Checked | Name | Title |
---|---|---|
☐ | SV-215169r508663_rule | AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account. |
☐ | SV-215170r508663_rule | AIX must automatically remove or disable temporary user accounts after 72 hours or sooner. |
☐ | SV-215171r508663_rule | AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator. |
☐ | SV-215172r508663_rule | AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types. |
☐ | SV-215173r508663_rule | If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA. |
☐ | SV-215174r508663_rule | If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords. |
☐ | SV-215175r508663_rule | All accounts on AIX system must have unique account names. |
☐ | SV-215176r508663_rule | All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users). |
☐ | SV-215177r508663_rule | The AIX SYSTEM attribute must not be set to NONE for any account. |
☐ | SV-215178r508663_rule | Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts. |
☐ | SV-215179r508663_rule | AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. |
☐ | SV-215180r508663_rule | The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. |
☐ | SV-215181r508663_rule | The shipped /etc/security/mkuser.sys file on AIX must not be customized directly. |
☐ | SV-215182r508663_rule | The regular users' default primary group must be staff (or equivalent) on AIX. |
☐ | SV-215183r508663_rule | All system files, programs, and directories must be owned by a system account. |
☐ | SV-215184r508663_rule | AIX device files and directories must only be writable by users with a system account or as configured by the vendor. |
☐ | SV-215185r508663_rule | SSH must display the date and time of the last successful account login to AIX system upon login. |
☐ | SV-215186r538429_rule | AIX must configure the ttys value for all interactive users. |
☐ | SV-215187r508663_rule | AIX must provide the lock command to let users retain their session lock until users are reauthenticated. |
☐ | SV-215188r508663_rule | AIX must provide xlock command in the CDE environment to let users retain their sessions lock until users are reauthenticated. |
☐ | SV-215189r508663_rule | AIX system must prevent the root account from directly logging in except from the system console. |
☐ | SV-215190r508663_rule | All AIX public directories must be owned by root or an application account. |
☐ | SV-215191r508663_rule | AIX administrative accounts must not run a web browser, except as needed for local service administration. |
☐ | SV-215192r508663_rule | AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. |
☐ | SV-215193r508663_rule | The AIX root account must not have world-writable directories in its executable search path. |
☐ | SV-215194r508663_rule | The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID. |
☐ | SV-215195r508663_rule | UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems. |
☐ | SV-215196r508663_rule | The AIX root account's list of preloaded libraries must be empty. |
☐ | SV-215197r508663_rule | AIX must not have accounts configured with blank or null passwords. |
☐ | SV-215198r508663_rule | The AIX root account's home directory (other than /) must have mode 0700. |
☐ | SV-215199r508663_rule | The AIX root account's home directory must not have an extended ACL. |
☐ | SV-215200r508663_rule | AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system. |
☐ | SV-215201r508663_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX. |
☐ | SV-215202r508663_rule | The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX. |
☐ | SV-215203r508663_rule | Any publicly accessible connection to AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. |
☐ | SV-215204r508663_rule | If LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server. |
☐ | SV-215205r508663_rule | If LDAP authentication is required, AIX must setup LDAP client to refresh user and group caches less than a day. |
☐ | SV-215206r508663_rule | The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups. |
☐ | SV-215207r508663_rule | AIX must protect the confidentiality and integrity of all information at rest. |
☐ | SV-215208r508663_rule | AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours. |
☐ | SV-215209r508663_rule | All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions. |
☐ | SV-215210r508663_rule | AIX nosuid option must be enabled on all NFS client mounts. |
☐ | SV-215211r508663_rule | AIX must be configured to allow users to directly initiate a session lock for all connection types. |
