CIS specifications for VIOS server
The Center for Internet Security (CIS) develops benchmarks for the secure configuration of a target system. CIS benchmarks are consensus-based, best-practice security configuration guides that are developed and accepted by government, business, industry, and academia.
| Benchmark | Group | Implementation specification | Location of the script that modifies the setting |
|---|---|---|---|
| AIX® 6.1: 1.1.1 AIX 7.1: 3.1.1 Level 1 |
Password policy rules | Defines the minimum number of characters that are required in a new password that were not in the old password. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.1.2 AIX 7.1: 3.1.2 Level 1 |
Password policy rules | Defines the minimum number of weeks before a password can be changed. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.1.3 AIX 7.1: 3.1.3 Level 1 |
Password policy rules | Defines the maximum number of weeks that a password is valid. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.1.4 AIX 7.1: 3.1.4 Level 1 |
Password policy rules | Defines the minimum length of a password. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.1.5 AIX 7.1: 3.1.5 Level 1 |
Password policy rules | Defines the minimum number of alphabetic characters in a password. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.1.6 AIX 7.1: 3.1.6 Level 1 |
Password policy rules | Defines the number of characters within a password that must be non-alphabetic. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.1.7 AIX 7.1: 3.1.7 Level 1 |
Password policy rules | Defines the maximum number of times a character may appear in a password. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.1.8 AIX 7.1: 3.1.8 Level 1 |
Password policy rules | Defines the period of time in weeks that a user will not be able to reuse a password. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.1.9 AIX 7.1: 3.1.9 Level 1 |
Password policy rules | Defines the number of previous passwords that a user may not reuse. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.1.10 AIX 7.1: 3.1.10 Level 1 |
Password policy rules | Defines the number of weeks after maxage that a password can be reset by the user. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 7.1: 3.1.11 Level 1 |
Password policy rules | Defines the minimum number of lower case alphabetic characters in a password. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 7.1: 3.1.12 Level 1 |
Password policy rules | Defines the minimum number of upper case alphabetic characters in a password. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 7.1: 3.1.13 Level 1 |
Password policy rules | Defines the minimum number of digits in a password. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 7.1: 3.1.14 Level 1 |
Password policy rules | Defines the minimum number of special characters in a password. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.1.11 AIX 7.1: 3.1.15 Level 1 |
Login policy recommendations | Defines the loadable password algorithm used when storing user passwords. | /etc/security/pscexpert/bin/chdefstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.1 Level 2 |
Login policy recommendations | Disables direct login access for the daemon user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.1 Level 2 |
Login policy recommendations | Disables direct rlogin access for the daemon user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.2 Level 2 |
Login policy recommendations | Disables direct login access for the bin user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.2 Level 2 |
Login policy recommendations | Disables direct rlogin access for the bin user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.3 Level 2 |
Login policy recommendations | Disables direct login access for the sys user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.3 Level 2 |
Login policy recommendations | Disables direct rlogin access for the sys user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.4 Level 2 |
Login policy recommendations | Disables direct login access for the adm user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.4 Level 2 |
Login policy recommendations | Disables direct rlogin access for the adm user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.5 Level 2 |
Login policy recommendations | Disables direct login access for the nobody user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.5 Level 2 |
Login policy recommendations | Disables direct rlogin access for the nobody user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.6 Level 2 |
Login policy recommendations | Disables direct login access for the uucp user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.6 Level 2 |
Login policy recommendations | Disables direct rlogin access for the uucp user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.7 Level 2 |
Login policy recommendations | Disables direct login access for the lpd user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.9 AIX 7.1: 3.2.1.7 Level 2 |
Login policy recommendations | Disables direct rlogin access for the lpd user account. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.2.1 AIX 7.1: 3.2.2 Level 1 |
Login policy recommendations | Defines the time interval, in seconds, when the unsuccessful logins must occur to disable a port. | /etc/security/pscexpert/bin/chdefstanza
Arguments:
|
| AIX 6.1: 1.2.2 AIX 7.1: 3.2.3 Level 1 |
Login policy recommendations | Defines the number of unsuccessful login attempts required before a port will be locked. This parameter is applicable to all tty connections and the system console. | /etc/security/pscexpert/bin/chdefstanza
Arguments:
|
| AIX 6.1: 1.2.3 AIX 7.1: 3.2.4 Level 1 |
Login policy recommendations | Defines the number of minutes after a port is locked when it will be automatically un-locked. This parameter is applicable to all tty connections and the system console. | /etc/security/pscexpert/bin/chdefstanza
Arguments:
|
| AIX 6.1: 1.2.4 AIX 7.1: 3.2.5 Level 1 |
Login policy recommendations | Defines the number of seconds during which the password must be typed at login. | /etc/security/pscexpert/bin/chdefstanza
Arguments:
|
| AIX 6.1: 1.2.5 AIX 7.1: 3.2.6 Level 1 |
