DISA STIG AIX 6.1 v1r13

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG AIX 6.1 v1r13

Updated: 2/11/2019

Authority: DISA STIG

Plugin: Unix

Revision: 1.4

Estimated Item Count: 884

File Details

Filename: DISA_STIG_AIX_6.1_v1r13.audit

Size: 1.2 MB

MD5: 9bfd453a58384c0664ec15ef6d9a67fe

SHA256: dff9c939c6da3b5b70b82030d32472759dd24566fffff3c277a7783dc791e3f6

Audit Changelog


Revision 1.4 Feb 11, 2019 Miscellaneous Audit deprecated. Metadata updated.
Revision 1.3 Feb 8, 2019 Miscellaneous Metadata updated. References updated.
Revision 1.2 Dec 14, 2018 Miscellaneous References updated.
Revision 1.1 Jul 24, 2018 Functional Update DISA_STIG_AIX_6.1_v1r13.audit for AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE v1r13 GEN000000-AIX00020 - AIX Trusted Computing Base (TCB) software must be implemented. GEN000000-AIX00040 - The securetcpip command must be used - /etc/security/config has been configured GEN000000-AIX00040 - The securetcpip command must be used. GEN000000-AIX00060 - A baseline of AIX files with the TCB bit set must be checked weekly. GEN000000-AIX00080 - The SYSTEM attribute must not be set to NONE for any account. GEN000000-AIX0085 - The /etc/netsvc.conf file must be root owned. GEN000000-AIX0090 - The /etc/netsvc.conf file must be group-owned by bin, sys, or system. GEN000000-AIX0100 - The /etc/netsvc.conf file must have mode 0644 or less permissive. GEN000000-AIX0110 - The /etc/netsvc.conf file must not have an extended ACL. GEN000000-AIX0200 - The system must not allow directed broadcasts to gateway. GEN000000-AIX0210 - The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections. GEN000000-AIX0220 - The system must provide protection for the TCP stack against connection resets, SYN, and data injection attacks. GEN000000-AIX0230 - The system must provide protection against IP fragmentation attacks. GEN000000-AIX0300 - The system must not have the bootp service active. GEN000000-AIX0310 - The /etc/ftpaccess.ctl file must exist. GEN000000-AIX0320 - The /etc/ftpaccess.ctl file must be owned by root. GEN000000-AIX0330 - The /etc/ftpaccess.ctl file must be group-owned by bin, sys, or system. GEN000000-AIX0340 - The /etc/ftpaccess.ctl file must have mode 0640 or less permissive. GEN000000-AIX0350 - The /etc/ftpaccess.ctl file must not have an extended ACL. GEN000020 - The system must require authentication upon booting into single-user and maintenance modes. GEN000100 - The operating system must be a supported release. GEN000120 - System security patches and updates must be installed and up-to-date - instfix -i GEN000120 - System security patches and updates must be installed and up-to-date - oslevel -s GEN000140 - A file integrity baseline must be created and maintained. GEN000220 - A file integrity tool must be used at least weekly to check for unauthorized file, system libraries or binaries changes. GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'NTP daemon is running' GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'NTP daemon is started at boot' GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'NTP daemon uses approved sources' GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'xntpd is started at boot time' GEN000240 - The system clock must be synchronized to an authoritative DoD time source - 'xntpd\|ntpd is running' GEN000241 - The system clock must be synchronized continuously, or at least daily - 'NTP daemon is running' GEN000241 - The system clock must be synchronized continuously, or at least daily - 'NTP daemon is started at boot' GEN000242 - The system must use at least two time sources for clock synchronization - 'NTP daemon is running' GEN000242 - The system must use at least two time sources for clock synchronization - 'NTP daemon is started at boot' GEN000242 - The system must use at least two time sources for clock synchronization - 'at least 2 servers are configured' GEN000244 - The system must use time sources local to the enclave. GEN000250 - The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root. GEN000251 - The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by bin, sys, or system. GEN000252 - The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. GEN000253 - The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL. GEN000280 - Direct logins must not be permitted to shared, default, application, or utility accounts - '/etc/security/user rlogin=false' GEN000280 - Direct logins must not be permitted to shared, default, application, or utility accounts - 'results of last should be reviewed' GEN000290 - The system must not have unnecessary accounts - 'ftp does not exsit' GEN000290 - The system must not have unnecessary accounts - 'games does not exsit' GEN000290 - The system must not have unnecessary accounts - 'gopher does not exsit' GEN000290 - The system must not have unnecessary accounts - 'guest does not exsit' GEN000290 - The system must not have unnecessary accounts - 'lp does not exsit' GEN000290 - The system must not have unnecessary accounts - 'news does not exsit' GEN000290 - The system must not have unnecessary accounts - 'uucp does not exsit' GEN000300 - All accounts on the system must have unique user or account names. GEN000320 - All accounts must be assigned unique User Identification Numbers (UIDs). GEN000340 - UIDs reserved for system accounts must not be assigned to non-system accounts. GEN000360 - Group Identifiers (GIDs) reserved for system accounts must not be assigned to non-system groups. GEN000380 - All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. GEN000400 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Dtlogingreeting.labelString' GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Xlogingreeting' GEN000410 - The FTPS/FTP service on the system must be configured with the DoD login banner - '/etc/ftpaccess.ctl contains herald' GEN000410 - The FTPS/FTP service on the system must be configured with the DoD login banner - '/etc/ftpaccess.ctl group-owned by system' GEN000410 - The FTPS/FTP service on the system must be configured with the DoD login banner - '/etc/ftpaccess.ctl owned by root' GEN000410 - The FTPS/FTP service on the system must be configured with the DoD login banner - '/etc/ftpaccess.ctl permissions are 640' GEN000410 - The FTPS/FTP service on the system must be configured with the DoD login banner - '/etc/herald contains banner' GEN000410 - The FTPS/FTP service on the system must be configured with the DoD login banner - '/etc/herald group-owned by system' GEN000410 - The FTPS/FTP service on the system must be configured with the DoD login banner - '/etc/herald owned by root' GEN000410 - The FTPS/FTP service on the system must be configured with the DoD login banner - '/etc/herald permissions are 644' GEN000440 - Successful and unsuccessful logins and logouts must be logged - 'successful logins are being logged' GEN000440 - Successful and unsuccessful logins and logouts must be logged - 'unsuccessful logins are being logged' GEN000450 - The system must limit users to 10 simultaneous system logins in accordance with operational requirements. GEN000452 - The system must display the date and time of the last successful account login upon login. GEN000460 - The system must disable accounts after three consecutive unsuccessful login attempts. GEN000480 - The delay between login prompts following a failed login attempt must be at least 4 seconds. GEN000500 - GUI desktops provided by the system must lock after 15 idle minutes and the must require users to re-authenticate to unlock. GEN000510 - The system must display a publicly-viewable pattern during a graphical desktop environment session lock. GEN000520 - The root user must not own the logon session for an application requiring a continuous display. GEN000540 - Users must not be able to change passwords more than once every 24 hours. GEN000560 - The system must not have accounts configured with blank or null passwords. GEN000580 - The system must require passwords to contain a minimum of 15 characters. GEN000585 - The system must enforce the entire password during authentication - 'Verify no password hashes in /etc/passwd' GEN000585 - The system must enforce the entire password during authentication - 'Verify no password hashes in the /etc/security/passwd' GEN000590 - The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes. GEN000595 - Password hashes must have been generated using a FIPS 140-2 hashing algorithm - 'Verify no password hashes in /etc/passwd' GEN000595 - Password hashes must have been generated using a FIPS 140-2 hashing algorithm - 'no password hashes in /etc/security/passwd' GEN000640 - The system must require that passwords contain at least one special character. GEN000680 - The system must require passwords to contain no more than three consecutive repeating characters. GEN000700 - User passwords must be changed at least every 60 days. GEN000740 - All non-interactive/automated processing account passwords must be changed at least once per year or be locked. GEN000750 - The system must require at least eight characters be changed between the old and new passwords during a password change. GEN000760 - Accounts must be locked upon 35 days of inactivity. GEN000790 - The system must prevent the use of dictionary words for passwords. GEN000800 - The system must prohibit the reuse of passwords within five iterations. GEN000850 - The system must restrict the ability to switch to the root user to members of a defined group. GEN000880 - The root account must be the only account having an UID of 0. GEN000900 - The root user's home directory must not be the root directory (/). GEN000920 - The root account's home directory (other than /) must have mode 0700. GEN000930 - The root account's home directory must not have an extended ACL. GEN000940 - The root accounts executable search path must be the vendor default and must contain only