☐ | SV-215212r508663_rule | AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image. |
☐ | SV-215213r508663_rule | AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. |
☐ | SV-215214r508663_rule | If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. |
☐ | SV-215215r508663_rule | AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. |
☐ | SV-215216r517598_rule | AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
☐ | SV-215217r508663_rule | AIX must enforce password complexity by requiring that at least one upper-case character be used. |
☐ | SV-215218r508663_rule | AIX must enforce password complexity by requiring that at least one lower-case character be used. |
☐ | SV-215219r508663_rule | AIX must enforce password complexity by requiring that at least one numeric character be used. |
☐ | SV-215220r508663_rule | AIX must require the change of at least 50% of the total number of characters when passwords are changed. |
☐ | SV-215221r508663_rule | AIX root passwords must never be passed over a network in clear text form. |
☐ | SV-215222r508663_rule | AIX Operating systems must enforce 24 hours/1 day as the minimum password lifetime. |
☐ | SV-215223r508663_rule | AIX Operating systems must enforce a 60-day maximum password lifetime restriction. |
☐ | SV-215224r508663_rule | AIX must prohibit password reuse for a minimum of five generations. |
☐ | SV-215225r508663_rule | AIX must use Loadable Password Algorithm (LPA) password hashing algorithm. |
☐ | SV-215226r508663_rule | AIX must enforce a minimum 15-character password length. |
☐ | SV-215227r508663_rule | AIX must enforce password complexity by requiring that at least one special character be used. |
☐ | SV-215228r508663_rule | AIX must implement a way to force an identified temporary user to renew their password at next login. |
☐ | SV-215229r508663_rule | AIX must prevent the use of dictionary words for passwords. |
☐ | SV-215230r508663_rule | The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. |
☐ | SV-215231r508663_rule | If SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf config file. |
☐ | SV-215232r508663_rule | AIX must require passwords to contain no more than three consecutive repeating characters. |
☐ | SV-215233r508663_rule | AIX must be able to control the ability of remote login for users. |
☐ | SV-215234r508663_rule | NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs. |
☐ | SV-215235r508663_rule | AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option. |
☐ | SV-215236r508663_rule | AIX must produce audit records containing information to establish what the date, time, and type of events that occurred. |
☐ | SV-215237r508663_rule | AIX must produce audit records containing information to establish where the events occurred. |
☐ | SV-215238r508663_rule | AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event. |
☐ | SV-215239r508663_rule | AIX must produce audit records containing information to establish the outcome of the events. |
☐ | SV-215240r508663_rule | AIX must produce audit records containing the full-text recording of privileged commands. |
☐ | SV-215241r508663_rule | AIX must be configured to generate an audit record when 75% of the audit file system is full. |
☐ | SV-215242r517599_rule | AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents. |
☐ | SV-215243r508663_rule | Audit logs on the AIX system must be owned by root. |
☐ | SV-215244r508663_rule | Audit logs on the AIX system must be group-owned by system. |
☐ | SV-215245r508663_rule | Audit logs on the AIX system must be set to 660 or less permissive. |
☐ | SV-215246r508663_rule | AIX must provide audit record generation functionality for DoD-defined auditable events. |
☐ | SV-215247r508663_rule | AIX must start audit at boot. |
☐ | SV-215248r508663_rule | AIX audit tools must be owned by root. |
☐ | SV-215249r508663_rule | AIX audit tools must be group-owned by audit. |
☐ | SV-215250r508663_rule | AIX audit tools must be set to 4550 or less permissive. |
☐ | SV-215251r508663_rule | AIX must verify the hash of audit tools. |
☐ | SV-215252r508663_rule | AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. |
☐ | SV-215253r508663_rule | AIX must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility. |
☐ | SV-215254r508663_rule | AIX must provide a report generation function that supports on-demand audit review and analysis, on-demand reporting requirements, and after-the-fact investigations of security incidents. |