Login policy recommendations | Defines the number of seconds delay between each failed login attempt. This works as a multiplier, so if the parameter is set to 10, after the first failed login it would delay for 10 seconds, after the second failed login 20 seconds, and so forth. | /etc/security/pscexpert/bin/chdefstanza
Arguments:
|
| AIX 6.1: 1.2.6 AIX 7.1: 3.2.7 Level 1 |
Password policy rules | Defines the number of attempts a user has to login to the system before their account is disabled. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.2.7 AIX 7.1: 3.2.8 Level 1 |
Login policy recommendations | Defines whether or not the root user can log in remotely. | /etc/security/pscexpert/bin/chuserstanza
Arguments:
|
| AIX 6.1: 1.3.1 AIX 7.1: 3.3.1 Level 2 |
Rules for /etc/inittab | Controls the printing scheduling daemon that manages the submission of print jobs to piobe. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 1.3.2 AIX 7.1: 3.3.2 Level 2 |
Rules for /etc/inittab | Controls whether the lpd daemon accepts remote print jobs from other systems. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 1.3.3 AIX 7.1: 3.3.3 Level 2 |
Rules for /etc/inittab | Controls the piobe daemon, which is the I/O back end for the printing process, handling the job scheduling and spooling. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 1.3.4 AIX 7.1: 3.3.4 Level 2 |
Rules for /etc/inittab | Executes the CDE startup script which starts the AIX Common Desktop Environment. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 1.3.5 AIX 7.1: 3.3.5 Level 2 |
Rules for /etc/inittab | Starts the NFS daemons during system boot. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 1.3.6 AIX 7.1: 3.3.6 Level 2 |
/etc/rc.tcpip settings | Starts the sendmail daemon on system startup. This means that the system can operate as a mail server. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.7 AIX 7.1: 3.3.7 Level 2 |
/etc/rc.tcpip settings | Starts the snmpd daemon on system startup. This allows remote monitoring of network and server configuration. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.8 AIX 7.1: 3.3.8 Level 2 |
/etc/rc.tcpip settings | Starts the dhcpcd daemon on system startup. The dhcpcd deamon receives address and configuration information from the DHCP server. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.9 AIX 7.1: 3.3.9 Level 2 |
/etc/rc.tcpip settings | Starts the dhcprd daemon on system startup. The dhcprd daemon listens for broadcast packets, receives them, and forwards them to the appropriate server. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.10 AIX 7.1: 3.3.10 Level 2 |
/etc/rc.tcpip settings | Starts the dhcpsd daemon on system startup. The dhcpsd deamon is the DHCP server that serves addresses and configuration information to DHCP clients in the network. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.11 AIX 7.1: 3.3.11 Level 2 |
/etc/rc.tcpip settings | Starts autoconf6 on system startup. This is to automatically configure IPv6 interfaces at boot time. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.12 AIX 7.1: 3.3.12 Level 2 |
/etc/rc.tcpip settings | Starts the gated daemon system startup. This daemon provides gateway routing functions for protocols such as RIP and SNMP. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.13 AIX 7.1: 3.3.13 Level 2 |
/etc/rc.tcpip settings | Starts the mrouted daemon at system startup. This daemon is an implementation of the multicast routing protocol. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.14 AIX 7.1: 3.3.14 Level 2 |
/etc/rc.tcpip settings | Starts the named daemon at system startup. This is the server for the DNS protocol and controls domain name resolution for its clients. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.15 AIX 7.1: 3.3.15 Level 2 |
/etc/rc.tcpip settings | Starts the routed daemon at system startup. The routed daemon manages the network routing tables in the kernel. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.16 AIX 7.1: 3.3.16 Level 2 |
/etc/rc.tcpip settings | Starts the rwhod daemon at system startup. This is the remote WHO service. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.17 AIX 7.1: 3.3.17 Level 2 |
/etc/rc.tcpip settings | Starts the timed daemon at system startup. This is the old UNIX time service. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.18 AIX 7.1: 3.3.18 Level 2 |
/etc/rc.tcpip settings | Starts the dpid2 daemon on system startup. The dpid2 daemon acts as a protocol converter, which enables DPI (SNMP v2) sub-agents, such as hostmibd, to talk to a SNMP v1 agent that follows SNMP MUX protocol. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.19 AIX 7.1: 3.3.19 Level 2 |
/etc/rc.tcpip settings | Starts the hostmibd daemon on system startup. This is a dpi2 sub-agent that may be required if the server runs SNMP. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.20 AIX 7.1: 3.3.20 Level 2 |
/etc/rc.tcpip settings | Starts the snmpmibd daemon on system startup. This is a dpi2 sub-agent that may be required if the server runs SNMP. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.21 AIX 7.1: 3.3.21 Level 2 |
/etc/rc.tcpip settings | Starts the aixmibd daemon on system startup. This is a dpi2 sub-agent that may be required if the server runs SNMP. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.22 AIX 7.1: 3.3.22 Level 2 |
/etc/rc.tcpip settings | Starts ndpd-host on system startup. This is the Neighbor Discovery Protocol (NDP) daemon, required in IPv6. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.23 AIX 7.1: 3.3.23 Level 2 |
/etc/rc.tcpip settings | Starts ndpd-router on system startup. This manages the Neighbor Discovery Protocol (NDP) for non kernel activities, required in IPv6. | /etc/security/pscexpert/bin/rctcpip
Arguments:
|
| AIX 6.1: 1.3.24 AIX 7.1: 3.3.24 Level 1 |
/etc/inetd.conf Settings | Starts the telnetd daemon when required. This provides a protocol for command line access from a remote machine. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.25 AIX 7.1: 3.3.25 Level 1 |
/etc/inetd.conf Settings | Starts the rexecd daemon when required. This daemon executes a command from a remote system, once the connection has been authenticated. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.26 AIX 7.1: 3.3.26 Level 1 |
