AIX7-00-001000 - AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account.

800-53|AC-2(1)

CAT|II

CCI|CCI-000015

Rule-ID|SV-215169r508663_rule

STIG-ID|AIX7-00-001000

STIG-Legacy|SV-101313

STIG-Legacy|V-91213

Vuln-ID|V-215169

AIX7-00-001001 - AIX must automatically remove or disable temporary user accounts after 72 hours or sooner.

800-53|AC-2(2)

CCI|CCI-000016

Rule-ID|SV-215170r508663_rule

STIG-ID|AIX7-00-001001

STIG-Legacy|SV-101317

STIG-Legacy|V-91217

Vuln-ID|V-215170

AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.

800-53|AC-7a.

800-53|AC-7b.

CCI|CCI-000044

CCI|CCI-002238

Rule-ID|SV-215171r853451_rule

STIG-ID|AIX7-00-001003

STIG-Legacy|SV-101319

STIG-Legacy|V-91219

Vuln-ID|V-215171

AIX7-00-001004 - AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types.

800-53|AC-10

CCI|CCI-000054

Rule-ID|SV-215172r877399_rule

STIG-ID|AIX7-00-001004

STIG-Legacy|SV-101327

STIG-Legacy|V-91227

Vuln-ID|V-215172

AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - Certificate Issuer

800-53|IA-5(2)(a)

CCI|CCI-000185

Rule-ID|SV-215173r508663_rule

STIG-ID|AIX7-00-001006

STIG-Legacy|SV-101375

STIG-Legacy|V-91277

Vuln-ID|V-215173

AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - ldapsslkeyf

AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - useSSL

AIX7-00-001007 - If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords - bindpwd DES

800-53|IA-5(1)(c)

CAT|I

CCI|CCI-000196

Rule-ID|SV-215174r877397_rule

STIG-ID|AIX7-00-001007

STIG-Legacy|SV-101389

STIG-Legacy|V-91291

Vuln-ID|V-215174

AIX7-00-001007 - If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords - ldapsslkeypwd

AIX7-00-001008 - All accounts on AIX system must have unique account names.

800-53|IA-2

CCI|CCI-000764

Rule-ID|SV-215175r508663_rule

STIG-ID|AIX7-00-001008

STIG-Legacy|SV-101519

STIG-Legacy|V-91421

Vuln-ID|V-215175

AIX7-00-001009 - All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users).

800-53|IA-8

CCI|CCI-000804

Rule-ID|SV-215176r508663_rule

STIG-ID|AIX7-00-001009

STIG-Legacy|SV-101521

STIG-Legacy|V-91423

Vuln-ID|V-215176

AIX7-00-001010 - The AIX SYSTEM attribute must not be set to NONE for any account.

Rule-ID|SV-215177r508663_rule

STIG-ID|AIX7-00-001010

STIG-Legacy|SV-101523

STIG-Legacy|V-91425

Vuln-ID|V-215177

AIX7-00-001011 - Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts.

800-53|IA-2(5)

CCI|CCI-000770

Rule-ID|SV-215178r508663_rule

STIG-ID|AIX7-00-001011

STIG-Legacy|SV-101525

STIG-Legacy|V-91427

Vuln-ID|V-215178

AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

800-53|IA-2(8)

800-53|IA-2(9)

CCI|CCI-001941

CCI|CCI-001942

Rule-ID|SV-215179r853452_rule

STIG-ID|AIX7-00-001012

STIG-Legacy|SV-101527

STIG-Legacy|V-91429

Vuln-ID|V-215179

AIX7-00-001014 - The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.

CCI|CCI-001682

Rule-ID|SV-215180r508663_rule

STIG-ID|AIX7-00-001014

STIG-Legacy|SV-101535

STIG-Legacy|V-91437

Vuln-ID|V-215180

AIX7-00-001015 - The shipped /etc/security/mkuser.sys file on AIX must not be customized directly.

Rule-ID|SV-215181r508663_rule

STIG-ID|AIX7-00-001015

STIG-Legacy|SV-101311

STIG-Legacy|V-91211

Vuln-ID|V-215181

AIX7-00-001016 - The regular users default primary group must be staff (or equivalent) on AIX.

