DISA STIG AIX 7.x v2r5

Audit Details

Name: DISA STIG AIX 7.x v2r5

Updated: 6/6/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.0

Estimated Item Count: 454

File Details

Filename: DISA_STIG_AIX_7.x_v2r5.audit

Size: 841 kB

MD5: 44d0e136ced455c4290e7d17e1294922
SHA256: fff8a7fdd68135af506915ac04bbb9d66fbfd0c583cb6978e0a13f33a09c416a

Audit Items

Description | Categories
AIX7-00-001000 - AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account.

ACCESS CONTROL

AIX7-00-001001 - AIX must automatically remove or disable temporary user accounts after 72 hours or sooner.

ACCESS CONTROL

AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.

ACCESS CONTROL

AIX7-00-001004 - AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types.

ACCESS CONTROL

AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - Certificate Issuer

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - ldapsslkeyf

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - useSSL

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001007 - If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords - bindpwd DES

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001007 - If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords - ldapsslkeypwd

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001008 - All accounts on AIX system must have unique account names.

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001009 - All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users).

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001010 - The AIX SYSTEM attribute must not be set to NONE for any account.

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001011 - Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts.

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts - lssrc sshd

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts - openssh.base.server

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001014 - The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.

ACCESS CONTROL

AIX7-00-001015 - The shipped /etc/security/mkuser.sys file on AIX must not be customized directly.

ACCESS CONTROL

AIX7-00-001016 - The regular users default primary group must be staff (or equivalent) on AIX.

ACCESS CONTROL

AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /bin

CONFIGURATION MANAGEMENT

AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /etc

CONFIGURATION MANAGEMENT

AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /sbin

CONFIGURATION MANAGEMENT

AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /usr/bin

CONFIGURATION MANAGEMENT

AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /usr/lbin

CONFIGURATION MANAGEMENT

AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /usr/sbin

CONFIGURATION MANAGEMENT

AIX7-00-001018 - All system files, programs, and directories must be owned by a system account - /usr/ucb

CONFIGURATION MANAGEMENT

AIX7-00-001019 - AIX device files and directories must only be writable by users with a system account or as configured by the vendor - Type B

CONFIGURATION MANAGEMENT

AIX7-00-001019 - AIX device files and directories must only be writable by users with a system account or as configured by the vendor - Type C

CONFIGURATION MANAGEMENT

AIX7-00-001024 - SSH must display the date and time of the last successful account login to AIX system upon login.

ACCESS CONTROL

AIX7-00-001025 - AIX must configure the ttys value for all interactive users - ALL users

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001025 - AIX must configure the ttys value for all interactive users - default user

IDENTIFICATION AND AUTHENTICATION

AIX7-00-001028 - AIX must provide the lock command to let users retain their session lock until users are reauthenticated.

ACCESS CONTROL

AIX7-00-001029 - AIX must provide xlock command in the CDE environment to let users retain their sessions lock until users are reauthenticated.

ACCESS CONTROL

AIX7-00-001030 - AIX system must prevent the root account from directly logging in except from the system console.

CONFIGURATION MANAGEMENT
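Several of the account checks listed above are attributes of user stanzas in /etc/security/user: AIX7-00-001003 (loginretries), AIX7-00-001004 (the per-user concurrent-login limit, assumed here to be the maxulogs attribute), AIX7-00-001010 (SYSTEM), AIX7-00-001025 (ttys) and AIX7-00-001030 (root's rlogin). A user inherits any attribute it does not set from the default stanza, so a check has to resolve the effective value rather than read one stanza. The following is an added example, not code from the Tenable audit file or from the STIG: a parser for the stanza format plus those five checks, run over a constructed sample file with invented user names.

```python
"""Evaluate a few AIX7-00-0010xx account checks against /etc/security/user.

Added example (not part of the Tenable audit file or the STIG).  The stanza
text below is constructed; on a real host read /etc/security/user itself, or
run `lsuser -a loginretries maxulogs SYSTEM ttys rlogin ALL` and compare.
"""

# Constructed sample.  Stanza files use "<name>:" headers, indented
# "attribute = value" lines, and '*' comment lines.  Per-user values
# override the 'default' stanza.
SAMPLE_USER_FILE = """\
* constructed /etc/security/user excerpt
default:
        admin = false
        login = true
        rlogin = true
        loginretries = 3
        maxulogs = 10
        ttys = ALL
        SYSTEM = "compat"

root:
        admin = true
        rlogin = true

svc_backup:
        SYSTEM = "NONE"
        ttys =

jdoe:
        loginretries = 5
        maxulogs = 2
"""


def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}} for AIX stanza-format text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue                      # blank line or comment
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]           # new stanza header
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        attr, _, value = line.strip().partition("=")
        stanzas[current][attr.strip()] = value.strip().strip('"')
    return stanzas


def effective(stanzas, user, attr):
    """A user's attribute value, inheriting from 'default' when unset."""
    user_attrs = stanzas.get(user, {})
    if attr in user_attrs:
        return user_attrs[attr]
    return stanzas.get("default", {}).get(attr)


def findings(stanzas):
    """Return [(user, rule_id, detail)] for every violated check."""
    out = []
    for user in stanzas:
        if user == "default":
            continue
        # AIX7-00-001003: lock after 3 bad logins.  0 means "never lock".
        retries = int(effective(stanzas, user, "loginretries") or 0)
        if retries == 0 or retries > 3:
            out.append((user, "AIX7-00-001003", f"loginretries={retries}"))
        # AIX7-00-001004: at most 10 concurrent sessions.  0 means unlimited.
        maxulogs = int(effective(stanzas, user, "maxulogs") or 0)
        if maxulogs == 0 or maxulogs > 10:
            out.append((user, "AIX7-00-001004", f"maxulogs={maxulogs}"))
        # AIX7-00-001010: SYSTEM=NONE applies no authentication method.
        if (effective(stanzas, user, "SYSTEM") or "").upper() == "NONE":
            out.append((user, "AIX7-00-001010", "SYSTEM=NONE"))
        # AIX7-00-001025: every interactive user must have a ttys value;
        # an explicitly empty "ttys =" is treated as unset.
        if not effective(stanzas, user, "ttys"):
            out.append((user, "AIX7-00-001025", "ttys is empty"))
    # AIX7-00-001030: root may log in only at the console, so rlogin=false.
    if (effective(stanzas, "root", "rlogin") or "true").lower() != "false":
        out.append(("root", "AIX7-00-001030", "rlogin is not false"))
    return out


if __name__ == "__main__":
    for user, rule, detail in findings(parse_stanzas(SAMPLE_USER_FILE)):
        print(f"{rule}: {user}: {detail}")
```

Note the two zero cases: loginretries=0 and maxulogs=0 both mean "no limit" on AIX, so a check that only tests "greater than N" passes the least secure setting. The remediation for each finding is the matching chuser or chsec call (for example chsec -f /etc/security/user -s default -a loginretries=3).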

AIX7-00-001031 - All AIX public directories must be owned by root or an application account.

CONFIGURATION MANAGEMENT

AIX7-00-001032 - AIX administrative accounts must not run a web browser, except as needed for local service administration - mozilla

CONFIGURATION MANAGEMENT

AIX7-00-001032 - AIX administrative accounts must not run a web browser, except as needed for local service administration - netscape

CONFIGURATION MANAGEMENT

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - adm

CONFIGURATION MANAGEMENT

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - bin

CONFIGURATION MANAGEMENT

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - daemon

CONFIGURATION MANAGEMENT

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - esaadmin

CONFIGURATION MANAGEMENT

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - invscout

CONFIGURATION MANAGEMENT

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - pconsole

CONFIGURATION MANAGEMENT

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - snapp

CONFIGURATION MANAGEMENT

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - sys

CONFIGURATION MANAGEMENT

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - system

CONFIGURATION MANAGEMENT
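The nine AIX7-00-001033 items above are one rule applied per account, and the rule has two branches: when cron.allow exists it is authoritative and the account must be absent from it; when cron.allow does not exist the account must appear in cron.deny. The following is an added example, not code from the Tenable audit file or the STIG, that evaluates both branches over constructed file contents. The account list is taken from the item names above; the paths /var/adm/cron/cron.allow and /var/adm/cron/cron.deny are where AIX keeps these files.

```python
"""AIX7-00-001033: default system accounts (root excepted) must not be in
cron.allow, and must be in cron.deny when cron.allow does not exist.

Added example, not from the audit file.  On AIX the files are
/var/adm/cron/cron.allow and /var/adm/cron/cron.deny; the contents used in
the tests and in __main__ are constructed.
"""

# The default accounts named by the listed check items.
DEFAULT_SYSTEM_ACCOUNTS = frozenset(
    ["adm", "bin", "daemon", "esaadmin", "invscout",
     "pconsole", "snapp", "sys", "system"])


def read_user_list(text):
    """cron.allow / cron.deny hold one user name per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def cron_findings(cron_allow, cron_deny, accounts=DEFAULT_SYSTEM_ACCOUNTS):
    """Return the set of default accounts that violate the rule.

    cron_allow / cron_deny are file contents, or None when the file is absent.
    As with every Unix cron, cron.allow is authoritative when it exists and
    cron.deny is then not consulted.
    """
    if cron_allow is not None:
        return set(accounts) & read_user_list(cron_allow)
    # No cron.allow: every default account must be explicitly denied.  A
    # missing cron.deny therefore leaves all of them unaddressed.
    denied = read_user_list(cron_deny) if cron_deny is not None else set()
    return set(accounts) - denied


def remediation(cron_allow, cron_deny):
    """Describe the change that clears the findings, one string per account."""
    bad = sorted(cron_findings(cron_allow, cron_deny))
    if not bad:
        return []
    if cron_allow is not None:
        return [f"remove {u} from /var/adm/cron/cron.allow" for u in bad]
    return [f"add {u} to /var/adm/cron/cron.deny" for u in bad]


def load_file(path):
    """Return a file's text, or None when it does not exist."""
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # On a real host:
    #   cron_findings(load_file("/var/adm/cron/cron.allow"),
    #                 load_file("/var/adm/cron/cron.deny"))
    print(remediation("root\nadm\n", None))     # constructed cron.allow
    print(remediation(None, "adm\nbin\n"))      # constructed cron.deny only
```

The "root excepted" clause falls out naturally: root is not in the account set, so its presence in cron.allow is never reported.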

AIX7-00-001034 - The AIX root account must not have world-writable directories in its executable search path.

CONFIGURATION MANAGEMENT
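AIX7-00-001034 is a PATH-hijacking check: if any directory on root's search path is world-writable, an unprivileged user can drop a binary named like a common command there and wait for root to run it. Two details matter in practice: the PATH to inspect is the one root's own profile sets (so run the check from su - root, not from an administrator's shell), and an empty or relative element is as dangerous as a world-writable one because it resolves to whatever the current directory is. The following is an added example, not code from the Tenable audit file or the STIG; demo() builds a constructed PATH in a temporary directory so the check can be exercised without touching root's real environment.

```python
"""AIX7-00-001034: no world-writable directory in root's PATH.

Added example, not from the audit file.  world_writable_dirs() inspects a
PATH string; demo() builds a constructed PATH in a temporary directory.  On a
host, call world_writable_dirs(os.environ["PATH"]) from a root login shell.
"""
import os
import stat
import tempfile


def world_writable_dirs(path_value):
    """Return [(entry, reason)] for PATH entries that fail the check.

    Two reasons are reported: a directory with the other-write bit set, and
    a relative or empty entry, which resolves to the current directory and
    so lets root execute a planted binary from wherever it happens to be.
    """
    problems = []
    for entry in path_value.split(":"):
        if not entry.startswith("/"):
            problems.append((entry, "relative entry"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            continue                      # dangling entries are not this check
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            problems.append((entry, "world-writable"))
    return problems


def demo():
    """Constructed PATH: one sane bin directory, one world-writable
    directory and one empty element.  Returns the findings for it."""
    base = tempfile.mkdtemp(prefix="rootpath-")
    good = os.path.join(base, "bin")
    bad = os.path.join(base, "scratch")
    os.mkdir(good)
    os.chmod(good, 0o755)
    os.mkdir(bad)
    os.chmod(bad, 0o777)                  # the mis-set directory
    return world_writable_dirs(":".join([good, bad, ""]))


if __name__ == "__main__":
    for entry, reason in demo():
        print(f"{reason}: {entry!r}")
```

The check deliberately does not exempt sticky-bit directories such as /tmp: the listed rule says world-writable directories in root's path are a finding, and a sticky bit only stops deletion of other users' files, not the creation of a new one with a command's name.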

AIX7-00-001035 - The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID.

CONFIGURATION MANAGEMENT

AIX7-00-001036 - UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems.

CONFIGURATION MANAGEMENT
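Four of the listed items are properties of the account database taken as a whole rather than of one account: names must be unique (AIX7-00-001008), UIDs must be unique (AIX7-00-001009), and reserved GIDs and UIDs must not be handed to non-system accounts (AIX7-00-001035 and AIX7-00-001036). The following is an added example, not code from the Tenable audit file or the STIG, that runs those four checks over constructed /etc/passwd and /etc/group excerpts. The set of system accounts, the set of system groups and the reserved UID range (0-199 here) are assumptions made for the sample; substitute the values the STIG check text and your site policy define.

```python
"""Account-database checks: unique names (AIX7-00-001008), unique UIDs
(AIX7-00-001009), reserved GIDs (AIX7-00-001035) and reserved UIDs
(AIX7-00-001036) kept away from non-system accounts.

Added example, not from the audit file.  The passwd/group text is
constructed; SYSTEM_ACCOUNTS, SYSTEM_GROUPS and reserved_uids are
assumptions to be replaced with the values the STIG check enumerates.
"""
import collections

# Constructed excerpts in the usual colon-separated layout.
SAMPLE_PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
jdoe:!:201:1::/home/jdoe:/usr/bin/ksh
asmith:!:202:0::/home/asmith:/usr/bin/ksh
jdoe:!:203:1::/home/jdoe2:/usr/bin/ksh
ops:!:202:1::/home/ops:/usr/bin/ksh
appsvc:!:150:1::/home/appsvc:/usr/bin/ksh
"""

SAMPLE_GROUP = """\
system:!:0:root
staff:!:1:jdoe,ops,appsvc
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
"""

# Assumed sets.  staff is deliberately not a system group: it is the regular
# users' primary group, so its GID is not "reserved" in the sense of 001035.
SYSTEM_ACCOUNTS = frozenset(["root", "daemon", "bin", "sys", "adm"])
SYSTEM_GROUPS = frozenset(["system", "bin", "sys", "adm"])


def parse_passwd(text):
    """[(name, uid, gid)] from passwd-format text."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows.append((fields[0], int(fields[2]), int(fields[3])))
    return rows


def group_gids(text):
    """{group_name: gid} from group-format text."""
    gids = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            gids[fields[0]] = int(fields[2])
    return gids


def id_findings(passwd_text, group_text, reserved_uids=range(0, 200),
                system_accounts=SYSTEM_ACCOUNTS, system_groups=SYSTEM_GROUPS):
    """Return [(subject, rule_id, detail)] for the four checks."""
    rows = parse_passwd(passwd_text)
    gids = group_gids(group_text)
    reserved_gids = {gids[g] for g in system_groups if g in gids}
    out = []
    # AIX7-00-001008 / 001009: names and UIDs must be unique across the file.
    for name, n in collections.Counter(r[0] for r in rows).items():
        if n > 1:
            out.append((name, "AIX7-00-001008", f"name defined {n} times"))
    for uid, n in collections.Counter(r[1] for r in rows).items():
        if n > 1:
            holders = ",".join(r[0] for r in rows if r[1] == uid)
            out.append((holders, "AIX7-00-001009", f"uid {uid} shared"))
    # AIX7-00-001035 / 001036: reserved IDs stay with system accounts.
    for name, uid, gid in rows:
        if name in system_accounts:
            continue
        if gid in reserved_gids:
            out.append((name, "AIX7-00-001035", f"primary gid {gid} is a system group"))
        if uid in reserved_uids:
            out.append((name, "AIX7-00-001036", f"uid {uid} is in the reserved range"))
    return out


if __name__ == "__main__":
    for subject, rule, detail in id_findings(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{rule}: {subject}: {detail}")
```

A shared UID is reported once with both holders named, because the finding is about the UID, not about either account alone; a duplicate name is reported once with its count. On a live system the same parsers can be pointed at /etc/passwd and /etc/group, or at the output of lsuser -a id pgrp ALL if accounts also come from LDAP.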

AIX7-00-001037 - The AIX root accounts list of preloaded libraries must be empty - /etc/hosts.deny

CONFIGURATION MANAGEMENT

AIX7-00-001037 - The AIX root accounts list of preloaded libraries must be empty.

CONFIGURATION MANAGEMENT