/etc/inetd.conf Settings | Starts the rexecd daemon when required. This daemon executes a command from a remote system, once the connection has been authenticated. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.26 AIX 7.1: 3.3.26 Level 1 |
/etc/inetd.conf Settings | Starts the rexecd daemon when required. This daemon executes a command from a remote system, once the connection has been authenticated. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.27 AIX 7.1: 3.3.27 Level 1 |
/etc/inetd.conf Settings | Starts the rshd daemon when required. This daemon executes a command from a remote system. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.28 AIX 7.1: 3.3.28 Level 2 |
/etc/inetd.conf Settings | Starts the cmsd service when required. This is a calendar and appointment service. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.29 AIX 7.1: 3.3.29 Level 2 |
/etc/inetd.conf Settings | Starts the ttdbserver service when required. It is not a prerequisite service for CDE, which is fully functional when it is disabled. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.30 AIX 7.1: 3.3.30 Level 2 |
/etc/inetd.conf Settings | Starts the uucp service when required. This service facilitates file copying between networked servers. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.31 AIX 7.1: 3.3.31 Level 2 |
/etc/inetd.conf Settings | Starts the time service when required. This service can be used to synchronize system clocks. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.31 AIX 7.1: 3.3.31 Level 2 |
/etc/inetd.conf Settings | Starts the time service when required. This service can be used to synchronize system clocks. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.32 AIX 7.1: 3.3.32 Level 1 |
/etc/inetd.conf Settings | Starts the rlogin daemon when required. This service authenticates remote user logins. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.33 AIX 7.1: 3.3.33 Level 2 |
/etc/inetd.conf Settings | starts the talkd daemon when required. This service establishes a two-way communication link between two users, either locally or remotely. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.34 AIX 7.1: 3.3.34 Level 2 |
/etc/inetd.conf Settings | Starts the talkd daemon when required. This service establishes a two-way communication link between two users, either locally or remotely. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.35 AIX 7.1: 3.3.35 Level 1 |
/etc/inetd.conf Settings | Starts the ftpd daemon when required. This service is used for transferring files from/to a remote machine. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.36 AIX 7.1: 3.3.36 Level 1 |
/etc/inetd.conf Settings | Starts the chargen service when required. This service is used to test the integrity of TCP/IP packets arriving at the destination. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.36 AIX 7.1: 3.3.36 Level 1 |
/etc/inetd.conf Settings | Starts the chargen service when required. This service is used to test the integrity of TCP/IP packets arriving at the destination. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.37 AIX 7.1: 3.3.37 Level 1 |
/etc/inetd.conf Settings | Starts the discard service when required. This service is used as a debugging tool by setting up a listening socket which ignores the data it receives. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.37 AIX 7.1: 3.3.37 Level 1 |
/etc/inetd.conf Settings | Starts the discard service when required. This service is used as a debugging tool by setting up a listening socket which ignores the data it receives. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.38 AIX 7.1: 3.3.38 Level 2 |
/etc/inetd.conf Settings | Starts the dtspc service when required. This service is used in response to a CDE client request. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.39 AIX 7.1: 3.3.39 Level 1 |
/etc/inetd.conf Settings | Starts the echo service when required. This service sends back data received by it on a specified port. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.39 AIX 7.1: 3.3.39 Level 1 |
/etc/inetd.conf Settings | Starts the echo service when required. This service sends back data received by it on a specified port. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.40 AIX 7.1: 3.3.40 Level 2 |
/etc/inetd.conf Settings | Starts the pcnfsd daemon when required. This service is an authentication and printing program, which uses NFS to provide file transfer services. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.41 AIX 7.1: 3.3.41 Level 2 |
/etc/inetd.conf Settings | Starts the rstatd daemon when required. This service is used to provide kernel statistics and other monitorable parameters such as CPU usage, system uptime, network usage, and so forth. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.42 AIX 7.1: 3.3.42 Level 2 |
/etc/inetd.conf Settings | Starts the rsusersd daemon when required. This service provides a list of current users active on a system. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.43 AIX 7.1: 3.3.43 Level 2 |
/etc/inetd.conf Settings | Starts the rwalld daemon when required. This service allows remote users to broadcast system wide messages. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.44 AIX 7.1: 3.3.44 Level 1 |
/etc/inetd.conf Settings | Starts the sprayd daemon when required. This service is used as a tool to generate UDP packets for testing and diagnosing network problems. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.45 AIX 7.1: 3.3.45 Level 2 |
/etc/inetd.conf Settings | Starts the klogin service when required. This is a kerberized login service, which provides a higher degree of security over traditional rlogin and telnet. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.46 AIX 7.1: 3.3.46 Level 2 |
/etc/inetd.conf Settings | Starts the kshell service when required. This is a kerberized remote shell service, which provides a higher degree of security over traditional rsh. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.47 AIX 7.1: 3.3.47 Level 2 |
/etc/inetd.conf Settings | Starts the rquotad service when required. This allows NFS clients to enforce disk quotas on locally mounted filesystems. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.48 AIX 7.1: 3.3.48 Level 2 |
