Audits
Settings
Links
Tenable Cloud
Tenable Community & Support
Tenable University
Theme
Light
Dark
Auto
Help
Plugins
Overview
Plugins Pipeline
Newest
Updated
Search
Nessus Families
WAS Families
NNM Families
LCE Families
Tenable OT Security Families
About Plugin Families
Release Notes
Audits
Overview
Newest
Updated
Search Audit Files
Search Items
References
Authorities
Documentation
Download All Audit Files
Policies
Overview
Search
AWS Resources
Azure Resources
GCP Resources
Kubernetes Resources
Indicators
Overview
Search
Indicators of Attack
Indicators of Exposure
CVEs
Overview
Newest
Updated
Search
Attack Path Techniques
Overview
Search
Links
Tenable Cloud
Tenable Community & Support
Tenable University
Settings
Theme
Light
Dark
Auto
Detections
Plugins
Overview
Plugins Pipeline
Release Notes
Newest
Updated
Search
Nessus Families
WAS Families
NNM Families
LCE Families
Tenable OT Security Families
About Plugin Families
Audits
Overview
Newest
Updated
Search Audit Files
Search Items
References
Authorities
Documentation
Download All Audit Files
Policies
Overview
Search
AWS Resources
Azure Resources
GCP Resources
Kubernetes Resources
Indicators
Overview
Search
Indicators of Attack
Indicators of Exposure
Analytics
CVEs
Overview
Newest
Updated
Search
Attack Path Techniques
Overview
Search
Audits
DISA STIG AIX 5.3 v1r2
Changelog
Revision 1.22
Changelog
Revision 1.22
Oct 5, 2020
Functional Update
GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Dtlogin*greeting.labelString'
GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Xlogin*greeting'
GEN000920 - The root account's home directory (other than /) must have mode 0700 - Not Applicable
GEN000920 - The root account's home directory (other than /) must have mode 0700.
GEN001100 - Root passwords must never be passed over a network in clear text form - 'root has logged in over a network'
GEN001100 - Root passwords must never be passed over a network in clear text form - 'ssh is running'
GEN001361 - NIS/NIS+/yp command files must not have extended ACLs - '/var/nis'
GEN001361 - NIS/NIS+/yp command files must not have extended ACLs - '/var/yp'
GEN001730 - All global initialization files must not have extended ACLs - '/etc/.login'
GEN001730 - All global initialization files must not have extended ACLs - '/etc/bashrc'
GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.cshrc'
GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.login'
GEN001730 - All global initialization files must not have extended ACLs - '/etc/environment'
GEN001730 - All global initialization files must not have extended ACLs - '/etc/profile'
GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/.profile'
GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/environ'
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/audit umask'
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/audit' - suid
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditbin'
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditbin' - suid
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditcat'
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditcat' - suid
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditconv'
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditconv' - suid
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditmerge' - suid
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditmerge' - umask
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditpr'
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditpr' - suid
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditselect'
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditselect' - suid
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditstream'
GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditstream' - suid
GEN002990 - The cron.allow file must not have an extended ACL.