☐ | SV-215255r508663_rule | AIX must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
☐ | SV-215256r508663_rule | AIX audit logs must be rotated daily. |
☐ | SV-215257r508663_rule | The AIX rexec daemon must not be running. |
☐ | SV-215258r508663_rule | AIX telnet daemon must not be running. |
☐ | SV-215259r508663_rule | AIX ftpd daemon must not be running. |
☐ | SV-215260r508663_rule | AIX must remove NOPASSWD tag from sudo config files. |
☐ | SV-215261r508663_rule | AIX must remove !authenticate option from sudo config files. |
☐ | SV-215262r508663_rule | AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router. |
☐ | SV-215263r508663_rule | IP forwarding for IPv4 must not be enabled on AIX unless the system is a router. |
☐ | SV-215264r508663_rule | AIX must be configured with a default gateway for IPv6 if the system uses IPv6 unless the system is a router. |
☐ | SV-215265r508663_rule | AIX must not have IP forwarding for IPv6 enabled unless the system is an IPv6 router. |
☐ | SV-215266r508663_rule | AIX log files must be owned by a system account. |
☐ | SV-215267r508663_rule | AIX log files must be owned by a system group. |
☐ | SV-215268r508663_rule | AIX system files, programs, and directories must be group-owned by a system group. |
☐ | SV-215269r508663_rule | The inetd.conf file on AIX must be owned by root and system group. |
☐ | SV-215270r508663_rule | AIX cron and crontab directories must be owned by root or bin. |
☐ | SV-215271r508663_rule | AIX audio devices must be group-owned by root, sys, bin, or system. |
☐ | SV-215272r508663_rule | AIX time synchronization configuration file must be owned by root. |
☐ | SV-215273r508663_rule | AIX time synchronization configuration file must be group-owned by bin, or system. |
☐ | SV-215274r508663_rule | The AIX /etc/group file must be owned by root. |
☐ | SV-215275r508663_rule | The AIX /etc/group file must be group-owned by security. |
☐ | SV-215276r508663_rule | All AIX interactive users' home directories must be owned by their respective users. |
☐ | SV-215277r508663_rule | All AIX interactive users' home directories must be group-owned by the home directory owner's primary group. |
☐ | SV-215278r508663_rule | All files and directories contained in users' home directories on AIX must be group-owned by a group in which the home directory owner is a member. |
☐ | SV-215279r508663_rule | AIX library files must have mode 0755 or less permissive. |
☐ | SV-215280r508663_rule | Samba packages must be removed from AIX. |
☐ | SV-215281r508663_rule | AIX time synchronization configuration file must have mode 0640 or less permissive. |
☐ | SV-215282r508663_rule | The AIX /etc/group file must have mode 0644 or less permissive. |
☐ | SV-215283r508663_rule | AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required. |
☐ | SV-215284r508663_rule | AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods. |
☐ | SV-215285r508663_rule | AIX must monitor and record successful remote logins. |
☐ | SV-215286r508663_rule | AIX must monitor and record unsuccessful remote logins. |
☐ | SV-215287r508663_rule | On AIX, the SSH server must not permit root logins using remote access programs. |
☐ | SV-215288r508663_rule | All AIX shells referenced in passwd file must be listed in /etc/shells file, except any shells specified for the purpose of preventing logins. |
☐ | SV-215289r508663_rule | The AIX SSH server must use SSH Protocol 2. |
☐ | SV-215290r648727_rule | AIX must config the SSH idle timeout interval. |
☐ | SV-215291r508663_rule | AIX must disable Kerberos Authentication in ssh config file to enforce access restrictions. |
☐ | SV-215292r508663_rule | If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication. |
☐ | SV-215293r508663_rule | AIX must setup SSH daemon to disable revoked public keys. |
☐ | SV-215294r508663_rule | AIX SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. |
☐ | SV-215295r508663_rule | The AIX SSH daemon must be configured for IP filtering. |
☐ | SV-215296r508663_rule | The AIX SSH daemon must not allow compression. |
☐ | SV-215297r508663_rule | AIX must turn on SSH daemon privilege separation. |
☐ | SV-215298r508663_rule | AIX must turn on SSH daemon reverse name checking. |
☐ | SV-215299r508663_rule | AIX SSH daemon must perform strict mode checking of home directory configuration files. |
☐ | SV-215300r508663_rule | AIX must turn off X11 forwarding for the SSH daemon. |
☐ | SV-215301r508663_rule | AIX must turn off TCP forwarding for the SSH daemon. |
