DISA STIG AIX 6.1 v1r14

Audit Details

Name: DISA STIG AIX 6.1 v1r14

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.9

Estimated Item Count: 883

File Details

Filename: DISA_STIG_AIX_6.1_v1r14.audit

Size: 1.41 MB

MD5: fe6b7a10f0598463b1bf936c2ec0d320
SHA256: c0f95ebaffe7e7957de17d41d4da483e0f0f72a9a57ddd27b458334f39a4d735

Audit Items

Description / Categories
DISA_STIG_AIX_6.1_v1r14.audit for AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE v1r14
GEN000000-AIX00020 - AIX Trusted Computing Base (TCB) software must be implemented.

ACCESS CONTROL, SYSTEM AND SERVICES ACQUISITION

GEN000000-AIX00040 - The securetcpip command must be used - /etc/security/config has been configured

ACCESS CONTROL

GEN000000-AIX00040 - The securetcpip command must be used.

ACCESS CONTROL

GEN000000-AIX00060 - A baseline of AIX files with the TCB bit set must be checked weekly.

SYSTEM AND INFORMATION INTEGRITY

GEN000000-AIX00080 - The SYSTEM attribute must not be set to NONE for any account.

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

GEN000000-AIX0085 - The /etc/netsvc.conf file must be root owned.

ACCESS CONTROL

GEN000000-AIX0090 - The /etc/netsvc.conf file must be group-owned by bin, sys, or system.

ACCESS CONTROL

GEN000000-AIX0100 - The /etc/netsvc.conf file must have mode 0644 or less permissive.

ACCESS CONTROL

GEN000000-AIX0110 - The /etc/netsvc.conf file must not have an extended ACL.

ACCESS CONTROL

GEN000000-AIX0200 - The system must not allow directed broadcasts to gateway.

ACCESS CONTROL

GEN000000-AIX0210 - The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections.

ACCESS CONTROL

GEN000000-AIX0220 - The system must provide protection for the TCP stack against connection resets, SYN, and data injection attacks.

ACCESS CONTROL

GEN000000-AIX0230 - The system must provide protection against IP fragmentation attacks.

ACCESS CONTROL

GEN000000-AIX0300 - The system must not have the bootp service active.

ACCESS CONTROL

GEN000000-AIX0310 - The /etc/ftpaccess.ctl file must exist.

ACCESS CONTROL

GEN000000-AIX0320 - The /etc/ftpaccess.ctl file must be owned by root.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-AIX0330 - The /etc/ftpaccess.ctl file must be group-owned by bin, sys, or system.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-AIX0340 - The /etc/ftpaccess.ctl file must have mode 0640 or less permissive.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000000-AIX0350 - The /etc/ftpaccess.ctl file must not have an extended ACL.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

GEN000020 - The system must require authentication upon booting into single-user and maintenance modes.

ACCESS CONTROL

GEN000100 - The operating system must be a supported release.

SYSTEM AND INFORMATION INTEGRITY

GEN000120 - System security patches and updates must be installed and up-to-date - instfix -i

SYSTEM AND INFORMATION INTEGRITY

GEN000120 - System security patches and updates must be installed and up-to-date - oslevel -s

SYSTEM AND INFORMATION INTEGRITY

GEN000140 - A file integrity baseline must be created and maintained.

CONFIGURATION MANAGEMENT

GEN000220 - A file integrity tool must be used at least weekly to check for unauthorized file, system libraries or binaries changes.

RISK ASSESSMENT

GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'NTP daemon is running'

AUDIT AND ACCOUNTABILITY

GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'NTP daemon is started at boot'

AUDIT AND ACCOUNTABILITY

GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'NTP daemon uses approved sources'

AUDIT AND ACCOUNTABILITY

GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'xntpd is started at boot time'

AUDIT AND ACCOUNTABILITY

GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'xntpd|ntpd is running'

AUDIT AND ACCOUNTABILITY

GEN000241 - The system clock must be synchronized continuously, or at least daily - 'NTP daemon is running'

CONFIGURATION MANAGEMENT

GEN000241 - The system clock must be synchronized continuously, or at least daily - 'NTP daemon is started at boot'

CONFIGURATION MANAGEMENT

GEN000242 - The system must use at least two time sources for clock synchronization - 'at least 2 servers are configured'

AUDIT AND ACCOUNTABILITY

GEN000242 - The system must use at least two time sources for clock synchronization - 'NTP daemon is running'

AUDIT AND ACCOUNTABILITY

GEN000242 - The system must use at least two time sources for clock synchronization - 'NTP daemon is started at boot'

AUDIT AND ACCOUNTABILITY

GEN000244 - The system must use time sources local to the enclave.

AUDIT AND ACCOUNTABILITY

GEN000250 - The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.

ACCESS CONTROL

GEN000251 - The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by bin, sys, or system.

ACCESS CONTROL

GEN000252 - The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.

ACCESS CONTROL

GEN000253 - The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.

ACCESS CONTROL

GEN000280 - Direct logins must not be permitted to shared, default, application, or utility accounts - '/etc/security/user rlogin=false'

IDENTIFICATION AND AUTHENTICATION

GEN000280 - Direct logins must not be permitted to shared, default, application, or utility accounts - 'results of last should be reviewed'

IDENTIFICATION AND AUTHENTICATION

GEN000290 - The system must not have unnecessary accounts - 'ftp does not exist'

ACCESS CONTROL

GEN000290 - The system must not have unnecessary accounts - 'games does not exist'

ACCESS CONTROL

GEN000290 - The system must not have unnecessary accounts - 'gopher does not exist'

ACCESS CONTROL

GEN000290 - The system must not have unnecessary accounts - 'guest does not exist'

ACCESS CONTROL

GEN000290 - The system must not have unnecessary accounts - 'lp does not exist'

ACCESS CONTROL

GEN000290 - The system must not have unnecessary accounts - 'news does not exist'

ACCESS CONTROL

GEN000290 - The system must not have unnecessary accounts - 'uucp does not exist'

ACCESS CONTROL