Jun 17, 2024

Apr 1, 2024
Miscellaneous
- Audit deprecated.
- Metadata updated.
- References updated.

Mar 19, 2024
Functional Update
- 2.8 Ensure the Trusted Execution Policies cannot be modified
- 4.1.2.9 mrouted
- 4.1.3.1 autoconf6
- 4.1.3.2 ndpd-host
- 4.1.3.3 ndpd-router
- 4.4.3 Removal of entries from /etc/hosts.equiv
- 4.5.3.14 sshd_config: Use Conditional exception(s).
- 4.5.3.4 sshd_config: Restrict users and groups allowed access via OpenSSH
- 4.5.3.5 sshd_config: PermitRootLogin is 'prohibit-password' or 'no'
- 6.3.1 Privilege escalation: sudo
- 6.3.2 Ensure sudo logging is active
- 6.3.3 Ensure sudo commands use pty
Informational Update
- 4.5.3.14 sshd_config: Use Conditional exception(s).
- 6.1.1 Create baseline of executables that elevate to a different GUID (Not scored)
Miscellaneous
- Metadata updated.
- See also link updated.
- Variables updated.
Added
- 2.6 Enforce Allowlist aka Trusted Execution Checks
- 3.1 Encryption: File System Level (EFS)
- 4.1.4.2 NFS - de-install NFS server
- 4.1.4.5 NFS - restrict NFS access
- 4.1.4.7 NFS - secure NFS
- 4.4.1.1 NIS - de-install NIS client
- 4.4.1.2 NIS - de-install NIS server
- 4.4.1.3 NIS - remove NIS markers from password and group files
- 4.4.1.4 NIS - restrict NIS server communication
- 4.4.2 Remote command lockdown
- 4.4.4 Removal of .rhosts and .netrc files
- 4.4.5 Remote daemon lockdown
- 4.5.1.2 /etc/inetd.conf - cmsd
- 4.5.1.3 CDE - disabling dtlogin
- 4.5.1.4 /etc/inetd.conf - dtspc
- 4.5.1.6 CDE - remote GUI login disabled
- 4.5.5.1 SNMP - disable private community string
- 4.5.5.2 SNMP - disable system community string
- 4.5.5.3 SNMP - disable public community string
- 4.5.5.4 SNMP - disable Readwrite community access
- 4.5.5.5 SNMP - restrict community access
- 4.6.5 Unattended terminal session timeout is 900 seconds (or less)
- 4.8.1 TE - implementation
- 6.5 Services - at access is root only
- 6.7 Services - crontab access is root only
- 8.1.2 Configuring syslog - remote logging
- 8.1.3 Configuring syslog - remote messages
- 8.2 AIX Auditing
Removed
- 2.6 Enforce Allowlist aka Trusted Execution Checks - stop_on_chkfail
- 2.6 Enforce Allowlist aka Trusted Execution Checks - stop_untrustd
- 3.1 Encryption: File System Level (EFS) - clic
- 3.1 Encryption: File System Level (EFS) - clic loaded
- 4.1.4.2 NFS - de-install NFS server - /etc/exports
- 4.1.4.2 NFS - de-install NFS server - server installed
- 4.1.4.5 NFS - restrict NFS access - restrict NFS access
- 4.1.4.7 NFS - secure NFS - secure NFS
- 4.4.1.1 NIS - de-install NIS client - de-install NIS client
- 4.4.1.2 NIS - de-install NIS server - de-install NIS server
- 4.4.1.3 NIS - remove NIS markers from password and group files - /etc/group
- 4.4.1.3 NIS - remove NIS markers from password and group files - /etc/passwd
- 4.4.1.4 NIS - restrict NIS server communication - file permissions
- 4.4.1.4 NIS - restrict NIS server communication - review contents
- 4.4.2 Remote command lockdown - rcp
- 4.4.2 Remote command lockdown - rlogin
- 4.4.2 Remote command lockdown - rsh
- 4.4.4 Removal of .rhosts and .netrc files - .netrc
- 4.4.4 Removal of .rhosts and .netrc files - .rhosts
- 4.4.5 Remote daemon lockdown - rlogind
- 4.4.5 Remote daemon lockdown - rshd
- 4.4.5 Remote daemon lockdown - tftpd
- 4.5.1.2 /etc/inetd.conf - cmsd - cmsd
- 4.5.1.3 CDE - disabling dtlogin - disabling dtlogin
- 4.5.1.4 /etc/inetd.conf - dtspc - dtspc
- 4.5.1.6 CDE - remote GUI login disabled - remote GUI login disabled
- 4.5.5.1 SNMP - disable private community string - disable private community string
- 4.5.5.2 SNMP - disable system community string - disable system community string
- 4.5.5.3 SNMP - disable public community string - disable public community string
- 4.5.5.4 SNMP - disable Readwrite community access - disable Readwrite community access
- 4.5.5.5 SNMP - restrict community access - restrict community access
- 4.6.5 Unattended terminal session timeout is 900 seconds (or less) - TIMEOUT
- 4.6.5 Unattended terminal session timeout is 900 seconds (or less) - TMOUT
- 4.6.5 Unattended terminal session timeout is 900 seconds (or less) - readonly
- 4.8.1 TE - implementation - CHKEXEC
- 4.8.1 TE - implementation - CHKSCRIPT
- 4.8.1 TE - implementation - STOP_ON_CHKFAIL
- 4.8.1 TE - implementation - TE
- 4.8.1 TE - implementation - TEP
- 6.5 Services - at access is root only - at.deny does not exist
- 6.5 Services - at access is root only - root exists in at.allow
- 6.7 Services - crontab access is root only - adm exists in cron.allow
- 6.7 Services - crontab access is root only - cron.deny does not exist
- 6.7 Services - crontab access is root only - root exists in cron.allow
- 8.1.2 Configuring syslog - remote logging - *.info;auth.none in /etc/syslog.conf
- 8.1.2 Configuring syslog - remote logging - auth.info in /etc/syslog.conf
- 8.1.3 Configuring syslog - remote messages - remote messages
- 8.2 AIX Auditing - /audit exists
- 8.2 AIX Auditing - /etc/security/audit/config update
- 8.2 AIX Auditing - audit startup
- 8.2 AIX Auditing - auditclasses update
- 8.2 AIX Auditing - cron audit rotation

Nov 9, 2023
Functional Update
- 4.4.1.4 NIS - restrict NIS server communication - review contents

Apr 12, 2023