authorized paths GEN000945 - The root account's library search path must be the system default and must contain only absolute paths. GEN000950 - The root account's list of preloaded libraries must be empty. GEN000960 - The root account must not have world-writable directories in its executable search path. GEN000980 - The system must prevent the root account from directly logging in except from the system console. GEN001000 - Remote consoles must be disabled or protected from unauthorized access. GEN001020 - The root account must not be used for direct logins. GEN001060 - The system must log successful and unsuccessful access to the root account. GEN001100 - Root passwords must never be passed over a network in clear text form - 'root has logged in over a network' GEN001100 - Root passwords must never be passed over a network in clear text form - 'ssh is running' GEN001120 - The system must not permit root logins using remote access programs, such as ssh. GEN001140 - System files and directories must not have uneven access permissions - '/bin' GEN001140 - System files and directories must not have uneven access permissions - '/etc' GEN001140 - System files and directories must not have uneven access permissions - '/sbin' GEN001140 - System files and directories must not have uneven access permissions - '/usr/bin' GEN001140 - System files and directories must not have uneven access permissions - '/usr/lbin' GEN001140 - System files and directories must not have uneven access permissions - '/usr/sbin' GEN001140 - System files and directories must not have uneven access permissions - '/usr/ucb' GEN001160/GEN001170 - All files and directories must have a valid owner and group owner. GEN001180 - All network services daemon files must have mode 0755 or less permissive - '/usr/bin/' GEN001180 - All network services daemon files must have mode 0755 or less permissive - '/usr/sbin/' GEN001190 - All network services daemon files must not have extended ACLs - /usr/bin/* GEN001190 - All network services daemon files must not have extended ACLs - /usr/sbin/* GEN001200 - All system command files must have mode 0755 or less permissive - '/bin/' GEN001200 - All system command files must have mode 0755 or less permissive - '/etc/' GEN001200 - All system command files must have mode 0755 or less permissive - '/sbin/' GEN001200 - All system command files must have mode 0755 or less permissive - '/usr/bin/' GEN001200 - All system command files must have mode 0755 or less permissive - '/usr/lbin/' GEN001200 - All system command files must have mode 0755 or less permissive - '/usr/sbin/' GEN001200 - All system command files must have mode 0755 or less permissive - '/usr/ucb/' GEN001210 - All system command files must not have extended ACLs - '/bin/' GEN001210 - All system command files must not have extended ACLs - '/etc/' GEN001210 - All system command files must not have extended ACLs - '/sbin/' GEN001210 - All system command files must not have extended ACLs - '/usr/bin/' GEN001210 - All system command files must not have extended ACLs - '/usr/lbin/' GEN001210 - All system command files must not have extended ACLs - '/usr/sbin/' GEN001210 - All system command files must not have extended ACLs - '/usr/ucb/' GEN001220 - All system files, programs, and directories must be owned by a system account - '/bin/' GEN001220 - All system files, programs, and directories must be owned by a system account - '/etc/' GEN001220 - All system files, programs, and directories must be owned by a system account - '/sbin/' GEN001220 - All system files, programs, and directories must be owned by a system account - '/usr/bin/' GEN001220 - All system files, programs, and directories must be owned by a system account - '/usr/lbin/' GEN001220 - All system files, programs, and directories must be owned by a system account - '/usr/sbin/' GEN001220 - All system files, programs, and directories must be owned by a system account - '/usr/ucb/' GEN001240 - System files, programs, and directories must be group-owned by a system group - '/bin/' GEN001240 - System files, programs, and directories must be group-owned by a system group - '/etc/' GEN001240 - System files, programs, and directories must be group-owned by a system group - '/sbin/' GEN001240 - System files, programs, and directories must be group-owned by a system group - '/usr/bin/' GEN001240 - System files, programs, and directories must be group-owned by a system group - '/usr/lbin/' GEN001240 - System files, programs, and directories must be group-owned by a system group - '/usr/sbin/' GEN001240 - System files, programs, and directories must be group-owned by a system group - '/usr/ucb/' GEN001260 - System log files must have mode 0640 or less permissive - '/var/adm/' GEN001260 - System log files must have mode 0640 or less permissive - '/var/log/' GEN001260 - System log files must have mode 0640 or less permissive - '/var/log/syslog/' GEN001270 - System log files must not have extended ACLs, except as needed to support authorized software. GEN001280 - Manual page files must have mode 0644 or less permissive - '/usr/share/info/' GEN001280 - Manual page files must have mode 0644 or less permissive - '/usr/share/infopage/' GEN001280 - Manual page files must have mode 0644 or less permissive - '/usr/share/man/' GEN001290 - All manual page files must not have extended ACLs - '/usr/share/info/' GEN001290 - All manual page files must not have extended ACLs - '/usr/share/infopage/' GEN001290 - All manual page files must not have extended ACLs - '/usr/share/man/' GEN001300 - Library files must have mode 0755 or less permissive - '/lib/' GEN001300 - Library files must have mode 0755 or less permissive - '/usr/lib/' GEN001310 - All library files must not have extended ACLs - '/lib/' GEN001310 - All library files must not have extended ACLs - '/usr/lib/' GEN001320 - NIS/NIS+/yp files must be owned by root, sys, or bin - '/usr/lib/netsvc/yp/' GEN001320 - NIS/NIS+/yp files must be owned by root, sys, or bin - '/usr/lib/nis/' GEN001320 - NIS/NIS+/yp files must be owned by root, sys, or bin - '/var/nis/' GEN001320 - NIS/NIS+/yp files must be owned by root, sys, or bin - '/var/yp/' GEN001340 - NIS/NIS+/yp files must be group-owned by sys, bin, other, or system - '/usr/lib/netsvc/yp/' GEN001340 - NIS/NIS+/yp files must be group-owned by sys, bin, other, or system - '/usr/lib/nis/' GEN001340 - NIS/NIS+/yp files must be group-owned by sys, bin, other, or system - '/var/nis/' GEN001340 - NIS/NIS+/yp files must be group-owned by sys, bin, other, or system - '/var/yp/' GEN001360 - The NIS/NIS+/yp files must have mode 0755 or less permissive - '/usr/lib/netsvc/yp/' GEN001360 - The NIS/NIS+/yp files must have mode 0755 or less permissive - '/usr/lib/nis/' GEN001360 - The NIS/NIS+/yp files must have mode 0755 or less permissive - '/var/nis/' GEN001360 - The NIS/NIS+/yp files must have mode 0755 or less permissive - '/var/yp/' GEN001361 - NIS/NIS+/yp command files must not have extended ACLs - '/var/nis' GEN001361 - NIS/NIS+/yp command files must not have extended ACLs - '/var/yp' GEN001362 - The /etc/resolv.conf file must be owned by root. GEN001363 - The /etc/resolv.conf file must be group-owned by bin, sys, or system. GEN001364 - The /etc/resolv.conf file must have mode 0644 or less permissive. GEN001365 - The /etc/resolv.conf file must not have an extended ACL. GEN001366 - The /etc/hosts file must be owned by root. GEN001367 - The /etc/hosts file must be group-owned by bin, sys, or system. GEN001368 - The /etc/hosts file must have mode 0644 or less permissive. GEN001369 - The /etc/hosts file must not have an extended ACL. GEN001371 - The /etc/nsswitch.conf file must be owned by root - Not Applicable GEN001372 - The /etc/nsswitch.conf file must be group-owned by root, bin, sys, or system - Not Applicable GEN001373 - The /etc/nsswitch.conf file must have mode 0644 or less permissive - Not Applicable GEN001374 - The /etc/nsswitch.conf file must not have an extended ACL. GEN001378 - The /etc/passwd file must be owned by root. GEN001379 - The /etc/passwd file must be group-owned by bin, security, sys, or system. GEN001380 - The /etc/passwd file must have mode 0644 or less permissive. GEN001390 - The /etc/passwd file must not have an extended ACL. GEN001391 - The /etc/group file must be owned by root. GEN001392 - The /etc/group file must be group-owned by security, bin, sys, or system. GEN001393 - The /etc/group file must have mode 0644 or less permissive. GEN001394 - The /etc/group file must not have an extended ACL. GEN001400 - The /etc/security/passwd file must be owned by root. GEN001410 - The /etc/security/passwd file must be group-owned by security, bin, sys, or system. GEN001420 - The /etc/security/passwd file must have mode 0400. GEN001430 - The /etc/security/passwd file must not have an extended ACL. GEN001440 - All interactive users must be assigned a home directory in the /etc/passwd file. GEN001460 - All interactive user home directories defined in the /etc/passwd file must exist. GEN001475 - The /etc/group file must not contain any group password hashes. GEN001480 - All users' home directories must have mode 0750 or less permissive. GEN001490 - User home directories must not have extended ACLs. GEN001500 - All interactive users' home directories must be owned by their respective users. GEN001520 - All interactive users' home directories must be group-owned by the home directory owner's primary group. GEN001540 - All files and directories contained in interactive user's home directories must be owned by the home directory's owner. GEN001550 - All files and directories in user's home directories must be group-owned by a group the home directory's owner is a member. GEN001560 - All files and directories contained in user's home directories must have mode 0750 or less permissive. GEN001570 - All files and directories contained in user home