/etc/inetd.conf Settings | Starts the tftp service when required. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.49 AIX 7.1: 3.3.49 Level 2 |
/etc/inetd.conf Settings | Starts the imap2 service when required. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.50 AIX 7.1: 3.3.50 Level 2 |
/etc/inetd.conf Settings | Starts the pop3 service when required. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.51 AIX 7.1: 3.3.51 Level 1 |
/etc/inetd.conf Settings | Starts the fingerd daemon. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.52 AIX 7.1: 3.3.52 Level 2 |
/etc/inetd.conf Settings | Starts the instsrv service when required. | /etc/security/pscexpert/bin/cominetdconf
Arguments:
|
| AIX 6.1: 1.3.53 AIX 7.1: 3.3.53 Level 1 |
Permission settings | Applies the recommended permissions and ownership for /etc/inetd.conf. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 1.3.53 AIX 7.1: 3.3.53 Level 1 |
Ownership settings | Applies the recommended permissions and ownership for /etc/inetd.conf. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 1.4.1 AIX 7.1: 3.4.1 Level 2 |
Permission settings | Removes all permissions from the remote service commands: rsh, rlogin and rcp. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 1.4.1 AIX 7.1: 3.4.1 Level 2 |
Permission settings | Removes all permissions from the remote service commands: rsh, rlogin and rcp. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 1.4.1 AIX 7.1: 3.4.1 Level 2 |
Permission settings | Removes all permissions from the remote service commands: rsh, rlogin and rcp. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 1.4.2 AIX 7.1: 3.4.2 Level 2 |
Permission settings | Removes all permissions from the remote service commands: rsh, rlogin and rcp. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 1.4.2 AIX 7.1: 3.4.2 Level 2 |
Permission settings | Removes all permissions from the remote service commands: rsh, rlogin and rcp. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 1.4.2 AIX 7.1: 3.4.2 Level 2 |
Permission settings | Removes all permissions from the remote service commands: rsh, rlogin and rcp. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 1.5.1 AIX 7.1: 3.5.1 Level 2 |
Remove unauthorized access | Removes all instances of .rhosts and .netrc files from the system. | /etc/security/pscexpert/bin/rmrhostsnetrc
Arguments:
|
| AIX 6.1: 1.5.2 AIX 7.1: 3.5.2 Level 2 |
Remove unauthorized access | Removes all entries from the /etc/hosts.equiv file. | /etc/security/pscexpert/bin/rmetchostsequiv
Arguments:
|
| AIX 6.1: 1.6.1 AIX 7.1: 3.6.1 Level 2 |
Tune network options | Controls the ipsrcrouteforward parameter that determines whether or not the system forwards IPV4 source-routed packets. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.2 AIX 7.1: 3.6.2 Level 2 |
Tune network options | Controls the ipignoreredirects parameter that determines whether or not the system will process IP redirects. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.3 AIX 7.1: 3.6.3 Level 2 |
Tune network options | Determines whether or not the system is open to SYN attacks. This parameter, when enabled, clears down connections in the SYN RECEIVED state after a set period of time. This attempts to stop DoS attacks when a hacker may flood a system with SYN flag-set packets. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.4 AIX 7.1: 3.6.4 Level 2 |
Tune network options | Determines whether or not the system can send source-routed packets. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.5 AIX 7.1: 3.6.5 Level 2 |
Tune network options | Determines whether or not the system forwards TCP/IP packets. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.6 AIX 7.1: 3.6.6 Level 2 |
Tune network options | Determines whether or not the system forwards re-directed TCP/IP packets. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.7 AIX 7.1: 3.6.7 Level 2 |
Tune network options | Determines whether or not the system forwards IPV6 source-routed packets. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.8 AIX 7.1: 3.6.8 Level 2 |
Tune network options | Determines whether or not the system allows a directed broadcast to a network gateway. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.9 AIX 7.1: 3.6.9 Level 2 |
Tune network options | Controls whether TCP MTU discovery is enabled. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.10 AIX 7.1: 3.6.10 Level 2 |
Tune network options | Determines whether the system responds to ICMP echo packets sent to the broadcast address. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.11 AIX 7.1: 3.6.11 Level 2 |
Tune network options | Determines whether the system responds to an ICMP address mask ping. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.12 AIX 7.1: 3.6.12 Level 2 |
Tune network options | Controls whether MTU discovery is enabled. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.13 AIX 7.1: 3.6.13 Level 2 |
Tune network options | Determines whether the system accepts source routed packets. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.14 AIX 7.1: 3.6.14 Level 2 |
Tune network options | Determines whether the system allows source routed packets to be addressed to hosts outside of the LAN. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.15 AIX 7.1: 3.6.15 Level 2 |
Tune network options | Determines if the system is protected from three specific vulnerabilities:
|
/etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.16 AIX 7.1: 3.6.16 Level 2 |
Tune network options | Determines what percentage of the total memory allocated to networking, set via thewall, can be used for sockets. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.17 AIX 7.1: 3.6.17 Level 2 |
Tune network options | Determines whether the TCP window sizes (tcp_sendspace and tcp_recvspace) can be greater than 64KB. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.18 AIX 7.1: 3.6.18 Level 2 |
Tune network options | Sets the socket buffer size for sending data. This recommendation changes the default size, but many adapters have specific buffer sizes implemented within the device driver. These are typically 64KB or greater. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.19 AIX 7.1: 3.6.19 Level 2 |
