH: Remove /etc/shosts.equiv and /etc/rhosts.equiv
  • 4.5.4.1 /etc/mail/sendmail.cf - Hide sendmail version information
  • 4.6.1 /etc/security/login.cfg - logintimeout
  • 4.6.2 /etc/security/login.cfg - logindelay
  • 4.6.3 herald (logon message)
  • 4.6.5 Unattended terminal session timeout is 900 seconds (or less)
  • 4.7.1.4 AUDIT subsystem: /audit and /etc/security/audit
  • 4.7.2.3 crontab entries - owned by userid
  • 4.9 Ensure root access is controlled
  • 5.2.2 pwd_algorithm
  • 8.1.1 Configuring syslog - local logging
Removed
  • 2.3 Allowlist Authorized Software and Report Violations - CHKEXEC
  • 2.3 Allowlist Authorized Software and Report Violations - TE
  • 2.3 Allowlist Authorized Software and Report Violations - kern.info
  • 2.4 Allowlist Authorized Libraries and Report Violations - CHKKERNEXT
  • 2.4 Allowlist Authorized Libraries and Report Violations - CHKSHLIB
  • 2.4 Allowlist Authorized Libraries and Report Violations - TE
  • 2.4 Allowlist Authorized Libraries and Report Violations - kern.info
  • 2.5 Allowlist Authorized Scripts and Report Violations - CHKSCRIPT
  • 2.5 Allowlist Authorized Scripts and Report Violations - kern.info
  • 4.1.2.1 inetd - aka Super Daemon - aka Super Daemon
  • 4.1.4.3 NFS - enable both nosuid and nodev options on NFS client mounts - nodev
  • 4.1.4.3 NFS - enable both nosuid and nodev options on NFS client mounts - nosuid
  • 4.1.4.4 NFS - localhost removal - localhost removal
  • 4.10 Disable core dumps - lsattr
  • 4.10 Disable core dumps - lssec
  • 4.2.12 nfs_use_reserved_ports - nfs_use_reserved_ports
  • 4.2.12 nfs_use_reserved_ports - portcheck
  • 4.3.1 Ensure that IP Security is available - ipsec_v4
  • 4.3.1 Ensure that IP Security is available - ipsec_v6
  • 4.3.2 Ensure loopback traffic is blocked on external interfaces - v4
  • 4.3.2 Ensure loopback traffic is blocked on external interfaces - v6
  • 4.3.3 Ensure that IPsec filters are active - v4
  • 4.3.3 Ensure that IPsec filters are active - v6
  • 4.5.1.10 CDE - /etc/dt/config/Xservers permissions and ownership - explicit definition
  • 4.5.1.10 CDE - /etc/dt/config/Xservers permissions and ownership - permissions and ownership
  • 4.5.1.11 CDE - /etc/dt/config/*/Xresources permissions and ownership - /etc/dt/config/*/Xresources permissions and ownership
  • 4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtaction
  • 4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtappgather
  • 4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtprintinfo
  • 4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtsession
  • 4.5.1.7 CDE - screensaver lock - dtsession*lockTimeout
  • 4.5.1.7 CDE - screensaver lock - dtsession*saverTimeout
  • 4.5.1.8 CDE - login screen hostname masking - dtlogin.greeting.labelString
  • 4.5.1.8 CDE - login screen hostname masking - dtlogin.greeting.persLabelString
  • 4.5.1.9 CDE - /etc/dt/config/Xconfig permissions and ownership - /etc/dt/config/Xconfig permissions and ownership
  • 4.5.3.2 OpenSSH: Remove /etc/shosts.equiv and /etc/rhosts.equiv - /etc/rhosts.equiv
  • 4.5.3.2 OpenSSH: Remove /etc/shosts.equiv and /etc/rhosts.equiv - /etc/shosts.equiv
  • 4.5.4.1 /etc/mail/sendmail.cf - Hide sendmail version information - SmtpGreetingMessage
  • 4.5.4.1 /etc/mail/sendmail.cf - Hide sendmail version information - helpfile
  • 4.6.1 /etc/security/login.cfg - logintimeout - logintimeout
  • 4.6.2 /etc/security/login.cfg - logindelay - logindelay
  • 4.6.3 herald (logon message) - logon message
  • 4.6.5 Unattended terminal session timeout is 900 seconds (or less) - TIMEOUT
  • 4.6.5 Unattended terminal session timeout is 900 seconds (or less) - TMOUT
  • 4.6.5 Unattended terminal session timeout is 900 seconds (or less) - readonly
  • 4.7.1.4 AUDIT subsystem: /audit and /etc/security/audit - /audit
  • 4.7.1.4 AUDIT subsystem: /audit and /etc/security/audit - /etc/security/audit
  • 4.7.2.3 crontab entries - owned by userid - owned by userid
  • 4.9 Ensure root access is controlled - rlogin
  • 4.9 Ensure root access is controlled - sugroups
  • 5.2.2 pwd_algorithm - pwd_algorithm
  • 8.1.1 Configuring syslog - local logging - *.info/auth.none in /etc/syslog.conf
  • 8.1.1 Configuring syslog - local logging - /var/adm/authlog
  • 8.1.1 Configuring syslog - local logging - /var/adm/syslog
  • 8.1.1 Configuring syslog - local logging - auth.info in /etc/syslog.conf
Revision 1.3

Feb 7, 2024

Functional Update
  • 4.13 Remove current working directory from root's PATH
  • 4.3.3 Ensure that IPsec filters are active - v4
  • 4.3.3 Ensure that IPsec filters are active - v6
Miscellaneous
  • Metadata updated.
Revision 1.2

Sep 19, 2023

Functional Update
  • 2.7 Remove Unused Symbolic Links
  • 3.4 Remove group write permission from default groups - exceptions must be in TSD and audit
  • 3.5 Application Data with requirement for world writable directories
  • 3.6 Ensure there are no world writable files - exceptions must be in TSD and audit
  • 3.8 Ensure all files and directories are owned by a user (uid) and assigned to a group (gid)
  • 4.5.3.3 OpenSSH: Remove .shosts files
  • 4.7.1.6 /var/adm/ras
  • 4.7.2.2 Verify Trust of suid, sgid, acl, and trusted-bit files and programs
Miscellaneous
  • References updated.
  • Variables updated.
Revision 1.1

Apr 12, 2023

Miscellaneous
  • Metadata updated.