directories must not have extended ACLs. GEN001580 - All run control scripts must have mode 0755 or less permissive. GEN001590 - All run control scripts must have no extended ACLs - '/etc/init.d' GEN001590 - All run control scripts must have no extended ACLs - '/etc/rc' GEN001600 - Run control scripts executable search paths must contain only authorized paths. GEN001605 - Run control scripts library search paths must contain only authorized paths. GEN001610 - Run control scripts lists of preloaded libraries must contain only authorized paths. GEN001640 - Run control scripts must not execute world-writable programs or scripts. GEN001660 - All system start-up files must be owned by root. GEN001680 - All system start-up files must be group-owned by sys, bin, other, or system. GEN001700 - System start-up files must only execute programs owned by a privileged UID or an application. GEN001720 - All global initialization files must have mode 0644 or less permissive - '/etc/.login' GEN001720 - All global initialization files must have mode 0644 or less permissive - '/etc/bashrc' GEN001720 - All global initialization files must have mode 0644 or less permissive - '/etc/csh.cshrc' GEN001720 - All global initialization files must have mode 0644 or less permissive - '/etc/csh.login' GEN001720 - All global initialization files must have mode 0644 or less permissive - '/etc/environment' GEN001720 - All global initialization files must have mode 0644 or less permissive - '/etc/profile' GEN001720 - All global initialization files must have mode 0644 or less permissive - '/etc/security/.profile' GEN001720 - All global initialization files must have mode 0644 or less permissive - '/etc/security/environ' GEN001730 - All global initialization files must not have extended ACLs - '/etc/.login' GEN001730 - All global initialization files must not have extended ACLs - '/etc/bashrc' GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.cshrc' GEN001730 - All global initialization files must not have extended ACLs - '/etc/csh.login' GEN001730 - All global initialization files must not have extended ACLs - '/etc/environment' GEN001730 - All global initialization files must not have extended ACLs - '/etc/profile' GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/.profile' GEN001730 - All global initialization files must not have extended ACLs - '/etc/security/environ' GEN001740 - All global initialization files must be owned by root - '/etc/.login' GEN001740 - All global initialization files must be owned by root - '/etc/bashrc' GEN001740 - All global initialization files must be owned by root - '/etc/csh.cshrc' GEN001740 - All global initialization files must be owned by root - '/etc/csh.login' GEN001740 - All global initialization files must be owned by root - '/etc/environment' GEN001740 - All global initialization files must be owned by root - '/etc/profile' GEN001740 - All global initialization files must be owned by root - '/etc/security/.profile' GEN001740 - All global initialization files must be owned by root - '/etc/security/environ' GEN001760 - All global initialization files must be group-owned by sys, bin, system, or security - '/etc/.login' GEN001760 - All global initialization files must be group-owned by sys, bin, system, or security - '/etc/bashrc' GEN001760 - All global initialization files must be group-owned by sys, bin, system, or security - '/etc/csh.cshrc' GEN001760 - All global initialization files must be group-owned by sys, bin, system, or security - '/etc/csh.login' GEN001760 - All global initialization files must be group-owned by sys, bin, system, or security - '/etc/environment' GEN001760 - All global initialization files must be group-owned by sys, bin, system, or security - '/etc/profile' GEN001760 - All global initialization files must be group-owned by sys, bin, system, or security - '/etc/security/.profile' GEN001760 - All global initialization files must be group-owned by sys, bin, system, or security - '/etc/security/environ' GEN001780 - Global initialization files must contain the mesg -n or mesg n commands. GEN001800 - All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive - '/etc/security/.profile' GEN001800 - All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive - '/etc/security/mkuser.sys' GEN001810 - Skeleton files must not have extended ACLs - '/etc/security/.profile' GEN001810 - Skeleton files must not have extended ACLs - '/etc/security/mkuser.sys' GEN001820 - All skeleton files and directories (typically in /etc/skel) must be owned by root or bin - '/etc/security/.profile' GEN001820 - All skeleton files and directories (typically in /etc/skel) must be owned by root or bin - '/etc/security/mkuser.sys' GEN001830 - All skeleton files (typically in /etc/skel) must be group-owned by security - '/etc/security/.profile' GEN001830 - All skeleton files (typically in /etc/skel) must be group-owned by security - '/etc/security/mkuser.sys' GEN001840 - All global initialization files executable search paths must contain only authorized paths - '/etc/.login' GEN001840 - All global initialization files executable search paths must contain only authorized paths - '/etc/bashrc' GEN001840 - All global initialization files executable search paths must contain only authorized paths - '/etc/csh.cshrc' GEN001840 - All global initialization files executable search paths must contain only authorized paths - '/etc/csh.login' GEN001840 - All global initialization files executable search paths must contain only authorized paths - '/etc/environment' GEN001840 - All global initialization files executable search paths must contain only authorized paths - '/etc/profile' GEN001840 - All global initialization files executable search paths must contain only authorized paths - '/etc/security/environ' GEN001845 - Global initialization files library search paths must contain only authorized paths - '/etc/bashrc' GEN001845 - Global initialization files library search paths must contain only authorized paths - '/etc/environment' GEN001845 - Global initialization files library search paths must contain only authorized paths - '/etc/profile' GEN001845 - Global initialization files library search paths must contain only authorized paths - '/etc/security/.login' GEN001845 - Global initialization files library search paths must contain only authorized paths - '/etc/security/environ' GEN001850 - Global initialization files lists of preloaded libraries must contain only authorized paths - '/etc/bashrc' GEN001850 - Global initialization files lists of preloaded libraries must contain only authorized paths - '/etc/environment' GEN001850 - Global initialization files lists of preloaded libraries must contain only authorized paths - '/etc/profile' GEN001850 - Global initialization files lists of preloaded libraries must contain only authorized paths - '/etc/security/.login' GEN001850 - Global initialization files lists of preloaded libraries must contain only authorized paths - '/etc/security/environ' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.bash_logout' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.bash_profile' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.bashrc' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.cshrc' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.dispatch' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.dtprofile' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.emacs' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.env' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.exrc' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.login' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.logout' GEN001870 - Local initialization files must be group-owned by the user's primary group or root - '~/.profile' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.bash_logout' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.bash_profile' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.bashrc' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.cshrc' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.dispatch' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.emacs' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.env' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.exrc' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.login' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.logout' GEN001880 - All local initialization files must have mode 0740 or less permissive - '~/.profile' GEN001880 - All local initialization files must have mode 0755 or less permissive - '~/.dt' GEN001880 - All local initialization files must have mode 0755 or less permissive - '~/.dtprofile' GEN001890 - Local initialization files must not have extended ACLs - '.bash_logout' GEN001890 - Local initialization files must not have extended ACLs - '.bash_profile' GEN001890 - Local initialization files must not have extended ACLs - '.bashrc' GEN001890 - Local initialization files must not have extended ACLs - '.cshrc' GEN001890 - Local initialization files must not have extended ACLs - '.dispatch' GEN001890 - Local initialization files must not have extended ACLs - '.dtprofile' GEN001890 - Local initialization files must not have extended ACLs - '.emacs' GEN001890 - Local initialization files must not have extended ACLs - '.env' GEN001890 - Local initialization files must not have extended ACLs - '.exrc' GEN001890 - Local initialization files must not have extended ACLs - '.login' GEN001890 - Local initialization files must not have extended ACLs - '.logout' GEN001890 - Local initialization files must not have extended ACLs - '.profile' GEN001900 - All local initialization files executable search paths must contain only authorized paths. GEN001901 - Local initialization files library search paths must contain only authorized paths - 'LD_LIBRARY_PATH' GEN001901 - Local initialization files library search paths must contain only authorized paths - 'LIBPATH' GEN001902 - Local initialization files lists of preloaded libraries must contain only authorized paths. GEN001940 - User start-up files must not execute world-writable programs. GEN001980 - /etc/security/passwd file must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP-'/etc/security/passwd' GEN001980 - The .rhosts file must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP - '~/.rhosts' GEN001980 - The .shosts file must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP - '~/.shosts' GEN001980 - The /etc/group file must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP - '/etc/group' GEN001980 - The /etc/passwd file must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP - '/etc/passwd' GEN001980 - The hosts.equiv file must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP - '~/hosts.equiv' GEN001980 - The shosts.equiv file must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP - '~/shosts.equiv' GEN002000 - There must be no .netrc files on the system. GEN002020 - All .