☐ | SV-215302r508663_rule | The AIX SSH daemon must be configured to disable empty passwords. |
☐ | SV-215303r508663_rule | The AIX SSH daemon must be configured to disable user .rhosts files. |
☐ | SV-215304r508663_rule | The AIX SSH daemon must be configured to not use host-based authentication. |
☐ | SV-215305r508663_rule | The AIX SSH daemon must not allow RhostsRSAAuthentication. |
☐ | SV-215306r508663_rule | If AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses. |
☐ | SV-215307r508663_rule | AIX must request and perform data origin and integrity authentication verification on the name/address resolution responses the system receives from authoritative sources. |
☐ | SV-215308r508663_rule | AIX system must require authentication upon booting into single-user and maintenance modes. |
☐ | SV-215309r508663_rule | If bash is used, AIX must display logout messages. |
☐ | SV-215310r508663_rule | If Bourne / ksh shell is used, AIX must display logout messages. |
☐ | SV-215311r508663_rule | If csh/tcsh shell is used, AIX must display logout messages. |
☐ | SV-215312r508663_rule | AIX must implement a remote syslog server that is documented using site-defined procedures. |
☐ | SV-215313r508663_rule | The AIX syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures. |
☐ | SV-215314r508663_rule | AIX must be configured to use syslogd to log events by TCPD. |
☐ | SV-215315r508663_rule | The AIX audit configuration files must be owned by root. |
☐ | SV-215316r508663_rule | The AIX audit configuration files must be group-owned by audit. |
☐ | SV-215317r508663_rule | The AIX audit configuration files must be set to 640 or less permissive. |
☐ | SV-215318r508663_rule | AIX must automatically lock after 15 minutes of inactivity in the CDE Graphical desktop environment. |
☐ | SV-215320r508663_rule | AIX must set inactivity time-out on login sessions and terminate all login sessions after 10 minutes of inactivity. |
☐ | SV-215321r508663_rule | AIX SSH private host key files must have mode 0600 or less permissive. |
☐ | SV-215322r508663_rule | AIX must disable /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/rexec and /usr/bin/telnet commands. |
☐ | SV-215323r508663_rule | AIX log files must have mode 0640 or less permissive. |
☐ | SV-215324r508663_rule | AIX log files must not have extended ACLs, except as needed to support authorized software. |
☐ | SV-215325r508663_rule | All system command files must not have extended ACLs. |
☐ | SV-215326r508663_rule | All library files must not have extended ACLs. |
☐ | SV-215327r508663_rule | AIX passwd.nntp file must have mode 0600 or less permissive. |
☐ | SV-215328r508663_rule | The AIX /etc/group file must not have an extended ACL. |
☐ | SV-215329r508663_rule | The AIX ldd command must be disabled. |
☐ | SV-215330r508663_rule | AIX NFS server must be configured to restrict file system access to local hosts. |
☐ | SV-215331r508663_rule | All AIX users' home directories must have mode 0750 or less permissive. |
☐ | SV-215332r508663_rule | The AIX user home directories must not have extended ACLs. |
☐ | SV-215333r508663_rule | AIX must use Trusted Execution (TE) Check policy. |
☐ | SV-215334r508663_rule | AIX must disable trivial file transfer protocol. |
☐ | SV-215335r508663_rule | AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
☐ | SV-215336r508663_rule | AIX must remove all software components after updated versions have been installed. |
☐ | SV-215337r508663_rule | AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt. |
☐ | SV-215338r508663_rule | AIX system must restrict the ability to switch to the root user to members of a defined group. |
☐ | SV-215339r508663_rule | All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. |
☐ | SV-215340r508663_rule | All AIX files and directories must have a valid owner. |
☐ | SV-215341r508663_rule | The sticky bit must be set on all public directories on AIX systems. |
☐ | SV-215342r508663_rule | The AIX global initialization files must contain the mesg -n or mesg n commands. |
☐ | SV-215343r508663_rule | The AIX hosts.lpd file must not contain a + character. |
☐ | SV-215344r508663_rule | AIX sendmail logging must not be set to less than nine in the sendmail.cf file. |
☐ | SV-215345r508663_rule | AIX run control scripts executable search paths must contain only absolute paths. |
☐ | SV-215346r508663_rule | The AIX rsh daemon must be disabled. |
☐ | SV-215347r508663_rule | The AIX rlogind service must be disabled. |