Rule-ID|SV-215182r508663_rule

STIG-ID|AIX7-00-001016

STIG-Legacy|SV-101315

STIG-Legacy|V-91215

Vuln-ID|V-215182

AIX7-00-001018 - All system files, programs, and directories must be owned by a system account.

800-53|CM-5(6)

CCI|CCI-001499

Rule-ID|SV-215183r508663_rule

STIG-ID|AIX7-00-001018

STIG-Legacy|SV-101573

STIG-Legacy|V-91475

Vuln-ID|V-215183

AIX7-00-001019 - AIX device files and directories must only be writable by users with a system account or as configured by the vendor.

Rule-ID|SV-215184r508663_rule

STIG-ID|AIX7-00-001019

STIG-Legacy|SV-101581

STIG-Legacy|V-91483

Vuln-ID|V-215184

AIX7-00-001025 - AIX must configure the ttys value for all interactive users.

800-53|IA-3

CCI|CCI-000778

Rule-ID|SV-215186r538429_rule

STIG-ID|AIX7-00-001025

STIG-Legacy|SV-102347

STIG-Legacy|V-92245

Vuln-ID|V-215186

AIX7-00-001028 - AIX must provide the lock command to let users retain their session lock until users are reauthenticated.

800-53|AC-11b.

CCI|CCI-000056

Rule-ID|SV-215187r508663_rule

STIG-ID|AIX7-00-001028

STIG-Legacy|SV-101329

STIG-Legacy|V-91229

Vuln-ID|V-215187

AIX7-00-001029 - AIX must provide xlock command in the CDE environment to let users retain their sessions lock until users are reauthenticated.

Rule-ID|SV-215188r508663_rule

STIG-ID|AIX7-00-001029

STIG-Legacy|SV-101331

STIG-Legacy|V-91231

Vuln-ID|V-215188

AIX7-00-001030 - AIX system must prevent the root account from directly logging in except from the system console.

800-53|CM-6b.

CCI|CCI-000366

Rule-ID|SV-215189r508663_rule

STIG-ID|AIX7-00-001030

STIG-Legacy|SV-101677

STIG-Legacy|V-91579

Vuln-ID|V-215189

AIX7-00-001031 - All AIX public directories must be owned by root or an application account.

Rule-ID|SV-215190r508663_rule

STIG-ID|AIX7-00-001031

STIG-Legacy|SV-101687

STIG-Legacy|V-91589

Vuln-ID|V-215190

AIX7-00-001032 - AIX administrative accounts must not run a web browser, except as needed for local service administration.

Rule-ID|SV-215191r808444_rule

STIG-ID|AIX7-00-001032

STIG-Legacy|SV-101705

STIG-Legacy|V-91607

Vuln-ID|V-215191

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - adm

Rule-ID|SV-215192r508663_rule

STIG-ID|AIX7-00-001033

STIG-Legacy|SV-101707

STIG-Legacy|V-91609

Vuln-ID|V-215192

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - bin

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - daemon

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - esaadmin

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - invscout

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - pconsole

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - snapp

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - sys

AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist - system

AIX7-00-001034 - The AIX root account must not have world-writable directories in its executable search path.

Rule-ID|SV-215193r508663_rule

STIG-ID|AIX7-00-001034

STIG-Legacy|SV-101719

STIG-Legacy|V-91621

Vuln-ID|V-215193

AIX7-00-001035 - The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID.

Rule-ID|SV-215194r508663_rule

STIG-ID|AIX7-00-001035

STIG-Legacy|SV-101721

STIG-Legacy|V-91623

Vuln-ID|V-215194

AIX7-00-001036 - UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems.

Rule-ID|SV-215195r508663_rule

STIG-ID|AIX7-00-001036

STIG-Legacy|SV-101763

STIG-Legacy|V-91665

Detections

Analytics

DISA STIG AIX 7.x v2r9

Audit Details

File Details

Audit Changelog

Revision 1.2

Functional Update

Revision 1.1

Miscellaneous