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs. GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - '.rhosts' GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - '.shosts' GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - 'hosts.equiv' GEN002040 - There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system - 'shosts.equiv' GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner - '~/.rhosts' - permissions GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner - '~/.rhosts' - user GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner - '~/.shosts' - permissions GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner - '~/.shosts' - user GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner - '~/hosts.equiv' - permissions GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner - '~/hosts.equiv' - user GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner - '~/shosts.equiv' - permissions GEN002060 - All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner - '~/shosts.equiv' - user GEN002100 - The .rhosts file must not be supported in PAM. GEN002120 - The /etc/shells (or equivalent) file must exist - '/etc/security/login.cfg contains shells=' GEN002120 - The /etc/shells (or equivalent) file must exist - '/etc/shells file exists' GEN002140 - All shells referenced in /etc/passwd must be listed in the /etc/shells file, except shells specified for preventing logins GEN002200 - All shell files must be owned by root or bin. GEN002210 - All shell files must be group-owned by root, bin, sys, or system. GEN002220 - All shell files must have mode 0755 or less permissive. GEN002230 - All shell files must not have extended ACLs. GEN002260 - The system must be checked for extraneous device files at least weekly. GEN002280 - Device files and directories must only be writable by users with a system account or as configured by the vendor. GEN002300 - Device files used for backup must only be readable and/or writable by root or the backup user - '/dev/cd' GEN002300 - Device files used for backup must only be readable and/or writable by root or the backup user - '/dev/rmt' GEN002320 - Audio devices must have mode 0660 or less permissive. GEN002330 - Audio devices must not have extended ACLs. GEN002340 - Audio devices must be owned by root. GEN002360 - Audio devices must be group-owned by root, sys, bin, or system. GEN002380 - The owner, group, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures GEN002400 - The system must be checked weekly for unauthorized setuid files and unauthorized modification to authorized setuid files. GEN002420 - Removable media, remote file systems and any file system not containing approved setuid files must be mounted with nosuid. GEN002430 - Removable media, remote file systems and any file system not containing approved device files must be mounted with nodev GEN002440 - The owner, group, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures GEN002460 - The system must be checked weekly for unauthorized setgid files and unauthorized modification to authorized setgid files. GEN002480 - Public directories must be the only world-writable directories and world-writable files must be located only in public dirs GEN002500 - The sticky bit must be set on all public directories. GEN002520 - All public directories must be owned by root or an application account. GEN002540 - All public directories must be group-owned by system or an application group. GEN002560 - The system and user default umask must be 077 - '/etc/' GEN002560 - The system and user default umask must be 077 - user initialization files GEN002640 - Default system accounts must be disabled or removed. GEN002660 - Auditing must be implemented. GEN002680 - System audit logs must be owned by root. GEN002690 - System audit logs must be group-owned by bin, sys, or system. GEN002700 - System audit logs must have mode 0640 or less permissive. GEN002710 - All system audit files must not have extended ACLs. GEN002715 - System audit tool executables must be owned by root - '/usr/sbin/audit' GEN002715 - System audit tool executables must be owned by root - '/usr/sbin/auditbin' GEN002715 - System audit tool executables must be owned by root - '/usr/sbin/auditcat' GEN002715 - System audit tool executables must be owned by root - '/usr/sbin/auditconv' GEN002715 - System audit tool executables must be owned by root - '/usr/sbin/auditmerge' GEN002715 - System audit tool executables must be owned by root - '/usr/sbin/auditpr' GEN002715 - System audit tool executables must be owned by root - '/usr/sbin/auditselect' GEN002715 - System audit tool executables must be owned by root - '/usr/sbin/auditstream' GEN002716 - System audit tool executables must be group-owned by bin, sys, or system - '/usr/sbin/audit' GEN002716 - System audit tool executables must be group-owned by bin, sys, or system - '/usr/sbin/auditbin' GEN002716 - System audit tool executables must be group-owned by bin, sys, or system - '/usr/sbin/auditcat' GEN002716 - System audit tool executables must be group-owned by bin, sys, or system - '/usr/sbin/auditconv' GEN002716 - System audit tool executables must be group-owned by bin, sys, or system - '/usr/sbin/auditmerge' GEN002716 - System audit tool executables must be group-owned by bin, sys, or system - '/usr/sbin/auditpr' GEN002716 - System audit tool executables must be group-owned by bin, sys, or system - '/usr/sbin/auditselect' GEN002716 - System audit tool executables must be group-owned by bin, sys, or system - '/usr/sbin/auditstream' GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/audit' GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditbin' GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditcat' GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditconv' GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditmerge' GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditpr' GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditselect' GEN002717 - System audit tool executables must have mode 0750 or less permissive - '/usr/sbin/auditstream' GEN002718 - System audit tool executables must not have extended ACLs - '/usr/sbin/audit' GEN002718 - System audit tool executables must not have extended ACLs - '/usr/sbin/auditbin' GEN002718 - System audit tool executables must not have extended ACLs - '/usr/sbin/auditcat' GEN002718 - System audit tool executables must not have extended ACLs - '/usr/sbin/auditconv' GEN002718 - System audit tool executables must not have extended ACLs - '/usr/sbin/auditmerge' GEN002718 - System audit tool executables must not have extended ACLs - '/usr/sbin/auditpr' GEN002718 - System audit tool executables must not have extended ACLs - '/usr/sbin/auditselect' GEN002718 - System audit tool executables must not have extended ACLs - '/usr/sbin/auditstream' GEN002720 - System must be configured to audit failed attempts to access files/programs - '/etc/security/audit/config FILE_Open exists' GEN002720 - System must be configured to audit failed attempts to access files/programs - '/etc/security/audit/events FILE_Open exists' GEN002720 - System must be configured to audit failed attempts to access files/programs - 'User audit class assignments should be reviewed' GEN002740 - The audit system must be configured to audit file deletions - '/etc/security/audit/config FILE_Unlink exists' GEN002740 - The audit system must be configured to audit file deletions - '/etc/security/audit/events FILE_Unlink exists' GEN002740 - The audit system must be configured to audit file deletions - '/etc/security/audit/events FS_Rmdir exists' GEN002740 - The audit system must be configured to audit file deletions - 'User audit class assignments should be reviewed' GEN002750 - The audit system must be configured to audit account creation - '/etc/security/audit/config USER_Create exists' GEN002750 - The audit system must be configured to audit account creation - '/etc/security/audit/events USER_Create exists' GEN002750 - The audit system must be configured to audit account creation - 'User audit class assignments should be reviewed' GEN002751 - The audit system must be configured to audit account modification - '/etc/security/audit/config USER_Change exists' GEN002751 - The audit system must be configured to audit account modification - '/etc/security/audit/events USER_Change exists' GEN002751 - The audit system must be configured to audit account modification - 'User audit class assignments should be reviewed' GEN002752 - The audit system must be configured to audit account disabling - '/etc/security/audit/config USER_Change exists' GEN002752 - The audit system must be configured to audit account disabling - '/etc/security/audit/config USER_Locked exists' GEN002752 - The audit system must be configured to audit account disabling - '/etc/security/audit/events USER_Change exists' GEN002752 - The audit system must be configured to audit account disabling - 'User audit class assignments should be reviewed' GEN002753 - The audit system must be configured to audit account termination - '/etc/security/audit/config USER_Remove exists' GEN002753 - The audit system must be configured to audit account termination - '/etc/security/audit/events USER_Remove exists' GEN002753 - The audit system must be configured to audit account termination - 'User audit class assignments should be reviewed' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config ACCT_Disable exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config ACCT_Enable exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config AUD_it exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config BACKUP_Export exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config DEV_Change exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config DEV_Configure exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config DEV_Create exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config FILE_Chpriv exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config FILE_Fchpriv exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config FILE_Mknod exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config FILE_Owner exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config FS_Chroot exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config FS_Mount exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config FS_Umount exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config PASSWORD_Check exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config PROC_Adjtime exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config PROC_Kill exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config PROC_Privilege exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config PROC_SetUserIDs exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config PROC_Setpgid exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config RESTORE_Import exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config TCBCK_Delete exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config USER_Change exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config USER_Create exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config USER_Reboot exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config USER_Remove exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/config USER_SetEnv exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events ACCT_Disable exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events ACCT_Enable exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events AUD_it exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events BACKUP_Export exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events DEV_Change exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events DEV_Configure exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events DEV_Create exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events FILE_Chpriv exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events FILE_Fchpriv exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events FILE_Mknod exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events FILE_Owner exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events FS_Chroot exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events FS_Mount exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events FS_Umount exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events PASSWORD_Check exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events PROC_Adjtime exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events PROC_Kill exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events PROC_Privilege exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events PROC_SetUserIDs exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events PROC_Setpgid exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events RESTORE_Import exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events TCBCK_Delete exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events USER_Change exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events USER_Create exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events USER_Reboot exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events USER_Remove exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - '/etc/security/audit/events USER_SetEnv exists' GEN002760 - System must be configured to audit all admin/privileged/security actions - 'User audit class assignments should be reviewed' GEN002800 - System must be configured to audit login, logout, and session initiation - '/etc/security/audit/config INIT_End exists' GEN002800 - System must be configured to audit login, logout, and session initiation - '/etc/security/audit/config INIT_Start exists' GEN002800 - System must be configured to audit login, logout, and session initiation - '/etc/security/audit/config USER_Login exists' GEN002800 - System must be configured to audit login, logout, and session initiation - '/etc/security/audit/config USER_Logout exists' GEN002800 - System must be configured to audit login, logout, and session initiation - '/etc/security/audit/config USER_SU exists' GEN002800 - System must be configured to audit login, logout, and session initiation - '/etc/security/audit/events INIT_End exists' GEN002800 - System must be configured to audit login, logout, and session initiation - '/etc/security/audit/events INIT_Start exists' GEN002800 - System must be configured to audit login, logout, and session initiation - '/etc/security/audit/events USER_Login exists' GEN002800 - System must be configured to audit login, logout, and session initiation - '/etc/security/audit/events USER_Logout exists' GEN002800 - System must be configured to audit login, logout, and session initiation - '/etc/security/audit/events USER_SU exists' GEN002800 - System must be configured to audit login, logout, and session initiation - 'User audit class assignments should be reviewed' GEN002820 - Audit system is configured to audit all access control permission modifications - 'FILE_Acl' GEN002820 - Audit system is configured to audit all access control permission modifications - 'FILE_Fchmod' GEN002820 - Audit system is configured to audit all access control permission modifications - 'FILE_Fchown' GEN002820 - Audit system is configured to audit all access control permission modifications - 'FILE_Mode' GEN002820 - Audit system is configured to audit all access control permission modifications - 'FILE_Owner' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/config DEV_Configure exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/config DEV_Create exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/config DEV_Remove exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/config DEV_Stop exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/config DEV_Unconfigure exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/config FILE_Mknod exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/events DEV_Configure exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/events DEV_Create exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/events DEV_Remove exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/events DEV_Stop exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/events DEV_Unconfigure exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/events FILE_Mknod exists' GEN002825 - System must be configured to audit load/unload dynamic kernel modules - 'User audit class assignments should be reviewed' GEN002860 - Audit logs must be rotated daily. GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/security/audit/config streammode=on' GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/security/audit/streamcmds is configured' GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/syslog.conf has been configured' GEN002960 - Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s) - '/var/adm/cron/cron.allow' GEN002960 - Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s) - '/var/adm/cron/cron.deny' GEN002980 - The cron.allow file must have mode 0600 or less permissive. GEN002990 - The cron.allow file must not have an extended ACL. GEN003000 - Cron must not execute group-writable or world-writable programs. GEN003020 - Cron must not execute programs in, or subordinate to, world-writable directories. GEN003040 - Crontabs must be owned by root or the crontab creator. GEN003050 - Crontab files must be group-owned by system, cron, or the crontab creator's primary group. GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'adm' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'bin' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'daemon' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'esaadmin' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'guest' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'invscout' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'ipsec' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'lp' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'lpd' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'nobody' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'nuucp' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'pconsole' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'snapp' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'sshd' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'sys' GEN003060 - Default system accounts must not be in the cron.allow file or must be in cron.deny - 'uucp' GEN003080 - Crontab files must have mode 0600 or less permissive. GEN003090 - Crontab files must not have extended ACLs. GEN003100 - Cron and crontab directories