☐ | SV-215348r508663_rule | The AIX qdaemon must be disabled if local or remote printing is not required. |
☐ | SV-215349r508663_rule | If AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled. |
☐ | SV-215350r508663_rule | If AIX system does not support either local or remote printing, the piobe service must be disabled. |
☐ | SV-215351r508663_rule | If there are no X11 clients that require CDE on AIX, the dt service must be disabled. |
☐ | SV-215352r508663_rule | If NFS is not required on AIX, the NFS daemon must be disabled. |
☐ | SV-215353r508663_rule | If sendmail is not required on AIX, the sendmail service must be disabled. |
☐ | SV-215354r508663_rule | If SNMP is not required on AIX, the snmpd service must be disabled. |
☐ | SV-215355r508663_rule | The AIX DHCP client must be disabled. |
☐ | SV-215356r508663_rule | If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled. |
☐ | SV-215357r513945_rule | If IPv6 is not utilized on AIX server, the autoconf6 daemon must be disabled. |
☐ | SV-215358r508663_rule | If AIX server is not functioning as a network router, the gated daemon must be disabled. |
☐ | SV-215359r508663_rule | If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled. |
☐ | SV-215360r508663_rule | If AIX server is not functioning as a DNS server, the named daemon must be disabled. |
☐ | SV-215361r508663_rule | If AIX server is not functioning as a network router, the routed daemon must be disabled. |
☐ | SV-215362r508663_rule | If rwhod is not required on AIX, the rwhod daemon must be disabled. |
☐ | SV-215363r508663_rule | The timed daemon must be disabled on AIX. |
☐ | SV-215364r508663_rule | If AIX server does not host an SNMP agent, the dpid2 daemon must be disabled. |
☐ | SV-215365r508663_rule | If SNMP is not required on AIX, the snmpmibd daemon must be disabled. |
☐ | SV-215366r508663_rule | The aixmibd daemon must be disabled on AIX. |
☐ | SV-215367r508663_rule | The ndpd-host daemon must be disabled on AIX. |
☐ | SV-215368r508663_rule | The ndpd-router must be disabled on AIX. |
☐ | SV-215369r508663_rule | The daytime daemon must be disabled on AIX. |
☐ | SV-215370r508663_rule | The cmsd daemon must be disabled on AIX. |
☐ | SV-215371r508663_rule | The ttdbserver daemon must be disabled on AIX. |
☐ | SV-215372r508663_rule | The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX. |
☐ | SV-215373r508663_rule | The time daemon must be disabled on AIX. |
☐ | SV-215374r508663_rule | The talk daemon must be disabled on AIX. |
☐ | SV-215375r508663_rule | The ntalk daemon must be disabled on AIX. |
☐ | SV-215376r508663_rule | The chargen daemon must be disabled on AIX. |
☐ | SV-215377r508663_rule | The discard daemon must be disabled on AIX. |
☐ | SV-215378r508663_rule | The dtspc daemon must be disabled on AIX. |
☐ | SV-215379r508663_rule | The pcnfsd daemon must be disabled on AIX. |
☐ | SV-215380r508663_rule | The rstatd daemon must be disabled on AIX. |
☐ | SV-215381r508663_rule | The rusersd daemon must be disabled on AIX. |
☐ | SV-215382r508663_rule | The sprayd daemon must be disabled on AIX. |
☐ | SV-215383r508663_rule | The klogin daemon must be disabled on AIX. |
☐ | SV-215384r508663_rule | The kshell daemon must be disabled on AIX. |
☐ | SV-215385r508663_rule | The rquotad daemon must be disabled on AIX. |
☐ | SV-215386r508663_rule | The tftp daemon must be disabled on AIX. |
☐ | SV-215387r508663_rule | The imap2 service must be disabled on AIX. |
☐ | SV-215388r508663_rule | The pop3 daemon must be disabled on AIX. |
☐ | SV-215389r508663_rule | The finger daemon must be disabled on AIX. |
☐ | SV-215390r508663_rule | The instsrv daemon must be disabled on AIX. |
☐ | SV-215391r508663_rule | The echo daemon must be disabled on AIX. |
☐ | SV-215392r508663_rule | The Internet Network News (INN) server must be disabled on AIX. |
☐ | SV-215393r508663_rule | If Stream Control Transmission Protocol (SCTP) must be disabled on AIX. |
☐ | SV-215394r508663_rule | The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX. |
☐ | SV-215395r508663_rule | If automated file system mounting tool is not required on AIX, it must be disabled. |
☐ | SV-215396r508663_rule | AIX process core dumps must be disabled. |
☐ | SV-215397r508663_rule | AIX kernel core dumps must be disabled unless needed. |
☐ | SV-215398r508663_rule | AIX must set Stack Execution Disable (SED) system wide mode to all. |
☐ | SV-215399r508663_rule | AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces. |
☐ | SV-215400r508663_rule | AIX must allow admins to send a message to all the users who logged in currently. |