Tune network options | Sets the socket buffer size for receiving data. This recommendation changes the default size, but many adapters have specific buffer sizes implemented within the device driver. These are typically 64KB or greater. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.20 AIX 7.1: 3.6.20 Level 2 |
Tune network options | Sets the maximum segment size for communication to a remote network. This parameter is relevant only if MTU discovery is disabled, which is recommended in this benchmark. | /etc/security/pscexpert/bin/ntwkopts
Arguments:
|
| AIX 6.1: 1.6.21 AIX 7.1: 3.6.21 Level 2 |
Tune NFS options | Sets the value of the Network File System (NFS) tuning parameter portcheck to 1. | /etc/security/pscexpert/bin/chnfsopts
Arguments:
|
| AIX 6.1: 1.6.21 AIX 7.1: 3.6.21 Level 2 |
Tune NFS options | Sets the value of the Network File System (NFS) tuning parameter nfs_use_reserved_ports to 1 | /etc/security/pscexpert/bin/chnfsopts
Arguments:
|
| AIX 6.1: 1.7.1 AIX 7.1: 3.7.1 Level 2 |
Miscellaneous Rules | Creates a cron.allow file with a root user entry and removes the cron.deny file, if it exists. | /etc/security/pscexpert/bin/limitsysacc
Arguments:
|
| AIX 6.1: 1.7.2 AIX 7.1: 3.7.2 Level 2 |
Remote access settings | Makes root the only user in the at.allow file and removes the at.deny file. | /etc/security/pscexpert/bin/chcronfilescis
Arguments:
|
| AIX 6.1: 1.7.3 AIX 7.1: 3.7.3 Level 1 |
Miscellaneous Rules | Adds the root user to the /etc/ftpusers file, which disables ftp for root. | /etc/security/pscexpert/bin/chetcftpusers
Arguments:
|
| AIX 6.1: 1.7.4 AIX 7.1: 3.7.4 Level 1 |
Miscellaneous rules | Adds a default herald to the /etc/security/login.cfg file. | /etc/security/pscexpert/bin/loginherald
Arguments:
|
| AIX 6.1: 1.7.5 AIX 7.1: 3.7.5 Level 1 |
Remove user accounts | Removes the guest user and home directory from the system. | /etc/security/pscexpert/bin/rmlocaluser
Arguments:
|
| AIX 6.1: 1.7.6 AIX 7.1: 3.7.6 Level 1 |
Miscellaneous enhancements | Ensure that the permissions of all the root crontab entries are owned and writable only by the root user. | /etc/security/pscexpert/bin/rootcrnjobck
Arguments:
|
| AIX 6.1: 1.7.7 AIX 7.1: 3.7.7 Level 2 |
Password policy rules | Changes the default user umask in /etc/security/user. | /etc/security/pscexpert/bin/chusrattr
Arguments:
|
| AIX 6.1: 1.7.8 AIX 7.1: 3.7.8 Level 2 |
Resource limits recommendations | Sets the core limit in the default stanza to 0 in /etc/security/limits. | /etc/security/pscexpert/bin/chdefstanza
Arguments:
|
| AIX 6.1: 1.7.8 AIX 7.1: 3.7.8 Level 2 |
Resource limits recommendations | Sets the core hard limit in the default stanza to 0 in /etc/security/limits. | /etc/security/pscexpert/bin/chdefstanza
Arguments:
|
| AIX 6.1: 1.7.8 AIX 7.1: 3.7.8 Level 2 |
Resource limits recommendations | Sets the fullcore kernel parameter to false. | /etc/security/pscexpert/bin/chdevattr Arguments:
|
| AIX 6.1: 1.7.9 AIX 7.1: 3.7.9 Level 2 |
Resource limits recommendations | Configures AIX auditing in bin mode. | /etc/security/pscexpert/bin/pciaudit Arguments:
|
| AIX 6.1: 2.1.1, 2.1.2 AIX 7.1: 4.1.1, 4.1.2 Level 2 |
Manage syslog | Implements a local syslog configuration. Explicitly defines a log file for the
auth.info output in the /etc/syslog.conf file. Implements a remote syslog configuration. |
/etc/security/pscexpert/bin/syslog
Arguments:
|
| AIX 6.1: 2.1.3 AIX 7.1: 4.1.3 Level 2 |
Manage syslog | Disallow the local syslogd daemon from accepting messages from other hosts on the network. | /etc/security/pscexpert/bin/disable_syslogd
Arguments:
|
| AIX 6.1: 2.2.1 AIX 7.1: 4.2.1 Level 2 |
Manage filesets | Installs the OpenSSH libraries. | /etc/security/pscexpert/bin/managefilesets
Arguments:
|
| AIX 6.1: 2.2.1 AIX 7.1: 4.2.1 Level 2 |
Manage filesets | Installs the OpenSSL libraries. | /etc/security/pscexpert/bin/managefilesets
Arguments:
|
| AIX 6.1: 2.2.2 AIX 7.1: 4.2.2 Level 1 |
Remote access settings | Configures the SSH daemon to disable direct root login. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 6.1: 2.2.3 AIX 7.1: 4.2.3 Level 1 |
Remote access settings | Configures the SSH daemon to use only the SSHv2 protocol. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 6.1: 2.2.4 AIX 7.1: 4.2.4 Level 1 |
Remote access settings | Configures the SSH client to use only the SSHv2 protocol. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 6.1: 2.2.6 AIX 7.1: 4.2.6 Level 1 |
Remote access settings | Configures the SSH daemon to ignore .rhosts and .shosts files. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 6.1: 2.2.7 AIX 7.1: 4.2.7 Level 1 |
Remote access settings | Configures the SSH daemon to not authenticate users with a null password. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 6.1: 2.2.8 AIX 7.1: 4.2.8 Level 2 |
Remote access settings | Configures the SSH daemon to disallow host-based authentication. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 6.1: 2.2.9 AIX 7.1: 4.2.9 Level 1 |
Remote access settings | Configures the SSH daemon to use privilege separation. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 6.1: 2.2.10 AIX 7.1: 4.2.10 Level 2 |
Remote access settings | Remove any existing .shosts files from all user home directories. | /etc/security/pscexpert/bin/rmrhostsnetrc
Arguments:
|
| AIX 6.1: 2.2.11 AIX 7.1: 4.2.11 Level 2 |
Remote access settings | Remove the /etc/shosts.equiv file. | /etc/security/pscexpert/bin/chetchostsfiles
Arguments:
|
| AIX 7.1: 4.2.12 Level 1 |
Remote access settings | Configures the SSH daemon to log login and logout activity by setting LogLevel to INFO. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 7.1: 4.2.13 Level 1 |
Remote access settings | Configures the SSH daemon to permit a maximum of 4 authentication attempts per connection. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 7.1: 4.2.14 Level 1 |
Remote access settings | Configures the SSH daemon to not to send alive messages to clients. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 7.1: 4.2.14 Level 1 |
Remote access settings | Configures the SSH daemon to permit a maximum of 300 client keep alive messages without answer before disconnecting the session. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 7.1: 4.2.15 Level 1 |