must have mode 0755 or less permissive. GEN003110 - Cron and crontab directories must not have extended ACLs - '/var/spool/cron' - acls disabled GEN003110 - Cron and crontab directories must not have extended ACLs - '/var/spool/cron' - no acls enabled GEN003110 - Cron and crontab directories must not have extended ACLs - '/var/spool/cron/crontabs/' GEN003120 - Cron and crontab directories must be owned by root or bin. GEN003140 - Cron and crontab directories must be group-owned by system, sys, bin, or cron. GEN003160 - Cron logging must be implemented. GEN003180 - The cronlog file must have mode 0600 or less permissive. GEN003190 - The cron log files must not have extended ACLs. GEN003200 - The cron.deny file must have mode 0600 or less permissive. GEN003210 - The cron.deny file must not have an extended ACL. GEN003220 - Cron programs must not set the umask to a value less restrictive than 077. GEN003240 - The cron.allow file must be owned by root, bin, or sys. GEN003245 - The at.allow file must not have an extended ACL. GEN003250 - The cron.allow file must be group-owned by system, bin, sys, or cron. GEN003252 - The at.deny file must have mode 0640 or less permissive. GEN003255 - The at.deny file must not have an extended ACL. GEN003260 - The cron.deny file must be owned by root, bin, or sys. GEN003270 - The cron.deny file must be group-owned by system, bin, sys, or cron. GEN003280 - Access to the at utility must be controlled via the at.allow and/or at.deny file(s) - '/var/adm/cron/at.allow exists' GEN003280 - Access to the at utility must be controlled via the at.allow and/or at.deny file(s) - '/var/adm/cron/at.deny exists' GEN003300 - The at.deny file must not be empty if it exists GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'adm' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'bin' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'daemon' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'esaadmin' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'guest' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'invscout' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'ipsec' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lp' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'lpd' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nobody' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'nuucp' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'pconsole' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'snapp' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sshd' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'sys' GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'uucp' GEN003340 - The at.allow file must have mode 0600 or less permissive. GEN003360 - The at daemon must not execute group-writable or world-writable programs. GEN003380 - The 'at' daemon must not execute programs in, or subordinate to, world-writable directories. GEN003400 - The at directory must have mode 0755 or less permissive. GEN003410 - The at directory must not have an extended ACL. GEN003420 - The at directory must be owned by root, bin, sys, daemon, or cron. GEN003430 - The 'at' directory must be group-owned by system, bin, sys, or cron. GEN003440 - 'At' jobs must not set the umask to a value less restrictive than 077 - '/var/spool/atjobs/' GEN003440 - 'At' jobs must not set the umask to a value less restrictive than 077 - '/var/spool/cron/atjobs/' GEN003460 - The at.allow file must be owned by root, bin, or sys. GEN003470 - The at.allow file must be group-owned by system, bin, sys, or cron. GEN003480 - The at.deny file must be owned by root, bin, or sys. GEN003490 - The at.deny file must be group-owned by system, bin, sys, or cron. GEN003500 - Process core dumps must be disabled unless needed. GEN003510 - Kernel core dumps must be disabled unless needed - 'primary dump device' GEN003510 - Kernel core dumps must be disabled unless needed - 'secondary dump device' GEN003520 - The kernel core dump data directory must be owned by root. GEN003521 - The kernel core dump data directory must be group-owned by bin, sys, or system. GEN003522 - The kernel core dump data directory must have mode 0700 or less permissive. GEN003523 - The kernel core dump data directory must not have an extended ACL. GEN003540 - The system must implement non-executable program stacks. GEN003600 - The system must not forward IPv4 source-routed packets. GEN003601 - TCP backlog queue sizes must be set appropriately. GEN003602 - The system must not process ICMP timestamp requests. GEN003603 - The system must not respond to ICMPv4 echoes sent to a broadcast address. GEN003604 - The system must not respond to ICMP timestamp requests sent to a broadcast address. GEN003605 - The system must not apply reversed source routing to TCP responses. GEN003606 - The system must prevent local applications from generating source-routed packets. GEN003607 - The system must not accept source-routed IPv4 packets. GEN003608 - Proxy ARP must not be enabled on the system. GEN003609 - The system must ignore IPv4 ICMP redirect messages. GEN003610 - The system must not send IPv4 ICMP redirects. GEN003611 - The system must log martian packets. GEN003612 - The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. GEN003620 - A separate file system must be used for user home directories (such as /home or equivalent). GEN003621 - The system must use a separate file system for /var. GEN003623 - The system must use a separate file system for the system audit data path. GEN003624 - The system must use a separate file system for /tmp (or equivalent). GEN003640 - The root file system must employ journaling or another mechanism ensuring file system consistency GEN003650 - All local file systems must employ journaling or another mechanism ensuring file system consistency. GEN003660 - The system must log authentication informational data - 'auth.' GEN003660 - The system must log authentication informational data - 'auth.info' GEN003660 - The system must log authentication informational data - 'auth.notice' GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled GEN003720 - The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin - 'inetd.conf' GEN003720 - The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin - 'xinetd.conf' GEN003720 - The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin - 'xinetd.d' GEN003730 - The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by bin, sys, or system - 'inetd.conf' GEN003730 - The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by bin, sys, or system - 'xinetd.conf' GEN003730 - The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by bin, sys, or system - 'xinetd.d' GEN003740 - The inetd.conf and xinetd.conf files must have mode 0440 or less permissive - 'inetd.conf' GEN003740 - The inetd.conf and xinetd.conf files must have mode 0440 or less permissive - 'xinetd.conf' GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'inetd.conf' GEN003745 - The inetd.conf and xinetd.conf files must not have extended ACLs - 'xinetd.conf' GEN003760 - The services file must be owned by root or bin. GEN003770 - The services file must be group-owned by bin, sys, or system. GEN003780 - The services file must have mode 0444 or less permissive. GEN003790 - The services file must not have an extended ACL. GEN003800 - Inetd or xinetd logging/tracing must be enabled. GEN003810 - The portmap or rpcbind service must not be running unless needed. GEN003815 - The portmap or rpcbind service must not be installed unless needed. GEN003820 - The rsh daemon must not be running. GEN003830 - The rlogind service must not be running. GEN003840 - The rexec daemon must not be running. GEN003850 - The telnet daemon must not be running. GEN003860 - The system must not have the finger service active. GEN003865 - Network analysis tools must not be installed - 'ethereal' GEN003865 - Network analysis tools must not be installed - 'netcat' GEN003865 - Network analysis tools must not be installed - 'snoop' GEN003865 - Network analysis tools must not be installed - 'tcpdump' GEN003865 - Network analysis tools must not be installed - 'tshark' GEN003865 - Network analysis tools must not be installed - 'wireshark' GEN003900 - The hosts.lpd file (or equivalent) must not contain a '+' character. GEN003920 - The hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp GEN003930 - The hosts.lpd (or equivalent) file must be group-owned by bin, sys, or system. GEN003940 - The hosts.lpd (or equivalent) must have mode 0644 or less permissive. GEN003950 - The hosts.lpd (or equivalent) file must not have an extended ACL. GEN003960 - The traceroute command owner must be root. GEN003980 - The traceroute command must be group-owned by sys, bin, or system. GEN004000 - The traceroute file must have mode 0700 or less permissive. GEN004010 - The traceroute file must not have an extended ACL. GEN004220 - Administrative accounts must not run a web browser, except as needed for local service administration. GEN004360 - The alias file must be owned by root. GEN004370 - The aliases file must be group-owned by sys, bin, or system. GEN004380 - The alias file must have mode 0644 or less permissive. GEN004390 - The alias file must not have an extended ACL. GEN004400 - Files executed through a mail aliases file must be owned by root and reside within a directory owned and writable only by root. GEN004410 - Files executed through a mail aliases file must be group-owned by root, bin, sys, or other. GEN004420 - Files executed through a mail aliases file must have mode 0755 or less permissive. GEN004430 - Files executed through a mail aliases file must not have extended ACLs. GEN004440 - Sendmail logging must not be set to less than nine in the sendmail.cf file. GEN004460 - The system syslog service must log informational and more severe SMTP service messages. GEN004480 - The SMTP service