| 2.6 Enforce Allowlist aka Trusted Execution Checks | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.8 Ensure the Trusted Execution Policies cannot be modified | CONFIGURATION MANAGEMENT |
| 3.1 Encryption: File System Level (EFS) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2 Encryption: Logical Volume (ELV) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.2.9 mrouted | CONFIGURATION MANAGEMENT |
| 4.1.3.1 autoconf6 | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 4.1.3.2 ndpd-host | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 4.1.3.3 ndpd-router | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 4.1.4.2 NFS - de-install NFS server | CONFIGURATION MANAGEMENT |
| 4.1.4.5 NFS - restrict NFS access | CONFIGURATION MANAGEMENT |
| 4.1.4.7 NFS - secure NFS | CONFIGURATION MANAGEMENT |
| 4.4.1.1 NIS - de-install NIS client | CONFIGURATION MANAGEMENT |
| 4.4.1.2 NIS - de-install NIS server | CONFIGURATION MANAGEMENT |
| 4.4.1.3 NIS - remove NIS markers from password and group files | IDENTIFICATION AND AUTHENTICATION |
| 4.4.1.4 NIS - restrict NIS server communication | CONFIGURATION MANAGEMENT |
| 4.4.2 Remote command lockdown | ACCESS CONTROL |
| 4.4.3 Removal of entries from /etc/hosts.equiv | CONFIGURATION MANAGEMENT |
| 4.4.4 Removal of .rhosts and .netrc files | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 4.4.5 Remote daemon lockdown | CONFIGURATION MANAGEMENT |
| 4.5.1.2 /etc/inetd.conf - cmsd | CONFIGURATION MANAGEMENT |
| 4.5.1.3 CDE - disabling dtlogin | CONFIGURATION MANAGEMENT |
| 4.5.1.4 /etc/inetd.conf - dtspc | CONFIGURATION MANAGEMENT |
| 4.5.1.6 CDE - remote GUI login disabled | CONFIGURATION MANAGEMENT |
| 4.5.3.5 sshd_config: PermitRootLogin is 'prohibit-password' or 'no' | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 4.5.3.14 sshd_config: Use Conditional exception(s). | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 4.5.5.1 SNMP - disable private community string | IDENTIFICATION AND AUTHENTICATION |
| 4.5.5.2 SNMP - disable system community string | ACCESS CONTROL |
| 4.5.5.3 SNMP - disable public community string | IDENTIFICATION AND AUTHENTICATION |
| 4.5.5.4 SNMP - disable Readwrite community access | ACCESS CONTROL |
| 4.5.5.5 SNMP - restrict community access | CONFIGURATION MANAGEMENT |
| 4.6.6 Unattended terminal session timeout is 900 seconds (or less) - readonly | ACCESS CONTROL |
| 4.8.1 TE - implementation | SYSTEM AND INFORMATION INTEGRITY |
| 6.1.1 Create baseline of executables that elevate to a different GUID (Not scored) | ACCESS CONTROL |
| 6.1.2 Create baseline of executables that require a specific group for elevation to a different EUID (not scored) | ACCESS CONTROL |
| 6.1.3 Create baseline of executables that elevate directly to a new EUID (not scored) | ACCESS CONTROL |
| 6.2.1 Privilege escalation: enhanced RBAC | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.3.1 Privilege escalation: sudo | ACCESS CONTROL |
| 6.3.2 Ensure sudo logging is active | AUDIT AND ACCOUNTABILITY |
| 6.3.3 Ensure sudo commands use pty | SYSTEM AND INFORMATION INTEGRITY |
| 6.5 Services - at access is root only | SYSTEM AND INFORMATION INTEGRITY |
| 6.7 Services - crontab access is root only | SYSTEM AND INFORMATION INTEGRITY |
| 7.1 Use FLRT regularly | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 8.1.2 Configuring syslog - remote logging | AUDIT AND ACCOUNTABILITY |
| 8.1.3 Configuring syslog - remote messages | AUDIT AND ACCOUNTABILITY |
| 8.2 AIX Auditing | AUDIT AND ACCOUNTABILITY |
| CIS_AIX_7.2_Benchmark_v1.1.0_Level_2.audit from CIS AIX 7.2 Benchmark v1.1.0 Level 2 Benchmark | |