Remote access settings | Configures the SSH daemon to use ciphers as described in RFC4344. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 7.1: 4.2.16 Level 1 |
Remote access settings | Configures the SSH daemon to ignore user-provided environment variables. | /etc/security/pscexpert/bin/ssh_config_rules
Arguments:
|
| AIX 7.1: 4.2.17 Level 1 |
Permission settings | Limit access via SSH by setting at least one of the AllowUsers, AllowGroups, DenyUsers, or DenyGroups options. | etc/security/pscexpert/bin/sshconfcheck
Arguments:
|
| AIX 6.1: 2.2.10 AIX 7.1: 4.2.18 Level 1 |
Permission settings | Controls the /etc/ssh/sshd_config file that defines SSH server behavior. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.2.11 AIX 7.1: 4.2.19 Level 1 |
Permission settings | Controls the /etc/ssh/sshd_config file that defines SSH client behavior. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.3.1 AIX 7.1: 4.3.1 Level 1 |
Miscellaneous rules | Ensures that the default sendmail greeting string does not include the sendmail version and other related information. | /etc/security/pscexpert/bin/sendmailcis
Arguments:
|
| AIX 6.1: 2.3.2 AIX 7.1: 4.3.2 Level 1 |
Ownership settings | Determines the recommended ownership for /etc/mail/sendmail.cf are applied. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.3.2 AIX 7.1: 4.3.2 Level 1 |
Permission settings | Determines the recommended permissions for /etc/mail/sendmail.cf are applied. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.3.3 AIX 7.1: 4.3.3 Level 1 |
Ownership settings | Applies the recommended ownership for the /var/spool/mqueue directory. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.3.3 AIX 7.1: 4.3.3 Level 1 |
Permission settings | Applies the recommended permissions for the /var/spool/mqueue directory. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.4.1 AIX 7.1: 4.4.1 Level 2 |
Manage filesets | Uninstalls CDE from the system, assuming that it is not required and is already installed. | /etc/security/pscexpert/bin/managefilesets
Arguments:
|
| AIX 6.1: 2.4.2 AIX 7.1: 4.4.2 Level 2 |
Rules for /etc/inittab | Stops dt and comments its entry in the /etc/inittab file. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 2.4.3 AIX 7.1: 4.4.3 Level 1 |
Permission settings | Sets the permissions to ug-s for /usr/dt/bin/dtaction. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.4.3 AIX 7.1: 4.4.3 Level 1 |
Permission settings | Sets the permissions to ug-s for /usr/dt/bin/dtappgather. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.4.3 AIX 7.1: 4.4.3 Level 1 |
Permission settings | Sets the permissions to ug-s for /usr/dt/bin/dtprintinfo. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.4.3 AIX 7.1: 4.4.3 Level 1 |
Permission settings | Sets the permissions to ug-s for /usr/dt/bin/dtsession. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.4.6 AIX 7.1: 4.4.7 Level 1 |
Ownership settings | Ensures that the /etc/dt/config/Xconfig file is owned by root:bin. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.4.6 AIX 7.1: 4.4.7 Level 1 |
Permission settings | Sets the permissions to go-w for /etc/dt/config/Xconfig. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.4.7 AIX 7.1: 4.4.8 Level 1 |
Ownership settings | Ensures that the /etc/dt/config/Xservers file is owned by root:bin. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.4.7 AIX 7.1: 4.4.8 Level 1 |
Permission settings | Set the permissions to go-w for /etc/dt/config/Xservers. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.4.9 AIX 7.1: 4.4.9 Level 1 |
Ownership settings | Sets the ownership to root:sys for /etc/dt/config/*/Xresources. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.4.9 AIX 7.1: 4.4.9 Level 1 |
Permission settings | Sets the permissions to u=rw,go=r for /etc/dt/config/*/Xresources. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.5.2 AIX 7.1: 4.5.3 Level 1 |
Permission settings | Disables suid/sgid program execution within any mounted NFS file system. | /etc/security/pscexpert/bin/disableNFSsuid
Arguments:
|
| AIX 6.1: 2.5.3 AIX 7.1: 4.5.4 Level 1 |
Permission settings | Removes any reference to localhost or localhost aliases from the /etc/exports file. | /etc/security/pscexpert/bin/disableNFSlocal
Arguments:
|
| AIX 6.1: 2.5.4 AIX 7.1: 4.5.5 Level 2 |
Permission settings | Ensures that the NFS exported file systems and directories have defined host access. | /etc/security/pscexpert/bin/restrictNFSaccess
Arguments:
|
| AIX 6.1: 2.5.5 AIX 7.1: 4.5.6 Level 1 |
Permission settings | Sets the root_squash to -2 or -1 for all NFS exports. | /etc/security/pscexpert/bin/rootsquashNFS
Arguments:
|
| AIX 6.1: 2.5.6 AIX 7.1: 4.5.7 Level 2 |
Permission settings | Ensures that the secure option is selected for all NFS exports. | /etc/security/pscexpert/bin/secureNFS
Arguments:
|
| AIX 6.1: 2.6.1 AIX 7.1: 4.6.1 Level 2 |
Manage filesets | Ensures that the NIS client is disabled and uninstalled if it is not used in the environment. | /etc/security/pscexpert/bin/managefilesets
Arguments:
|
| AIX 6.1: 2.6.2 AIX 7.1: 4.6.2 Level 2 |
Manage filesets | Ensures the TCP Wrapper is installed and configured if there are active inetd controlled services on the system. | /etc/security/pscexpert/bin/managefilesets
Arguments:
|
| AIX 6.1: 2.6.3 AIX 7.1: 4.6.3 Level 2 |
Miscellaneous rules | Removes the + (plus) markers from the /etc/group file. | /etc/security/pscexpert/bin/rmplusmarker
Arguments:
|
| AIX 6.1: 2.6.3 AIX 7.1: 4.6.3 Level 2 |
Miscellaneous rules | Removes the + (plus) markers from the /etc/passwd file. | /etc/security/pscexpert/bin/rmplusmarker
Arguments:
|
| AIX 6.1: 2.6.4 AIX 7.1: 4.6.4 Level 2 |
Miscellaneous rules | Limits access to the NIS data to specific subnets if NIS must be used in the environment. | /etc/security/pscexpert/dodv7/checkdata
Arguments:
|
| AIX 6.1: 2.7.1, 2.7.2, 2.7.3 AIX 7.1: 4.7.1, 4.7.2, 4.7.3 Level 2 |
Miscellaneous rules | Disables the private, system, and public community string in the /etc/snmpd.conf file. | /etc/security/pscexpert/dodv2/chsnmp
Arguments:
|
| AIX 6.1: 2.8.1 AIX 7.1: 4.8.1 Level 2 |
Miscellaneous rules | Disables the inetd daemon, if all of the services that are run and managed by it are disabled. | /etc/security/pscexpert/bin/disinetd
Arguments:
|