log file must be owned by root. GEN004500 - The SMTP service log file must have mode 0644 or less permissive. GEN004510 - The SMTP service log file must not have an extended ACL. GEN004540 - The SMTP service HELP command must not be enabled. GEN004560 - The SMTP service's SMTP greeting must not provide version information. GEN004580 - The system must not use .forward files. GEN004600 - The SMTP service must be an up-to-date version. GEN004620 - The Sendmail server must have the debug feature disabled. GEN004640 - The SMTP service must not have a uudecode alias active - '/etc/aliases decode alias does not exist' GEN004640 - The SMTP service must not have a uudecode alias active - '/etc/aliases uudecode alias does not exist' GEN004640 - The SMTP service must not have a uudecode alias active - '/usr/lib/aliases decode alias does not exist' GEN004640 - The SMTP service must not have a uudecode alias active - '/usr/lib/aliases uudecode alias does not exist' GEN004660 - The SMTP service must not have the EXPN feature active. GEN004680 - The SMTP service must not have the VRFY feature active. GEN004700 - The Sendmail service must not have the wizard backdoor active. GEN004710 - Mail relaying must be restricted. GEN004800 - Unencrypted FTP must not be used on the system - 'ftp is disabled' GEN004800 - Unencrypted FTP must not be used on the system - 'telnet is disabled' GEN004820 - Anonymous FTP must not be active on the system unless authorized. GEN004840 - If the system is an anonymous FTP server, it must be isolated to the DMZ network. GEN004880 - The ftpusers file must exist. GEN004900 - The ftpusers file must contain account names not allowed to use FTP. GEN004920 - The ftpusers file must be owned by root. GEN004930 - The ftpusers file must be group-owned by bin, sys, or system. GEN004940 - The ftpusers file must have mode 0640 or less permissive. GEN004950 - The ftpusers file must not have an extended ACL. GEN004980 - The FTP daemon must be configured for logging or verbose mode - '/etc/inetd.conf contains ftpd -l' GEN004980 - The FTP daemon must be configured for logging or verbose mode - '/etc/syslog.conf contains daemon.info or .info' GEN005000 - Anonymous FTP accounts must not have a functional shell. GEN005040 - All FTP users must have a default umask of 077. GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host file system. GEN005100 - The TFTP daemon must have mode 0755 or less permissive. GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user exists' GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user shell' GEN005140 - Any active TFTP daemon must be authorized and approved in the system accreditation package. GEN005180 - All .Xauthority files must have mode 0600 or less permissive. GEN005190 - The .Xauthority files must not have extended ACLs. GEN005200 - X displays must not be exported to the world. GEN005220 - .Xauthority or X.hosts (or equivalent) file(s) must be used to restrict access to the X server. GEN005240 - The .Xauthority utility must only permit access to authorized hosts. GEN005260 - X Window System connections not required must be disabled. GEN005280 - The system must not have the UUCP service active. GEN005300 - SNMP communities, users, and passphrases must be changed from the default. GEN005305 - The SNMP service must use only SNMPv3 or its successors. GEN005306 - SNMP service must require a FIPS 140-2 approved hash algorithm as part of its authentication and integrity methods GEN005320 - The snmpd.conf file must have mode 0600 or less permissive - '/etc/snmpd.conf' GEN005320 - The snmpd.conf file must have mode 0600 or less permissive - '/etc/snmpdv3.conf' GEN005340 - Management Information Base (MIB) files must have mode 0640 or less permissive. GEN005350 - Management Information Base (MIB) files must not have extended ACLs. GEN005360 - The snmpd.conf file must be owned by root - '/etc/snmpd.conf' GEN005360 - The snmpd.conf file must be owned by root - '/etc/snmpdv3.conf' GEN005365 - The snmpd.conf file must be group-owned by bin, sys, or system - '/etc/snmpd.conf' GEN005365 - The snmpd.conf file must be group-owned by bin, sys, or system - '/etc/snmpdv3.conf' GEN005375 - The snmpd.conf file must not have an extended ACL - '/etc/snmpd.conf' GEN005375 - The snmpd.conf file must not have an extended ACL - '/etc/snmpdv3.conf' GEN005380 - If the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS. GEN005390 - The /etc/syslog.conf file must have mode 0640 or less permissive. GEN005395 - The /etc/syslog.conf file must not have an extended ACL. GEN005400 - The /etc/syslog.conf file must be owned by root. GEN005420 - The /etc/syslog.conf file must be group-owned by bin, sys, or system. GEN005440 - The system must not be used as a syslog server (loghost) for systems external to the enclave. GEN005450 - The system must use a remote syslog server (log host). GEN005460 - The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures. GEN005480 - The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures. GEN005500 - The SSH daemon must be configured to only use the SSHv2 protocol. GEN005501 - The SSH client must be configured to only use the SSHv2 protocol. GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management. GEN005505 - The SSH daemon must be configured to only use FIPS 140-2 approved ciphers. GEN005506 - The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers. GEN005507 - SSH daemon must be configured to only use MACs employing FIPS 140-2 approved cryptographic hash algorithms GEN005510 - The SSH client must be configured to only use FIPS 140-2 approved ciphers. GEN005511 - The SSH client must be configured to not use CBC-based ciphers. GEN005512 - The SSH client must only use MACs employing FIPS 140-2 approved cryptographic hash algorithms GEN005521 - The SSH daemon must restrict login ability to specific users and/or groups. GEN005522 - The SSH public host key files must have mode 0644 or less permissive. GEN005523 - The SSH private host key files must have mode 0600 or less permissive. GEN005524 - The SSH daemon must not permit GSSAPI authentication unless needed. GEN005525 - The SSH client must not permit GSSAPI authentication unless needed. GEN005526 - The SSH daemon must not permit Kerberos authentication unless needed. GEN005533 - The SSH daemon must limit connections to a single session. GEN005536 - The SSH daemon must perform strict mode checking of home directory configuration files. GEN005537 - The SSH daemon must use privilege separation. GEN005538 - The SSH daemon must not allow rhosts RSA authentication. GEN005539 - The SSH daemon must not allow compression or must only allow compression after successful authentication. GEN005540 - The SSH daemon must be configured for IP filtering - '/etc/hosts.allow' GEN005540 - The SSH daemon must be configured for IP filtering - '/etc/hosts.deny' GEN005550 - The SSH daemon must be configured with the Department of Defense (DoD) logon banner - 'Banner file contents' GEN005550 - The SSH daemon must be configured with the Department of Defense (DoD) logon banner - 'Banner file has been defined' GEN005560 - The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router. GEN005570 - The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router. GEN005580 - A system used for routing must not run other network services or applications. GEN005590 - The system must not be running any routing protocol daemons, unless the system is a router. GEN005600 - IP forwarding for IPv4 must not be enabled, unless the system is a router. GEN005610 - The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router. GEN005740 - The NFS export configuration file must be owned by root. GEN005750 - The NFS export configuration file must be group-owned by root, bin, sys, or system. GEN005760 - The NFS export configuration file must have mode 0644 or less permissive. GEN005770 - The NFS exports configuration file must not have an extended ACL. GEN005800 - All NFS-exported system files and system directories must be owned by root. GEN005810 - All NFS-exported system files and system directories must be group-owned by root, bin, sys, or system. GEN005820 - The NFS anonymous UID and GID must be configured to values without permissions. GEN005840 - The NFS server must be configured to restrict file system access to local hosts - 'All exports contain ro or rw' GEN005840 - The NFS server must be configured to restrict file system access to local hosts - 'Exports containing rw should be reviewed' GEN005900 - The nosuid option must be enabled on all NFS client mounts. GEN006000 - The system must not have a public Instant Messaging (IM) client installed. GEN006040 - The system must not have any peer-to-peer file-sharing application installed. GEN006060 - The system must not run Samba unless needed. GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL. GEN006100 - The /usr/lib/smb.conf file must be owned by root. GEN006120 - The /usr/lib/smb.conf file must be group-owned by bin, sys, or system. GEN006140 - The /usr/lib/smb.conf file must have mode 0644 or less permissive. GEN006150 - The /usr/lib/smb.conf file must not have an extended ACL. GEN006160 - The /var/private/smbpasswd file must be owned by root. GEN006180 - The /var/private/smbpasswd file must be group-owned by sys or system. GEN006200 - The /var/private/smbpasswd file must have mode 0600 or less permissive. GEN006210 - The /var/private/smbpasswd file must not have an extended ACL. GEN006220 - The smb.conf file must use the hosts option to restrict access to Samba. GEN006225 - Samba must be configured to use an authentication mechanism other than share. GEN006230 - Samba must be configured to use encrypted passwords. GEN006235 - Samba must be configured to not allow guest access to shares. GEN006240 - The system must not run an Internet Network News (INN) server. GEN006260 - The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive. GEN006270 - The /etc/news/hosts.nntp file must not have an extended ACL. GEN006280 - The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive. GEN006290 - The /etc/news/hosts.nntp.nolimit file must not have an extended ACL. GEN006300 - The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive. GEN006310 - The /etc/news/nnrp.access file must not have an extended ACL. GEN006320 - The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive. GEN006330 - The /etc/news/passwd.nntp file must not have an extended ACL. GEN006340 - Files in /etc/news must be owned by root or news. GEN006360 - The files in /etc/news must be group-owned by system or news. GEN006380 - The system must not use UDP for NIS/NIS+. GEN006400 - The Network Information System (NIS) protocol must not be used. GEN006420 - NIS maps must be protected through hard-to-guess domain names. GEN006460 - Any NIS+ server must be operating at security level 2. GEN006480 - The system must have a host-based intrusion detection tool installed. GEN006560 - The system vulnerability assessment, host-based intrusion detection, and file integrity tools must notify of a security breach. GEN006565 - The system package management tool must be used to verify system software periodically. GEN006570 - The file integrity tool must be configured to verify ACLs. GEN006571 - The file integrity tool must be configured to verify extended attributes. GEN006575 - The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents. GEN006580 - The system must use an access control program. GEN006620 - The system's access control program must be configured to grant or deny system access to specific hosts - '/etc/hosts.allow' GEN006620 - The system's access control program must be configured to grant or deny system access to specific hosts - '/etc/hosts.deny' GEN006620 - The system's access control program must be configured to grant or deny system access to specific hosts - 'hosts.deny ALL:ALL' GEN006640 - The system must use a virus scan program. GEN007020 - The Stream Control Transmission Protocol (SCTP) must be disabled unless required. GEN007480 - The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required. GEN007760 - Proxy Neighbor Discovery Protocol (NDP) must not be enabled on the system. GEN007780 - The system must not have 6to4 enabled. GEN007820 - The system must not have IP tunnels configured - 'ifconfig -a' GEN007820 - The system must not have IP tunnels configured - 'lstun -a' GEN007840 - The DHCP client must be disabled if not needed. GEN007841 - Wireless network adapters must be disabled. GEN007850 - The DHCP client must not send dynamic DNS updates - 'updateDNS exists in /etc/dhcpc.opt' GEN007850 - The DHCP client must not send dynamic DNS updates - 'updateDNS exists in /etc/dhcpcd.ini' GEN007860 - The system must ignore IPv6 ICMP redirect messages. GEN007880 - The system must not send IPv6 ICMP redirects. GEN007900 - The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6. GEN007920 - The system must not forward IPv6 source-routed packets. GEN007940 - The system must not accept source-routed IPv6 packets. GEN007950 - The system must not respond to ICMPv6 echo requests sent to a broadcast address. GEN007960 - The ldd command must be disabled unless it protects against the execution of untrusted files. GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'client Key Label' GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'ldapsslkeyf exists' GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'useSSL = yes' GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'client Key Label' GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'ldapsslkeyf exists' GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'useSSL = yes' GEN008050 - The /etc/ldap.conf file (or equivalent) must not contain passwords - 'bindpwd: is not unencrypted' GEN008050 - The /etc/ldap.conf file (or equivalent) must not contain passwords - 'ldapsslkeypwd: is not unencrypted' GEN008060 - If the system is using LDAP the /etc/ldap.conf file must have mode 0644 or less permissive GEN008080 - If the system is using LDAP the /etc/ldap.conf file must be owned by root GEN008100 - If the system is using LDAP the /etc/ldap.conf file must be group-owned by security, bin, sys, or system GEN008120 - If the system is using LDAP the /etc/ldap.conf file must not have an extended ACL GEN008140 - The TLS certificate authority file and/or directory (as appropriate) must be owned by root GEN008160 - The TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system GEN008180 - The TLS certificate authority file must have mode 0644 (0755 for directories) or less permissive GEN008200 - The LDAP TLS certificate authority file must not have an extended ACL GEN008420 - The system must use available memory address randomization techniques. GEN008440 - Automated file system mounting tools must not be enabled unless needed. GEN008460 - The system must have USB disabled unless needed - 'lsdev' GEN008460 - The system must have USB disabled unless needed - 'lslpp' GEN008480 - The system must have USB Mass Storage disabled unless needed. GEN008520 - The system must employ a local firewall. GEN008540 - The system's local firewall must implement a deny-all, allow-by-exception policy. GEN008600 - The system must be configured to only boot from the system boot device. GEN008620 - System BIOS or system controllers supporting password protection must have admin accounts/passwords configured, and no others. GEN008640 - The system must not use removable media as the boot loader - 'both' GEN008640 - The system must not use removable media as the boot loader - 'normal' GEN008640 - The system must not use removable media as the boot loader - 'prevboot' GEN008640 - The system must not use removable media as the boot loader - 'service' GEN008680 - If the system boots from removable media, it must be stored in a safe or similarly secured container. GEN009120 - The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token. GEN009140 - The system must not have the chargen service active. GEN009160 - The system must not have the Calendar Manager Service Daemon (CMSD) service active. GEN009180 - The system must not have the tool-talk database server (ttdbserver) service active. GEN009190 - The system must not have the comsat service active. GEN009200 - The system must not have the daytime service active. GEN009210 - The system must not have the discard service active. GEN009220 - The system must not have the dtspc service active. GEN009230 - The system must not have the echo service active. GEN009240 - The system must not have Internet Message Access Protocol (IMAP) service active. GEN009250 - The system must not have the PostOffice Protocol (POP3) service active. GEN009260 - The system must not have the talk or ntalk services active. GEN009270 - The system must not have the netstat service active on the inetd process. GEN009280 - The system must not have the PCNFS service active. GEN009290 - The system must not have the systat service active. GEN009300 - The inetd time service must not be active on the system on the inetd daemon. GEN009310 - The system must not have the rusersd service active. GEN009320 - The system must not have the sprayd service active. GEN009330 - The system must not have the rstatd service active. GEN009340 - Xserver login managers must not be running unless needed for X11 session management. Informational Update DISA_STIG_AIX_6.1_v1r13.audit for AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE v1r13 GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Dtlogingreeting.labelString' GEN000402 - The DoD login banner must be displayed as part of graphical desktop environment login prompts - 'Xlogingreeting' GEN000920 - The root account's home directory (other than /) must have mode 0700. GEN003300 - The at.deny file must not be empty if it exists GEN003640 - The root file system must employ journaling or another mechanism ensuring file system consistency GEN003660 - The system must log authentication informational data - 'auth.' GEN003660 - The system must log authentication informational data - 'auth.info' GEN003660 - The system must log authentication informational data - 'auth.notice' GEN003700 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled GEN005080 - The TFTP daemon must operate in 'secure mode' which provides access only to a single directory on the host file system. GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user exists' GEN005120 - The TFTP daemon must be configured to vendor specs including a home directory owned by the TFTP user - 'tftp user shell' GEN006640 - The system must use a virus scan program. GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'client Key Label' GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'ldapsslkeyf exists' GEN008000 - Certificates used to authenticate to the LDAP server must be provided from DoD-approved external PKI - 'useSSL = yes' GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'client Key Label' GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'ldapsslkeyf exists' GEN008020 - The LDAP TLS connection must require a certificate and this certificate has a valid path to a trusted CA - 'useSSL = yes' Miscellaneous Platform check updated. References updated. See also link updated.

Detections

Analytics

DISA STIG AIX 6.1 v1r13

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Revision 1.4

Miscellaneous

Revision 1.3

Miscellaneous

Revision 1.2

Miscellaneous

Revision 1.1

Functional Update

Informational Update

Miscellaneous

Detections

Analytics

DISA STIG AIX 6.1 v1r13 Download File

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Revision 1.4

Miscellaneous

Revision 1.3

Miscellaneous

Revision 1.2

Miscellaneous

Revision 1.1

Functional Update

Informational Update

Miscellaneous

DISA STIG AIX 6.1 v1r13