AIX7-00-001000 - AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account. | ACCESS CONTROL |
AIX7-00-001001 - AIX must automatically remove or disable temporary user accounts after 72 hours or sooner. | ACCESS CONTROL |
AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator. | ACCESS CONTROL |
AIX7-00-001004 - AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types. | ACCESS CONTROL |
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL or TLS connection must require that the server provide a certificate, and this certificate must have a valid path to a trusted CA. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001007 - If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001008 - All accounts on AIX system must have unique account names. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001009 - All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users). | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001010 - The AIX SYSTEM attribute must not be set to NONE for any account. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001011 - Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001014 - The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. | ACCESS CONTROL |
AIX7-00-001015 - The shipped /etc/security/mkuser.sys file on AIX must not be customized directly. | ACCESS CONTROL |
AIX7-00-001016 - The regular users' default primary group must be staff (or equivalent) on AIX. | ACCESS CONTROL |
AIX7-00-001018 - All system files, programs, and directories must be owned by a system account. | CONFIGURATION MANAGEMENT |
AIX7-00-001019 - AIX device files and directories must only be writable by users with a system account or as configured by the vendor. | CONFIGURATION MANAGEMENT |
AIX7-00-001025 - AIX must configure the ttys value for all interactive users. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001028 - AIX must provide the lock command to let users retain their session lock until they are reauthenticated. | ACCESS CONTROL |
AIX7-00-001029 - AIX must provide the xlock command in the CDE environment to let users retain their session lock until they are reauthenticated. | ACCESS CONTROL |
AIX7-00-001030 - The AIX system must prevent the root account from directly logging in except from the system console. | CONFIGURATION MANAGEMENT |
AIX7-00-001031 - All AIX public directories must be owned by root or an application account. | CONFIGURATION MANAGEMENT |
AIX7-00-001032 - AIX administrative accounts must not run a web browser, except as needed for local service administration. | CONFIGURATION MANAGEMENT |
AIX7-00-001033 - AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. | CONFIGURATION MANAGEMENT |
AIX7-00-001034 - The AIX root account must not have world-writable directories in its executable search path. | CONFIGURATION MANAGEMENT |
AIX7-00-001035 - The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID. | CONFIGURATION MANAGEMENT |
AIX7-00-001036 - UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems. | CONFIGURATION MANAGEMENT |
AIX7-00-001037 - The AIX root account's list of preloaded libraries must be empty. | CONFIGURATION MANAGEMENT |
AIX7-00-001038 - AIX must not have accounts configured with blank or null passwords. | CONFIGURATION MANAGEMENT |
AIX7-00-001039 - The AIX root account's home directory (other than /) must have mode 0700. | CONFIGURATION MANAGEMENT |
AIX7-00-001040 - The AIX root account's home directory must not have an extended ACL. | CONFIGURATION MANAGEMENT |
AIX7-00-001041 - AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system. | ACCESS CONTROL |
AIX7-00-001042 - The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX. | ACCESS CONTROL |
AIX7-00-001043 - The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX. | ACCESS CONTROL |
AIX7-00-001044 - Any publicly accessible connection to the AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | ACCESS CONTROL |
AIX7-00-001045 - If LDAP is used, the AIX LDAP client must use SSL to authenticate with the LDAP server. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001046 - If LDAP authentication is required, AIX must set up the LDAP client to refresh user and group caches in less than a day. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001047 - The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups. | CONFIGURATION MANAGEMENT |
AIX7-00-001048 - AIX must protect the confidentiality and integrity of all information at rest. | SYSTEM AND COMMUNICATIONS PROTECTION |
AIX7-00-001053 - AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours. | AUDIT AND ACCOUNTABILITY |
AIX7-00-001055 - All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions. | CONFIGURATION MANAGEMENT |
AIX7-00-001056 - AIX nosuid option must be enabled on all NFS client mounts. | CONFIGURATION MANAGEMENT |
AIX7-00-001100 - AIX must be configured to allow users to directly initiate a session lock for all connection types. | ACCESS CONTROL |
AIX7-00-001101 - AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | ACCESS CONTROL |
AIX7-00-001102 - AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | MAINTENANCE |
AIX7-00-001104 - If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. | ACCESS CONTROL |
AIX7-00-001105 - AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | SYSTEM AND COMMUNICATIONS PROTECTION |
AIX7-00-001108 - AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
AIX7-00-001120 - AIX must enforce password complexity by requiring that at least one upper-case character be used. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001121 - AIX must enforce password complexity by requiring that at least one lower-case character be used. | IDENTIFICATION AND AUTHENTICATION |
AIX7-00-001122 - AIX must enforce password complexity by requiring that at least one numeric character be used. | IDENTIFICATION AND AUTHENTICATION |
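Several of the account requirements above (AIX7-00-001003 loginretries, AIX7-00-001009 SYSTEM not NONE, AIX7-00-001030 no direct root login, AIX7-00-001120 to 001122 password complexity) are all expressed as attributes in the /etc/security/user stanza file, where a per-user stanza overrides the default stanza. The script below is an added example, not part of the STIG or of IBM's tooling: on a live host you would normally query these with lsuser and set them with chuser/chsec, but parsing a saved copy of the stanza file with awk lets the same check run off-box. The stanza content embedded here is constructed sample data; the attribute names SYSTEM, loginretries, rlogin, minupperalpha, minloweralpha and mindigit are the real /etc/security/user attributes, and treating rlogin=false as the setting that keeps root off network logins is an assumption about how the 001030 requirement is usually met.

```shell
#!/bin/sh
# Audit a copy of an AIX /etc/security/user stanza file against a subset of
# the STIG account requirements. Constructed sample data, not a real host.
SAMPLE_USER_FILE="$(mktemp)"
trap 'rm -f "$SAMPLE_USER_FILE"' EXIT
cat >"$SAMPLE_USER_FILE" <<'EOF'
default:
        admin = false
        login = true
        loginretries = 0
        SYSTEM = "compat"
        minupperalpha = 0
        minloweralpha = 0
        mindigit = 0
        ttys = ALL

root:
        admin = true
        loginretries = 0
        rlogin = true
        ttys = ALL

alice:
        loginretries = 3
        minupperalpha = 1
        minloweralpha = 1
        mindigit = 1

svc_batch:
        SYSTEM = "NONE"
        ttys = ALL
EOF

# effective_attr FILE USER ATTR
# Prints the value AIX would apply: the user's own stanza if it sets ATTR,
# otherwise the "default" stanza, otherwise nothing. Quotes are stripped.
effective_attr() {
    awk -v user="$2" -v attr="$3" '
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        $1 == attr && $2 == "=" {
            val = $3; gsub(/"/, "", val)
            if (stanza == user) { uval = val; found = 1 }
            else if (stanza == "default") dval = val
        }
        END { print (found ? uval : dval) }' "$1"
}

# audit_users FILE
# Prints one "USER attribute=value" line per violation; exit status 0 means
# no findings, 1 means at least one finding (usable from cron or a CI job).
audit_users() {
    file="$1"
    findings=0
    users=$(awk '/^[A-Za-z0-9_.-]+:[ \t]*$/ { u = $1; sub(/:$/, "", u); if (u != "default") print u }' "$file")
    for u in $users; do
        # AIX7-00-001009: SYSTEM=NONE would bypass authentication entirely.
        [ "$(effective_attr "$file" "$u" SYSTEM)" = "NONE" ] && { echo "$u SYSTEM=NONE"; findings=$((findings + 1)); }
        # AIX7-00-001003: lock after at most three failures; 0 means unlimited.
        r=$(effective_attr "$file" "$u" loginretries)
        { [ "${r:-0}" -eq 0 ] || [ "$r" -gt 3 ]; } && { echo "$u loginretries=${r:-unset}"; findings=$((findings + 1)); }
        # AIX7-00-001030: root must not log in directly over the network.
        if [ "$u" = root ] && [ "$(effective_attr "$file" root rlogin)" = "true" ]; then
            echo "root rlogin=true"; findings=$((findings + 1))
        fi
        # AIX7-00-001120 to 001122: at least one upper, lower and digit.
        for a in minupperalpha minloweralpha mindigit; do
            v=$(effective_attr "$file" "$u" "$a")
            [ "${v:-0}" -ge 1 ] || { echo "$u $a=${v:-unset}"; findings=$((findings + 1)); }
        done
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone run: list findings for the sample file (alice is the only
# compliant account; root and svc_batch each produce five findings).
audit_users "$SAMPLE_USER_FILE" || echo "non-compliant account settings found" >&2
```

To audit a real system, replace SAMPLE_USER_FILE with a copy of /etc/security/user taken with root privileges; the file is mode 0640 and readable only by the security group, so copy it rather than loosening its permissions. Remaining requirements such as ttys (001025) fit the same pattern: one more effective_attr call per attribute.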