| AIX 6.1: 2.9.1 AIX 7.1: 4.9.1 Level 2 |
Miscellaneous rules | Disables the portmap daemon, if all RPC services are disabled. | /etc/security/pscexpert/bin/disprtmap
Arguments:
|
| AIX 6.1: 2.10.1 AIX 7.1: 4.10.1 Level 2 |
Manage filesets | Installs and configures TCP Wrappers if there are active inetd controlled services on the system. | /etc/security/pscexpert/bin/managefilesets
Arguments:
|
| AIX 6.1: 2.10.2 AIX 7.1: 4.10.2 Level 1 |
Miscellaneous rules | Creates and configures the /etc/hosts.allow file if TCP wrappers are installed. | /etc/security/pscexpert/bin/chetchosts
Arguments:
|
| AIX 6.1: 2.10.3 AIX 7.1: 4.10.3 Level 2 |
Miscellaneous rules | Creates and configures the /etc/hosts.deny file if TCP wrappers are installed. | /etc/security/pscexpert/bin/chetchosts
Arguments:
|
| AIX 6.1: 2.10.4 AIX 7.1: 4.10.4 Level 2 |
/etc/inetd.conf Settings | Ensures that the inetd services utilize the TCP wrappers to restrict host access. | /etc/security/pscexpert/bin/cominetdtcpd
Arguments:
|
| AIX 6.1: 2.11.1 AIX 7.1: 4.11.1 Level 1 |
Permission settings | Controls the /etc/security directory that contains the user and group configuration files and the encrypted passwords. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.1 AIX 7.1: 4.11.1 Level 1 |
Permission settings | Controls the /etc/security directory that contains the user and group configuration files and the encrypted passwords. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.2 AIX 7.1: 4.11.2 Level 1 |
Ownership settings | Controls the /etc/group file that contains a list of the groups defined within the system. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.2 AIX 7.1: 4.11.2 Level 1 |
Permission settings | Controls the /etc/group file that contain a list of the groups defined within the system. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.3 AIX 7.1: 4.11.3 Level 1 |
Ownership settings | Sets the ownership for the /etc/passwd file that contains a list of the users defined within the system. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.3 AIX 7.1: 4.11.3 Level 1 |
Permission settings | Sets the permissions for the /etc/passwd file that contains a list of the users defined within the system. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.4 AIX 7.1: 4.11.4 Level 1 |
Ownership settings | Sets the ownership for the system audit configuration files. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.4 AIX 7.1: 4.11.4 Level 1 |
Permission settings | Sets the permissions for the system audit configuration files. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.4 AIX 7.1: 4.11.4 Level 1 |
Permission settings | Set the permissions for all /etc/security/audit/* objects and the children objects, recursively. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.5 AIX 7.1: 4.11.5 Level 1 |
Ownership settings | Sets the ownership for /audit. | etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.5 AIX 7.1: 4.11.5 Level 1 |
Permission settings | Sets the permissions for /audit. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.5 AIX 7.1: 4.11.5 Level 1 |
Permission settings | Sets the permissions for all /audit/* objects and the children objects, recursively. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.6 AIX 7.1: 4.11.6 Level 1 |
Permission settings | Sets the permissions to o-rw for /smit.log. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.7 AIX 7.1: 4.11.7 Level 1 |
Permission settings | Set the permissions to o-rw for /var/adm/cron/log. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.8 AIX 7.1: 4.11.8 Level 1 |
Permission settings | Set the permissions to o= for the children objects of /var/spool/cron/crontabs recursively. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.8 AIX 7.1: 4.11.8 Level 1 |
Permission settings | Sets the permissions to ug=rwx,o= for /var/spool/cron/crontabs. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.8 AIX 7.1: 4.11.8 Level 1 |
Ownership settings | Sets the group ownership for all /var/spool/cron/crontabs directory tree objects. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.9 AIX 7.1: 4.11.9 Level 1 |
Ownership settings | Sets the ownership for users who can schedule jobs via the at command. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.9 AIX 7.1: 4.11.9 Level 1 |
Permission settings | Sets the permissions for users who can schedule jobs via the at command. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.10 AIX 7.1: 4.11.10 Level 1 |
Ownership settings | Sets the ownership for users who can schedule jobs via the cron command. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.10 AIX 7.1: 4.11.10 Level 1 |
Permission settings | Sets the permissions for users who can schedule jobs via the cron command. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.11 AIX 7.1: 4.11.11 Level 1 |
Ownership settings | Sets the ownership for /etc/motd. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.11 AIX 7.1: 4.11.11 Level 1 |
Permission settings | Sets the permissions for /etc/motd. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.12 AIX 7.1: 4.11.12 Level 1 |
Permission settings | Sets the permissions to o-rw for /var/adm/ras/*. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.13 AIX 7.1: 4.11.13 Level 1 |
Permission settings | Sets the permissions to o-rw for /var/ct/RMstart.log. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.14 AIX 7.1: 4.11.14 Level 1 |
Permission settings | Sets the permissions to o-rw for /var/tmp/dpid2.log. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.15 AIX 7.1: 4.11.15 Level 1 |
Permission settings | Sets the permissions o-rw for /var/tmp/hostmibd.log. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.16 AIX 7.1: 4.11.16 Level 1 |
Permission settings | Sets the permissions to o-rw for /var/tmp/snmpd.log. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.17 AIX 7.1: 4.11.17 Level 1 |
Ownership settings | Sets the ownership for /var/adm/sa, which holds the performance data produced by the sar utility. | /etc/security/pscexpert/bin/chowngrp
Arguments:
|
| AIX 6.1: 2.11.17 AIX 7.1: 4.11.17 Level 1 |
Permission settings | Sets the permissions for /var/adm/sa, which holds the performance data produced by the sar utility. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.18 AIX 7.1: 4.11.18 Level 1 |
