DISA STIG AIX 5.3 v1r2

Audit Details

Name: DISA STIG AIX 5.3 v1r2

Updated: 9/19/2023

Authority: DISA STIG

Plugin: Unix

Revision: 1.31

Estimated Item Count: 946

File Details

Filename: DISA_STIG_AIX_5.3_v1r2.audit

Size: 1.46 MB

MD5: b255a89df05688a35afc97d1ab636256
SHA256: b71dee5f179f16bb2ee96d343d013774c44e42fd2425d09e8dfb50b41566f5dd

Audit Changelog

Revision 1.31

Sep 19, 2023

Functional Update
  • GEN001160 - All files and directories must have a valid owner.
  • GEN001170 - All files and directories must have a valid group owner.
  • GEN001890 - Local initialization files must not have extended ACLs - '.bash_logout'
  • GEN001890 - Local initialization files must not have extended ACLs - '.bash_profile'
  • GEN001890 - Local initialization files must not have extended ACLs - '.bashrc'
  • GEN001890 - Local initialization files must not have extended ACLs - '.cshrc'
  • GEN001890 - Local initialization files must not have extended ACLs - '.dispatch'
  • GEN001890 - Local initialization files must not have extended ACLs - '.dtprofile'
  • GEN001890 - Local initialization files must not have extended ACLs - '.emacs'
  • GEN001890 - Local initialization files must not have extended ACLs - '.env'
  • GEN001890 - Local initialization files must not have extended ACLs - '.exrc'
  • GEN001890 - Local initialization files must not have extended ACLs - '.login'
  • GEN001890 - Local initialization files must not have extended ACLs - '.logout'
  • GEN001890 - Local initialization files must not have extended ACLs - '.profile'
  • GEN002000 - There must be no .netrc files on the system.
  • GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - '.rhosts'
  • GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - '.shosts'
  • GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - 'hosts.equiv'
  • GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - 'shosts.equiv'
  • GEN002300 - Device files used for backup must only be readable and/or writable by root or the backup user - '/dev/cd*'
  • GEN002300 - Device files used for backup must only be readable and/or writable by root or the backup user - '/dev/rmt*'
  • GEN002330 - Audio devices must not have extended ACLs.
  • GEN002380 - The owner, group, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures
  • GEN002440 - The owner, group, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures
  • GEN002480 - Public directories must be the only world-writable directories and world-writable files must be located only in public dirs
  • GEN002500 - The sticky bit must be set on all public directories.
  • GEN002520 - All public directories must be owned by root or an application account.
  • GEN002540 - All public directories must be group-owned by system or an application group.
  • GEN003865 - Network analysis tools must not be installed - 'ethereal'
  • GEN003865 - Network analysis tools must not be installed - 'netcat'
  • GEN003865 - Network analysis tools must not be installed - 'snoop'
  • GEN003865 - Network analysis tools must not be installed - 'tcpdump'
  • GEN003865 - Network analysis tools must not be installed - 'tshark'
  • GEN003865 - Network analysis tools must not be installed - 'wireshark'
  • GEN004580 - The system must not use .forward files.
  • GEN005190 - The .Xauthority files must not have extended ACLs.
  • GEN005340 - Management Information Base (MIB) files must have mode 0640 or less permissive.
  • GEN005350 - Management Information Base (MIB) files must not have extended ACLs.
Miscellaneous
  • References updated.
  • Variables updated.
Revision 1.30

May 31, 2023

Miscellaneous
  • Variables updated.
Revision 1.29

Apr 12, 2023

Miscellaneous
  • Metadata updated.
  • Platform check updated.
  • Variables updated.
Revision 1.28

Mar 7, 2023

Miscellaneous
  • Metadata updated.
  • References updated.
  • Variables updated.
Revision 1.27

Dec 7, 2022

Functional Update
  • GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'NTP daemon uses approved sources'
Miscellaneous
  • Variables updated.
Revision 1.26

Apr 25, 2022

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.25

Jul 30, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.24

Jun 17, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.23

Feb 1, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.22

Oct 5, 2020

Functional Update
  • GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Dtlogin*greeting.labelString'
  • GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Xlogin*greeting'
  • GEN000920 - The root account's home directory (other than /) must have mode 0700 - Not Applicable
  • GEN000920 - The root account's home directory (other than /) must have mode 0700.
  • GEN001100 - Root passwords must never be passed over a network in clear text form - 'root has logged in over a network'
  • GEN001100 - Root passwords must never be passed over a network in clear text form - 'ssh is running'
  • GEN001361 - NIS/NIS+/yp command files must not have extended ACLs - '/var/nis'
  • GEN001361 - NIS/NIS+/yp command files must not have extended ACLs - '/var/yp'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/.login'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/bashrc'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.cshrc'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.login'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/environment'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/profile'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/.profile'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/environ'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/audit umask'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/audit' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditbin'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditbin' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditcat'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditcat' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditconv'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditconv' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditmerge' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditmerge' - umask
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditpr'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditpr' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditselect'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditselect' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditstream'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditstream' - suid
  • GEN002990 - The cron.allow file must not have an extended ACL.
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'sshd'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'adm'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'bin'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'daemon'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'esaadmin'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'guest'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'invscout'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'ipsec'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'lp'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'lpd'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'nobody'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'nuucp'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'pconsole'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'snapp'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'sshd'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'sys'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'uucp'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'adm'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'bin'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'daemon'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'esaadmin'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'guest'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'invscout'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'ipsec'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'lp'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'lpd'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'nobody'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'nuucp'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'pconsole'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'snapp'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'sys'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'uucp'
  • GEN003245 - The at.allow file must not have an extended ACL.
  • GEN003300 - The at.deny file must not be empty if it exists
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'esaadmin' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'esaadmin' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'guest' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'guest' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'invscout' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'invscout' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ipsec' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ipsec' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lpd' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lpd' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nuucp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nuucp' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'pconsole' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'pconsole' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'snapp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'snapp' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sshd' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sshd' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sys' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sys' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' - at.deny
  • GEN003640 - The root file system must employ journaling or another mechanism ensuring file system consistency
  • GEN003660 - The system must log authentication informational data - 'auth.*'
  • GEN003660 - The system must log authentication informational data - 'auth.info'
  • GEN003660 - The system must log authentication informational data - 'auth.notice'
  • GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled
  • GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled - inetd is running
  • GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'inetd.conf'
  • GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'xinetd.conf'
  • GEN004950 - The ftpusers file must not have an extended ACL.
  • GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host - Not Applicable
  • GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host file system.
  • GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user
  • GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user exists'
  • GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user shell'
  • GEN006150 - The /usr/lib/smb.conf file must not have an extended ACL.
  • GEN006210 - The /var/private/smbpasswd file must not have an extended ACL.
  • GEN006220 - The smb.conf file must use the hosts option to restrict access to Samba.
  • GEN006230 - Samba must be configured to use encrypted passwords.
  • GEN006270 - The /etc/news/hosts.nntp file must not have an extended ACL.
  • GEN006290 - The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
  • GEN006310 - The /etc/news/nnrp.access file must not have an extended ACL.
  • GEN006330 - The /etc/news/passwd.nntp file must not have an extended ACL.
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'clean.dat'
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'clean.dat' - update date
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'names.dat'
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'names.dat' - update date
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'scan.dat'
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'scan.dat' - update date
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'Not Applicable'
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'client Key Label'
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'ldapsslkeyf exists'
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'useSSL = yes'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'Not Applicable'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'client Key Label'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'ldapsslkeyf exists'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'useSSL = yes'
Miscellaneous
  • Platform check updated.