Ensure that software that supports passwordless and/or clear-text password connections is disabled. Examples include daemons such as rlogind, rshd and talkd: remote services that send or receive usernames and passwords in clear text (or authenticate on the basis of hostname and .rhosts trust alone, with no password at all) should not be used.
Solution
Use the following script to disable the files in these packages (run it as root; it clears the mode bits and the TCB flag of every file delivered by the rcmd filesets and removes any privileged-command authorization from the Trusted Signature Database):

    for fileset in bos.net.tcp.rcmd_server bos.net.tcp.rcmd
    do
        lslpp -L ${fileset} >/dev/null 2>&1
        if [[ $? -eq 0 ]]
        then
            lslpp -f ${fileset} | /usr/bin/egrep "^ +/" | while read command rest
            do
                # aclput will also do a classic chmod on the standard file mode bits
                /usr/bin/aclput </dev/null ${command}
                /usr/bin/chtcb off ${command}
                # if in the TSD as a privileged command - make sure the accessauths attribute is cleared
                lssecattr -c ${command} && setsecattr -c accessauths= ${command}
                # ignore errors, if any, when the file is not already in the TSD
                # Note: trustchk does not (always) update the attribute 'accessauths'. Ignore this if it occurs
                trustchk -u ${command} mode accessauths
            done
            # update the kernel security tables
            setkst
        fi
    done

Impact: Ideally, these packages were never installed. If they are installed during system installation and configuration they are practically impossible to uninstall. The alternative is to set the file mode bits to zero to block execution and/or copying, which is what the script above does.
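The remediation script clears the binaries, but it does not touch /etc/inetd.conf, so inetd will still bind the shell, login and talk ports and log an exec failure on every connection attempt. The following audit helper is an added example, not part of the benchmark and not an AIX tool: it reports inetd.conf lines that would still start rshd, rlogind or talkd, and it checks that a given file has all nine permission bits cleared, the state the script leaves the r-command binaries in. It assumes the stock AIX inetd.conf field layout (server program as the path or last field) and runs its demo on a constructed sample file.

```sh
#!/bin/sh
# Added audit helper, not part of the benchmark text. Assumes the stock AIX
# /etc/inetd.conf layout (rshd, rlogind, talkd appear as the server-program
# path and/or the argv[0] field); the sample config in demo() is constructed.

# Print inetd.conf lines that would still start rshd, rlogind or talkd:
# the first non-blank character is not '#' and one of the daemon names
# follows a space or a '/'. Empty output means none of them is enabled.
clear_text_services_enabled() {
    grep -E '^[[:space:]]*[^#].*[[:space:]/](rshd|rlogind|talkd)([[:space:]]|$)' "$1"
}

# Echo the number of such lines (0 when compliant). The pipeline's status is
# that of wc, so this is safe to call under set -e even with no matches.
count_clear_text_services() {
    clear_text_services_enabled "$1" | wc -l | tr -d ' '
}

# Succeed when the file's nine permission bits are all cleared. ls -ld is used
# instead of stat because stat's flags differ between AIX, Linux and BSD;
# cut -c2-10 skips the file-type character and any trailing ACL/extended marker.
mode_is_zero() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "---------" ]
}

# Demo on a constructed inetd.conf fragment: rshd is commented out while
# rlogind and talkd are still active, so two lines are reported.
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd     ftpd
#shell  stream  tcp6    nowait  root    /usr/sbin/rshd     rshd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind  rlogind
ntalk   dgram   udp     wait    root    /usr/sbin/talkd    talkd
EOF
    echo "active clear-text services: $(count_clear_text_services "$conf")"
    clear_text_services_enabled "$conf"

    # A throwaway file stands in for a remediated binary such as /usr/sbin/rshd.
    bin=$(mktemp)
    chmod 000 "$bin"
    if mode_is_zero "$bin"; then echo "$bin: mode bits cleared"; fi
    rm -f "$conf" "$bin"
}
demo
```

On a live AIX system, run `count_clear_text_services /etc/inetd.conf` (it must print 0; comment out or delete any line it reports and refresh inetd) and loop `mode_is_zero` over the paths that `lslpp -f bos.net.tcp.rcmd_server` and `lslpp -f bos.net.tcp.rcmd` list. Both checks are needed: cleared mode bits stop the daemons from executing, but only the inetd.conf change stops the ports from being offered.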