GEN003060 - Default system accounts must GEN003580be included in the cron.deny file - 'sshd'
GEN003060 - Default system accounts must be included in the cron.allow file - 'adm'
GEN003060 - Default system accounts must be included in the cron.allow file - 'bin'
GEN003060 - Default system accounts must be included in the cron.allow file - 'daemon'
GEN003060 - Default system accounts must be included in the cron.allow file - 'esaadmin'
GEN003060 - Default system accounts must be included in the cron.allow file - 'guest'
GEN003060 - Default system accounts must be included in the cron.allow file - 'invscout'
GEN003060 - Default system accounts must be included in the cron.allow file - 'ipsec'
GEN003060 - Default system accounts must be included in the cron.allow file - 'lp'
GEN003060 - Default system accounts must be included in the cron.allow file - 'lpd'
GEN003060 - Default system accounts must be included in the cron.allow file - 'nobody'
GEN003060 - Default system accounts must be included in the cron.allow file - 'nuucp'
GEN003060 - Default system accounts must be included in the cron.allow file - 'pconsole'
GEN003060 - Default system accounts must be included in the cron.allow file - 'snapp'
GEN003060 - Default system accounts must be included in the cron.allow file - 'sshd'
GEN003060 - Default system accounts must be included in the cron.allow file - 'sys'
GEN003060 - Default system accounts must be included in the cron.allow file - 'uucp'
GEN003060 - Default system accounts must be included in the cron.deny file - 'adm'
GEN003060 - Default system accounts must be included in the cron.deny file - 'bin'
GEN003060 - Default system accounts must be included in the cron.deny file - 'daemon'
GEN003060 - Default system accounts must be included in the cron.deny file - 'esaadmin'
GEN003060 - Default system accounts must be included in the cron.deny file - 'guest'
GEN003060 - Default system accounts must be included in the cron.deny file - 'invscout'
GEN003060 - Default system accounts must be included in the cron.deny file - 'ipsec'
GEN003060 - Default system accounts must be included in the cron.deny file - 'lp'
GEN003060 - Default system accounts must be included in the cron.deny file - 'lpd'
GEN003060 - Default system accounts must be included in the cron.deny file - 'nobody'
GEN003060 - Default system accounts must be included in the cron.deny file - 'nuucp'
GEN003060 - Default system accounts must be included in the cron.deny file - 'pconsole'
GEN003060 - Default system accounts must be included in the cron.deny file - 'snapp'
GEN003060 - Default system accounts must be included in the cron.deny file - 'sys'
GEN003060 - Default system accounts must be included in the cron.deny file - 'uucp'
GEN003245 - The at.allow file must not have an extended ACL.
GEN003300 - The at.deny file must not be empty if it exists
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'esaadmin' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'esaadmin' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'guest' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'guest' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'invscout' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'invscout' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ipsec' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ipsec' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lpd' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lpd' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nuucp' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nuucp' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'pconsole' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'pconsole' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'snapp' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'snapp' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sshd' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sshd' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sys' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sys' - at.deny
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' - at.allow
GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' - at.deny
GEN003640 - The root file system must employ journaling or another mechanism ensuring file system consistency
GEN003660 - The system must log authentication informational data - 'auth.*'
GEN003660 - The system must log authentication informational data - 'auth.info'
GEN003660 - The system must log authentication informational data - 'auth.notice'
GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled
GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled - inetd is running
GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'inetd.conf'
GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'xinetd.conf'
GEN004950 - The ftpusers file must not have an extended ACL.
GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host - Not Applicable
GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host file system.
GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user
GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user exists'
GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user shell'
GEN006150 - The /usr/lib/smb.conf file must not have an extended ACL.
GEN006210 - The /var/private/smbpasswd file must not have an extended ACL.
GEN006220 - The smb.conf file must use the hosts option to restrict access to Samba.
GEN006230 - Samba must be configured to use encrypted passwords.
GEN006270 - The /etc/news/hosts.nntp file must not have an extended ACL.
GEN006290 - The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
GEN006310 - The /etc/news/nnrp.access file must not have an extended ACL.
GEN006330 - The /etc/news/passwd.nntp file must not have an extended ACL.
GEN006640 - The system must use and update a DoD-approved virus scan program - 'clean.dat'
GEN006640 - The system must use and update a DoD-approved virus scan program - 'clean.dat' - update date
GEN006640 - The system must use and update a DoD-approved virus scan program - 'names.dat'
GEN006640 - The system must use and update a DoD-approved virus scan program - 'names.dat' - update date
GEN006640 - The system must use and update a DoD-approved virus scan program - 'scan.dat'
GEN006640 - The system must use and update a DoD-approved virus scan program - 'scan.dat' - update date
GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'Not Applicable'
GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'client Key Label'
GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'ldapsslkeyf exists'
GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'useSSL = yes'
GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'Not Applicable'
GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'client Key Label'
GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'ldapsslkeyf exists'
GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'useSSL = yes'
Miscellaneous
Platform check updated.