DISA STIG AIX 5.3 v1r2

Audit Details

Name: DISA STIG AIX 5.3 v1r2

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.26

Estimated Item Count: 946

File Details

Filename: DISA_STIG_AIX_5.3_v1r2.audit

Size: 1.4 MB

MD5: 8799001da9405f45f39092761b09abe9
SHA256: 4fd2a13980d624781fbd2b5cd1843bb450500a8829d3225eee7bb792d26aa885

Audit Changelog

Revision 1.26

Apr 25, 2022

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.25

Jul 30, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.24

Jun 17, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.23

Feb 1, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.22

Oct 5, 2020

Functional Update
  • GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Dtlogin*greeting.labelString'
  • GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Xlogin*greeting'
  • GEN000920 - The root account's home directory (other than /) must have mode 0700 - Not Applicable
  • GEN000920 - The root account's home directory (other than /) must have mode 0700.
  • GEN001100 - Root passwords must never be passed over a network in clear text form - 'root has logged in over a network'
  • GEN001100 - Root passwords must never be passed over a network in clear text form - 'ssh is running'
  • GEN001361 - NIS/NIS+/yp command files must not have extended ACLs - '/var/nis'
  • GEN001361 - NIS/NIS+/yp command files must not have extended ACLs - '/var/yp'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/.login'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/bashrc'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.cshrc'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.login'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/environment'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/profile'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/.profile'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/environ'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/audit umask'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/audit' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditbin'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditbin' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditcat'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditcat' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditconv'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditconv' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditmerge' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditmerge' - umask
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditpr'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditpr' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditselect'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditselect' - suid
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditstream'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditstream' - suid
  • GEN002990 - The cron.allow file must not have an extended ACL.
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'sshd'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'adm'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'bin'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'daemon'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'esaadmin'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'guest'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'invscout'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'ipsec'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'lp'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'lpd'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'nobody'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'nuucp'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'pconsole'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'snapp'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'sshd'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'sys'
  • GEN003060 - Default system accounts must be included in the cron.allow file - 'uucp'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'adm'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'bin'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'daemon'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'esaadmin'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'guest'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'invscout'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'ipsec'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'lp'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'lpd'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'nobody'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'nuucp'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'pconsole'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'snapp'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'sys'
  • GEN003060 - Default system accounts must be included in the cron.deny file - 'uucp'
  • GEN003245 - The at.allow file must not have an extended ACL.
  • GEN003300 - The at.deny file must not be empty if it exists
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'esaadmin' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'esaadmin' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'guest' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'guest' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'invscout' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'invscout' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ipsec' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ipsec' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lpd' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lpd' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nuucp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nuucp' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'pconsole' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'pconsole' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'snapp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'snapp' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sshd' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sshd' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sys' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sys' - at.deny
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' - at.allow
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' - at.deny
  • GEN003640 - The root file system must employ journaling or another mechanism ensuring file system consistency
  • GEN003660 - The system must log authentication informational data - 'auth.*'
  • GEN003660 - The system must log authentication informational data - 'auth.info'
  • GEN003660 - The system must log authentication informational data - 'auth.notice'
  • GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled
  • GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled - inetd is running
  • GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'inetd.conf'
  • GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'xinetd.conf'
  • GEN004950 - The ftpusers file must not have an extended ACL.
  • GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host - Not Applicable
  • GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host file system.
  • GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user
  • GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user exists'
  • GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user shell'
  • GEN006150 - The /usr/lib/smb.conf file must not have an extended ACL.
  • GEN006210 - The /var/private/smbpasswd file must not have an extended ACL.
  • GEN006220 - The smb.conf file must use the hosts option to restrict access to Samba.
  • GEN006230 - Samba must be configured to use encrypted passwords.
  • GEN006270 - The /etc/news/hosts.nntp file must not have an extended ACL.
  • GEN006290 - The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
  • GEN006310 - The /etc/news/nnrp.access file must not have an extended ACL.
  • GEN006330 - The /etc/news/passwd.nntp file must not have an extended ACL.
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'clean.dat'
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'clean.dat' - update date
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'names.dat'
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'names.dat' - update date
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'scan.dat'
  • GEN006640 - The system must use and update a DoD-approved virus scan program - 'scan.dat' - update date
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'Not Applicable'
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'client Key Label'
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'ldapsslkeyf exists'
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'useSSL = yes'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'Not Applicable'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'client Key Label'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'ldapsslkeyf exists'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'useSSL = yes'
Miscellaneous
  • Platform check updated.
Revision 1.21

Sep 30, 2020

Functional Update
  • GEN001560 - All files and directories contained in user's home directories must have mode 0750 or less permissive.
  • GEN001900 - All local initialization files' executable search paths must contain only absolute paths.
  • GEN001901 - Local initialization files' library search paths must contain only absolute paths - 'LD_LIBRARY_PATH'
  • GEN001901 - Local initialization files' library search paths must contain only absolute paths - 'LIBPATH'
  • GEN001902 - Local initialization files' lists of preloaded libraries must contain only absolute paths.
Revision 1.20

Sep 29, 2020

Miscellaneous
  • References updated.
Revision 1.19

Jul 28, 2020

Functional Update
  • GEN001160 - All files and directories must have a valid owner.
  • GEN001170 - All files and directories must have a valid group owner.
Revision 1.18

Apr 17, 2020

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.17

Mar 12, 2019

Functional Update
  • GEN005550 - The SSH daemon must be configured with the Department of Defense (DoD) logon banner - 'Banner file contents'
Miscellaneous
  • Variables updated.