☐ | SV-215401r508663_rule | AIX must allow admins to send a message to a user who logged in currently. |
☐ | SV-215402r508663_rule | The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers. |
☐ | SV-215403r508663_rule | The AIX system must have no .netrc files on the system. |
☐ | SV-215404r513948_rule | AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status. |
☐ | SV-215405r508663_rule | If DHCP server is not required on AIX, the DHCP server must be disabled. |
☐ | SV-215406r508663_rule | The rwalld daemon must be disabled on AIX. |
☐ | SV-215407r508663_rule | In the event of a system failure, AIX must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. |
☐ | SV-215408r508663_rule | The /etc/shells file must exist on AIX systems. |
☐ | SV-215409r508663_rule | AIX public directories must be the only world-writable directories and world-writable files must be located only in public directories. |
☐ | SV-215410r508663_rule | AIX must be configured to only boot from the system boot device. |
☐ | SV-215411r508663_rule | AIX must not use removable media as the boot loader. |
☐ | SV-215412r508663_rule | If the AIX host is running an SMTP service, the SMTP greeting must not provide version information. |
☐ | SV-215413r508663_rule | AIX must contain no .forward files. |
☐ | SV-215414r508663_rule | The sendmail server must have the debug feature disabled on AIX systems. |
☐ | SV-215415r508663_rule | SMTP service must not have the EXPN or VRFY features active on AIX systems. |
☐ | SV-215416r508663_rule | All global initialization file executable search paths must contain only absolute paths. |
☐ | SV-215417r508663_rule | The SMTP service HELP command must not be enabled on AIX. |
☐ | SV-215418r508663_rule | NIS maps must be protected through hard-to-guess domain names on AIX. |
☐ | SV-215419r508663_rule | The AIX system's access control program must be configured to grant or deny system access to specific hosts. |
☐ | SV-215420r508663_rule | All AIX files and directories must have a valid group owner. |
☐ | SV-215421r508663_rule | AIX control scripts library search paths must contain only absolute paths. |
☐ | SV-215422r508663_rule | The control script lists of preloaded libraries must contain only absolute paths on AIX systems. |
☐ | SV-215423r508663_rule | The global initialization file lists of preloaded libraries must contain only absolute paths on AIX. |
☐ | SV-215424r508663_rule | The local initialization file library search paths must contain only absolute paths on AIX. |
☐ | SV-215425r508663_rule | The local initialization file lists of preloaded libraries must contain only absolute paths on AIX. |
☐ | SV-215426r508663_rule | AIX package management tool must be used daily to verify system software. |
☐ | SV-215427r508663_rule | The AIX DHCP client must not send dynamic DNS updates. |
☐ | SV-215428r508663_rule | AIX must not run any routing protocol daemons unless the system is a router. |
☐ | SV-215429r508663_rule | AIX must not process ICMP timestamp requests. |
☐ | SV-215430r508663_rule | AIX must not respond to ICMPv6 echo requests sent to a broadcast address. |
☐ | SV-215431r508663_rule | AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. |
☐ | SV-215432r508663_rule | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the AIX system. |
☐ | SV-215433r508663_rule | The .rhosts file must not be supported in AIX PAM. |
☐ | SV-215434r508663_rule | The AIX root user home directory must not be the root directory (/). |
☐ | SV-215435r508663_rule | All AIX interactive users must be assigned a home directory in the passwd file and the directory must exist. |
☐ | SV-215436r508663_rule | The AIX operating system must use Multi Factor Authentication. |
☐ | SV-215437r508663_rule | The AIX operating system must be configured to authenticate using Multi Factor Authentication. |
☐ | SV-215438r508663_rule | The AIX operating system must be configured to use Multi Factor Authentication for remote connections. |
☐ | SV-215439r508663_rule | AIX must have the PowerSC Multi Factor Authentication Product configured. |
☐ | SV-215440r508663_rule | The AIX operating system must be configured to use a valid server_ca.pem file. |
☐ | SV-215441r508663_rule | The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials. |
☐ | SV-219057r508663_rule | AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. |
☐ | SV-219956r508663_rule | AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full. |