DISA STIG AIX 6.1 v1r14

Audit Details

Name: DISA STIG AIX 6.1 v1r14

Updated: 9/19/2023

Authority: DISA STIG

Plugin: Unix

Revision: 1.14

Estimated Item Count: 883

File Details

Filename: DISA_STIG_AIX_6.1_v1r14.audit

Size: 1.47 MB

MD5: 2678bb9a1052a372f28fdce2a28ef470
SHA256: 8c4be57c9d36c324ce5e78a52c88edaaa537fc9fc964ab03ef92d2520144eb39

Audit Changelog

Revision 1.14

Sep 19, 2023

Functional Update
  • GEN001160/GEN001170 - All files and directories must have a valid owner and group owner.
  • GEN001890 - Local initialization files must not have extended ACLs - '.bash_logout'
  • GEN001890 - Local initialization files must not have extended ACLs - '.bash_profile'
  • GEN001890 - Local initialization files must not have extended ACLs - '.bashrc'
  • GEN001890 - Local initialization files must not have extended ACLs - '.cshrc'
  • GEN001890 - Local initialization files must not have extended ACLs - '.dispatch'
  • GEN001890 - Local initialization files must not have extended ACLs - '.dtprofile'
  • GEN001890 - Local initialization files must not have extended ACLs - '.emacs'
  • GEN001890 - Local initialization files must not have extended ACLs - '.env'
  • GEN001890 - Local initialization files must not have extended ACLs - '.exrc'
  • GEN001890 - Local initialization files must not have extended ACLs - '.login'
  • GEN001890 - Local initialization files must not have extended ACLs - '.logout'
  • GEN001890 - Local initialization files must not have extended ACLs - '.profile'
  • GEN002000 - There must be no .netrc files on the system.
  • GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - '.rhosts'
  • GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - '.shosts'
  • GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - 'hosts.equiv'
  • GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - 'shosts.equiv'
  • GEN002300 - Device files used for backup must only be readable and/or writable by root or the backup user - '/dev/cd*'
  • GEN002300 - Device files used for backup must only be readable and/or writable by root or the backup user - '/dev/rmt*'
  • GEN002330 - Audio devices must not have extended ACLs.
  • GEN002380 - The owner, group, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures
  • GEN002440 - The owner, group, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures
  • GEN002480 - Public directories must be the only world-writable directories and world-writable files must be located only in public dirs
  • GEN002500 - The sticky bit must be set on all public directories.
  • GEN002520 - All public directories must be owned by root or an application account.
  • GEN002540 - All public directories must be group-owned by system or an application group.
  • GEN003865 - Network analysis tools must not be installed - 'ethereal'
  • GEN003865 - Network analysis tools must not be installed - 'netcat'
  • GEN003865 - Network analysis tools must not be installed - 'snoop'
  • GEN003865 - Network analysis tools must not be installed - 'tcpdump'
  • GEN003865 - Network analysis tools must not be installed - 'tshark'
  • GEN003865 - Network analysis tools must not be installed - 'wireshark'
  • GEN004580 - The system must not use .forward files.
  • GEN005190 - The .Xauthority files must not have extended ACLs.
  • GEN005340 - Management Information Base (MIB) files must have mode 0640 or less permissive.
  • GEN005350 - Management Information Base (MIB) files must not have extended ACLs.
Miscellaneous
  • References updated.
  • Variables updated.
Revision 1.13

May 31, 2023

Miscellaneous
  • Variables updated.
Revision 1.12

Apr 12, 2023

Miscellaneous
  • Metadata updated.
  • Platform check updated.
  • Variables updated.
Revision 1.11

Mar 7, 2023

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.10

Dec 7, 2022

Functional Update
  • GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'NTP daemon uses approved sources'
Miscellaneous
  • Variables updated.
Revision 1.9

Apr 25, 2022

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.8

Jul 30, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.7

Jun 17, 2021

Miscellaneous
  • Metadata updated.
Revision 1.6

Feb 1, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.5

Oct 5, 2020

Functional Update
  • GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Dtlogin*greeting.labelString'
  • GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Xlogin*greeting'
  • GEN000920 - The root account's home directory (other than /) must have mode 0700.
  • GEN001100 - Root passwords must never be passed over a network in clear text form - 'root has logged in over a network'
  • GEN001100 - Root passwords must never be passed over a network in clear text form - 'ssh is running'
  • GEN001361 - NIS/NIS+/yp command files must not have extended ACLs - '/var/nis'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/.login'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/bashrc'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.cshrc'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.login'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/environment'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/profile'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/.profile'
  • GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/environ'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/audit'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditbin'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditcat'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditconv'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditmerge'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditpr'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditselect'
  • GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditstream'
  • GEN002990 - The cron.allow file must not have an extended ACL.
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'adm'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'bin'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'daemon'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'esaadmin'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'guest'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'invscout'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'ipsec'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'lp'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'lpd'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'nobody'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'nuucp'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'pconsole'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'snapp'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'sshd'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'sys'
  • GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'uucp'
  • GEN003245 - The at.allow file must not have an extended ACL.
  • GEN003300 - The at.deny file must not be empty if it exists
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'esaadmin'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'guest'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'invscout'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ipsec'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lpd'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nuucp'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'pconsole'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'snapp'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sshd'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sys'
  • GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp'
  • GEN003640 - The root file system must employ journaling or another mechanism ensuring file system consistency
  • GEN003660 - The system must log authentication informational data - 'auth.*'
  • GEN003660 - The system must log authentication informational data - 'auth.info'
  • GEN003660 - The system must log authentication informational data - 'auth.notice'
  • GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled
  • GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'inetd.conf'
  • GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'xinetd.conf'
  • GEN004950 - The ftpusers file must not have an extended ACL.
  • GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host file system.
  • GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user exists'
  • GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user shell'
  • GEN006150 - The /usr/lib/smb.conf file must not have an extended ACL.
  • GEN006210 - The /var/private/smbpasswd file must not have an extended ACL.
  • GEN006220 - The smb.conf file must use the hosts option to restrict access to Samba.
  • GEN006230 - Samba must be configured to use encrypted passwords.
  • GEN006270 - The /etc/news/hosts.nntp file must not have an extended ACL.
  • GEN006290 - The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
  • GEN006310 - The /etc/news/nnrp.access file must not have an extended ACL.
  • GEN006330 - The /etc/news/passwd.nntp file must not have an extended ACL.
  • GEN006640 - The system must use a virus scan program.
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'client Key Label'
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'ldapsslkeyf exists'
  • GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'useSSL = yes'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'client Key Label'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'ldapsslkeyf exists'
  • GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'useSSL = yes'
Miscellaneous
  • Platform check updated.