CIS IBM AIX 7.2 L2 v1.1.0

Audit Details

Name: CIS IBM AIX 7.2 L2 v1.1.0

Updated: 6/17/2024

Authority: CIS

Plugin: Unix

Revision: 1.1

Estimated Item Count: 46

File Details

Filename: CIS_AIX_7.2_Benchmark_v1.1.0_Level_2.audit

Size: 136 kB

MD5: a6d6f175053ad1bfc65f72f355b1a39b
SHA256: 8c07b813f5f80699837d638221edda85e113d08d5fd136868677cac2a5f3ef07

Audit Items

Description

Categories
2.6 Enforce Allowlist aka Trusted Execution Checks

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

2.8 Ensure the Trusted Execution Policies cannot be modified

CONFIGURATION MANAGEMENT

3.1 Encryption: File System Level (EFS)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2 Encryption: Logical Volume (ELV)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.1.2.9 mrouted

CONFIGURATION MANAGEMENT

4.1.3.1 autoconf6

ACCESS CONTROL, CONFIGURATION MANAGEMENT

4.1.3.2 ndpd-host

ACCESS CONTROL, CONFIGURATION MANAGEMENT

4.1.3.3 ndpd-router

ACCESS CONTROL, CONFIGURATION MANAGEMENT

4.1.4.2 NFS - de-install NFS server

CONFIGURATION MANAGEMENT

4.1.4.5 NFS - restrict NFS access

CONFIGURATION MANAGEMENT

4.1.4.7 NFS - secure NFS

CONFIGURATION MANAGEMENT

4.4.1.1 NIS - de-install NIS client

CONFIGURATION MANAGEMENT

4.4.1.2 NIS - de-install NIS server

CONFIGURATION MANAGEMENT

4.4.1.3 NIS - remove NIS markers from password and group files

IDENTIFICATION AND AUTHENTICATION

4.4.1.4 NIS - restrict NIS server communication

CONFIGURATION MANAGEMENT

4.4.2 Remote command lockdown

ACCESS CONTROL

4.4.3 Removal of entries from /etc/hosts.equiv

CONFIGURATION MANAGEMENT

4.4.4 Removal of .rhosts and .netrc files

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

4.4.5 Remote daemon lockdown

CONFIGURATION MANAGEMENT

4.5.1.2 /etc/inetd.conf - cmsd

CONFIGURATION MANAGEMENT

4.5.1.3 CDE - disabling dtlogin

CONFIGURATION MANAGEMENT

4.5.1.4 /etc/inetd.conf - dtspc

CONFIGURATION MANAGEMENT

4.5.1.6 CDE - remote GUI login disabled

CONFIGURATION MANAGEMENT

4.5.3.5 sshd_config: PermitRootLogin is 'prohibit-password' or 'no'

CONFIGURATION MANAGEMENT, MAINTENANCE

4.5.3.14 sshd_config: Use Conditional exception(s).

CONFIGURATION MANAGEMENT, MAINTENANCE

4.5.5.1 SNMP - disable private community string

IDENTIFICATION AND AUTHENTICATION

4.5.5.2 SNMP - disable system community string

ACCESS CONTROL

4.5.5.3 SNMP - disable public community string

IDENTIFICATION AND AUTHENTICATION

4.5.5.4 SNMP - disable Readwrite community access

ACCESS CONTROL

4.5.5.5 SNMP - restrict community access

CONFIGURATION MANAGEMENT

4.6.6 Unattended terminal session timeout is 900 seconds (or less) - readonly

ACCESS CONTROL

4.8.1 TE - implementation

SYSTEM AND INFORMATION INTEGRITY

6.1.1 Create baseline of executables that elevate to a different GUID (Not scored)

ACCESS CONTROL

6.1.2 Create baseline of executables that require a specific group for elevation to a different EUID (not scored)

ACCESS CONTROL

6.1.3 Create baseline of executables that elevate directly to a new EUID (not scored)

ACCESS CONTROL

6.2.1 Privilege escalation: enhanced RBAC

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

6.3.1 Privilege escalation: sudo

ACCESS CONTROL

6.3.2 Ensure sudo logging is active

AUDIT AND ACCOUNTABILITY

6.3.3 Ensure sudo commands use pty

SYSTEM AND INFORMATION INTEGRITY

6.5 Services - at access is root only

SYSTEM AND INFORMATION INTEGRITY

6.7 Services - crontab access is root only

SYSTEM AND INFORMATION INTEGRITY

7.1 Use FLRT regularly

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

8.1.2 Configuring syslog - remote logging

AUDIT AND ACCOUNTABILITY

8.1.3 Configuring syslog - remote messages

AUDIT AND ACCOUNTABILITY

8.2 AIX Auditing

AUDIT AND ACCOUNTABILITY

CIS_AIX_7.2_Benchmark_v1.1.0_Level_2.audit from CIS AIX 7.2 Benchmark v1.1.0 Level 2 Benchmark