Permission settings | Sets the permissions g-w,o-w for all user configuration files in each home directory, such as .profile. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.19 AIX 7.1: 4.11.19 Level 1 |
Permission settings | Set the permissions g-w,o-w for all user home directories. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.11.20 AIX 7.1: 4.11.20 Level 1 |
Permission settings | Sets the permissions g-w,o-w for all the directories in the root user's PATH environment variable. | /etc/security/pscexpert/bin/chpermpath
Arguments:
|
| AIX 6.1: 2.12.1 AIX 7.1: 4.12.1 Level 2 |
Miscellaneous rules | Disables the login capability of all connected tty devices. | /etc/security/pscexpert/bin/ttylogin
Arguments:
|
| AIX 6.1: 2.12.2 AIX 7.1: 4.12.2 Level 2 |
Rules for /etc/inittab | Disables the i4ls license manager. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 2.12.2 AIX 7.1: 4.12.2 Level 2 |
Rules for /etc/inittab | Disables the i4ls license manager. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 2.12.3 AIX 7.1: 4.12.3 Level 2 |
Rules for /etc/inittab | Disables Network Computing System (NCS). | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 2.12.4 AIX 7.1: 4.12.4 Level 2 |
Rules for /etc/inittab | Disables httpdlite, which is a web server that provides on-line documentation. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 2.12.5 AIX 7.1: 4.12.5 Level 2 |
Rules for /etc/inittab | Disables pmd, which is a power management service that turns the machine off if it has been idle for a specific amount of time. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 2.12.6 AIX 7.1: 4.12.6 Level 2 |
Rules for /etc/inittab | Disables writesrv, which allows users to chat using the system write facility on a terminal. | /etc/security/pscexpert/bin/comntrows
Arguments:
|
| AIX 6.1: 2.12.7 AIX 7.1: 4.12.7 Level 2 |
Permission settings | Blocks attempts to use the talk and write command. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.12.7 AIX 7.1: 4.12.7 Level 2 |
Permission settings | Blocks attempts to use the talk and write command. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.12.9 AIX 7.1: 4.12.9 Level 2 |
Permission settings | Adds all users with a UID less than 200 to the /etc/ftpusers file. | /etc/security/pscexpert/bin/uidftpusers
Arguments:
|
| AIX 6.1: 2.12.10 AIX 7.1: 4.12.10 Level 1 |
Permission settings | Sets the umask of the ftp service to 027 to prevent the FTP daemon process from creating world-writable files by default. | /etc/security/pscexpert/bin/chperm
Arguments:
|
| AIX 6.1: 2.12.11 AIX 7.1: 4.12.11 Level 1 |
Miscellaneous rules | Sets an ftp login banner that displays the acceptable usage policy. | /etc/security/pscexpert/bin/ftpbanner
Arguments:
|
| AIX 6.1: 2.12.12 AIX 7.1: 4.12.12 Level 1 |
Miscellaneous rules | Creates a /etc/motd file that displays a statutory warning message after initial logon. | /etc/security/pscexpert/dodv7/checkdata
Arguments:
|
| AIX 6.1: 2.12.13, 2.12.14 AIX 7.1: 4.12.13, 4.12.14 Level 1 |
Miscellaneous rules | Reviews the current at files and adds any relevant users to the /var/adm/cron/at.allow file. Reviews the current cron files and adds any relevant users to the /var/adm/cron/cron.allow file. | /etc/security/pscexpert/bin/limitcissysacc
Arguments:
|
| AIX 6.1: 2.12.14 AIX 7.1: 4.12.14 Level 1 |
Miscellaneous rules | Reviews the current cron files and adds any relevant users to the /var/adm/cron/cron.allow file. | /etc/security/pscexpert/bin/limitcissysacc
Arguments:
|
| AIX 6.1: 2.12.15 AIX 7.1: 4.12.15 Level 1 |
Password policy settings | Ensure that all unlocked accounts on the server have a password. | /etc/security/pscexpert/bin/chkpasswd
Arguments:
|
| AIX 6.1: 2.12.16 AIX 7.1: 4.12.16 Level 1 |
Password policy settings | Ensures that all users have a unique UID on the system. | /etc/security/pscexpert/bin/checkuid
Arguments:
|
| AIX 6.1: 2.12.17 AIX 7.1: 4.12.17 Level 1 |
Password policy settings | Ensures that all groups have a unique GID on the system. | /etc/security/pscexpert/bin/checkgid
Arguments:
|
| AIX 6.1: 2.12.18 AIX 7.1: 4.12.18 Level 1 |
Remove user accounts | Removes the uucp user account to further enhance security. | /etc/security/pscexpert/bin/rmlocaluser
Arguments:
|
| AIX 6.1: 2.12.18 AIX 7.1: 4.12.18 Level 1 |
Remove user accounts | Removes the nuucp user account to further enhance security. | /etc/security/pscexpert/bin/rmlocaluser
Arguments:
|
| AIX 6.1: 2.12.18 AIX 7.1: 4.12.18 Level 1 |
Remove user accounts | Removes the lpd user account to further enhance security. | /etc/security/pscexpert/bin/rmlocaluser
Arguments:
|
| AIX 6.1: 2.12.18 AIX 7.1: 4.12.18 Level 1 |
Remove user accounts | Removes the printq user account to further enhance security. | /etc/security/pscexpert/bin/rmlocaluser
Arguments:
|
| AIX 6.1: 2.12.18 AIX 7.1: 4.12.18 Level 1 |
Manage filesets | Local Accounts: Remove the user account uucp. | /etc/security/pscexpert/bin/managefilesets
Arguments:
|
| AIX 6.1: 2.12.19 AIX 7.1: 4.12.19 Level 1 |
Miscellaneous rules | Removes the dot from the PATH environment variable in files .profile, .kshrc, .cshrc, and .login in the root home directory. | /etc/security/pscexpert/bin/rmdotfrmpathroot
Arguments:
|
| AIX 6.1: 2.12.20 AIX 7.1: 4.12.20 Level 1 |
Miscellaneous config | Removes the dot from the PATH variable in the /etc/environment file. | /etc/security/pscexpert/bin/rmdotfrmpathetcenv
Arguments:
|
| AIX 6.1: 2.14.1 AIX 7.1: 4.13.1 Level 2 |
Manage filesets | Utilizes EFS if there is a requirement for file-based encryption. | /etc/security/pscexpert/bin/managefilesets
Arguments:
|
| AIX 6.1: 2.13.2 AIX 7.1: 4.14.2 Level 2 |
Miscellaneous rules | Enables RBAC by creating so, sa, and isso users with appropriate roles. | /etc/security/pscexpert/bin/EnableRbac
Arguments:
|
| AIX 6.1: 2.15.1 AIX 7.1: 4.15.1 Level 2 |
System integrity verification | Maintains the system integrity by detecting, removing and protecting against known types of malicious software. | /etc/security/pscexpert/bin/manageITsecurity
Arguments:
|
| AIX 6.1: 2.16.1 AIX 7.1: 4.16.1 Level 2 |
Disable SUID commands | Removes suid and sgid permissions where possible. | /etc/security/pscexpert/bin/filepermgr
Arguments:
|