#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# This script is Copyright (C) 2004-2025 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.1 $
# $Date: 2025/01/06 $
#
# description : This .audit is designed against the CIS IBM AIX 7 Benchmark 1.0.0
#
# Safeguard IBM AIX 7 v1.0.0
#
# CIS
# IBM AIX 7
# L1
# 1.0.0
# https://workbench.cisecurity.org/benchmarks/10385
#
#cis,aix_unix_7
#CSCv6,CSCv7,CSCv8,LEVEL
#
# Variables (name, default, description, info, value type):
#
#   FIND_TIMEOUT
#   7200
#   Timeout for checks that search for files
#   Timeout, in seconds, for checks that search for files. Range of 1-7200.
#   INTEGER
#
#   BANNER_TEXT
#   All activities performed on this system will be monitored.
#   Banner Text
#   This is the text for the warning a user receives when logging onto the system.
#   STRING
#
#   BANNER_FILE
#   /etc/ssh/ssh_banner
#   Banner File Path
#   This is a filepath that will need to exist within sshd_config for Banner and contain the BANNER_TEXT.
#   UNIX_FILE_PATH
#
#   LOGIN_HERALD_TEXT
#   Unauthorized use of this system is prohibited.
#   Default Herald Text
#   The default herald located in /etc/security/login.cfg
#   STRING
#
#   LOCAL_SYSLOG_FILE
#   /var/log/syslog/inventory.log
#   Local log file
#   Local log file used to collect local1.info messages.
#   UNIX_FILE_PATH
#
#   CDE_LABEL_STRING
#   Authorized uses only. All activity may be monitored and reported.
#   Default CDE Label Text
#   The default text located in Xresources for greeting.labelString
#   STRING
#
#   CDE_PERSLABEL_STRING
#   Authorized uses only. All activity may be monitored and reported.
#   Default CDE PersLabel Text
#   The default text located in Xresources for greeting.persLabelString
#   STRING
#
#   FTP_LOGIN_TEXT
#   %s Authorized uses only. All activity may be monitored and reported
#   Text displayed for FTP logins
#   The message in banner.msg is displayed for FTP logins
#   STRING
#
#   PASSWORD_MINIMUM_DIFF
#   ([4-9]|[1-9][0-9]+)
#   Password Minimum Diff
#   Defines the minimum number of characters that are required in a new password which were not in the old password.
#   STRING
#
#   PASSWORD_MINIMUM_ALPHA
#   ([3-9]|[1-9][0-9]+)
#   Password Minimum Alphabetic Characters
#   Defines the minimum number of alphabetic characters in a password.
#   STRING
#
#   PASSWORD_MINIMUM_OTHER
#   ([3-9]|[1-9][0-9]+)
#   Password Minimum Other Characters
#   Defines the number of characters within a password which must be non-alphabetic.
#   STRING
#
#   PASSWORD_MINIMUM_DIGIT
#   ([1-9]|[1-9][0-9]+)
#   Password Minimum Digits
#   In setting the mindigit attribute, the password must contain a digit when it is changed by the user.
#   STRING
#
#   PASSWORD_MINIMUM_L_ALPHA
#   ([1-9]|[1-9][0-9]+)
#   Password Minimum Lower Case Alphabetic Characters
#   Defines the minimum number of lower case alphabetic characters in a password.
#   STRING
#
#   PASSWORD_MINIMUM_U_ALPHA
#   ([1-9]|[1-9][0-9]+)
#   Password Minimum Upper Case Alphabetic Characters
#   Defines the minimum number of upper case alphabetic characters in a password.
#   STRING
#
#   PASSWORD_MINIMUM_S_CHAR
#   ([1-9]|[1-9][0-9]+)
#   Password Minimum Special Characters
#   Defines the minimum number of special characters in a password.
#   STRING
#
#   HIST_EXPIRE
#   (2[6-9]|[3-9][0-9]|[1-9][0-9][0-9]+)
#   Password History Expiry
#   The history expiry determines the number of weeks that a user will not be able to reuse a password.
#   STRING
#
#   PASSWORD_MAXREPEAT
#   [1-3]
#   Password maxrepeat.
#   The maximum number of allowed same consecutive characters in a new password.
#   STRING
#
#   PASSWORD_MAX_EXPIRED
#   ([1-4])
#   Password Maximum Expired
#   The maxexpired attribute limits the number of weeks after password expiry that a password may be changed by the user.
#   STRING
#
#   PASSWORD_MAX_AGE
#   ([1-9]|1[0-2])
#   Password Maximum Age
#   Defines the maximum number of weeks that a password is valid.
#   STRING
#
#   PASSWORD_MINIMUM_LENGTH
#   (1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})
#   Password Minimum Length
#   Password Minimum Length found in /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
#   STRING
#
#   PLATFORM_VERSION
#   7\.[0-9]+
#   AIX Version
#   AIX Version
#   STRING
#

type        : CMD_EXEC
description : "AIX Version 7 found"
cmd         : "/usr/bin/oslevel"
expect      : "^[\\s]*@PLATFORM_VERSION@"

description : "Safeguard IBM AIX 7 v1.0.0 Audit File v1.0.0"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"

type        : CMD_EXEC
description : "trustchk"
cmd         : "/usr/sbin/trustchk -p TE"
expect      : "^[\\s]*TE[\\s]*=[\\s]*[Oo][Nn][\\s]*$"

type        : CMD_EXEC
description : "chkexec"
cmd         : "/usr/sbin/trustchk -p CHKEXEC"
expect      : "^[\\s]*CHKEXEC[\\s]*=[\\s]*[Oo][Nn][\\s]*$"

type        : FILE_CONTENT_CHECK
description : "kern.info"
file        : "/etc/syslog.conf"
regex       : "^[\\s]*kern\.info"
expect      : "^[\\s]*kern\.info[\\s]+"

type        : CMD_EXEC
description : "audit config TE_Untrusted"
cmd         : "/usr/bin/grep -p classes: /etc/security/audit/config | /usr/bin/grep TE_Untrusted | /usr/bin/awk '{ print } END { if (NR != 0) print \"pass\" }'"
expect      : "^pass$"

type        : CMD_EXEC
description : "audit config TE_FileWrite"
cmd         : "/usr/bin/grep -p classes: /etc/security/audit/config | /usr/bin/grep TE_FileWrite | /usr/bin/awk '{ print } END { if (NR != 0) print \"pass\" }'"
expect      : "^pass$"

type        : CMD_EXEC
description : "audit config TE_Policies"
cmd         : "/usr/bin/grep -p classes: /etc/security/audit/config | /usr/bin/grep TE_Policies | /usr/bin/awk '{ print } END { if (NR != 0) print \"pass\" }'"
expect      : "^pass$"

type        : CMD_EXEC
description : "audit config TEAdd_Stnz"
cmd         : "/usr/bin/grep -p classes: /etc/security/audit/config | /usr/bin/grep TEAdd_Stnz | /usr/bin/awk '{ print } END { if (NR != 0) print \"pass\" }'"
expect      : "^pass$"

type        : CMD_EXEC
description : "audit config TEDel_Stnz"
cmd         : "/usr/bin/grep -p classes: /etc/security/audit/config | /usr/bin/grep TEDel_Stnz | /usr/bin/awk '{ print } END { if (NR != 0) print \"pass\" }'"
expect      : "^pass$"

type        : CMD_EXEC
description : "audit config TESwitch_algo"
cmd         : "/usr/bin/grep -p classes: /etc/security/audit/config | /usr/bin/grep TESwitch_algo | /usr/bin/awk '{ print } END { if (NR != 0) print \"pass\" }'"
expect      : "^pass$"

type        : CMD_EXEC
description : "audit config TEQuery_Stnz"
cmd         : "/usr/bin/grep -p classes: /etc/security/audit/config | /usr/bin/grep TEQuery_Stnz | /usr/bin/awk '{ print } END { if (NR != 0) print \"pass\" }'"
expect      : "^pass$"

description : "2.1.2 Ensure Unauthorized Applications are reported"
info        : "At Level 1, utilize Trusted Execution (TE) to log execution of applications not yet allowlisted. This can be used to update the allowlist (TSD - /etc/security/tsd/tsd.dat ) so that, at Profile Level 2, non-listed applications are actually prevented from executing.

Trusted Execution (TE) provides an additional layer of access controls to processes on top of the base Discretionary Access Controls. Monitoring how processes access system resources can improve awareness of system integrity."
solution    : "NOTE : This does not include the process for configuring the AUDIT system. See: Setting Up Auditing -> https://www.ibm.com/docs/en/aix/7.3?topic=overview-setting-up-auditing

# trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=OFF
# mkdir -p /var/log/syslog
# touch /var/log/syslog/kernel.log
# print \"kern.info /var/log/syslog/kernel.log rotate 1m files 24 compress\" >> /etc/syslog.conf
# print \"kern.info @rsyslog.domain\" >> /etc/syslog.conf
# refresh -s syslogd || startsrc -s syslogd

Impact:
As long as the TE policies STOP_UNTRUSTED=OFF and STOP_ON_CHKFAIL=OFF the system will only log missing entries."
reference   : "800-171|3.4.8,800-53|CM-7(5),800-53|CM-10,800-53r5|CM-7(5),800-53r5|CM-10,CSCv7|2.7,CSCv8|2.5,CSF|DE.CM-3,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
show_output : YES

type        : FILE_CONTENT_CHECK
description : "2.2 Ensure system configuration is documented and verified regularly"
info        : "Maintain a listing of the system configuration showing assets configured into the system. The syslog facility local1 is chosen as this is also the facility that the Dynamic Resource Manager (DRM) reports to. The command logger simplifies appending command stdout to the syslogd."
solution    : "- This example shows how to set up a daily cronjob. The actual frequency you use might differ. The keyword in the recommendation is: regular.
- This example also shows two syslog reporting lines: one to a system file, the second to a centralized syslog service.
- The syslog facility local1 is used to keep these reports out of the standard syslog facilities. This is not meant to establish a requirement to use facility local1.

# mkdir -p /var/log/syslog
# touch /var/log/syslog/inventory.log
# print \"local1.info /var/log/syslog/inventory.log rotate 1m files 24 compress\" >> /etc/syslog.conf
# print \"local1.info @rsyslog.domain\" >> /etc/syslog.conf
# refresh -s syslogd || startsrc -s syslogd
# print \"0 0 * * * /usr/sbin/lsconf -v | /usr/bin/logger -p local1.info -t Inventory\" >> /var/spool/cron/crontabs/root
# /usr/sbin/lsconf -v | /usr/bin/logger -p local1.info -t Inventory

Impact:
All changes to the system configuration should be logged so that the expected configuration is documented. Regular verification of the current configuration makes it possible to identify and correct undocumented system configuration changes."
reference   : "800-171|3.4.1,800-53|CM-8,800-53|CM-8(1),800-53|PM-5,800-53r5|CM-8,800-53r5|CM-8(1),800-53r5|PM-5,CN-L3|8.1.10.2(a),CN-L3|8.1.10.2(b),CSCv7|1.4,CSCv8|1.1,CSF|DE.CM-7,CSF|ID.AM-1,CSF|ID.AM-2,CSF|PR.DS-3,CSF2.0|ID.AM-01,CSF2.0|ID.AM-02,CSF2.0|PR.PS-01,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ITSG-33|CM-8,ITSG-33|CM-8(1),LEVEL|1M,NESA|T1.2.1,NESA|T1.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
file        : "/etc/syslog.conf"
regex       : "^[\\s]*local1.info[\\s]*@LOCAL_SYSLOG_FILE@"
expect      : "^[\\s]*local1.info[\\s]*@LOCAL_SYSLOG_FILE@"

type        : CMD_EXEC
description : "2.4 Ensure unused symbolic links are removed"
info        : "This recommendation finds and removes symbolic links whose targets are missing. Symbolic Links that do not have a valid target are a risk to system integrity. The recommendation is to scan frequently (weekly or daily) for symbolic links without a valid target object and remove them. Do not assume that anyone responsible for maintaining system integrity is (actively) monitoring unknown software. Symbolic links - pointing at nothing - are, by definition, unauthorized and/or belong on a blocklist."
solution    : "The following command will remove all symbolic links that lack a valid target object:

find -L / \( -fstype jfs -o -fstype jfs2 \) -type l | xargs rm

Impact:
Symbolic Links, used properly, are a tremendous asset - enhancing system usability (ease of use). However, when pointing to nothing (i.e., whatever they pointed at has been removed but not replaced) system integrity is at the mercy of whatever process replaces that filesystem location later. To reduce risk to system integrity any symbolic link that points at a non-existent file-system object is to be removed.

Note: most symbolic links that point at no longer existent objects exist due to incomplete software removal procedures. When an authorized application is (re-)installed its installation process will (or should) re-create the symbolic link."
reference   : "800-171|3.4.1,800-171|3.4.7,800-171|3.4.9,800-53|CM-7(2),800-53|CM-8(3),800-53|CM-10,800-53|CM-11,800-53r5|CM-7(2),800-53r5|CM-8(3),800-53r5|CM-10,800-53r5|CM-11,CN-L3|8.1.10.2(a),CN-L3|8.1.10.2(b),CSCv7|2.6,CSCv8|2.3,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|ID.AM-01,CSF2.0|ID.AM-02,CSF2.0|PR.PS-01,CSF2.0|PR.PS-02,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7(2),ITSG-33|CM-8(3),LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
cmd         : "/usr/bin/find -L / \\( -fstype jfs -o -fstype jfs2 \\) -type l -ls 2>&1 | /usr/bin/grep -v 'Link to an already visited ancestor' | /usr/bin/awk '{print} END {if (NR==0) print \"none\"}'"
expect      : "^none$"
timeout     : "@FIND_TIMEOUT@"

type        : CMD_EXEC
description : "3.1 Ensure default user umask is configured"
info        : "The user file-creation mode mask ( umask ) is used to determine the file permission for newly created directories and files. In AIX, the default permissions for any newly created directory is 0755 (rwxr-xr-x), and for any newly created file it is 0644 (rw-r--r--). The umask modifies the default AIX permissions by restricting (masking) these permissions. The umask is not simply subtracted, but is processed bitwise. Bits set in the umask are cleared in the resulting file mode.

Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
solution    : "Add the umask attribute to the default user stanza in /etc/security/user :

chsec -f /etc/security/user -s default -a umask=027"
reference   : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
cmd         : "/usr/bin/lssec -f /etc/security/user -s default -a umask"
expect      : "^[\\s]*default[\\s]+umask[\\s]*=[\\s]*[2-7]7[\\s]*$"

type        : FIND_CMD
description : "3.2 Ensure group write permission are removed from default groups"
info        : "The system is audited for group writable files. An audit should be performed on the system to search for the presence of group writable files. In an extreme case - where this permission is required - the file needs to be added to the TSD and audit configurations. The preference is no group writeable files."
solution    : "- Review the currently mounted local filesystems using the following to find all group writable files on local JFS/JFS2 filesystems only:

find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -ls

- Remedy any files in the list, e.g., chmod g-w (unknown)
- Document any files, and motivate why they are group writeable, and also add documentation re: when/why this exception ceases."
reference   : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
not_expect  : ".+"
find_type   : "f"
perm        : "-g+w"

type        : FIND_CMD
description : "3.3 Ensure world writable directories have the SVTX bit set"
info        : "The system is audited for world writable directories. World writable directories are considered as a common application component - usually a location for temporary files. An audit should be performed on the system to search for the presence of world writable directories. Directories should only be world writable when absolutely necessary, and only with the so-called SVTX bit set. This protects users' files from being deleted or renamed."
solution    : "- Review the local mounted JFS/JFS2 filesystems using the following command to find all world writable directories missing the SVTX bit:

find / \( -fstype jfs -o -fstype jfs2 \) -type d -perm -o+w ! -perm -1000 -ls

- If a directory must retain world writable access, ensure that the SVTX bit is set so that users can only remove the filenames they own:

chmod o+t ${dir}

NOTE: This will leave existing modes while adding the SVTX (also known as sticky bit ) to the directory. The documented meaning of the flag for directories is: Sets the link permission to directories

- Otherwise, remove world-write permission - without modifying the other mode bits:

chmod o-w ${dir}

Impact:
World writable directories exist on UNIX systems (e.g., /tmp, /var/tmp). These directories are needed for normal operations. To protect the files created in the directories the 'links to the inode' (ie, filename) need to be protected so that others may not accidentally, or maliciously - remove or modify the filename."
reference   : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
not_expect  : ".+"
find_type   : "d"
not_perm    : "-1000"
perm        : "-o+w"

type        : FIND_CMD
description : "3.5 Ensure world writable files are secured"
info        : "The system is audited for world writable files. An audit should be performed on the system to search for the presence of world writable files. In an extreme case - where this permission is required - the file needs to be added to the TSD and audit configurations. The preference is no world writeable files."
solution    : "- Review the currently mounted local filesystems using the following to find all world writable files on local JFS/JFS2 filesystems only:

find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -o+w -ls

- Remedy any files in the list, e.g., chmod o-w (unknown)
- Document any files, and motivate why they are world writeable, and also add documentation re: when/why this exception ceases."
reference   : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
not_expect  : ".+"
exec        : "ls -ld '{}' \\;"
find_type   : "f"
perm        : "-o+w"

type        : FIND_CMD
description : "3.6 Ensure there are no group \"staff\" writable files"
info        : "The system is audited for group staff writable files. An audit should be performed on the system to search for files that can be modified by members of the group staff. As staff is the default group for user accounts, any file that is writable via group staff is comparable to being writable by other, aka world writable. In a case - where this permission is required - the recommendation is to create a new group and appoint a group administrator. The goal is no group staff writable files."
solution    : "- Review the currently mounted local filesystems using the following to find all world writable files on local JFS/JFS2 filesystems only:

find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff -ls

- Remedy any files in the list, e.g., chmod o-w (unknown)
- Document any files, and motivate why they are world writeable, and also add documentation re: when/why this exception ceases."
reference   : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
not_expect  : ".+"
exec        : "ls -ld '{}' \\;"
find_type   : "f"
group       : "staff"
perm        : "-g+w"

type        : FIND_CMD
description : "3.7 Ensure no files or directories without an owner and a group exist"
info        : "When a user or group identifier is removed from the system, verify that any data associated with the removed ID is either removed or re-assigned. Worst case: a previously removed UID/GID is re-instated. Data left behind is suddenly owned by and/or accessible to the new ID - gaining unintended access to data left behind."
solution    : "Review the currently mounted local filesystems:

find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls

- Either assign UID/GID:

chown
chgrp

- or remove the file/directory:

[[ -f ]] && rm -f
[[ -d ]] && rmdir

- Repeat the audit"
reference   : "800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|MP-6,800-53r5|MP-6,800-53r5|SR-12,CSCv8|3.5,CSF|PR.DS-3,CSF|PR.IP-6,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.8.3.2,ITSG-33|MP-6,LEVEL|1A,NESA|T1.4.1,NESA|T1.4.2,NIAv2|MS5b,NIAv2|MS6,NIAv2|MS9,NIAv2|MS10a,NIAv2|MS10b,NIAv2|MS10c,NIAv2|MS10d,NIAv2|MS10e,NIAv2|MS10f,NIAv2|MS11a,NIAv2|MS11b,NIAv2|MS12a,NIAv2|MS12b,NIAv2|MS12c,NIAv2|MS13,NIAv2|MS14,NIAv2|MS17,NIAv2|MS18a,NIAv2|MS18b,NIAv2|MS18c,NIAv2|MS20,NIAv2|MS21,NIAv2|NS16,QCSC-v1|3.2,QCSC-v1|6.2"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
not_expect  : ".+"
exec        : "ls -ld '{}' \\;"
find_type   : "f" || "d"
nogroup     : YES
nouser      : YES

type        : FILE_CHECK
description : "4.1.1.1 Ensure access on /smit.log is configured"
info        : "The /smit.log file maintains a history of all smit commands run as root. The /smit.log file may contain sensitive information regarding system configuration, which may be of interest to an attacker. This log file must be secured from unauthorized access and modifications."
solution    : "Remove world read and write access to /smit.log :

chmod o-rw /smit.log"
reference   : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
file        : "/smit.log"
mask        : "137"
file_required : NO

type        : FILE_CHECK
description : "4.1.1.10 Ensure access on /var/adm/cron/at.allow is configured"
info        : "The /var/adm/cron/at.allow file contains a list of users who can schedule jobs via the at command. The /var/adm/cron/at.allow file controls which users can schedule jobs via the at command. Only the root user should have permissions to create, edit, or delete this file."
solution    : "Apply the appropriate permissions to /var/adm/cron/at.allow :

chown root:sys /var/adm/cron/at.allow
chmod u=r,go= /var/adm/cron/at.allow"
reference   : "800-171|3.1.1,800-53|AC-3,800-53|AC-3(1),800-53r5|AC-3,800-53r5|AC-3(1),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|3.3,CSCv7|14.6,CSF|PR.AC-4,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-3(1),LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
file        : "/var/adm/cron/at.allow"
owner       : "root"
mask        : "377"
required    : NO
group       : "sys"

type        : FILE_CHECK
description : "4.1.1.11 Ensure access on /var/adm/cron/cron.allow is configured"
info        : "The /var/adm/cron/cron.allow file contains a list of users who can schedule jobs via the cron command. The /var/adm/cron/cron.allow file controls which users can schedule jobs via cron. Only the root user should have permissions to create, edit, or delete this file."
solution    : "Apply the appropriate permissions to /var/adm/cron/cron.allow :

chown root:sys /var/adm/cron/cron.allow
chmod u=r,go= /var/adm/cron/cron.allow"
reference   : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
file        : "/var/adm/cron/cron.allow"
owner       : "root"
mask        : "377"
required    : NO
group       : "sys"

type        : FILE_CHECK
description : "4.1.1.12 Ensure access on /var/adm/cron/log is configured"
info        : "The /var/adm/cron/log file contains a log of all cron jobs run on the system. The /var/adm/cron/log records all cron jobs run on the system. The file permissions must ensure that it is accessible only to its owner and group."
solution    : "Specify exact permissions and user.group ids to /var/adm/cron/log :

chmod ug=rw /var/adm/cron/log
chown bin.cron /var/adm/cron/log"
reference   : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also    : "https://workbench.cisecurity.org/benchmarks/10385"
file        : "/var/adm/cron/log"
owner       : "bin"
mask        : "117"
group       : "cron"

type        : FILE_CHECK
description : "4.1.1.13 Ensure access on /var/ct/RMstart.log is configured"
info        : "The /var/ct/RMstart.log is the logfile used by RMC and can contain sensitive data that must be secured. RMC provides a single monitoring and management infrastructure for both RSCT peer domains and management domains. Its generalized framework is used by cluster management tools to monitor, query, modify, and control cluster resources. /var/ct/RMstart.log is the logfile used by RMC and can contain sensitive data that must be secured."
solution : "Remove world read and write from /var/ct/RMstart.log : chmod o-rw /var/ct/RMstart.log" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/var/ct/RMstart.log" owner : "root" mask : "137" group : "system" type : FILE_CHECK description : "4.1.1.14 Ensure access on /var/tmp/dpid2.log is configured" info : "The /var/tmp/dpid2.log is the logfile used by dpid2 daemon, and contains SNMP information. The /var/tmp/dpid2.log logfile is used by the dpid2 daemon and can contain sensitive SNMP information. This file must be secured from unauthorized access and modifications." 
solution : "Remove world read and write from /var/tmp/dpid2.log : chmod o-rw /var/tmp/dpid2.log" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/var/tmp/dpid2.log" owner : "root" mask : "137" required : NO group : "system" type : FILE_CHECK description : "4.1.1.15 Ensure access on /var/tmp/hostmibd.log is configured" info : "The /var/tmp/hostmibd.log is the logfile used by hostmibd daemon, and contains network and machine related information. The /var/tmp/hostmibd.log log file can contain network and machine related statistics logged by the daemon. This file must be secured from unauthorized access and modifications." 
solution : "Remove world read and write from /var/tmp/hostmibd.log : chmod o-rw /var/tmp/hostmibd.log" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/var/tmp/hostmibd.log" owner : "root" mask : "137" file_required : NO group : "system" type : FILE_CHECK description : "4.1.1.16 Ensure access on /var/tmp/snmpd.log is configured" info : "The /var/tmp/snmpd.log is the logfile used by snmpd daemon, and contains network and machine related information. The /var/tmp/snmpd.log logfile contains sensitive information through which an attacker can find out about the SNMP deployment architecture in your network. This log file must be secured from unauthorized access." 
solution : "Remove world read and write from /var/tmp/snmpd.log: chmod o-rw /var/tmp/snmpd.log" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/var/tmp/snmpd.log" owner : "root" mask : "137" file_required : NO group : "system" type : CMD_EXEC description : "4.1.1.17 Ensure crontab is restricted to authorized users" info : "This script checks the permissions of all the root crontab entries, to ensure that they are owned and writable by the root user only. All root crontab entries must be owned and writable by the root user only. If a script had group or world writable access, it could be replaced or edited with malicious content, which would then subsequently run on the system with root authority." solution : "Ensure that all root crontab entries are owned and writable by root only. 
The script below traverses up each individual directory path, ensuring that all directories are not group/world writable and that they are owned by the root or bin user:

crontab -l |egrep -v '^#' |awk '{print $6}' |grep \"^/\" |sort -u | while read DIR
do
  DIR=${DIR:-$(pwd)}
  while [[ -a ${DIR} ]]
  do
    [[ \"$(ls -ld ${DIR})\" = @(????????w? *) ]] && print \" WARNING ${DIR} is world writable\"
    [[ \"$(ls -ld ${DIR})\" = @(?????w???? *) ]] && print \" WARNING ${DIR} is group writable\"
    [[ \"$(ls -ld ${DIR} |awk '{print $3}')\" != @(root|bin) ]] && print \" WARNING ${DIR} is not owned by root or bin\"
    DIR=${DIR%/*}
  done
done

NOTE: Review the output and manually change the directories, if possible. Directories which are group and/or world writable or not owned by root are marked with \"WARNING\"

To manually change permissions on the files or directories:
To remove group writable access: chmod g-w
To remove world writable access: chmod o-w
To remove both group and world writable access: chmod go-w
To change the owner of a file or directory: chown "
reference : 
"800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/crontab -l | /usr/bin/egrep -v '^#' | /usr/bin/awk '{print $6}' | /usr/bin/grep \"^/\" | /usr/bin/sort -u | while read DIR; do DIR=${DIR:-$(pwd)}; while [[ -a ${DIR} ]]; do [[ \"$(ls -ld ${DIR})\" = @(????????w? *) ]] && print \" WARNING ${DIR} is world writable\"; [[ \"$(ls -ld ${DIR})\" = @(?????w???? *) ]] && print \" WARNING ${DIR} is group writable\"; [[ \"$(ls -ld ${DIR} |/usr/bin/awk '{print $3}')\" != @(root|bin) ]] && print \" WARNING ${DIR} is not owned by root or bin\"; DIR=${DIR%/*}; done; done | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'" expect : "^none$" type : CMD_EXEC description : "4.1.1.18 Ensure Home directory configuration file access is configured" info : "The user configuration files in each home directory e.g. $HOME/.profile must not be group or world writable. 
Group or world-writable user configuration files may enable malicious users to steal or modify other users' data, or to gain elevated privileges."
solution : "Search and remediate any user configuration files which have group or world writable access:

lsuser -a home ALL |cut -f2 -d= |egrep -v \"^/$|/etc|/bin|/var|/usr|/usr/sys\" |while read homedir; do
  if [[ -d ${homedir} ]]; then
    echo \"Removing 'go-w' from all user configuration files in '${homedir}'\"
    ls -a ${homedir} |egrep \"^\.[a-z]\" |while read file; do
      if [[ -f \"${homedir}/${file}\" ]]; then
        echo \"Running 'chmod go-w' on '${homedir}/${file}'\"
        chmod go-w \"${homedir}/${file}\"
      fi
    done
  else
    echo \"ERROR - no home directory for '${homedir}'\"
  fi
done

NOTE: The permission change is automatically applied"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/cat /etc/passwd | /usr/bin/awk -F: '($7 != \"/sbin/nologin\" && $7 != \"/bin/false\") { 
print $1 \" \" $6 }' | /usr/bin/egrep -v \"^/$|/etc|/bin|/var|/usr|/usr/sys\" | while read user dir; do if [ ! -d \"$dir\" ]; then /usr/bin/echo \"The home directory ($dir) of user $user does not exist.\"; else for file in $dir/.[A-Za-z0-9]*; do if [ ! -h \"$file\" -a -f \"$file\" ]; then fileperm=`ls -ld $file | cut -f1 -d\" \"`; if [ `/usr/bin/echo $fileperm | cut -c6` != \"-\" ]; then /usr/bin/echo \"Group Write permission set on file $file\"; fi; if [ `/usr/bin/echo $fileperm | cut -c9` != \"-\" ]; then /usr/bin/echo \"Other Write permission set on file $file\"; fi; fi; done; fi; done | /usr/bin/awk '{print} END {if (NR == 0) print \"Pass - No home configuration files found with group or other permissions\"; else print}'" expect : "Pass - No home configuration files found with group or other permissions" type : FIND_CMD description : "4.1.1.19 Ensure SUID and SGID files are reviewed" info : "The system is audited for both suid and sgid files and programs. An audit should be performed on the system to search for the presence of both suid and sgid files and programs. In order to prevent these files from being potentially exploited the suid and sgid permissions should be removed wherever possible." 
solution : "Review the currently mounted filesystems:
mount

Un-mount all non-local filesystems and cdrom media:
unmount

If there are non-local filesystems which cannot be un-mounted, use the following to find all suid and sgid files on local JFS/JFS2 filesystems only:
find / \( -fstype jfs -o -fstype jfs2 \) \( -perm -04000 -o -perm -02000 \) -type f -ls

If all non-local filesystems have been un-mounted:
find / \( -perm -04000 -o -perm -02000 \) -type f -ls

Review the files and where possible, use the chmod command to remove the appropriate suid or sgid bits:
chmod u-s
chmod g-s "
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
not_expect : ".+"
exec : "ls -ld '{}' \\;"
find_type : "f"
perm : "-04000" || "-02000"
type : FILE_CHECK
description : "4.1.1.2 Ensure access on /etc/group is configured"
info : "The /etc/group file contains a list of the groups defined within the system. 
The /etc/group file defines basic group attributes. Since the file contains sensitive information, it must be properly secured." solution : "Ensure correct ownership and permissions are in place for /etc/group : chown root:security /etc/group chmod u=rw,go=r /etc/group" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/group" owner : "root" mask : "133" group : "security" type : FILE_CHECK description : "4.1.1.3 Ensure access on /etc/inetd.conf is configured" info : "The recommended permissions and ownership for /etc/inetd.conf are applied. The /etc/inetd.conf file contains the list of services that inetd controls and determines their current status i.e. active or disabled. This file must be protected from unauthorized access and modifications to ensure that the services disabled in this benchmark remain locked down." 
solution : "Set the recommended permissions and ownership to /etc/inetd.conf : chmod u=rw,go=r /etc/inetd.conf chown root:system /etc/inetd.conf trustchk -u /etc/inetd.conf mode=644" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/inetd.conf" owner : "root" mask : "133" group : "system" type : FILE_CHECK description : "4.1.1.4 Ensure access on /etc/motd is configured" info : "The /etc/motd file contains the message of the day, shown after successful initial login. The /etc/motd file contains the message of the day, shown after successful initial login. The file should only be editable by its owner." 
solution : "Apply the appropriate permissions to /etc/motd : chown bin:bin /etc/motd chmod u=rw,go=r /etc/motd" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/motd" owner : "bin" mask : "133" group : "bin" type : FILE_CHECK description : "4.1.1.5 Ensure access on /etc/passwd is configured" info : "The /etc/passwd file contains a list of the users defined within the system. The /etc/passwd file defines all users within the system. Since the file contains sensitive information, it must be properly secured." 
solution : "Ensure correct ownership and permissions are in place for /etc/passwd :
chown root:security /etc/passwd
chmod u=rw,go=r /etc/passwd"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
file : "/etc/passwd"
owner : "root"
mask : "133"
group : "security"
type : FILE_CHECK
description : "4.1.1.6 Ensure /etc/mail/submit.cf access is configured"
info : "From AIX 7.2.4, sendmail is updated to version 8.15.2 and there is a new configuration file, /etc/mail/submit.cf. Ensure the permission is changed to -rw-r----- (0640). Only privileged users should be able to make changes to this configuration file, /etc/mail/submit.cf."
solution : "chmod u=rw,g=r,o= /etc/mail/submit.cf

Impact: It will not impact the usability of the application or system."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/mail/submit.cf" mask : "137" required : NO type : FILE_CHECK description : "4.1.1.7 Ensure access to /etc/ssh/ssh_banner is configured" info : "The contents of the /etc/ssh/ssh_banner file are displayed to users prior to login for connections via SSH. -IF- the /etc/ssh/ssh_banner file does not have the correct access configured, it could be modified by unauthorized users with incorrect or misleading information." 
solution : "Run the following commands to set mode, owner, and group on /etc/ssh/ssh_banner : # chown root:root /etc/ssh/ssh_banner # chmod u=rw,go=r /etc/ssh/ssh_banner" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/ssh/ssh_banner" owner : "root" mask : "133" required : NO group : "system" type : FILE_CHECK description : "4.1.1.8 Ensure access on /etc/ssh/ssh_config is configured" info : "The /etc/ssh/ssh_config file defines SSH client behavior. The /etc/ssh/ssh_config file is the system-wide client configuration file for OpenSSH, which allows you to set options that modify the operation of the client programs. 
The recommended value is not to provide any writable access rights for any user other than root" solution : "Change the permissions of the /etc/ssh/ssh_config file to ensure that only the owner can read and write to the file: chmod 644 /etc/ssh/ssh_config" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/ssh/ssh_config" owner : "root" mask : "133" group : "system" type : FILE_CHECK description : "4.1.1.9 Ensure access on /etc/ssh/sshd_config is configured" info : "The /etc/ssh/sshd_config file defines SSH server behavior. The SSH daemon reads the configuration information from this file and includes the authentication mode and cryptographic levels to use during SSH communication." 
solution : "Change the permissions of the /etc/ssh/sshd_config file to ensure all accounts can read the file but only the owner (root) can modify it:

chmod u=rw,go=r /etc/ssh/sshd_config

Impact:
Some organizations feel all configuration information for OpenSSH server must be confidential - and many other benchmarks recommend exclusive root access to the file /etc/ssh/sshd_config.

This configuration will work UNLESS sftp access is required by non-root users. Non-root users (when mode is octal 0600) cannot load_server_config and the connection closes even though authentication succeeded.

Jun 25 14:42:45 x071 auth|security:info sshd[12255378]: Accepted password for michael from 192.168.129.65 port 32810 ssh2
Jun 25 14:42:45 x071 auth|security:info sftp-server[7077962]: session opened for local user michael from [192.168.129.65]
Jun 25 14:42:45 x071 auth|security:debug sftp-server[7077962]: debug2: load_server_config: filename /etc/ssh/sshd_config
Jun 25 14:42:45 x071 auth|security:info sshd[8847468]: Received disconnect from 192.168.129.65 port 32810:11: disconnected by user
Jun 25 14:42:45 x071 auth|security:info sshd[8847468]: Disconnected from user michael 192.168.129.65 port 32810

- This is what is needed for the sftp-server to start:

Jun 25 14:45:10 x071 auth|security:info sshd[7077994]: Accepted password for michael from 192.168.129.65 port 32812 ssh2
Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: session opened for local user michael from [192.168.129.65]
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: load_server_config: filename /etc/ssh/sshd_config
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: load_server_config: done config len = 288
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug2: parse_server_config: config /etc/ssh/sshd_config len 288
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:34 setting SyslogFacility AUTH
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:36 setting LogLevel INFO
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:114 setting Banner /etc/banner
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: /etc/ssh/sshd_config:117 setting Subsystem sftp\t/usr/sbin/sftp-server -l DEBUG3 -f AUTH
Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: received client version 3
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug3: request 0: realpath
Jun 25 14:45:10 x071 auth|security:info sftp-server[11272308]: realpath \".\"
Jun 25 14:45:10 x071 auth|security:debug sftp-server[11272308]: debug1: request 0: sent names count 1

- The recommendation is to stay with the default file mode (octal 0644) unless site policy requires octal 0600 AND it is acceptable that sftp will not function.
- Choosing octal 0600 is considered a Level 2 recommendation"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
file : "/etc/ssh/sshd_config"
owner : "root"
mask : "133"
group : "system"
type : CMD_EXEC
description : "4.1.2.1 Ensure local user Home directories exists"
info : "All accounts must have a trusted starting point - a HOME directory. A missing home directory on many systems places the account in a default directory. Examples include: / and /home/guest

This recommendation is specifically about locally administered accounts (in AIX terms, -R files). If an account exists in the local registry it must have a home directory that is accessible. This is to ensure it is not an invalid account (e.g., restored via a backup accidentally). If it is a valid account, it still needs a home directory. As the difference between a valid account missing a HOME directory and an invalid account missing a HOME directory cannot be made by a script, the recommendation is to lock the account."
solution : "Lock local accounts with UID >= 200 when HOME directory does not exist:

#!/usr/bin/ksh -e
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest; do
  uid=$(echo ${ids} | cut -f2 -d =)
  if [[ ${uid} -ge 200 ]]; then
    home=$(echo ${homes} | cut -f2 -d =)
    locked=$(echo ${locks} | cut -f2 -d =)
    if [[ ${locked} == \"true\" ]]; then
      continue
    elif [[ ! -d ${home} ]]; then
      /usr/bin/printf \"Locked Account [%s]: Missing \${HOME} at: %-32s\n\" ${name} ${home}
      /usr/bin/chuser -R files account_locked=true ${name}
    fi
  fi
done

Impact: A valid user can open a ticket and get a HOME directory created or restored. The risk of an invalid user gaining access via an old username is reduced."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "#!/usr/bin/ksh -e
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest; do
    uid=$(echo ${ids} | cut -f2 -d =)
    if [[ ${uid} -ge 200 ]]; then
        home=$(echo ${homes} | cut -f2 -d =)
        locked=$(echo ${locks} | cut -f2 -d =)
        if [[ ${locked} == \"true\" ]]; then
            continue
        elif [[ ! -d ${home} ]]; then
            /usr/bin/printf \"Recommend Lock Account [%s]: Missing \\${HOME} at: %-32s\\n\" ${name} ${home}
        fi
    fi
done | /usr/bin/awk '{ print } END { if(NR==0) { print \"pass\" } }'"
expect : "^pass$"

type : CMD_EXEC
description : "4.1.2.10 Ensure root user has a dedicated home directory"
info : "The root user must have a dedicated home directory and not use / as their home directory.
By default, the home directory for the root user on AIX is /. This means that all configuration files and directories it creates are visible to all users and may be accessible if the root user has a weak umask setting. Moving these files to a dedicated home directory and setting appropriate file permissions allows for appropriate use of discretionary access control to these files."
solution : "Create a new home directory for the root user:
mkdir /root
Set ownership and permissions on this directory:
chown root:system /root
chmod 0700 /root
Update the home directory for the root user:
chuser home=/root root
Move any necessary configuration files or directories to this new directory."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/lsuser -a home root"
expect : "^root[\\s]*home=/[a-zA-Z0-9_-]+$"

type : CMD_EXEC
description : "4.1.2.2 Ensure Home directories access is configured"
info : "All user home directories must have a suitable owner UID.
Manipulating home directories may enable malicious users to steal or modify data, or to gain other users' system privileges.
The UID (or owner) of the HOME directory needs to be either the account or a special account defined for this purpose. When the account is the owner - the security policy must specify that (some) accounts may have DAC authorization to modify HOME directory contents. Security policy may also specify a special UID used to own HOME directories to prevent accounts from modifying the layout and/or content of the HOME directory.
The assumption of this recommendation is that security policy has not specified either. The recommendation is to lock accounts when the HOME directory is not owned by the user or by root."
solution : "For all local accounts with UID >= 200:
#!/usr/bin/ksh -e
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest; do
    uid=$(echo ${ids} | cut -f2 -d =)
    if [[ ${uid} -ge 200 ]]; then
        home=$(echo ${homes} | cut -f2 -d =)
        locked=$(echo ${locks} | cut -f2 -d =)
        if [[ ${home} == \"/dev/null\" || ${locked} == \"true\" ]]; then
            continue
        elif [[ ! -d ${home} ]]; then
            /usr/bin/printf \"%-32s does not exist; Run appropriate CIS remediation for [%s]\n\" ${home} ${name}
            continue
        else
            # perl exits 1 when the directory is owned by neither the account nor root;
            # the command after || then locks the account
            /usr/bin/perl -e '
                $user=$ARGV[0]; $hd=$ARGV[1]; $uid=$ARGV[2];
                $huid=((stat $hd)[4]);
                if ($huid != $uid && $huid != 0) {
                    printf(\"Locked Account: %s does not own %s.\n\", ${user}, ${hd});
                    exit(1); # triggers command after OR (||)
                }' ${name} ${home} ${uid} || \
            /usr/bin/chuser -R files account_locked=true $name
        fi
    fi
done
Impact:
* Locally administered accounts with HOME directories owned by a random userid will be locked. Valid users can open a ticket to get the UID of their HOME directory corrected. The risk of a malicious user modifying an account's HOME directory is reduced."
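Added example (not part of the CIS benchmark or of Tenable's audit): the two home-directory tests above, 4.1.2.1 (HOME missing) and 4.1.2.2 (HOME owned by neither the account nor root), written as one POSIX sh audit that runs outside AIX. It assumes only `ls -ldn` and `awk`; the account table is a constructed file in the `name id=... home=... account_locked=...` layout that `lsuser -a id home account_locked` prints, and `make_demo` builds it together with a throwaway directory tree. `audit_homes` only reports, like the audit `cmd` fields do; the `chuser` lock step of the remediation is not reproduced.

```shell
#!/bin/sh
# Added example: emulate CIS AIX 4.1.2.1 / 4.1.2.2 on a constructed account table.
# Record layout (one account per line), as printed by `lsuser -a id home account_locked`:
#   name id=<uid> home=<path> account_locked=<true|false>

# Numeric owner uid of a path; `ls -n` is POSIX, unlike `stat`, whose flags differ per OS.
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# audit_homes ACCOUNT_FILE [MIN_UID]
# One "Recommend Lock Account" line per finding, or "pass" when there are none.
audit_homes() {
    acct_file=$1
    min_uid=${2:-200}                             # the benchmark only looks at uid >= 200
    while read -r name ids homes locks rest; do
        [ -z "$name" ] && continue
        uid=${ids#id=}
        home=${homes#home=}
        locked=${locks#account_locked=}
        [ "$uid" -ge "$min_uid" ] || continue
        [ "$locked" = true ] && continue          # already locked: nothing to do
        [ "$home" = /dev/null ] && continue       # intentionally home-less account
        if [ ! -d "$home" ]; then                 # 4.1.2.1: HOME must exist
            printf 'Recommend Lock Account [%s]: missing HOME at %s\n' "$name" "$home"
            continue
        fi
        huid=$(owner_uid "$home")                 # 4.1.2.2: owner must be the user or root
        if [ "$huid" -ne "$uid" ] && [ "$huid" -ne 0 ]; then
            printf 'Recommend Lock Account [%s]: %s is owned by uid %s\n' "$name" "$home" "$huid"
        fi
    done < "$acct_file" | awk '{ print } END { if (NR == 0) print "pass" }'
}

# make_demo: constructed fixture (temp tree plus account table); prints its path.
# alice is compliant, bob's HOME belongs to someone else, carol's HOME is missing,
# dave is already locked and root is below MIN_UID, so only bob and carol are reported.
make_demo() {
    d=$(mktemp -d)
    mkdir "$d/alice" "$d/bob"
    me=$(id -u)
    if [ "$me" -eq 0 ]; then
        # as root every new directory is root-owned (and therefore exempt): give them other uids
        chown 500 "$d/alice"; chown 600 "$d/bob"
        alice_uid=500; bob_uid=601
    else
        alice_uid=$me; bob_uid=$((me + 1))
    fi
    cat > "$d/accounts" <<EOF
root id=0 home=/ account_locked=false
alice id=$alice_uid home=$d/alice account_locked=false
bob id=$bob_uid home=$d/bob account_locked=false
carol id=$((bob_uid + 1)) home=$d/carol account_locked=false
dave id=$((bob_uid + 2)) home=$d/dave account_locked=true
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: build the fixture, audit it (MIN_UID 1 so the demo uids qualify), clean up.
demo_dir=$(make_demo)
audit_homes "$demo_dir/accounts" 1
rm -rf "$demo_dir"
```

On a real AIX host the loop body would be fed by `lsuser -R files -a id home account_locked ALL` instead of the file, and `/dev/null` homes and already-locked accounts are skipped for the same reason the benchmark scripts skip them: neither can be repaired by locking.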
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|ID.AM-08,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-09,CSF2.0|PR.DS-10,CSF2.0|PR.IR-03,CSF2.0|PR.PS-01,CSF2.0|PR.PS-06,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "#!/usr/bin/ksh -e
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest; do
    uid=$(echo ${ids} | cut -f2 -d =)
    if [[ ${uid} -ge 200 ]]; then
        home=$(echo ${homes} | cut -f2 -d =)
        locked=$(echo ${locks} | cut -f2 -d =)
        if [[ ${home} == \"/dev/null\" || ${locked} == \"true\" ]]; then
            continue
        elif [[ ! -d ${home} ]]; then
            /usr/bin/printf \"%-32s does not exist; Recommend Lock Account [%s]\\n\" ${home} ${name}
            continue
        else
            /usr/bin/perl -e '
                $user=$ARGV[0]; $hd=$ARGV[1]; $uid=$ARGV[2];
                $huid=((stat $hd)[4]);
                if ($huid != $uid && $huid != 0) {
                    exit(1); # triggers command after OR (||)
                }' ${name} ${home} ${uid} || \\
            /usr/bin/printf \"Recommend Lock Account: %s does not own %s\\n\" ${name} ${home}
        fi
    fi
done | /usr/bin/awk '{ print } END { if(NR==0) { print \"pass\" } }'"
expect : "^pass$"

type : CMD_EXEC
description : "4.1.2.3 Ensure Home directory write access is restricted to owner"
info : "Home directories must be writeable only by the owner.
This recommendation audits (or removes) any write permission given via traditional file mode permissions (using chmod). Neither should a home directory have any permissions managed (whether permit or deny) via ACLs.
HOME directories with group or world write access enable malicious users to add files or directories, or even remove them if the directory 'T' (SVTX) bit is not also set. While this does not necessarily allow access to data - existing data might be destroyed (unlink()) or replaced (new file added with same name). These modifications could be used, e.g., to use the user's authorizations to gain other system privileges.
Disabling read and execute access for world and/or group might be part of a company security policy - and the audit and remediation scripts will need to be modified to reflect this addition.
The use of ACLs is discouraged because their effect is not immediately visible using standard tools. They must be identified (locating inodes with permission bit 0200000000 set) as active and read using aclget before the actual permissions granted or denied are known. Better is to deny outside access to home (i.e., user) related data.
When data must be shared create an area outside of ${HOME}"
solution : "For all local accounts with UID >= 200:
- Remove write permission from home directories that have group or world write access:
#!/usr/bin/ksh -e
# home_mode_acl: 4.8.1.3
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
typeset -i UIDCK=${1:-0}
typeset -i ret=0
if [[ ${UIDCK} -eq 0 ]]; then
    UIDCK=200
fi
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest; do
    uid_check=$(echo ${ids} | cut -f2 -d =)
    if [[ ${uid_check} -ge ${UIDCK} ]]; then
        home=$(echo ${homes} | cut -f2 -d =)
        locked=$(echo ${locks} | cut -f2 -d =)
        if [[ ${home} == \"/dev/null\" || ${locked} == \"true\" ]]; then
            continue
        elif [[ ! -d ${home} ]]; then
            /usr/bin/printf \"%-32s does not exist; locking account named [%s]\n\" ${home} ${name}
            chuser -R files account_locked=true $name
        else
            # never change the mode of the root directory itself
            [[ ${home} == \"/\" ]] && continue
            # perl exit status: (mode & 022), plus 1 when an ACL is enabled (bit 0200000000).
            # Capture it on the right of || so the non-zero exit does not trip ksh -e.
            ret=0
            perl -e '$f=$ARGV[0]; $m=(stat $f)[2];
                exit (($m & 022) + 1) if ($m & 0200000000);
                exit($m & 022);' $home || ret=$?
            [[ $ret == 0 ]] && continue
            if (( $ret & 022 )); then
                printf \"%s: had group or world write mode\n\" $home
                chmod og-w ${home}
            fi
            if (( $ret & 1 )); then
                printf \"%s: had ACL defined and enabled\n\" $home
                rm -rf /tmp/$$/${home}
                mkdir -p /tmp/$$/${home}
                aclget /tmp/$$/${home} | aclput ${home}
                rm -rf /tmp/$$/${home}
            fi
        fi
    fi
done
- NOTE: The permission change is automatically applied to all accounts with a user ID (uid) greater or equal to 200. Also, if the HOME directory has already been defined to something special (here, /dev/null) no change is made to the account attributes.
- To automate the process for new users see Additional Information below.
Impact:
There should be no impact - at least as far as world permissions are concerned.
There is a potential that all members in the group staff or system might see minimal impact - if their systems have, or had, a default umask of 002 when their accounts were created. Accounts created with a default umask of 022 or stricter will not be impacted, unless a user account modified their HOME directory mode bits to permit group and/or other write access."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "#!/usr/bin/ksh -e
lsuser -R files -a id home ALL | while read name ids homes rest; do
    uid_check=$(echo ${ids} | cut -f2 -d =)
    if [[ ${uid_check} -ge 200 ]]; then
        home=$(echo ${homes} | cut -f2 -d =)
        if [[ ${home} == \"/dev/null\" ]]; then
            continue
        elif [[ ! -d ${home} ]]; then
            /usr/bin/printf \"%-32s does not exist; recommend to lock account named [%s]\\n\" ${home} ${name}
        else
            [[ ${home} == \"/\" ]] && continue
            /usr/bin/perl -e '$f=$ARGV[0]; $m=(stat $f)[2];
                printf(\"Recommend chmod on: %s: to remove group or world write mode\\n\", $f) if $m & 022;
                printf(\"Recommend remove ACL on: %s\\n\", $f) if $m & 0200000000;
                exit($m & 0200000022)' ${home} \\
                || (ls -led ${home} && (aclget ${home} | grep -ip Enabled))
        fi
    fi
done | /usr/bin/awk '{ print } END { if(NR==0) { print \"pass\" } }'"
expect : "^pass$"

type : FILE_CHECK
description : "/etc/security/audit"
file : "/etc/security/audit"
owner : "root"
mask : "5027"
group : "audit"

type : FILE_CHECK
description : "/audit"
file : "/audit"
owner : "root"
mask : "5027"
group : "audit"

description : "4.1.2.4 Ensure access on /audit and /etc/security/audit is configured"
info : "This recommendation verifies the access control settings for the default locations of AUDIT configuration and output files.
The default location for the AUDIT subsystem configuration files is /etc/security/audit. The default location for output produced by the audit subsystem is the directory /audit. Access control must prevent unauthorized access.
NOTE: If your configuration does not store output in /audit ensure this directory is configured to prevent unauthorized access."
solution : "Ensure correct ownership and permissions are in place for /etc/security/audit and /audit
#!/usr/bin/ksh -e
# audit_subsys:4.8.1.4
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
for AUDITDIR in /etc/security/audit /audit; do
    find ${AUDITDIR} | grep -v 'lost+found' | xargs chown root:audit
    find ${AUDITDIR} -type d | grep -v 'lost+found' | xargs chmod u=rwx,g=rxs,o=
    find ${AUDITDIR} ! -type d | grep -v 'lost+found' | xargs chmod -R u=rw,g=r,o=
done"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
show_output : YES

type : CMD_EXEC
description : "4.1.2.5 Ensure access to /etc/security is configured"
info : "The /etc/security directory contains multiple files and directories used to keep the targeted AIX system secure. Most subsystems are owned by root:security (UID:GID). However, additional systems such as AUDIT and AIXPERT have their own permissions (and recommendations).
Traditionally, /etc/security has been identified as USER administration - including the shadow password file. But there is much more under /etc/security.
Normal installations also have configuration files for security subsystems including: aixpert, tsd, ice, ldap, rbac, audit, ipsec, fpm and trusted computing (tscd). While these subsystems may not be enabled - their configuration files need to be secured to ensure no unauthorized access.
The /etc/security directory contains sensitive files for multiple security systems. For the USER subsystem there are files such as /etc/security/passwd and /etc/security/user that must be secured from unauthorized access and modification."
solution : "Ensure correct access control settings for security subsystem configuration files installed in /etc/security :
#!/usr/bin/ksh -e
# security_subsys:4.8.1.5
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
EXCLUDE=\"security/(aixpert|audit|ice)\"
find /etc/security -type d | \
    /usr/bin/egrep -v ${EXCLUDE} | \
    /usr/bin/sort | xargs ls -led | \
    /usr/bin/awk '{print $1 \" \" $3 \" \" $4 \" \" $9}' | \
    /usr/bin/grep -v drwxr-s---- | \
    awk '{print $NF}' | while read SECDIR; do
    # EXCLUDE is an extended regular expression, so egrep (not grep) must apply it here as well
    find ${SECDIR} | /usr/bin/egrep -v ${EXCLUDE} | xargs chown root:security
    find ${SECDIR} -type d | /usr/bin/egrep -v ${EXCLUDE} | xargs chmod g-w,o-rwx
    find ${SECDIR} -type f | /usr/bin/egrep -v ${EXCLUDE} | xargs chmod u-x,g-wx,o-rwx
done"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "#!/usr/bin/ksh -e
{
    EXCLUDE=\"security/(aixpert|audit|ice)\"
    /usr/bin/find /etc/security -type d | \\
        /usr/bin/egrep -v ${EXCLUDE} | \\
        /usr/bin/sort | xargs ls -led | \\
        /usr/bin/awk '{print $1 \" \" $3 \" \" $4 \" \" $9}' | \\
        /usr/bin/grep -v drwxr-s----
} | /usr/bin/awk '{ print } END { if(NR==0) { print \"pass\" } }'"
expect : "^pass$"
timeout : "@FIND_TIMEOUT@"

type : CMD_EXEC
description : "4.1.2.6 Ensure access on /var/adm/ras is configured"
info : "The /var/adm/ras directory contains log files which contain sensitive information such as login times and IP addresses.
The log files in the /var/adm/ras directory can contain sensitive information such as login times and IP addresses, which may be altered by an attacker when removing traces of system access. All files in this directory must be secured from unauthorized access and modifications."
solution : "Remove world read and write access from all files in /var/adm/ras :
chmod o-rw /var/adm/ras/*"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/find /var/adm/ras/* ! -name . -prune -type f -a \\( -perm -o=r -o -perm -o=w \\) | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"}'"
expect : "^pass$"
timeout : "@FIND_TIMEOUT@"

type : FILE_CHECK
description : "4.1.2.7 Ensure access on /var/adm/sa is configured"
info : "The /var/adm/sa directory holds the performance data produced by the sar utility.
The /var/adm/sa directory contains the report files produced by the sar utility. This directory must be secured from unauthorized access."
solution : "Set the recommended ownership and permissions on /var/adm/sa :
chown adm:adm /var/adm/sa
chmod u=rwx,go=rx /var/adm/sa"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|ID.AM-08,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-09,CSF2.0|PR.DS-10,CSF2.0|PR.IR-03,CSF2.0|PR.PS-01,CSF2.0|PR.PS-06,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
file : "/var/adm/sa"
owner : "adm"
mask : "022"
group : "adm"

type : FILE_CHECK
description : "4.1.2.8 Ensure access on /var/spool/cron/crontabs is configured"
info : "The /var/spool/cron/crontabs directory contains all of the crontabs for the users on the system.
Crontab files present a security problem because they are run by the cron daemon, which runs with super user rights. Allowing other users to have read/write permissions on these files may allow them to escalate their privileges. To negate this risk, the directory and all the files that it contains must be secured."
solution : "Apply the appropriate permissions to /var/spool/cron/crontabs :
chmod -R o= /var/spool/cron/crontabs
chmod ug=rwx,o= /var/spool/cron/crontabs
chown -R root:cron /var/spool/cron/crontabs"
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|ID.AM-08,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-09,CSF2.0|PR.DS-10,CSF2.0|PR.IR-03,CSF2.0|PR.PS-01,CSF2.0|PR.PS-06,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
file : "/var/spool/cron/crontabs"
owner : "root"
mask : "007"
group : "cron"

description : "4.1.2.9 Ensure all directories in root PATH access is configured"
info : "To secure the root user's executable PATH, all directories must not be group and world writable.
There should not be group or world writable directories in the root user's executable path. This may allow an attacker to gain super user access by forcing an administrator operating as root to execute a Trojan horse program."
solution : "Search and report on group or world writable directories in root's PATH. The command must be run as the root user.
The script below traverses up each individual directory PATH, ensuring that all directories are not group/world writable and that they are owned by root or the bin user:
echo \"/:${PATH}\" | tr ':' '\n' | grep \"^/\" | sort -u | while read DIR
do
    DIR=${DIR:-$(pwd)}
    print \"Checking ${DIR}\"
    while [[ -d ${DIR} ]]
    do
        [[ \"$(ls -ld ${DIR})\" = @(d???????w? *) ]] && print \" WARNING ${DIR} is world writable\" || print \" ${DIR} is not world writable\"
        [[ \"$(ls -ld ${DIR})\" = @(d????w???? *) ]] && print \" WARNING ${DIR} is group writable\" || print \" ${DIR} is not group writable\"
        [[ \"$(ls -ld ${DIR} |awk '{print $3}')\" != @(root|bin) ]] && print \" WARNING ${DIR} is not owned by root or bin\"
        DIR=${DIR%/*}
    done
done
NOTE: Review the output and manually change the directories, if possible. Directories which are group and/or world writable are marked with \"WARNING\".
To manually change permissions on the directories:
To remove group writable access: chmod g-w
To remove world writable access: chmod o-w
To remove both group and world writable access: chmod go-w
To change the owner of a directory: chown
To fully automate the PATH directory permission changes execute the following code as the root user:
echo \"/:${PATH}\" | tr ':' '\n' | grep \"^/\" | sort -u | while read DIR
do
    DIR=${DIR:-$(pwd)}
    while [[ -d ${DIR} ]]
    do
        [[ \"$(ls -ld ${DIR})\" = @(d???????w? *) ]] && chmod o-w ${DIR} && print \"Removing world write from ${DIR}\"
        [[ \"$(ls -ld ${DIR})\" = @(d????w???? *) ]] && chmod g-w ${DIR} && print \"Removing group write from ${DIR}\"
        DIR=${DIR%/*}
    done
done"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
name : "writeable_dirs_in_root_path_variable"
mask : "022"

type : CMD_EXEC
description : "4.2.1 Ensure sendmail in not in use"
info : "On AIX, unless otherwise needed - uninstall or disable sendmail support. ALSO: if the version installed does not display support for SASLv2 - remove sendmail on AIX 7.2 and chmod to 0 (zero) otherwise.
Maintaining a secure sendmail MTA (mail transfer agent) is a complex process. While, historically, *NIX systems have run a (localhost) MTA (mail transmission agent) or MSP (mail submission program) - there is no real need these days for every system to have this software installed.
Note: Historically, the AIX sendmail build has not supported the AUTH feature.
Since AIX 7.2 TL4 a new packaging of sendmail (still as version 8.15.2, so the version number is not the way to verify suitability) allows AUTH support indirectly via the SASLv2 (Simple Authentication and Security Layer) API interface. Our recommendation is to disable/remove sendmail programs that do not provide SASLv2 support."
solution : "Execute the following command:
(lslpp -Lcq bos.net.tcp.sendmail >/dev/null && installp -ug bos.net.tcp.sendmail) || \
    echo bos.net.tcp.sendmail is not installed
Impact:
- If not installed, the rest of the recommendations in this section titled Sendmail Configuration may be ignored.
- Applications configured to speak to a localhost MTA or MSP may fail to send mail. These applications should be (re-)configured to use STARTTLS or SSL and send their mail messages via a hardened MTA host."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lslpp -Lcq | /usr/bin/grep -i 'sendmail' | /usr/bin/awk '{print} END {if (NR == 0) print \"none\"}'"
expect : "^none$"

type : CMD_EXEC
description : "4.2.2 Ensure NIS client is not installed"
info : "If NIS is not used in the environment, disable the NIS client and de-install the software.
As NIS is extremely insecure, the NIS client packages must be removed from the system unless absolutely needed."
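Added example for recommendation 4.1.2.9 above (not from the benchmark or the audit): the ksh PATH walk in POSIX sh, with two changes a practitioner usually wants. Every directory, ancestors included, is checked once rather than once per PATH entry, and the allowed owners are a parameter (a uid list, default `0 2`, i.e. root and bin on AIX) so the same function runs on other systems. The `top` argument that bounds the upward walk is an addition for testability; with the default `/` it climbs to the root like the original. The directory tree in `demo_path_check` is constructed.

```shell
#!/bin/sh
# Added example: POSIX sh version of the CIS AIX 4.1.2.9 root PATH directory check.

# within_top DIR TOP: true when DIR is TOP or lies beneath it (TOP=/ matches everything).
within_top() {
    [ "$2" = / ] && return 0
    case "$1" in "$2"|"$2"/*) return 0 ;; esac
    return 1
}

# path_dirs PATHSTRING [TOP]: every absolute PATH entry plus all its ancestors up to TOP,
# each printed once. Mirrors `echo "/:${PATH}" | tr ':' '\n' | grep "^/"` and the
# ${DIR%/*} climb of the original, de-duplicated with sort -u.
path_dirs() {
    top=${2:-/}
    printf '/:%s\n' "$1" | tr ':' '\n' | grep '^/' | while read -r dir; do
        while [ -d "$dir" ] && within_top "$dir" "$top"; do
            printf '%s\n' "$dir"
            dir=${dir%/*}
        done
    done | sort -u
}

# check_path_dirs PATHSTRING [ALLOWED_UIDS] [TOP]
# Prints one WARNING line per problem; prints nothing when the PATH is clean.
check_path_dirs() {
    allowed=${2:-"0 2"}                    # root and bin on AIX; pass your own list elsewhere
    path_dirs "$1" "${3:-/}" | while read -r dir; do
        entry=$(ls -ldn "$dir")            # e.g. "drwxrwxrwt 10 0 0 4096 Jan 1 00:00 /tmp"
        mode=${entry%% *}                  # first field: type plus nine permission characters
        owner=$(printf '%s\n' "$entry" | awk '{ print $3 }')
        gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
        ow=$(printf '%s' "$mode" | cut -c9)   # other (world) write bit
        [ "$gw" = w ] && printf 'WARNING %s is group writable\n' "$dir"
        [ "$ow" = w ] && printf 'WARNING %s is world writable\n' "$dir"
        case " $allowed " in
            *" $owner "*) ;;
            *) printf 'WARNING %s is owned by uid %s, not root or bin\n' "$dir" "$owner" ;;
        esac
    done
}

# demo_path_check: constructed tree with one clean, one world-writable and one
# group-writable directory; prints the warnings and removes the tree.
demo_path_check() {
    t=$(mktemp -d)
    mkdir "$t/bin" "$t/sbin" "$t/gw"
    chmod 755 "$t" "$t/bin"; chmod 777 "$t/sbin"; chmod 775 "$t/gw"
    check_path_dirs "$t/bin:$t/sbin:$t/gw:/nonexistent" "0 $(id -u)" "$t"
    rm -rf "$t"
}

demo_path_check
```

Parsing the `ls -ldn` mode string column by column replaces the ksh `@(d???????w? *)` patterns, which plain sh does not have; the numeric listing avoids the name lookup the original does with `awk '{print $3}'` against `root|bin`. For root's real PATH, run `check_path_dirs "$PATH"` as root with the defaults.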
solution : "Ensure that all of the NIS daemons are inactive:
stopsrc -g yp
De-install the NIS client software:
installp -u bos.net.nis.client"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lslpp -L bos.net.nis.client"
expect : "[\\s]*not[\\s]+installed\\.[\\s]*$"

type : CMD_EXEC
description : "4.2.3 Ensure NIS server services are not in use"
info : "A Network Information Service (NIS) server is a host that provides configuration information to other hosts on a network. NIS servers store tables of information about users, groups, and more. They also maintain a set of maps and run the ypserv daemon, which processes requests from clients for information in those maps.
As NIS is extremely insecure, the NIS server packages must be removed from the system unless absolutely needed.
- IF - NIS must be used in the environment, and is approved by local site policy, limit access to the NIS data to specific subnets. By default the NIS server will authenticate all IP addresses if the /var/yp/securenets file does not exist, or exists without any subnets defined. The /var/yp/securenets file contains a list of subnets that are considered trusted and are allowed to access NIS data using the ypserv and ypxfrd daemons. This is a user-created file that resides on a NIS master server and any slave servers. Without configuring this file, anyone with knowledge of the NIS server address and the domain name can obtain NIS served data, including the contents of the /etc/passwd file. Hence, it is recommended that the /var/yp/securenets file is configured to restrict access."
solution : "Ensure that all of the NIS daemons are inactive:
stopsrc -g yp
De-install the NIS server software:
installp -u bos.net.nis.server
- OR -
- IF - the NIS server package is required as a dependency, or NIS must be used in the environment, and is approved by local site policy:
Ensure that all of the NIS daemons are inactive:
stopsrc -g yp
De-install the NIS server software:
installp -u bos.net.nis.server
Create and secure the /var/yp/securenets file (if it does not already exist):
touch /var/yp/securenets
chmod u=rw,go= /var/yp/securenets
chown root:system /var/yp/securenets
Edit the file:
vi /var/yp/securenets
Add the allowed subnets:
255.255.255.0 128.311.10.0
NOTE: The format of the file is netmask netaddr as shown in the example above. Explicitly define all valid network subnets (one entry per line).
Stop and start NIS to implement the configuration changes:
stopsrc -g yp
startsrc -g yp"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lslpp -L bos.net.nis.server"
expect : "[\\s]*not[\\s]+installed\\.[\\s]*$"

type : FILE_CONTENT_CHECK_NOT
description : "/etc/passwd"
file : "/etc/passwd"
regex : "^\\+"
expect : "^\\+"

type : FILE_CONTENT_CHECK_NOT
description : "/etc/group"
file : "/etc/group"
regex : "^\\+"
expect : "^\\+"

description : "4.2.4 Ensure legacy NIS markers are removed"
info : "If NIS has been de-installed in the environment, or has historically been used, ensure the + markers are removed from /etc/passwd and /etc/group.
The + entries in /etc/passwd and /etc/group were used as markers to insert data from a NIS map. These entries may provide an avenue for attackers to gain privileged access on the system.
The + entries must be deleted if they still exist." solution : "Examine the /etc/passwd and /etc/group files: grep \"^+\" /etc/passwd /etc/group If the above command yields output, delete the + line: vi /etc/passwd vi /etc/group" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "4.2.7 Ensure legacy remote daemon support is not available" info : "Ensure that software that supports passwordless and/or clear-text password connections is disabled. Examples include daemons such as: rlogind rshd and talkd Remote services that either send or receive usernames and passwords in clear text and should not be used." solution : "Use the following script to disable the files in these packages: for fileset in bos.net.tcp.rcmd_server bos.net.tcp.rcmd do lslpp -L ${fileset} >/dev/null 2>&1 if [[ $? 
-eq 0 ]] then lslpp -f ${fileset} | /usr/bin/egrep \"^ +\/\" | while read command rest do # aclput will also do a classic chmod on the standard file mode bits /usr/bin/aclput /dev/null 2>&1 if [[ $? -eq 0 ]] then lslpp -f ${fileset} | /usr/bin/egrep \"^ +\\/\" | while read command rest do /usr/bin/ls -led $command | /usr/bin/egrep -v \"^-----------\" done fi done } | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'" expect : "^none$" type : CMD_EXEC description : "snmp check" cmd : "/usr/bin/lslpp -Lcq bos.net.tcp.snmp" expect : "[\\s]*not[\\s]+installed\\.[\\s]*$" type : CMD_EXEC description : "snmpd check" cmd : "/usr/bin/lslpp -Lcq bos.net.tcp.snmpd" expect : "[\\s]*not[\\s]+installed\\.[\\s]*$" description : "4.2.8 Ensure snmpd is not available" info : "Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. bos.net.tcp.snmpd is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. SNMP server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system. The snmpd daemon is used by many 3rd party applications to monitor the health of the system. If snmpd is not required, it is recommended that it is disabled. The SNMP server can communicate using SNMPv1 which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the bos.net.tcp.snmpd fileset should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. 
- If SNMP v2 is absolutely necessary, modify the community strings' values." solution : "Execute the following command: installp -ug bos.net.tcp.snmp bos.net.tcp.snmpd" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "snmpd check" cmd : "/usr/bin/lslpp -Lcq bos.net.tcp.snmpd >/dev/null 2>&1 && echo \" - SNMP server fileset exists on the system\"" expect : "^Manual Review Required$" severity : MEDIUM type : CMD_EXEC description : "snmp check" cmd : "/usr/bin/lslpp -Lcq bos.net.tcp.snmp >/dev/null 2>&1 && echo \" - SNMP client fileset exists on the system\"" expect : "^Manual Review Required$" severity : MEDIUM description : "4.2.8 Ensure snmpd is not available" info : "Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. bos.net.tcp.snmpd is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. SNMP server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system. The snmpd daemon is used by many 3rd party applications to monitor the health of the system. If snmpd is not required, it is recommended that it is disabled. The SNMP server can communicate using SNMPv1 which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. 
If the the SNMP service is not required, the bos.net.tcp.snmpd fileset should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. - If SNMP v2 is absolutely necessary, modify the community strings' values. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Execute the following command: installp -ug bos.net.tcp.snmp bos.net.tcp.snmpd" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "lsitab writesrv" cmd : "/usr/sbin/lsitab writesrv | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "^pass$" type : CMD_EXEC description : "lssrc writesrv" cmd : "/usr/bin/lssrc -s writesrv | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+inoperative$" description : "4.3.1.1 Ensure writesrv service is not in use" info : "The recommendation is to disable writesrv This allows users to chat using the system write facility on a terminal. writesrv allows users to chat using the system write facility on a terminal. The recommendation is that this service must be disabled." 
solution : "Identify if writesrv is enabled: lsitab writesrv | wc -l If the command output != \"0\" stop the service and remove the entry from /etc/inittab rmitab writesrv stopsrc -s writesrv" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "4.3.1.2 Ensure dt service is not in use" info : "This entry executes the CDE startup script which starts the AIX Common Desktop Environment. If there is not an lft connected to the system and there are no other X11 clients that require CDE, remove the dt entry." solution : "In /etc/inittab remove the dt entry: rmitab dt" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/lsitab dt | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "^pass$" type : CMD_EXEC description : "4.3.1.3 Ensure piobe service is not in use" info : "The piobe daemon is the I/O back end for the printing process, handling the job scheduling and spooling. If there is not a requirement for the system to support either local or remote printing, remove the piobe entry." 
solution : "In /etc/inittab remove the piobe entry: rmitab piobe" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/lsitab piobe | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "^pass$" type : CMD_EXEC description : "4.3.1.4 Ensure qdaemon service is not in use" info : "This is the printing scheduling daemon that manages the submission of print jobs to piobe If there is not a requirement to support local or remote printing, remove the qdaemon entry from /etc/inittab" solution : "In /etc/inittab remove the qdaemon entry: rmitab qdaemon" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/lsitab qdaemon | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "^pass$" type : CMD_EXEC description : "4.3.1.5 Ensure rcnfs service is not in use" info : "The rcnfs entry starts the NFS, NIS and automount daemons during system boot. 
Additionally, it automounts filesystems with the attribute vfs = nfs NFS is a service with numerous historical vulnerabilities and should not be enabled unless there is no alternative" solution : "Use the rmitab command to remove the NFS start-up script from /etc/inittab : rmitab rcnfs Also, to be certain NFS related services have been discounted - execute the following script: /etc/nfs.clean" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/lsitab rcnfs | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "^pass$" type : FILE_CONTENT_CHECK_NOT description : "4.3.2.1 Ensure inetd daemon is disabled when no additional services are required" info : "When none of the services run and managed by inetd are required then disable the inetd daemon itself. This is the preferred state. When no inetd managed services are required there is no need to start the daemon at boot time. An administrator can manually start the inetd service post-IPL, should any of the inetd supported services are/become required." solution : "Review any active inetd services: refresh -s inetd lssrc -ls inetd NOTE: If there are active services and the services are required, do not disable inetd Skip to the next section and consider the implementation of TCP Wrappers to secure access to these active services. If the active services are not required disable them via the chsubserver command. Disable inetd if there are no active services: chrctcp -d inetd stopsrc -s inetd Impact: When an inetd service is required this service is permitted. Be sure to review the section 4.1.5 Inetd (aka Super Daemon) Services later in the document." 
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/inetd" expect : "^[\\s]*start[\\s]+/usr/sbin/inetd" type : CMD_EXEC description : "lssrc named" cmd : "/usr/bin/lssrc -s named | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+(^pass|inoperative|The named Subsystem is not on file\\.)$" type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/sbin/named" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/named" expect : "^[\\s]*start[\\s]+/usr/sbin/named" description : "4.3.2.10 Ensure named is not in use" info : "This entry starts the named daemon on system startup. This is the server for the DNS protocol and controls domain name resolution for its clients. The named daemon is the server for the DNS protocol and controls domain name resolution for its clients. It is recommended that this daemon is disabled, unless the server is functioning as a DNS server.This entry starts the named daemon at system startup. This is the server for the DNS protocol and controls domain name resolution for its clients." 
solution : "- On AIX 7.1 and earlier comment out the named entry in /etc/rc.tcpip and ensure service is stopped: chrctcp -d named stopsrc -s named - On AIX 7.2 and later remove the software: installp -u bos.net.tcp.bind" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "4.3.2.11 Ensure portmap is not in use" info : "If all RPC services are disabled, disable the portmap daemon itself. The portmap daemon is required for the RPC service. It converts the RPC program numbers into Internet port numbers. The daemon may be disabled if the server is not: - An NFS server - A NIS (YP) or NIS+ server - Running the CDE GUI - Running a third-party software application that relies on RPC support If no RPC services are required then there is no need to start the portmap daemon at boot time. A start of portmap can be done either manually, or scripted, should RPC port-mapping support be needed post-IPL. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." 
solution : "- Review any active RPC services: rpcinfo -p localhost - Run the program above (in Audit) with the argument fix - check exit status (should be 0)" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "#!/usr/bin/ksh -e { # Author: Michael Felt, AIXTools # Version: 1.01 action=$1 ret=0 set $(rpcinfo -p localhost 2>/dev/null | /usr/bin/egrep -v \"(portmap)|(status)|(nsm)|(pyramid)\" | wc -l) if [ $1 -gt 1 ] ; then # There are RPC services other than portmap related services # Unless specifically required for a business process this is considered a risk. # If there are RPC services active - will not disable portmap service if [[ $# -eq 0 || ${action} != \"fix\" ]]; then print \"$0: Audit mode: Verify the services listed are actually needed.\" print \"This should be scored as an error unless there is a documented need\" print \"for the following RPC based services.\" else print \"$0: FIX mode: cannot fix portmap service activation\" print \"\\tbefore the RPC services are deactivated.\" ret=-1 fi print \"++++ The following services (excluding portmap itself) are active ++++\" rpcinfo -p localhost 2>/dev/null | /usr/bin/egrep -v \"(portmap)|(status)|(nsm)|(pyramid)\" elif [ $1 -le 1 ] ; then if [[ ${action} != \"fix\" ]] ; then if [ $1 -eq 1 ] ; then print \"portmap is active. This should be considered an error.\" fi # No RPC services were reported. Check is autostart is disabled. result=$(grep \"start[[:blank:]]/usr/sbin/portmap\" /etc/rc.tcpip) if [[ $result == '[ -z \"$portmap_pid\" ] && start /usr/sbin/portmap \"${src_running}\"' ]] ; then print \"portmap is set to autostart. 
This should be considered an error.\" fi elif [[ $action == \"fix\" ]]; then print \"Removing autostart of portmap.\" PID=$$ umask 077 cat /etc/rc.tcpip >/var/tmp/rctcpip.${PID} sed -e \"s/^\\[ -z \\\"\\$portmap_pid\\\"/#&/\" /etc/rc.tcpip rm -f /var/tmp/rctcpip.${PID} # Stop the portmapper, if active stopsrc -s portmap # Switch of automatic NFS services, if still in /etc/inittab chitab \"rcnfs:23456789:off:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons\" fi fi }" expect : "^Manual Review Required$" severity : MEDIUM type : CMD_EXEC description : "lssrc routed" cmd : "/usr/bin/lssrc -s routed | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+inoperative$" type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/sbin/routed" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/routed" expect : "^[\\s]*start[\\s]+/usr/sbin/routed" description : "4.3.2.12 Ensure routed is not in use" info : "This entry starts the routed daemon on system startup. The routed daemon manages the network routing tables in the kernel. The routed daemon manages the network routing tables in the kernel. This daemon should not be used as it only supports RIP1. If the AIX server must communicate with routers use gated instead." solution : "In /etc/rc.tcpip comment out the routed entry: chrctcp -d routed stopsrc -s routed Impact: Like mrouted this daemon is part of bos.net.tcp.server_core (AIX 7.2 and later) so it cannot be removed from the system. Unlike mrouted this daemon should not be used. Should the AIX server need to communicate directly with routers (i.e., there is no default route but routes are managed by software) - the gated should be used." 
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/sbin/rwhod" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/rwhod" expect : "^[\\s]*start[\\s]+/usr/sbin/rwhod" type : CMD_EXEC description : "lssrc rwhod" cmd : "/usr/bin/lssrc -s rwhod | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+(^pass|inoperative|The rwhod Subsystem is not on file\\.)$" description : "4.3.2.13 Ensure rwhod is not in use" info : "This entry starts the rwhod daemon on system startup. This is the remote WHO service. The rwhod daemon is the remote WHO service, which collects and broadcasts status information to peer servers on the same network. It is recommended that this daemon is disabled, unless it is required." 
solution : "- On AIX 7.1 and earlier comment out the rwhod entry in /etc/rc.tcpip and ensure service is stopped: chrctcp -d rwhod stopsrc -s rwhod - On AIX 7.2 and later remove the software: installp -ug bos.net.tcp.rcmd_server" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/lib/sendmail" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/lib/sendmail" expect : "^[\\s]*start[\\s]+/usr/lib/sendmail" type : CMD_EXEC description : "lssrc sendmail" cmd : "/usr/bin/lssrc -s sendmail | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+(^pass|inoperative|The sendmail Subsystem is not on file\\.)$" description : "4.3.2.14 Ensure sendmail is not in use" info : "This entry starts the sendmail daemon on system startup. This means that the system can operate as a mail server. sendmail is a service with many historical vulnerabilities and where possible should be disabled. If the system is not required to operate as a mail server i.e. sending, receiving or processing e-mail, comment out the sendmail entry." 
solution : "- On AIX 7.1 and earlier comment out the sendmail entry in /etc/rc.tcpip and ensure service is stopped: chrctcp -d sendmail stopsrc -s sendmail - On AIX 7.2 and later remove the software: installp -u bos.net.tcp.sendmail" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "lssrc snmpmibd" cmd : "/usr/bin/lssrc -s snmpmibd | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+(^pass|inoperative|The snmpmibd Subsystem is not on file\\.)$" type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/sbin/snmpmibd" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/snmpmibd" expect : "^[\\s]*start[\\s]+/usr/sbin/snmpmibd" description : "4.3.2.15 Ensure snmpmib2 is not in use" info : "This entry starts the snmpmibd daemon on system startup. This is a dpi2 sub-agent that may be required if the server runs SNMP. The snmpmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. If snmpd is not required, it is recommended that it is disabled. The specific MIB variables which are managed by snmpmibd are defined by numerous RFCs. 
Further details relating to these MIBS can be found in the URL below: https://www.ibm.com/docs/en/aix/7.1?topic=s-snmpmibd-daemon" solution : "- On AIX 7.1 and earlier comment out the snmpmibd entry in /etc/rc.tcpip and ensure service is stopped: chrctcp -d snmpmibd stopsrc -s snmpmibd - On AIX 7.2 and later remove the software: installp -u bos.net.tcp.snmpd" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/sbin/timed" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/timed" expect : "^[\\s]*start[\\s]+/usr/sbin/timed" type : CMD_EXEC description : "lssrc timed" cmd : "/usr/bin/lssrc -s timed | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+(^pass|inoperative|The timed Subsystem is not on file\\.)$" description : "4.3.2.16 Ensure timed is not in use" info : "This entry starts the timed daemon on system startup. This is the old and obsolete UNIX time service. The timed daemon is the old UNIX time service. Disable this service. 
If time synchronization is required in your environment use xntp" solution : "- On AIX 7.1 and earlier comment out the timed entry in /etc/rc.tcpip and ensure service is stopped: chrctcp -d timed stopsrc -s timed - On AIX 7.2 and later remove the software: installp -u bos.net.tcp.timed" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "4.3.2.2 Ensure aixmibd service is removed" info : "This entry starts the aixmibd daemon on system startup. This is a dpi2 sub-agent that may be required if the server runs SNMP. The aixmibd daemon is a dpi2 sub-agent which manages a number of MIB variables. The recommendation is to disable aixmibd Unless snmpd is required." 
solution : "Run the following command to remove aixmibd : installp -u bos.net.tcp.snmpd" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/lslpp -Lcq bos.net.tcp.snmpd" expect : "[\\s]*not[\\s]+installed\\.[\\s]*$" type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/sbin/dhcpcd" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/dhcpcd" expect : "^[\\s]*start[\\s]+/usr/sbin/dhcpcd" type : CMD_EXEC description : "lssrc dhcpcd" cmd : "/usr/bin/lssrc -s dhcpcd | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+(^pass|inoperative|The dhcpcd Subsystem is not on file\\.)$" description : "4.3.2.3 Ensure dhcpcd is not in use" info : "This entry starts the dhcpcd daemon on system startup. The dhcpcd deamon receives address and configuration information from the DHCP server. The dhcpcd daemon is the DHCP client that receives address and configuration information from the DHCP server. This must be disabled if DHCP is not used to serve IP address to the local system." 
solution : "- On AIX 7.1 and earlier comment out the dhcpcd entry in /etc/rc.tcpip and ensure service is stopped: chrctcp -d dhcpcd stopsrc -s dhcpcd - On AIX 7.2 and later remove the software: installp -u bos.net.tcp.dhcpd" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "lssrc dhcprd" cmd : "/usr/bin/lssrc -s dhcprd | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+(^pass|inoperative|The dhcprd Subsystem is not on file\\.)$" type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/sbin/dhcprd" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/dhcprd" expect : "^[\\s]*start[\\s]+/usr/sbin/dhcprd" description : "4.3.2.4 Ensure dhcprd is not in use" info : "This entry starts the dhcprd daemon on system startup. The dhcprd daemon listens for broadcast packets, receives them, and forwards them to the appropriate server. The dhcprd daemon is the DHCP relay deamon that forwards the DHCP and BOOTP packets in the network. You must disable this service if DHCP is not enabled in the network." 
solution : "- On AIX 7.1 and earlier comment out the dhcprd entry in /etc/rc.tcpip and ensure service is stopped: chrctcp -d dhcprd stopsrc -s dhcprd - On AIX 7.2 and later remove the software: installp -u bos.net.tcp.dhcpd" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/sbin/dhcpsd" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/dhcpsd" expect : "^[\\s]*start[\\s]+/usr/sbin/dhcpsd" type : CMD_EXEC description : "lssrc dhcpsd" cmd : "/usr/bin/lssrc -s dhcpsd | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+(^pass|inoperative|The dhcpsd Subsystem is not on file\\.)$" description : "4.3.2.5 Ensure dhcpsd is not in use" info : "This entry starts the dhcpsd daemon on system startup. The dhcpsd deamon is the DHCP server that serves addresses and configuration information to DHCP clients in the network. The dhcpsd daemon is the DHCP server that serves addresses and configuration information to DHCP clients in the network. You must disable this service if the server is not a DHCP server." 
solution : "- On AIX 7.1 and earlier comment out the dhcpsd entry in /etc/rc.tcpip and ensure service is stopped: chrctcp -d dhcpsd stopsrc -s dhcpsd - On AIX 7.2 and later remove the software: installp -u bos.net.tcp.dhcpd" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "lssrc dpid2" cmd : "/usr/bin/lssrc -s dpid2 | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+(^pass|inoperative|The dpid2 Subsystem is not on file\\.)$" type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/sbin/dpid2" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/dpid2" expect : "^[\\s]*start[\\s]+/usr/sbin/dpid2" description : "4.3.2.6 Ensure dpid2 is not in use" info : "This entry starts the dpid2 daemon on system startup. The dpid2 daemon acts as a protocol converter, which enables DPI (SNMP v2) sub-agents, such as hostmibd to talk to a SNMP v1 agent that follows SNMP MUX protocol. The dpid2 daemon acts as a protocol converter, which enables DPI sub-agents, such as hostmibd to talk to a SNMP v1 agent that follows SNMP MUX protocol. Unless the server hosts an SNMP agent, it is recommended that dpid2 is disabled." 
solution : "- On AIX 7.1 and earlier comment out the dpid2 entry in /etc/rc.tcpip and ensure service is stopped: chrctcp -d dpid2 stopsrc -s dpid2 - On AIX 7.2 and later remove the software: installp -u bos.net.tcp.snmpd" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : FILE_CONTENT_CHECK_NOT description : "on disk /usr/sbin/gated" file : "/etc/rc.tcpip" regex : "^[\\s]*start[\\s]+/usr/sbin/gated" expect : "^[\\s]*start[\\s]+/usr/sbin/gated" type : CMD_EXEC description : "lssrc gated" cmd : "/usr/bin/lssrc -s gated | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "[\\s]+(^pass|inoperative|The gated Subsystem is not on file\\.)$" description : "4.3.2.7 Ensure gated is not in use" info : "This entry starts the gated daemon on system startup. This daemon provides gateway routing functions for protocols such as RIP OSPF and BGP. The gated daemon provides gateway routing functions for protocols such as RIP, OSPF and BGP. The recommendation is that this daemon is disabled unless the server is acting as a network router, e.g., to support VIPA." 
solution : "Choose one of the following:
- On AIX 7.1 and earlier, comment out the gated entry in /etc/rc.tcpip and ensure the service is stopped:
chrctcp -d gated
stopsrc -s gated
- On AIX 7.2 and later, remove the software:
installp -u bos.net.tcp.gated"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
show_output : YES
type : FILE_CONTENT_CHECK_NOT
description : "on disk /usr/sbin/hostmibd"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/hostmibd"
expect : "^[\\s]*start[\\s]+/usr/sbin/hostmibd"
type : CMD_EXEC
description : "lssrc hostmibd"
cmd : "/usr/bin/lssrc -s hostmibd | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "[\\s]+(^pass|inoperative|The hostmibd Subsystem is not on file\\.)$"
description : "4.3.2.8 Ensure hostmibd is not in use"
info : "This entry starts the hostmibd daemon on system startup. The hostmibd daemon is a dpi2 sub-agent which manages a number of MIB variables; it may be required if the server runs SNMP. If snmpd is not required, it is recommended that hostmibd is disabled. The specific MIB variables which are managed by hostmibd are defined by RFC 2790.
Details relating to these MIBs can be found in: https://www.ibm.com/docs/en/aix/7.1?topic=h-hostmibd-daemon"
solution : "- On AIX 7.1 and earlier, comment out the hostmibd entry in /etc/rc.tcpip and ensure the service is stopped:
chrctcp -d hostmibd
stopsrc -s hostmibd
- On AIX 7.2 and later, remove the software:
installp -u bos.net.tcp.snmpd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
show_output : YES
type : FILE_CONTENT_CHECK_NOT
description : "4.3.3.1 Ensure autoconf6 is not in use"
info : "This entry starts autoconf6 on system startup. autoconf6 is used to automatically configure IPv6 interfaces at boot time. Running this service may allow other hosts on the same physical subnet to connect via IPv6, even when the network does not support it. You must disable this unless you utilize IPv6 on the server."
solution : "In /etc/rc.tcpip comment out the autoconf6 entry:
chrctcp -d autoconf6"
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|9.2,CSCv8|4.2,CSCv8|4.8,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,CSF2.0|DE.CM-09,CSF2.0|ID.AM-08,CSF2.0|PR.AA-05,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/autoconf6"
expect : "^[\\s]*start[\\s]+/usr/sbin/autoconf6"
type : FILE_CONTENT_CHECK_NOT
description : "4.3.3.2 Ensure ndpd-host is not in use"
info : "This entry starts ndpd-host on system startup. This is the Neighbor Discovery Protocol (NDP) daemon, which performs the client function of the NDP protocol. The ndpd-host command handles the default route, which includes the default router, the default interface, and the default interface address. However, the ndpd-host command does not overwrite the static default routes that are set on the host. When the daemon is stopped, it cleans up the prefix addresses and the routes that were created during its lifetime.
- Unless the server utilizes (dynamic) IPv6, this utility is not required and should be disabled.
- IPv6 static configuration is not affected by ndpd-host"
solution : "In /etc/rc.tcpip comment out the ndpd-host entry:
chrctcp -d ndpd-host
Impact: When IPv6 is active and NDP is used to get a non-link-local IPv6 address (link-local addresses begin with fe80::), it is also likely that the MTU size of the interface will change from 1500 to 1492. Additionally, it may add a default route to the IPv6 router it received its address from. For example:
- BEFORE NDP
netstat -ni
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
...
en0 1500 192.168.129 192.168.129.71 105156791 0 49249083 1 0
en0 1500 fe80::dead:beef:fef7:6204 105156791 0 49249083 1 0
netstat -rn
Routing tables
Destination Gateway Flags Refs Use If Exp Groups
Route tree for Protocol Family 2 (Internet):
default 192.168.129.1 UG 23 35660110 en0 - -
127/8 127.0.0.1 U 2 22988 lo0 - -
192.168.129.0 192.168.129.71 UHSb 0 0 en0 - - =>
192.168.129/24 192.168.129.71 U 12 13578475 en0 - -
192.168.129.71 127.0.0.1 UGHS 0 21471 lo0 - -
192.168.129.255 192.168.129.71 UHSb 0 0 en0 - -
Route tree for Protocol Family 24 (Internet v6):
default link#2 UC 0 0 en0 - -
::1%1 ::1%1 UH 0 19154 lo0 - -
...
- After NDP
netstat -ni
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
...
en0 1492 192.168.129 192.168.129.71 105190883 0 49267729 1 0
en0 1492 BEEF:980:a9ea:1:deed:beef:fef7:6204 105190883 0 49267729 1 0
en0 1492 fe80::deed:beef:fef7:6204 105190883 0 49267729 1 0
netstat -nr
Routing tables
Destination Gateway Flags Refs Use If Exp Groups
Route tree for Protocol Family 2 (Internet):
default 192.168.129.1 UG 17 35724295 en0 - -
127/8 127.0.0.1 U 2 23044 lo0 - -
192.168.129.0 192.168.129.71 UHSb 0 0 en0 - - =>
192.168.129/24 192.168.129.71 U 14 13622746 en0 - -
192.168.129.71 127.0.0.1 UGHS 0 21576 lo0 - -
192.168.129.255 192.168.129.71 UHSb 0 0 en0 - -
Route tree for Protocol Family 24 (Internet v6):
default fe80::dead:beef:fefa:4bfe UG 0 0 en0 - -
::1%1 ::1%1 UH 0 19198 lo0 - -
Note: the IPv6 destination address is the link-local (fe80::) address of the IPv6 router."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/ndpd-host"
expect : "^[\\s]*start[\\s]+/usr/sbin/ndpd-host"
type : FILE_CONTENT_CHECK_NOT
description : "4.3.3.3 Ensure ndpd-router is not in use"
info : "This entry starts ndpd-router on system startup. The ndpd-router daemon manages the Neighbor Discovery Protocol (NDP) for non-kernel activities. It receives Router Solicitations and sends Router Advertisements. It can also exchange routing information using the RIPng protocol. Unless the server utilizes IPv6, this is not required and should be disabled."
solution : "In /etc/rc.tcpip comment out the ndpd-router entry:
chrctcp -d ndpd-router
Impact: This service is not needed unless the AIX host is actively exchanging routing information with IPv6 routers.
See: manpage AIX 7.1 ndpd-router Daemon"
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|9.2,CSCv8|4.2,CSCv8|4.8,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,CSF2.0|DE.CM-09,CSF2.0|ID.AM-08,CSF2.0|PR.AA-05,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
file : "/etc/rc.tcpip"
regex : "^[\\s]*start[\\s]+/usr/sbin/ndpd-router"
expect : "^[\\s]*start[\\s]+/usr/sbin/ndpd-router"
type : CMD_EXEC
description : "4.3.4.1 Ensure bootps daemon is not in use"
info : "This entry starts the command /usr/sbin/bootpd when required. This service is used to provide boot partition data for a network boot. It uses the same UDP port as the DHCP server dhcpsd. The recommendation is to disable this service UNLESS you are operating a NIM server. When using NIM, bootps as a service is accepted, but the preference would be to configure a DHCP server with the equivalent information. The bootpd command implements an Internet Boot Protocol server."
solution : "In /etc/inetd.conf, comment out the bootps entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'bootps' -p udp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep bootps | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.10 Ensure imap2 daemon is not in use"
info : "This entry starts the imap2 service when required. The imap2 service, or Internet Message Access Protocol (IMAP), supports the IMAP4 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not required."
solution : "In /etc/inetd.conf, comment out the imap2 entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'imap2' -p tcp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep imap2 | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.11 Ensure instsrv daemon is not in use"
info : "This entry starts the instsrv service when required. The instsrv service is part of the Network Installation Tools, used for servicing servers running AIX 3.2. This is no longer applicable for modern AIX installations, so this service should be disabled."
solution : "In /etc/inetd.conf comment out the instsrv entry:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'instsrv' -p 'tcp'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep instsrv | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.12 Ensure klogin daemon is not in use"
info : "This entry starts the klogin service when required. This is a kerberized login service, which offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the network. However, it is still not as secure as SSH, which encrypts all traffic. If you use klogin to log in to a system, the password is not sent in clear text; however, if you su to another user, that password exchange is open to detection from network-sniffing programs. The recommendation is to utilize SSH wherever possible instead of klogin. If the klogin service is used, you must use the latest Kerberos version available and make sure that all the latest patches are installed."
solution : "In /etc/inetd.conf, comment out the klogin entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'klogin' -p tcp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep klogin | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.13 Ensure kshell daemon is not in use"
info : "This entry starts the kshell service when required. This is a kerberized remote shell service, which offers a higher degree of security than traditional rsh. However, it still does not use encrypted communications. The recommendation is to utilize SSH wherever possible instead of kshell. If the kshell service is used, you should use the latest Kerberos version available and must make sure that all the latest patches are installed."
solution : "In /etc/inetd.conf, comment out the kshell entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'kshell' -p tcp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep kshell | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.14 Ensure rlogin daemon is not in use"
info : "This entry starts the rlogin daemon when required. This login service is used to authenticate a remote user connection when logging in via the rlogin command. The username and password are passed over the network in clear text and are therefore insecure. Unless required, the rlogin daemon will be disabled. This function, if required, should be facilitated through SSH."
solution : "In /etc/inetd.conf, comment out the rlogin entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rlogin' -p tcp6
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep rlogin | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.15 Ensure netstat daemon is not in use"
info : "This entry executes the command netstat -f inet. This service displays active IP connections on a server.
The recommendation is to leave this disabled. The netstat command symbolically displays the contents of various network-related data structures for active connections. This interface requests a report of statistics or address control blocks for those items specified by the inet (also known as AF_INET, IPv4) address family."
solution : "In /etc/inetd.conf comment out the netstat entry:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'netstat' -p 'tcp'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep netstat | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.16 Ensure ntalk daemon is not in use"
info : "This entry starts the talkd daemon when required. The ntalk service is used to establish an interactive two-way communication link between two UNIX users, either locally or remotely. It is unlikely that there would be a requirement to run this type of service on a UNIX system. Unless required, the ntalk service will be disabled."
solution : "In /etc/inetd.conf, comment out the ntalk entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'ntalk' -p udp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep ntalk | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.17 Ensure pcnfsd daemon is not in use"
info : "This entry starts the pcnfsd daemon when required. The pcnfsd service is an authentication and printing program, which uses NFS to provide file transfer services. This service is vulnerable and exploitable and permits the machine to be compromised both locally and remotely. If PC NFS clients are required within the environment, Samba is recommended as an alternative software solution. The pcnfsd daemon predates Microsoft's release of the SMB specifications. This service should therefore be disabled."
solution : "In /etc/inetd.conf, comment out the pcnfsd entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'pcnfsd' -p udp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep pcnfsd | /usr/bin/wc -l"
expect : "^0$"
type : FILE_CONTENT_CHECK_NOT
description : "4.3.4.18 Ensure pop3 daemon is not in use"
info : "This entry starts the pop3 service when required. The pop3 service provides a POP3 server and supports the POP3 remote mail access protocol. It works with sendmail and bellmail. This service should be disabled if it is not required."
solution : "In /etc/inetd.conf, comment out the pop3 entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'pop3' -p tcp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
file : "/etc/inetd.conf"
regex : "^[\\s]*pop3[\\s]+"
expect : "^[\\s]*pop3[\\s]+"
type : CMD_EXEC
description : "4.3.4.19 Ensure rexd daemon is not in use"
info : "This entry starts the rexd service when required. This service should be disabled if it is not required. The rexd daemon executes programs for remote machines when a client issues a request to execute a program on a remote machine. The inetd daemon starts the rexd daemon from the /etc/inetd.conf file.
Non-interactive programs use standard file descriptors connected directly to TCP connections. Interactive programs use pseudo-terminals, similar to the login sessions provided by the rlogin command. The rexd daemon can use the Network File System (NFS) to mount the file systems specified in the remote execution request. Diagnostic messages are normally printed on the console and returned to the requester."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rexd' -p 'tcp'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]rexd\" | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.2 Ensure chargen daemon is not in use"
info : "This entry starts the chargen service when required. The chargen service is a character generator service and is used for testing the integrity of TCP/IP packets arriving at the destination. An attacker may spoof packets between machines running the chargen service and thus provide an opportunity for DoS attacks. You must disable this service unless you are testing your network."
solution : "In /etc/inetd.conf, comment out the chargen entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'chargen' -p udp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep chargen | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.20 Ensure rquotad daemon is not in use"
info : "This entry starts the rquotad service when required. The rquotad service allows NFS clients to enforce disk quotas on file systems that are mounted on the local system. This service should be disabled if it is not required."
solution : "Use chsubserver to disable this service in /etc/inetd.conf and, if inetd is running, refresh it:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rquotad' -p 'udp'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]rquotad\" | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.21 Ensure rstatd daemon is not in use"
info : "This entry starts the rstatd daemon. This service is used to provide kernel statistics and other monitorable parameters pertinent to the system, such as CPU usage, system uptime, network usage etc.
This service should be disabled if not explicitly required by performance monitoring software to collect statistics. An attacker may use this information in a DoS attack."
solution : "In /etc/inetd.conf, comment out the rstatd entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rstatd' -p udp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep rstatd | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.22 Ensure rusersd daemon is not in use"
info : "This entry starts the rusersd daemon when required. The rusersd service runs as root and provides a list of current users active on a system. An attacker may use this service to learn valid account names on the system. This is not an essential service and should be disabled."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rusersd' -p 'udp'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]rusersd\" | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.23 Ensure rwalld daemon is not in use"
info : "This entry starts the rwalld daemon when required. The rwalld service allows remote users to broadcast system-wide messages. The service runs as root and should be disabled unless absolutely necessary."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'rwalld' -p 'udp'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]rwalld\" | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.24 Ensure shell daemon is not in use"
info : "This entry starts the rshd daemon when required. The shell service is used to execute a command from a remote system. Usernames and passwords are passed over the network in clear text and are therefore insecure. Unless required, the rshd daemon will be disabled.
This function, if required, should be facilitated through SSH."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'shell' -p 'tcp6'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]shell\" | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.25 Ensure sprayd daemon is not in use"
info : "This entry starts the sprayd daemon when required. The sprayd service is used as a tool to generate UDP packets for testing and diagnosing network problems. The service must be disabled if not explicitly required for network performance testing purposes, as it can be used in a (Distributed) Denial of Service ((D)DoS) attack."
solution : "In /etc/inetd.conf, comment out the sprayd entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'sprayd' -p udp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep sprayd | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.26 Ensure xmquery daemon is not in use"
info : "This entry starts the xmquery daemon when required.
The xmquery service provides near real-time network-based data monitoring and local recording from a given node."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'xmquery' -p 'udp'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]xmquery\" | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.27 Ensure talk daemon is not in use"
info : "This entry starts the talkd daemon when required. The talk service is used to establish an interactive two-way communication link between two UNIX users, either locally or remotely. It is unlikely that there would be a requirement to run this type of service on a UNIX system.
Unless required, the talk service will be disabled."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'talk' -p 'udp'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]talk\" | /usr/bin/wc -l"
expect : "^0$"
type : CMD_EXEC
description : "4.3.4.28 Ensure telnetd daemon is not in use"
info : "This entry starts the telnetd daemon when required. It provides a protocol for command-line access from a remote machine and is used to service remote user connections. The telnet protocol passes the username and password over the network in clear text and is therefore insecure. Historically, telnet was the most commonly used remote access method for UNIX servers; it has since been replaced by OpenSSH (or no remote CLI access). The recommendation is that telnet is disabled and OpenSSH is used as a replacement mechanism. Unless required, the telnetd daemon should be disabled."
solution : "In /etc/inetd.conf comment out the telnet entry:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'telnet' -p 'tcp6'
refresh -s inetd
Impact: When OpenSSH is not available, other steps should be examined, e.g., a bastion-hosted environment where OpenSSH is used to get to the bastion host and then telnet from the bastion to the telnet-only server."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep telnet | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.3.4.29 Ensure tftpd daemon is not in use"
info : "This entry starts the tftp service when required. The tftp service allows remote systems to download or upload files to the tftp server without any authentication. It is therefore a service that should not run, unless needed. One of the main reasons for requiring this service to be activated is if the host is a NIM master. However, the service can be enabled and then disabled once a NIM operation has completed, rather than left running permanently."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'tftp' -p 'udp6'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]tftp\" | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.3.4.3 Ensure comsat daemon is not in use"
info : "This entry starts the comsat service. The comsat daemon receives messages on a datagram port associated with the biff service specification. The recommendation is to leave this service disabled.
The comsat daemon is the server that receives reports of incoming mail and notifies users if they have enabled this service with the biff command. Started by the inetd daemon, the comsat daemon is not meant to be used at the command line."
solution : "In /etc/inetd.conf, comment out the comsat entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'comsat' -p udp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep comsat | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.3.4.30 Ensure time daemon is not in use"
info : "This entry starts the time service when required. This service can be used to synchronize system clocks. The time service is an obsolete process used to synchronize system clocks at boot time. This has been superseded by NTP, which should be used if time synchronization is necessary. Unless required, the time service will be disabled."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'time' -p 'tcp'
chsubserver -r inetd -C /etc/inetd.conf -d -v 'time' -p 'udp'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]time\" | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.3.4.31 Ensure uucp daemon is not in use"
info : "This entry starts the uucp service when required. This service facilitates file copying between networked servers. The uucp (UNIX to UNIX Copy Program) service allows users to copy files between networked machines. Unless an application or process requires UUCP, this should be disabled."
solution : "Use chsubserver to disable this service in /etc/inetd.conf:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'uucp' -p 'tcp'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep \"[[:blank:]]uucp\" | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.3.4.4 Ensure daytime daemon is not in use"
info : "The service should be disabled as it can leave the system vulnerable to DoS ping attacks. This entry starts the daytime service when required. This provides the current date and time to other servers on a network.
This daytime service is a defunct time service, typically used for testing purposes only."
solution : "In /etc/inetd.conf comment out the daytime entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'daytime' -p tcp
chsubserver -r inetd -C /etc/inetd.conf -d -v 'daytime' -p udp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep daytime | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.3.4.5 Ensure discard daemon is not in use"
info : "This entry starts the discard service when required. This service is used as a debugging tool by setting up a listening socket which ignores the data it receives. The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it receives. This is a /dev/null service and is obsolete. This can be used in DoS attacks and therefore must be disabled."
solution : "In /etc/inetd.conf, comment out the discard entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'discard' -p udp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep discard | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.3.4.6 Ensure echo daemon is not in use"
info : "This entry starts the echo service when required. The echo service sends back data received by it on a specified port. This can be misused by an attacker to launch DoS attacks or Smurf attacks by initiating a data storm and causing network congestion. The service is used for testing purposes and therefore must be disabled if not required."
solution : "In /etc/inetd.conf, comment out the echo entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'echo' -p tcp
chsubserver -r inetd -C /etc/inetd.conf -d -v 'echo' -p udp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep echo | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.3.4.7 Ensure exec daemon is not in use"
info : "The recommendation is that rexecd is disabled.
This service can be performed securely using OpenSSH. This entry starts the rexecd daemon when required. This daemon executes a command from a remote system once the connection has been authenticated. The exec service is used to execute a command sent from a remote server. Usernames and passwords are passed over the network in clear text and therefore insecurely. Unless required, the rexecd daemon will be disabled. This function, if required, should be facilitated through SSH."
solution : "In /etc/inetd.conf comment out the exec entry:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'exec' -p 'tcp6'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep exec | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.3.4.8 Ensure finger daemon is not in use"
info : "This entry starts the fingerd daemon. The fingerd daemon provides the server function for the finger command. This allows users to view real-time pertinent user login information on other remote systems. This service should be disabled as it may provide an attacker with a valid user list to target."
solution : "In /etc/inetd.conf, comment out the finger entry and refresh the inetd process:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'finger' -p tcp
lssrc -s inetd && refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep finger | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.3.4.9 Ensure ftpd daemon is not in use"
info : "This entry starts the ftpd daemon when required. This service is used for transferring files from/to a remote machine. The recommendation is that ftp is disabled and sftp is used as a replacement file and directory copying mechanism. This ftp service is used to transfer files from or to a remote machine. Usernames and passwords are passed over the network in clear text and therefore insecurely. Unless required, the ftpd daemon should be disabled."
solution : "In /etc/inetd.conf comment out the ftp entry:
chsubserver -r inetd -C /etc/inetd.conf -d -v 'ftp' -p 'tcp6'
refresh -s inetd"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep -v tftp | /usr/bin/grep ftp | /usr/bin/wc -l"
expect : "^0$"

type : CMD_EXEC
description : "4.4.1.1 Ensure NFS client mounts are disabled in /etc/filesystems"
info : "Disable automated mount of remote NFS shares.
NFS is frequently exploited to gain unauthorized access to files and directories. Automated and/or pre-defined mounts should not exist. AIX does not allow the kernel service that enables NFS mounts to be disabled. The protection against unauthorized mounts is that only accounts in the group system can mount pre-existing (i.e., defined in /etc/filesystems) NFS mounts. Non-existing NFS mounts require root (euid==0) access."
solution : "Ensure that there are no current NFS client mounts:
mount |grep \"nfs\"
cat /etc/filesystems |grep \"nfs\"
The above commands should yield no output.
De-install the NFS client software:
installp -u bos.net.nfs.client
Impact: The use of NFS mounts is discouraged. The only expected use of NFS is when used in combination with a NIM server for system maintenance."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/grep -p nfs /etc/filesystems | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none$"

type : CMD_EXEC
description : "4.4.1.2 Ensure NFS server services are not in use"
info : "De-install NFS server if the server does not act as an NFS server to remote clients. An expected exception is a system configured as a NIM server. NFS is frequently exploited to gain unauthorized access to files and directories. Unless the server needs to act as an NFS server or client, the filesets should be de-installed."
solution : "Ensure that there are no current NFS exports:
cat /etc/exports
The above command should yield no output. Or the file should not exist.
De-install the NFS server software:
installp -u bos.net.nfs.server
If there was an empty /etc/exports file, remove it:
rm /etc/exports"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lslpp -L | /usr/bin/grep bos.net.nfs.server | /usr/bin/awk '{ print } END { if (NR==0) print \"none\" }'"
expect : "^none$"

type : CMD_EXEC
description : "lsnfsmnt nodev"
cmd : "/usr/sbin/lsnfsmnt -l | /usr/bin/egrep -v \"^Name\" | /usr/bin/grep -v \"nodev\" | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "^pass$"

type : CMD_EXEC
description : "lsnfsmnt nosuid"
cmd : "/usr/sbin/lsnfsmnt -l | /usr/bin/egrep -v \"^Name\" | /usr/bin/grep -v \"nosuid\" | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "^pass$"

description : "4.4.1.3 Ensure NFS client mounts include nosuid and nodev options"
info : "When using NFS shares ensure that suid/sgid program execution and/or access to system devices via permissions set on any mounted NFS filesystem are disabled. Setting the nosuid and nodev options means that files on the NFS server cannot be used to gain privileged access on the client. This hampers a malicious user from creating an attack vector on the server, then logging onto an NFS client as a standard user and using the suid/sgid program to effectively become another user (especially root) on that client. The nodev option blocks malicious/accidental (raw) access to system devices (e.g., /dev/kmem, /dev/rhdisk0). Access to devices is not exclusive to the /dev directory: devices are accessed through so-called special files, which are defined by a major and minor device id."
solution : "For each NFS mount, disable suid programs and device access. List the current NFS mounts:
lsnfsmnt -l | /usr/bin/egrep -v \"^Name\" | /usr/bin/grep -v \"nosuid\" | while read remote local host rest; do
chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
done
lsnfsmnt -l | /usr/bin/egrep -v \"^Name\" | /usr/bin/grep -v \"nodev\" | while read remote local host rest; do
chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
done
NOTE: The NFS mount is re-mounted automatically by chnfsmnt.
NOTE: The second loop might not do anything, as both loops set both nosuid (-y) and nodev (-z)."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
show_output : YES

type : FILE_CHECK
description : "/etc/exports exists"
file : "/etc/exports"

type : CMD_EXEC
description : "4.4.1.4 Ensure localhost aliases do not exist in /etc/exports"
info : "Remove any reference to localhost or localhost aliases from /etc/exports. If the
RPC portmapper has proxy forwarding enabled (which is a default setting in many vendor versions), you must not export your local filesystems back to the localhost, either by name or to the alias localhost, and you must not export to any netgroups of which your host is a member. If proxy forwarding is enabled, an attacker may carefully craft NFS packets and send them to the portmapper, which in turn forwards them to the NFS server. As the packets come from the portmapper process, which runs as root, they appear to be coming from a trusted system. This configuration may allow anyone to alter and delete files at will. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Remove any reference to localhost or localhost aliases in /etc/exports:
Review the content of /etc/exports and check for localhost or localhost aliases:
cat /etc/exports
NOTE: If instances of localhost or localhost aliases are found, edit the file and remove them.
Create a copy of /etc/exports:
cp -p /etc/exports /etc/exports.pre_cis
Edit the file:
vi /etc/exports
Edit the relevant NFS exports to remove the localhost access, for example:
/nfsexport sec=sys,rw,access=localhost:testserver
If /etc/exports is updated, as localhost references have been removed, update the current NFS export options:
exportfs -a"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/cat /etc/exports"
expect : "^Manual Review Required$"
severity : MEDIUM

description : "4.4.1.4 Ensure localhost aliases do not exist in /etc/exports"
info : "Remove any reference to localhost or localhost aliases from /etc/exports. If the RPC portmapper has proxy forwarding enabled, which is a default setting in many vendor versions,
you must not export your local filesystems back to the localhost, either by name or to the alias localhost, and you must not export to any netgroups of which your host is a member. If proxy forwarding is enabled, an attacker may carefully craft NFS packets and send them to the portmapper, which in turn forwards them to the NFS server. As the packets come from the portmapper process, which runs as root, they appear to be coming from a trusted system. This configuration may allow anyone to alter and delete files at will."
solution : "Remove any reference to localhost or localhost aliases in /etc/exports:
Review the content of /etc/exports and check for localhost or localhost aliases:
cat /etc/exports
NOTE: If instances of localhost or localhost aliases are found, edit the file and remove them.
Create a copy of /etc/exports:
cp -p /etc/exports /etc/exports.pre_cis
Edit the file:
vi /etc/exports
Edit the relevant NFS exports to remove the localhost access, for example:
/nfsexport sec=sys,rw,access=localhost:testserver
If /etc/exports is updated, as localhost references have been removed, update the current NFS export options:
exportfs -a"
reference :
"800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"

type : CMD_EXEC
description : "4.4.1.6 Ensure root access is disabled or blocked."
info : "For each NFS export, ensure that the anon aka root_squash option is set to -2 or -1. Each NFS export on the server should have the anon=-2 option set. With this (default) value, root (euid==0) is seen as the account nobody. When anon=0 the remote root user has root access on the NFS mount. By ensuring the export option anon=-2, when a client process with euid==0 attempts to access (read, write, or delete) the NFS mount the server substitutes the UID with the server's nobody account. This means that the root user on the client cannot access or change files that only root on the server can access or change. Many NFS servers call this root_squash; on AIX it is called anon. To be consistent with other benchmark terminology, CIS recommends that root_squash is set on all exported filesystems.
On AIX the default value of anon for any exported filesystem or directory is -2. Thus, when anon is not set, its effective value is -2. Any other value has to be explicitly set. As a more secure option you can set the option to anon=-1. This setting is accepted because it disables anonymous access. By default, secure NFS accepts non-secure requests as anonymous. NOTE: The root user on the client can still use su to become any other user (change the euid) and access and change that user's files, assuming that the same user exists on the NFS server and owns files and/or directories in the NFS export."
solution : "To change this value for all failing NFS exported filesystems:
lsnfsexp | grep -v 'anon=-1' | grep anon= | while read fs rest; do
chnfsexp -d ${fs} -a -2
done
- The command chnfsexp re-exports the file or directory with the new settings active."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd :
"/usr/sbin/lsnfsexp -l | /usr/bin/grep -v \"anon=-1\" | /usr/bin/grep \"anon=\" | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "pass"

type : CMD_EXEC
description : "mount"
cmd : "/usr/sbin/mount | /usr/bin/grep jfs | /usr/bin/egrep -v \"/dev/hd4|nodev\" | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "^pass$"

type : CMD_EXEC
description : "lsfs"
cmd : "/usr/sbin/lsfs | /usr/bin/grep jfs | /usr/bin/egrep -v \"/dev/hd4|nodev\" | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "^pass$"

description : "4.4.3.1 Ensure only / permits device files."
info : "The filesystem mount option nodev ensures that special device files are not recognized as device files. This recommendation audits all rootvg filesystems to ensure that only the root filesystem '/' allows the use of device special files."
solution : "- The following command remounts filesystems with 'nodev' added:
mount | grep jfs | /usr/bin/egrep -v \"/dev/hd4|nodev\" | while read lv fs jfs m d t options
do
mount -o remount,${options},nodev $fs
done
- The following command updates the stanza in /etc/filesystems
lsfs | grep jfs | /usr/bin/egrep -v \"/dev/hd4|nodev\" | while read lv node fs jfs size options rest
do
if [ ${options} == \"--\" ]; then
chfs -a options=nodev $fs
else
chfs -a options=${options},nodev $fs
fi
done"
reference :
"800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
show_output : YES

type : CMD_EXEC
description : "4.5.1 Ensure sockthresh is configured"
info : "The sockthresh parameter value determines what percentage of the total memory allocated to networking (set via thewall) can be used for sockets. The sockthresh parameter will be set to 60. This means that 60% of network memory can be used to service new socket connections; the remaining 40% is reserved for existing sockets. This ensures a quality of service for existing connections."
solution : "In /etc/tunables/nextboot add the sockthresh entry:
no -p -o sockthresh=60
This makes the change permanent by adding the entry into /etc/tunables/nextboot"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1A,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/no -a | /usr/bin/grep sockthresh"
expect : "^[\\s]*sockthresh[\\s]*=[\\s]*60[\\s]*$"

type : CMD_EXEC
description : "4.5.10 Ensure ipsrcrouteforward is disabled"
info : "The ipsrcrouteforward parameter determines whether or not the system forwards IPV4 source-routed packets. The ipsrcrouteforward parameter will be set to 0 to prevent source-routed packets being forwarded by the system. This would prevent a hacker from using source-routed packets to bridge an external facing server to an internal LAN, possibly even through a firewall."
solution : "In /etc/tunables/nextboot add the ipsrcrouteforward entry:
no -p -o ipsrcrouteforward=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/no -a | /usr/bin/grep ipsrcrouteforward"
expect : "^[\\s]*ipsrcrouteforward[\\s]*=[\\s]*0[\\s]*$"

type : CMD_EXEC
description : "4.5.11 Ensure ipsrcrouterecv is disabled"
info : "The ipsrcrouterecv parameter determines whether the system accepts source routed packets. The ipsrcrouterecv parameter will be set to 0. This means that the system will not accept source routed packets. By default, when this is enabled the system is susceptible to source routing attacks."
solution : "In /etc/tunables/nextboot add the ipsrcrouterecv entry:
no -p -o ipsrcrouterecv=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/no -a | /usr/bin/grep ipsrcrouterecv"
expect : "^[\\s]*ipsrcrouterecv[\\s]*=[\\s]*0[\\s]*$"

type : CMD_EXEC
description : "4.5.12 Ensure ipsrcroutesend is disabled"
info : "The ipsrcroutesend parameter determines whether or not the system can send source-routed packets. The ipsrcroutesend parameter will be set to 0 to ensure that any local applications cannot send source routed packets."
solution : "In /etc/tunables/nextboot add the ipsrcroutesend entry:
no -p -o ipsrcroutesend=0
This makes the change permanent by adding the entry into /etc/tunables/nextboot"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/no -a | /usr/bin/grep ipsrcroutesend"
expect : "^[\\s]*ipsrcroutesend[\\s]*=[\\s]*0[\\s]*$"

type : CMD_EXEC
description : "4.5.13 Ensure ip6srcrouteforward is disabled"
info : "The ip6srcrouteforward parameter determines whether or not the system forwards IPV6 source-routed packets. The ip6srcrouteforward parameter will be set to 0 to prevent source-routed packets being forwarded by the system. This would prevent a hacker from using source-routed packets to bridge an external facing server to an internal LAN, possibly even through a firewall."
solution : "In /etc/tunables/nextboot add the ip6srcrouteforward entry: no -p -o ip6srcrouteforward=0 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep ip6srcrouteforward" expect : "^[\\s]*ip6srcrouteforward[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "use_reserved_ports" cmd : "/usr/sbin/nfso -a | /usr/bin/grep nfs_use_reserved_ports" expect : "^[\\s]*nfs_use_reserved_ports[\\s]*=[\\s]*1[\\s]*$" type : CMD_EXEC description : "portcheck" cmd : "/usr/sbin/nfso -a | /usr/bin/grep portcheck" expect : "^[\\s]*portcheck[\\s]*=[\\s]*1[\\s]*$" description : "4.5.14 Ensure nfs_use_reserved_ports is enabled" info : "The portcheck and nfs_use_reserved_ports parameters force the NFS server process on the local system to ignore NFS client requests that do not originate from the privileged ports range (ports less than 1024). The portcheck and nfs_use_reserved_ports parameters will both be set to 1 This value means that NFS client requests that do not originate from the privileged ports range (ports less than 1024) will be ignored by the local system." 
solution : "In /etc/tunables/nextboot add the portcheck and nfs_use_reserved_ports entries: nfso -p -o portcheck=1 nfso -p -o nfs_use_reserved_ports=1 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "4.5.15 Ensure nonlocsrcroute is disabled" info : "The nonlocsrcroute parameter determines whether the system allows source routed packets to be addressed to hosts outside of the LAN. The nonlocsrcroute parameter will be set to 0 This means that the system will not allow source routed packets to be addressed to hosts outside of the LAN. By default, when this is enabled the system is susceptible to source routing attacks." solution : "In /etc/tunables/nextboot add the nonlocsrcroute entry: no -p -o nonlocsrcroute=0 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep nonlocsrcroute" expect : "^[\\s]*nonlocsrcroute[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "4.5.16 Ensure tcp_pmtu_discover is disabled" info : "The tcp_pmtu_discover parameter controls whether TCP MTU discovery is enabled. 
The tcp_pmtu_discover parameter will be set to 0. The idea of MTU discovery is to avoid packet fragmentation between remote networks. This is achieved by discovering the network route and utilizing the smallest MTU size within that path when transmitting packets. When tcp_pmtu_discover is enabled, the system acts on unauthenticated ICMP 'fragmentation needed' messages, which an attacker can forge to force an artificially small MTU on a path and degrade or disrupt TCP connections." solution : "In /etc/tunables/nextboot add the tcp_pmtu_discover entry: no -p -o tcp_pmtu_discover=0 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep tcp_pmtu_discover" expect : "^[\\s]*tcp_pmtu_discover[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "4.5.17 Ensure tcp_tcpsecure is configured" info : "The tcp_tcpsecure parameter value determines whether the system is protected from three specific TCP vulnerabilities. The bit values are OR'ed together; to enable all three protections set the value to 1|2|4, i.e. 7. - Fake SYN - A forged SYN is used to terminate an established connection. A tcp_tcpsecure bit value of 1 protects the system from this vulnerability. - Fake RST - As above, a forged RST is used to terminate an established connection. A tcp_tcpsecure bit value of 2 protects the system from this vulnerability. - Fake data - An attacker may inject fake data into an established connection. A tcp_tcpsecure bit value of 4 protects the system from this vulnerability. The tcp_tcpsecure parameter should be set to 7. This means that the system will be protected from TCP connection reset and data integrity attacks."
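The bit values above, and the "tunable = required value" pattern that every 4.5.x check in this section follows, as an added example (this script is not part of the Tenable audit file or of the CIS benchmark): a POSIX shell script that reads `no -a` output, compares each tunable with the benchmark value, decodes which tcp_tcpsecure protections a non-7 value lacks, and emits the `no -p -o` commands the benchmark uses as remediation. The `no -a` output is a constructed sample with invented values so the script runs off-box; the tunable names and "name = value" layout are those of AIX.

```shell
#!/bin/sh
# Added example; not part of the CIS benchmark or of this Tenable audit file.
# Audits the `no` tunables covered by items 4.5.x against the benchmark values,
# decodes the tcp_tcpsecure bitmask, and prints the `no -p -o` remediation for
# each non-compliant tunable. Plain POSIX sh that only parses text, so it runs
# off-box against the constructed sample; on AIX feed it the real output:
#     audit_tunables "$(/usr/sbin/no -a)"

# Constructed sample of `no -a` output ("name = value", names right-aligned as
# AIX prints them). The values are invented to show both passing and failing
# tunables and do not come from any real system.
SAMPLE_NO_A='
              bcastping = 0
    clean_partial_conns = 0
     directed_broadcast = 0
        icmpaddressmask = 0
          ip6forwarding = 0
     ip6srcrouteforward = 1
           ipforwarding = 0
      ipignoreredirects = 0
        ipsendredirects = 1
      ipsrcrouteforward = 0
         ipsrcrouterecv = 0
         ipsrcroutesend = 0
         nonlocsrcroute = 0
      tcp_pmtu_discover = 1
          tcp_tcpsecure = 5
      udp_pmtu_discover = 0
'

# Benchmark expectations (items 4.5.2 - 4.5.18): tunable and required value.
EXPECTED='bcastping 0
clean_partial_conns 1
directed_broadcast 0
icmpaddressmask 0
ip6forwarding 0
ip6srcrouteforward 0
ipforwarding 0
ipignoreredirects 1
ipsendredirects 0
ipsrcrouteforward 0
ipsrcrouterecv 0
ipsrcroutesend 0
nonlocsrcroute 0
tcp_pmtu_discover 0
tcp_tcpsecure 7
udp_pmtu_discover 0'

# get_tunable NO_OUTPUT NAME: print the current value of NAME, or nothing if the
# tunable is absent. Matches the whole first field, so "ipforwarding" cannot be
# satisfied by the "ip6forwarding" line.
get_tunable() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 == "=" { print $3; exit }'
}

# tcpsecure_missing VALUE: list the tcp_tcpsecure protections that VALUE does
# not enable (bit 1 = fake SYN, 2 = fake RST, 4 = fake data); empty for 7.
tcpsecure_missing() {
    v=$1
    out=""
    if [ $((v & 1)) -eq 0 ]; then out="$out fake-SYN"; fi
    if [ $((v & 2)) -eq 0 ]; then out="$out fake-RST"; fi
    if [ $((v & 4)) -eq 0 ]; then out="$out fake-data"; fi
    printf '%s\n' "${out# }"
}

# audit_tunables NO_OUTPUT: print one PASS/FAIL line per expected tunable and
# return the number of failures (0 means compliant with every 4.5.x item).
audit_tunables() {
    fails=0
    while read -r name want; do
        have=$(get_tunable "$1" "$name")
        if [ "$have" = "$want" ]; then
            printf 'PASS %s = %s\n' "$name" "$have"
        else
            fails=$((fails + 1))
            detail=""
            if [ "$name" = tcp_tcpsecure ] && [ -n "$have" ]; then
                detail=" missing: $(tcpsecure_missing "$have")"
            fi
            printf 'FAIL %s = %s (want %s)%s\n' "$name" "${have:-unset}" "$want" "$detail"
        fi
    done <<EOF
$EXPECTED
EOF
    return $fails
}

# remediation NO_OUTPUT: print the `no -p -o name=value` commands (the form the
# benchmark uses; -p sets the running value and records it in
# /etc/tunables/nextboot) for every tunable that is not at its required value.
remediation() {
    while read -r name want; do
        if [ "$(get_tunable "$1" "$name")" != "$want" ]; then
            printf 'no -p -o %s=%s\n' "$name" "$want"
        fi
    done <<EOF
$EXPECTED
EOF
}

# Stand-alone run against the constructed sample.
if ! audit_tunables "$SAMPLE_NO_A"; then
    echo "Remediation (review before running on the host):"
    remediation "$SAMPLE_NO_A"
fi
```

On an AIX host, `audit_tunables "$(/usr/sbin/no -a)"` reproduces the pass/fail result of the 4.5.x checks in one pass, and `remediation "$(/usr/sbin/no -a)"` prints the exact commands from the solution fields for whatever is out of line; review that list before piping it to `sh`. Because `no -a` reports running values, a tunable that was only set for the next boot (`no -r`) still fails until the reboot, which is why the benchmark uses `-p` to set both the current and the nextboot value.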
solution : "In /etc/tunables/nextboot add the tcp_tcpsecure entry: no -p -o tcp_tcpsecure=7 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -o tcp_tcpsecure" expect : "^[\\s]*tcp_tcpsecure[\\s]*=[\\s]*7[\\s]*$" type : CMD_EXEC description : "4.5.18 Ensure udp_pmtu_discover is disabled" info : "The udp_pmtu_discover parameter controls whether UDP path MTU discovery is enabled. The udp_pmtu_discover parameter will be set to 0. The idea of MTU discovery is to avoid packet fragmentation between remote networks. This is achieved by discovering the network route and utilizing the smallest MTU size within that path when transmitting packets. When udp_pmtu_discover is enabled, the system likewise acts on unauthenticated ICMP 'fragmentation needed' messages, which an attacker can forge to force an artificially small path MTU for UDP traffic." solution : "In /etc/tunables/nextboot add the udp_pmtu_discover entry: no -p -o udp_pmtu_discover=0 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep udp_pmtu_discover" expect : "^[\\s]*udp_pmtu_discover[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "4.5.2 Ensure bcastping is disabled" info : "The bcastping parameter determines whether the system responds to ICMP echo packets sent to the broadcast address. 
The bcastping parameter will be set to 0. This means that the system will not respond to ICMP echo requests sent to the broadcast address. By default, when this is enabled the system can be used as an amplifier in smurf attacks: an attacker sends a small number of ICMP echo requests to the broadcast address with a forged source address, and every host that answers replies to the spoofed victim. The replies can generate huge numbers of ICMP echo packets and seriously affect the performance of the targeted host and network. This parameter will be disabled to ensure protection from this type of attack." solution : "In /etc/tunables/nextboot add the bcastping entry: no -p -o bcastping=0 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep bcastping" expect : "^[\\s]*bcastping[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "4.5.3 Ensure clean_partial_conns is enabled" info : "The clean_partial_conns parameter determines whether or not the system defends itself against SYN flood attacks. This parameter, when enabled, randomly drops connections that are waiting in the SYN RECEIVED state so that new connections can still be accepted when the listen queue fills. This limits DoS attacks in which an attacker floods a system with SYN packets and never completes the handshake. The clean_partial_conns parameter will be set to 1 to clear down pending SYN received connections rather than let them exhaust the listen queue."
solution : "In /etc/tunables/nextboot add the clean_partial_conns entry: no -p -o clean_partial_conns=1 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep clean_partial_conns" expect : "^[\\s]*clean_partial_conns[\\s]*=[\\s]*1[\\s]*$" type : CMD_EXEC description : "4.5.4 Ensure directed_broadcast is disabled" info : "The directed_broadcast parameter determines whether or not the system allows a directed broadcast to a network gateway. The directed_broadcast parameter will be set to 0 to prevent directed broadcasts being sent to network gateways. This prevents a packet addressed to the broadcast address of a remote network from being forwarded through this system and broadcast there, which is the amplification step that smurf-style attacks rely on." solution : "In /etc/tunables/nextboot add the directed_broadcast entry: no -p -o directed_broadcast=0 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep directed_broadcast" expect : "^[\\s]*directed_broadcast[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "4.5.5 Ensure icmpaddressmask is disabled" info : "The icmpaddressmask parameter determines whether the system responds to an ICMP address mask request. 
The icmpaddressmask parameter will be set to 0. This means that the system will not respond to ICMP address mask requests. By default, when this is enabled the system discloses its subnet mask to any host that asks, which aids network reconnaissance. Answering address mask requests is typically a feature performed by a device such as a network router and should not be enabled within the operating system." solution : "In /etc/tunables/nextboot add the icmpaddressmask entry: no -p -o icmpaddressmask=0 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep icmpaddressmask" expect : "^[\\s]*icmpaddressmask[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "4.5.6 Ensure ipforwarding is disabled" info : "The ipforwarding parameter determines whether or not the system forwards TCP/IP packets between its interfaces. The ipforwarding parameter will be set to 0 to ensure that packets arriving on one interface are not forwarded on to remote networks. This should only be enabled if the system is performing the function of an IP router. This is typically handled by a dedicated network device."
solution : "In /etc/tunables/nextboot add the ipforwarding entry: no -p -o ipforwarding=0 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep ipforwarding" expect : "^[\\s]*ipforwarding[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "4.5.7 Ensure ip6forwarding is disabled" info : "The ip6forwarding parameter determines whether or not the system forwards IPv6 TCP/IP packets. The ip6forwarding parameter will be set to 0 to ensure that redirected packets do not reach remote networks. This should only be enabled if the system is performing the function of an IP router. This is typically handled by a dedicated network device." solution : "In /etc/tunables/nextboot add the ip6forwarding entry: no -p -o ip6forwarding=0 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep ip6forwarding" expect : "^[\\s]*ip6forwarding[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "4.5.8 Ensure ipignoreredirects is enabled" info : "The ipignoreredirects parameter determines whether or not the system will process IP redirects. The ipignoreredirects will be set to 1 to prevent IP re-directs being processed by the system." 
solution : "In /etc/tunables/nextboot add the ipignoreredirects entry: no -p -o ipignoreredirects=1 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep ipignoreredirects" expect : "^[\\s]*ipignoreredirects[\\s]*=[\\s]*1[\\s]*$" type : CMD_EXEC description : "4.5.9 Ensure ipsendredirects is disabled" info : "The ipsendredirects parameter determines whether or not the kernel sends ICMP redirect messages to other hosts. The ipsendredirects parameter will be set to 0 so that the system does not advertise alternative routes to its neighbours; generating redirects is a router function and should not be enabled on an ordinary host." solution : "In /etc/tunables/nextboot add the ipsendredirects entry: no -p -o ipsendredirects=0 This makes the change permanent by adding the entry into /etc/tunables/nextboot" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/no -a | /usr/bin/grep ipsendredirects" expect : "^[\\s]*ipsendredirects[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "ipsec ipv4" cmd : "/usr/sbin/lsdev -C -c ipsec | /usr/bin/grep ipsec_v4 | /usr/bin/awk '{print} END {if (NR == 0) print \"not found\"}'" expect : "^[\\s]*ipsec_v4[\\s]+Available[\\s]+IP[\\s]+Version[\\s]+4[\\s]+Security[\\s]+Extension" type : CMD_EXEC description : "ipsec ipv6" cmd : "/usr/sbin/lsdev -C -c ipsec | /usr/bin/grep ipsec_v6 | /usr/bin/awk '{print} 
END {if (NR == 0) print \"not found\"}'" expect : "^[\\s]*ipsec_v6[\\s]+Available[\\s]+IP[\\s]+Version[\\s]+6[\\s]+Security[\\s]+Extension" description : "4.6.1 Ensure that IP Security is available" info : "In order to configure IP Security, the kernel extension and devices must first be loaded IP Security is not enabled out of the box on an AIX install, so must be enabled before further changes can be made" solution : "Enable IP Security with default Rule Permit and activate IPsec logging to syslog # Create the IPsec devices mkdev -c ipsec -t 4 mkdev -c ipsec -t 6 # Activate with default rule Permit mkfilt -v4 -z p mkfilt -v6 -z p # Start IPsec filtering mkfilt -g start Impact: Changing firewall settings while connected over the network can result in being locked out of the system." reference : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|9.4,CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "deny lo ipv4" cmd : "/usr/sbin/lsfilt -v 4 -O | /usr/bin/grep 127.0.0.0" expect : "deny.*127\\.0\\.0\\.0.*all" type : CMD_EXEC description : "deny lo ipv6" cmd : "/usr/sbin/lsfilt -v 6 -O | /usr/bin/grep ::1" expect : "deny.*::1.*all" description : "4.6.2 Ensure loopback traffic is blocked on external interfaces" info : "The loopback 
interface will accept traffic unconditionally. Configure all other interfaces to deny traffic to the loopback network. Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure." solution : "genfilt -v 4 -a D -s 127.0.0.0 -m 255.0.0.0 -l Y -i all genfilt -v 6 -a D -s ::1 -m 128 -l Y -i all" reference : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|9.4,CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "filters ipv6" cmd : "/usr/sbin/lsfilt -v6 -O -a 2>&1 | /usr/bin/grep -E '(inactive|Can not open device)' | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"}'" expect : "^pass$" type : CMD_EXEC description : "filters ipv4" cmd : "/usr/sbin/lsfilt -v4 -O -a 2>&1 | /usr/bin/grep -E '(inactive|Can not open device)' | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"}'" expect : "^pass$" description : "4.6.3 Ensure that IPsec filters are active" info : "Rules added to the filter list are not enabled automatically. 
Filters need to be activated and/or updated after changes to the ODM filter database. The filters must be active in order for IP Security to protect the system." solution : "mkfilt -u mkfilt -g start Impact: Changing firewall settings while connected over the network can result in being locked out of the system. Ensure you have access to the console (e.g., via HMC) while developing and testing IPsec rule modifications." reference : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|9.4,CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "4.7.1.1 Ensure CDE is not installed" info : "The recommendation is to de-install CDE (the X11.Dt filesets) from the system where it is installed but not required. CDE has a history of security problems and should be disabled. NOTE: If CDE is required, it is vital to patch the software and consider TCP Wrappers to further enhance security." solution : "Identify whether CDE is already installed: lslpp -L |grep -i X11.Dt If there are CDE filesets installed, de-install them if CDE is not required. For each fileset preview the de-installation: installp -up Review the fileset removal preview output, paying particular attention to the other pre-requisites that will also be removed. 
Typically only X11.Dt filesets should be de-installed as pre-requisites. Once reviewed, de-install the fileset and pre-requisites: installp -ug NOTE: Repeat until all CDE related filesets are de-installed" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/lslpp -L X11.Dt.*" expect : "[\\s]*not[\\s]+installed\\.[\\s]*$" type : CMD_EXEC description : "X11" cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE" expect : "^[\\s]*X11\\.Dt\\." type : FILE_CHECK description : "Xservers" file : "/etc/dt/config/Xservers" type : FILE_CHECK description : "permissions and ownership" file : "/etc/dt/config/Xservers" owner : "root" mask : "133" group : "bin" type : FILE_CONTENT_CHECK description : "check for Dtlogin" file : "/etc/dt/config/Xconfig" regex : "^[\\s]*Dtlogin\\*servers:" expect : "^[\\s]*Dtlogin\\*servers:[\\s]*/etc/dt/config/Xservers$" description : "4.7.1.10 Ensure the file /etc/dt/config/Xservers is configured" info : "The /etc/dt/config/Xservers file contains entries to start the Xserver on the local display. Ensure this file is owned by root:bin and prevents group and other from writing to it. The default file, /usr/dt/config/Xservers, is unconditionally overwritten upon subsequent installation, so the copy under /etc/dt/config is the one to secure. It is recommended that the appropriate permissions and ownership are applied to secure the file."
solution : "Check to see if the /etc/dt/config/Xservers exists: ls -l /etc/dt/config/Xservers If it exists ensure that it is explicitly defined in /etc/dt/config/Xconfig : vi /etc/dt/config/Xconfig Replace: Dtlogin*servers: Xservers With: Dtlogin*servers: /etc/dt/config/Xservers Apply the appropriate ownership and permissions to /etc/dt/config/Xservers : chown root:bin /etc/dt/config/Xservers chmod go-w /etc/dt/config/Xservers" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES description : "4.7.1.10 Ensure the file /etc/dt/config/Xservers is configured" info : "The /etc/dt/config/Xservers contains entries to start the Xserver on the local display. Ensure this file is owned by root:bin and prevents group and other from writing to it. The /etc/dt/config/Xservers contains entries to start the Xserver on the local display. 
The default file, /usr/dt/config/Xservers is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file." solution : "Check to see if the /etc/dt/config/Xservers exists: ls -l /etc/dt/config/Xservers If it exists ensure that it is explicitly defined in /etc/dt/config/Xconfig : vi /etc/dt/config/Xconfig Replace: Dtlogin*servers: Xservers With: Dtlogin*servers: /etc/dt/config/Xservers Apply the appropriate ownership and permissions to /etc/dt/config/Xservers : chown root:bin /etc/dt/config/Xservers chmod go-w /etc/dt/config/Xservers" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" description : "4.7.1.10 Ensure the file /etc/dt/config/Xservers is configured" info : "The /etc/dt/config/Xservers contains entries to start the Xserver on the local display. 
Ensure this file is owned by root:bin and prevents group and other from writing to it. The /etc/dt/config/Xservers contains entries to start the Xserver on the local display. The default file, /usr/dt/config/Xservers is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file." solution : "Check to see if the /etc/dt/config/Xservers exists: ls -l /etc/dt/config/Xservers If it exists ensure that it is explicitly defined in /etc/dt/config/Xconfig : vi /etc/dt/config/Xconfig Replace: Dtlogin*servers: Xservers With: Dtlogin*servers: /etc/dt/config/Xservers Apply the appropriate ownership and permissions to /etc/dt/config/Xservers : chown root:bin /etc/dt/config/Xservers chmod go-w /etc/dt/config/Xservers" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "X11" cmd : "/usr/bin/lslpp -L | 
/usr/bin/grep -i CDE" expect : "^[\\s]*X11\\.Dt\\." type : FILE_CHECK description : "4.7.1.11 Ensure access to Xresources is configured" info : "The /etc/dt/config/*/Xresources file contains appearance and behavior resources for the Dtlogin login screen. The /etc/dt/config/*/Xresources file defines the customization of the Dtlogin screen. The default file, /usr/dt/config/*/Xresources is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file." solution : "Set the appropriate permissions and ownership on all Xresources files: chown root:sys /etc/dt/config/*/Xresources chmod u-x,go-wx /etc/dt/config/*/Xresources" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/dt/config/*/Xresources" owner : "root" mask : "133" group : "sys" description : "4.7.1.11 Ensure access to Xresources is configured" info : "The 
/etc/dt/config/*/Xresources file contains appearance and behavior resources for the Dtlogin login screen. The /etc/dt/config/*/Xresources file defines the customization of the Dtlogin screen. The default file, /usr/dt/config/*/Xresources is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file." solution : "Set the appropriate permissions and ownership on all Xresources files: chown root:sys /etc/dt/config/*/Xresources chmod u-x,go-wx /etc/dt/config/*/Xresources" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "X11" cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE" expect : "^[\\s]*X11\\.Dt\\." type : CMD_EXEC description : "4.7.1.2 Ensure the cmsd service is not available" info : "This entry starts the cmsd service when required. This is a calendar and appointment service. 
The cmsd service is utilized by CDE to provide calendar functionality. If CDE is not required, this service should be disabled." solution : "In /etc/inetd.conf comment out the cmsd entry: chsubserver -r inetd -C /etc/inetd.conf -d -v 'cmsd' -p 'tcsunrpc_udp' refresh -s inetd" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/lssrc -s inetd -l | /usr/bin/grep cms | /usr/bin/wc -l" expect : "^0$" description : "4.7.1.2 Ensure the cmsd service is not available" info : "This entry starts the cmsd service when required. This is a calendar and appointment service. The cmsd service is utilized by CDE to provide calendar functionality. If CDE is not required, this service should be disabled." solution : "In /etc/inetd.conf comment out the cmsd entry: chsubserver -r inetd -C /etc/inetd.conf -d -v 'cmsd' -p 'tcsunrpc_udp' refresh -s inetd" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "X11" cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE" expect : "^[\\s]*X11\\.Dt\\." type : CMD_EXEC description : "4.7.1.3 Ensure dtlogin service is not available" info : "Do not start CDE automatically on system boot. The implementation of the customized aixpert XML file disables CDE if there is not a graphical console attached to the system. 
If there is a graphical console or the XML file has not been executed, consider disabling CDE anyway." solution : "Disable CDE start up: /usr/dt/bin/dtconfig -d NOTE: If CDE is not installed the command will not be found" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/lsitab dt | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "^pass$" description : "4.7.1.3 Ensure dtlogin service is not available" info : "Do not start CDE automatically on system boot. The implementation of the customized aixpert XML file disables CDE if there is not a graphical console attached to the system. If there is a graphical console or the XML file has not been executed, consider disabling CDE anyway." solution : "Disable CDE start up: /usr/dt/bin/dtconfig -d NOTE: If CDE is not installed the command will not be found" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "X11" cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE" expect : "^[\\s]*X11\\.Dt\\." type : FILE_CONTENT_CHECK_NOT description : "4.7.1.4 Ensure dtspc is not available" info : "This entry starts the dtspc service when required. This service is used in response to a CDE client request. The dtspc service deals with the CDE interface of the X11 daemon. 
It is started automatically by the inetd daemon in response to a CDE client requesting a process to be started on the daemon's host. This makes it vulnerable to buffer overflow attacks, which may allow an attacker to gain root privileges on a host. This service must be disabled unless it is absolutely required." solution : "In /etc/inetd.conf comment out the dtspc entry: chsubserver -r inetd -C /etc/inetd.conf -d -v 'dtspc' -p 'tcp'" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/inetd.conf" regex : "^[\\s]*dtspc.*/usr/dt/bin/dtspcd" expect : "^[\\s]*dtspc.*/usr/dt/bin/dtspcd" description : "4.7.1.4 Ensure dtspc is not available" info : "This entry starts the dtspc service when required. This service is used in response to a CDE client request. The dtspc service deals with the CDE interface of the X11 daemon. It is started automatically by the inetd daemon in response to a CDE client requesting a process to be started on the daemon's host. This makes it vulnerable to buffer overflow attacks, which may allow an attacker to gain root privileges on a host. This service must be disabled unless it is absolutely required." 
solution : "In /etc/inetd.conf comment out the dtspc entry: chsubserver -r inetd -C /etc/inetd.conf -d -v 'dtspc' -p 'tcp'" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "X11" cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE" expect : "^[\\s]*X11\\.Dt\\." type : FILE_CHECK description : "dtaction" file : "/usr/dt/bin/dtaction" mask : "6000" required : NO type : FILE_CHECK description : "dtprintinfo" file : "/usr/dt/bin/dtprintinfo" mask : "6000" required : NO type : FILE_CHECK description : "dtsession" file : "/usr/dt/bin/dtsession" mask : "6000" required : NO type : FILE_CHECK description : "dtappgather" file : "/usr/dt/bin/dtappgather" mask : "6000" required : NO description : "4.7.1.5 Ensure CDE daemons have sgid and suid mode disabled" info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid / sgid programs owned by root:bin or root:sys CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid / sgid programs owned by root:bin or root:sys It is recommended that the CDE binaries have the suid / sgid removed." 
solution : "Remove the suid / sgid from the following CDE binaries: chmod ug-s /usr/dt/bin/dtaction chmod ug-s /usr/dt/bin/dtappgather chmod ug-s /usr/dt/bin/dtprintinfo chmod ug-s /usr/dt/bin/dtsession" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES description : "4.7.1.5 Ensure CDE daemons have sgid and suid mode disabled" info : "CDE buffer overflow vulnerabilities may be exploited by a local user to obtain root privilege via suid / sgid programs owned by root:bin or root:sys CDE has been associated with major security risks, most of which are buffer overflow vulnerabilities. These vulnerabilities may be exploited by a local user to obtain root privilege via suid / sgid programs owned by root:bin or root:sys It is recommended that the CDE binaries have the suid / sgid removed." solution : "Remove the suid / sgid from the following CDE binaries: chmod ug-s /usr/dt/bin/dtaction chmod ug-s /usr/dt/bin/dtappgather chmod ug-s /usr/dt/bin/dtprintinfo chmod ug-s /usr/dt/bin/dtsession" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "X11" cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE" expect : "^[\\s]*X11\\.Dt\\." type : FILE_CONTENT_CHECK description : "4.7.1.6 Ensure CDE remote GUI login is disabled" info : "The XDMCP service allows remote systems to start local X login sessions. 
The XDMCP service should be disabled unless there is a requirement to allow remote X servers to start login sessions. If the ability to host remote X servers is not required, disable the service." solution : "Copy /usr/dt/config/Xconfig to /etc/dt/config if it does not already exist: ls -l /etc/dt/config/Xconfig If the file does not exist, create it: mkdir -p /etc/dt/config cp /usr/dt/config/Xconfig /etc/dt/config Disable remote X sessions from being started: vi /etc/dt/config/Xconfig Replace: # Dtlogin.requestPort: 0 With: Dtlogin.requestPort: 0" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/dt/config/Xconfig" regex : "(?i)DtLogin.requestPort" expect : "(?i)^[\\s]*DtLogin[\\.]requestPort:[\\s]+0[\\s]*$" description : "4.7.1.6 Ensure CDE remote GUI login is disabled" info : "The XDMCP service allows remote systems to start local X login sessions. The XDMCP service should be disabled unless there is a requirement to allow remote X servers to start login sessions. If the ability to host remote X servers is not required, disable the service." 
solution : "Copy /usr/dt/config/Xconfig to /etc/dt/config if it does not already exist: ls -l /etc/dt/config/Xconfig If the file does not exist, create it: mkdir -p /etc/dt/config cp /usr/dt/config/Xconfig /etc/dt/config Disable remote X sessions from being started: vi /etc/dt/config/Xconfig Replace: # Dtlogin.requestPort: 0 With: Dtlogin.requestPort: 0" reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "X11" cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE" expect : "^[\\s]*X11\\.Dt\\." type : FILE_CONTENT_CHECK description : "saverTimeout" file : "/etc/dt/config/*/sys.resources" regex : "^[\\s]*dtsession[\\*]saverTimeout:" expect : "^[\\s]*dtsession[\\*]saverTimeout:[\\s]+([1-9]|1[0-5])[\\s]*$" type : FILE_CONTENT_CHECK description : "lockTimeout" file : "/etc/dt/config/*/sys.resources" regex : "^[\\s]*dtsession[\\*]lockTimeout:" expect : "^[\\s]*dtsession[\\*]lockTimeout:[\\s]+([1-9]|1[0-5])[\\s]*$" description : "4.7.1.7 Ensure CDE screensaver lock is enabled" info : "The default timeout is 30 minutes of keyboard and mouse inactivity before a password protected screensaver is invoked by the CDE session manager. The default timeout of 30 minutes prior to a password protected screensaver being invoked is too long. The recommendation is to set this to 10 minutes to protect from unauthorized access on unattended systems."
solution : "Set the default timeout parameters dtsession*saverTimeout: and dtsession*lockTimeout : for file in /usr/dt/config/*/sys.resources; do dir=`dirname $file | sed -e s/usr/etc/` mkdir -p $dir echo 'dtsession*saverTimeout: 10' >> $dir/sys.resources echo 'dtsession*lockTimeout: 10' >> $dir/sys.resources done" reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES description : "4.7.1.7 Ensure CDE screensaver lock is enabled" info : "The default timeout is 30 minutes of keyboard and mouse inactivity before a password protected screensaver is invoked by the CDE session manager. The default timeout of 30 minutes prior to a password protected screensaver being invoked is too long. The recommendation is to set this to 10 minutes to protect from unauthorized access on unattended systems."
solution : "Set the default timeout parameters dtsession*saverTimeout: and dtsession*lockTimeout : for file in /usr/dt/config/*/sys.resources; do dir=`dirname $file | sed -e s/usr/etc/` mkdir -p $dir echo 'dtsession*saverTimeout: 10' >> $dir/sys.resources echo 'dtsession*lockTimeout: 10' >> $dir/sys.resources done" reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "X11" cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE" expect : "^[\\s]*X11\\.Dt\\." type : FILE_CONTENT_CHECK description : "labelString" file : "/etc/dt/config/*/Xresources" regex : "^[\\s]*Dtlogin[\\*]greeting[\\.]labelString:" expect : "^[\\s]*Dtlogin[\\*]greeting[\\.]labelString:[\\s]+@CDE_LABEL_STRING@" type : FILE_CONTENT_CHECK description : "persLabelString" file : "/etc/dt/config/*/Xresources" regex : "^[\\s]*Dtlogin[\\*]greeting[\\.]persLabelString:" expect : "^[\\s]*Dtlogin[\\*]greeting[\\.]persLabelString:[\\s]+@CDE_PERSLABEL_STRING@" description : "4.7.1.8 Ensure CDE login screen hostname is masked" info : "The Dtlogin*greeting.labelString parameter is the message displayed in the first dialogue box on the CDE login screen. This is where the username is entered.
The Dtlogin*greeting.persLabelString is the message displayed in the second dialogue box on the CDE login screen. This is where the password is entered. Potential hackers may gain access to valuable information such as the hostname and the version of the operating system from the default AIX login screen. This information would assist hackers in choosing the exploitation methods to break into the system. For security reasons, change the login screen default messages." solution : "Copy the files from /usr/dt/config/*/Xresources to /etc/dt/config/*/Xresources and add the Dtlogin*greeting.labelString and Dtlogin*greeting.persLabelString parameters to all copied Xresources files: for file in /usr/dt/config/*/Xresources; do dir=`dirname $file | sed s/usr/etc/` mkdir -p $dir if [ ! -f $dir/Xresources ]; then cp $file $dir/Xresources fi WARN=\"Authorized uses only. All activity may be monitored and reported.\" echo \"Dtlogin*greeting.labelString: $WARN\" >> $dir/Xresources echo \"Dtlogin*greeting.persLabelString: $WARN\" >> $dir/Xresources done" reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES description : "4.7.1.8 Ensure CDE login screen hostname is masked" info : "The Dtlogin*greeting.labelString parameter is the message displayed in the first dialogue box on the CDE login screen. This is where the username is entered. The Dtlogin*greeting.persLabelString is the message displayed in the second dialogue box on the CDE login screen. This is where the password is entered. Potential hackers may gain access to valuable information such as the hostname and the version of the operating system from the default AIX login screen. This information would assist hackers in choosing the exploitation methods to break into the system. 
For security reasons, change the login screen default messages." solution : "Copy the files from /usr/dt/config/*/Xresources to /etc/dt/config/*/Xresources and add the Dtlogin*greeting.labelString and Dtlogin*greeting.persLabelString parameters to all copied Xresources files: for file in /usr/dt/config/*/Xresources; do dir=`dirname $file | sed s/usr/etc/` mkdir -p $dir if [ ! -f $dir/Xresources ]; then cp $file $dir/Xresources fi WARN=\"Authorized uses only. All activity may be monitored and reported.\" echo \"Dtlogin*greeting.labelString: $WARN\" >> $dir/Xresources echo \"Dtlogin*greeting.persLabelString: $WARN\" >> $dir/Xresources done" reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "X11" cmd : "/usr/bin/lslpp -L | /usr/bin/grep -i CDE" expect : "^[\\s]*X11\\.Dt\\." type : FILE_CHECK description : "4.7.1.9 Ensure access to /etc/dt/config/Xconfig is configured" info : "The /etc/dt/config/Xconfig file is used to customize CDE DT login attributes. Ensure this file is owned by root:bin and permissions prevent group and other from writing to the file. The /etc/dt/config/Xconfig file can be used to customize CDE DT login attributes. The default file, /usr/dt/config/Xconfig is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file." 
solution : "Check to see if the /etc/dt/config/Xconfig exists: ls -l /etc/dt/config/Xconfig Apply the appropriate ownership and permissions to /etc/dt/config/Xconfig : chown root:bin /etc/dt/config/Xconfig chmod go-w /etc/dt/config/Xconfig" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/dt/config/Xconfig" owner : "root" mask : "333" group : "bin" description : "4.7.1.9 Ensure access to /etc/dt/config/Xconfig is configured" info : "The /etc/dt/config/Xconfig file is used to customize CDE DT login attributes. Ensure this file is owned by root:bin and permissions prevent group and other from writing to the file. The /etc/dt/config/Xconfig file can be used to customize CDE DT login attributes. The default file, /usr/dt/config/Xconfig is unconditionally overwritten upon subsequent installation. It is recommended that the appropriate permissions and ownership are applied to secure the file." 
solution : "Check to see if the /etc/dt/config/Xconfig exists: ls -l /etc/dt/config/Xconfig Apply the appropriate ownership and permissions to /etc/dt/config/Xconfig : chown root:bin /etc/dt/config/Xconfig chmod go-w /etc/dt/config/Xconfig" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : FILE_CONTENT_CHECK description : "4.7.2.1 Ensure root access to ftpd is disabled" info : "This change adds the root user to the /etc/ftpusers file, which disables ftp for root. This change ensures that direct root ftp access is disabled. As detailed previously, ftp as a service should be disabled. If the service has to be enabled then this change must be implemented to ensure that remote root file transfer access is not enabled." 
solution : "Add root to the /etc/ftpusers file: echo \"root\" >> /etc/ftpusers" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/ftpusers" regex : "^root$" expect : "^root$" type : FILE_CONTENT_CHECK description : "ftp" file : "/etc/inetd.conf" regex : "^ftp[\\s]+" expect : "^ftp[\\s]+" type : CMD_EXEC description : "4.7.2.2 Ensure ftpd login banner is configured" info : "Set an ftpd login banner which displays the acceptable usage policy. The message in banner.msg is displayed for FTP logins. Banners display necessary warnings to users trying to gain unauthorized access to the system and are required for legal purposes. The recommendation is to set the banner as: \"Authorized uses only. All activity will be monitored and reported\". The content may be changed to reflect any corporate AUP." 
solution : "Ensure that the bos.msg.en_US.net.tcp.client fileset is installed: lslpp -L \"bos.msg.en_US.net.tcp.client\" NOTE : If the fileset is not installed, install it from the AIX media or another software repository. The fileset should reflect the language used on the server. Once installed set the ftp AUP banner: dspcat -g /usr/lib/nls/msg/en_US/ftpd.cat > /tmp/ftpd.tmp sed \"s/\\\"\%s FTP server (\%s) ready.\\\"/\\\"\%s Authorized uses only. All activity may be monitored and reported\\\"/\" /tmp/ftpd.tmp > /tmp/ftpd.msg gencat /usr/lib/nls/msg/en_US/ftpd.cat /tmp/ftpd.msg rm /tmp/ftpd.tmp /tmp/ftpd.msg" reference : "800-171|3.1.9,800-53|AC-8,800-53r5|AC-8,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AC-8,LEVEL|1A,NESA|M1.3.6,TBA-FIISB|45.2.4" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/dspcat /usr/lib/nls/msg/en_US/ftpd.cat 1 9 | awk '{ print } END { if (NR==0) print \"blank\" }'" expect : "@FTP_LOGIN_TEXT@" description : "4.7.2.2 Ensure ftpd login banner is configured" info : "Set an ftpd login banner which displays the acceptable usage policy. The message in banner.msg is displayed for FTP logins. Banners display necessary warnings to users trying to gain unauthorized access to the system and are required for legal purposes. The recommendation is to set the banner as: \"Authorized uses only. All activity will be monitored and reported\". The content may be changed to reflect any corporate AUP." solution : "Ensure that the bos.msg.en_US.net.tcp.client fileset is installed: lslpp -L \"bos.msg.en_US.net.tcp.client\" NOTE : If the fileset is not installed, install it from the AIX media or another software repository. The fileset should reflect the language used on the server. Once installed set the ftp AUP banner: dspcat -g /usr/lib/nls/msg/en_US/ftpd.cat > /tmp/ftpd.tmp sed \"s/\\\"\%s FTP server (\%s) ready.\\\"/\\\"\%s Authorized uses only. 
All activity may be monitored and reported\\\"/\" /tmp/ftpd.tmp > /tmp/ftpd.msg gencat /usr/lib/nls/msg/en_US/ftpd.cat /tmp/ftpd.msg rm /tmp/ftpd.tmp /tmp/ftpd.msg" reference : "800-171|3.1.9,800-53|AC-8,800-53r5|AC-8,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AC-8,LEVEL|1A,NESA|M1.3.6,TBA-FIISB|45.2.4" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : FILE_CONTENT_CHECK description : "4.7.2.3 Ensure ftpd umask is configured" info : "The umask of the ftpd service should be set to at least 027 in order to prevent the FTP daemon process from creating world-accessible, group-writeable files by default. These files could then be transferred over the network which could result in compromise of the critical information." solution : "Set the default umask of the ftp daemon: [[ $(grep -c \"^ftp[[:blank:]]\" /etc/inetd.conf) -gt 0 ]] && chsubserver -c -v ftp -p tcp \"ftpd -l -u 027\" && refresh -s inetd || RC=0 NOTE: The umask above restricts write permissions for both group and other. All access for other is removed."
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/inetd.conf" regex : "^ftp[\\s]+" expect : "^ftp[\\s]+.+/usr/sbin/ftpd.+-u[\\s]*[0-7][2-7]7" required : NO type : CMD_EXEC description : "4.7.3.1 Ensure latest version of openssh is installed" info : "OpenSSH is the expected program for remote command line access. It provides encrypted protocols such as SSH and SCP/SFTP. The recommended mechanism for remote access is to use encrypted protocols such as OpenSSH that are designed to prevent the interception of communications. OpenSSH is the standard replacement for clear-text protocols, such as Telnet and FTP. Clear-text protocols can be snooped and expose credentials and/or sensitive data to unauthorized parties. Additionally, servers that are configured with unique PKI keys can circumvent host impersonation and assure remote hosts/users that they are communicating with the intended device." 
solution : "Install OpenSSH version 9.2 (or later), depending on package source. The current version available from IBM via AIX Web Download Pack Programs is 9.2.112.2400. Impact: OpenBSD maintains the OpenSSH project and regularly updates it. The Major/Minor numbers OpenBSD publishes may be higher than the Major/Minor numbers an OS platform uses - due to differences in how they manage packages. The current OpenBSD release is: OpenSSH 9.8 released July 01, 2024. IBM's policy is to stay at a constant level (currently 9.2) and maintain a more stable set of configuration keywords or feature set. OpenBSD never patches a release. Instead, OpenBSD releases a new version with the latest security fixes and/or feature changes. This means IBM does not automatically push OpenSSH feature changes - but does look at new OpenBSD releases and incorporates security fixes, if any. The current OpenSSH version maintained by IBM is OpenSSH 9.2. The openssh fileset VRMF number should start with 9.2" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/test $(/usr/sbin/sshd -i type : CMD_EXEC description : "4.7.3.10 Ensure sshd LogLevel is configured" info : "SSH provides several logging levels with varying amounts of verbosity. The DEBUG options are specifically not recommended other than strictly for debugging SSH communications. These levels provide so much data that it is difficult to identify important security information, and may violate the privacy of users. The INFO level is the basic level that only records login activity of SSH users.
In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. The VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments." solution : "Edit the /etc/ssh/sshd_config file to set the parameter above any Match set entries as follows: LogLevel VERBOSE - OR - LogLevel INFO Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd startsrc -s sshd Note: The first occurrence of an option takes precedence, Match set statements notwithstanding." reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv7|6.3,CSCv8|8.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep
-i loglevel)\"; done | /bin/awk 'BEGIN {f=0} /loglevel/i { if ($NF !~ /^(INFO|VERBOSE)$/) f++; print $0} END {if (NR == 0) print \"fail: no results returned\"; else if (f > 0) print \"fail\"; else print \"pass\" }' }" expect : "^pass$" type : CMD_EXEC description : "4.7.3.11 Ensure sshd MACs are configured" info : "This variable limits the types of MAC algorithms that SSH can use during communication. Notes: - Some organizations may have stricter requirements for approved MACs. - Ensure that MACs used are in compliance with site policy. - The only \"strong\" MACs currently FIPS 140 approved are: - HMAC-SHA1 - HMAC-SHA2-256 - HMAC-SHA2-384 - HMAC-SHA2-512 MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." 
solution : "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site unapproved (weak) MACs preceded with a - : Example: MACs -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com - IF - CVE-2023-48795 has not been reviewed and addressed, the following etm MACs should be added to the exclude list: hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd startsrc -s sshd" reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : 
"#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep -i MACs)\"; done | /usr/bin/grep -E \"(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1-96|umac-64@openssh\\.com|hmac-md5-etm@openssh\\.com|hmac-md5-96-etm@openssh\\.com|hmac-ripemd160-etm@openssh\\.com|hmac-sha1-96-etm@openssh\\.com|umac-64-etm@openssh\\.com|umac-128-etm@openssh\\.com)\" | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}' }" expect : "^pass$" severity : MEDIUM type : FILE_CONTENT_CHECK description : "4.7.3.12 Ensure sshd MaxAuthTries is configured" info : "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure. Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." 
solution : "Edit the /etc/ssh/sshd_config file to set the parameter as follows:: MaxAuthTries 4 Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd startsrc -s sshd" reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/ssh/sshd_config" regex : "^[\\s]*MaxAuthTries" expect : "^[\\s]*MaxAuthTries[\\s]+[1-4][\\s]*$" type : FILE_CONTENT_CHECK description : "4.7.3.13 Ensure sshd PermitEmptyPasswords is disabled" info : "The recommendation is to edit the /etc/ssh/sshd_config file to ensure that the SSH daemon does not authenticate users with a null password. If password authentication is used and an account has an empty password, the SSH server must be configured to disallow access to the account. Permitting empty passwords could create an easy path of access for hackers to enter the system." 
solution : "Edit the /etc/ssh/sshd_config file to disable the acceptance of null passwords:

vi /etc/ssh/sshd_config

Replace:

#PermitEmptyPasswords no

With:

PermitEmptyPasswords no

Re-cycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
startsrc -s sshd"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
file : "/etc/ssh/sshd_config"
regex : "^[\\s]*PermitEmptyPasswords"
expect : "^[\\s]*PermitEmptyPasswords[\\s]+no[\\s]*$"
type : FILE_CONTENT_CHECK
description : "4.7.3.14 Ensure sshd PermitRootLogin is configured"
info : "This recommendation disables direct root login via SSH using a password. To be absolutely certain direct login is disabled, the recommendation requires that this variable be set explicitly rather than relying on a default that might change after an update to SSH. The recommendation requires an edit of the /etc/ssh/sshd_config file to disable direct root login. All root access should be facilitated through a local logon with a unique and identifiable user ID and then via the su command once locally authenticated. Direct root login using passwords is insecure and does not provide sufficient logging or audit trailing for accountability. Direct root login via SSH was enabled by default with prior versions of OpenSSH."
solution : "#!/usr/bin/ksh
PREFERRED_SETTING=\"prohibit-password\"
umask 077
# Positional parameters become the keyword ($1) and its current value ($2)
set -- $(/usr/bin/egrep \"^PermitRootLogin\" /etc/ssh/sshd_config)
echo $?
if [[ ! -z $1 ]]; then
    # A setting exists: change it to the preferred value if it is anything else
    if [[ $2 != ${PREFERRED_SETTING} ]]; then
        sed \"s/^PermitRootLogin \{1\}[^ ]\{1,\}/PermitRootLogin ${PREFERRED_SETTING}/\" /etc/ssh/sshd_config >/tmp/sshd_config.$$
    fi
else
    # No setting: look for the commented-out keyword and append the setting after it
    sed \"/^# \{0,\}PermitRootLogin/ a\\
PermitRootLogin ${PREFERRED_SETTING}\" /etc/ssh/sshd_config >/tmp/sshd_config.$$
fi
if [[ -e /tmp/sshd_config.$$ ]]; then
    # Show the proposed change for review, then discard the temporary file
    diff -u /tmp/sshd_config.$$ /etc/ssh/sshd_config
    rm /tmp/sshd_config.$$
else
    # Verify the setting is specified; append it if neither a setting nor a comment was found
    /usr/bin/egrep \"^PermitRootLogin\" /etc/ssh/sshd_config >>/dev/null
    if [[ $? -ne 0 ]]; then
        print \"PermitRootLogin ${PREFERRED_SETTING}\" >> /etc/ssh/sshd_config
    fi
fi

Re-cycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
sleep 5
startsrc -s sshd

Impact: The level 1 recommendation does not require a setting of no - setting the attribute to no requires either sharing a root password (to use su), the installation of sudo or a configuration using extended RBAC for actions that require enhanced privileges.
The recommendation 4.3.6.10 specifies a LOG_LEVEL of INFO or DEBUG To resolve, partially, the accountability concerns, permitting publickey authentication as root together with LogLevel INFO (minimum) provides the following syslog information: Jun 25 09:26:41 x071 auth|security:info sshd[8323282]: Accepted publickey for michael from 192.168.129.11 port 54278 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk Jun 25 09:26:52 x071 auth|security:info sshd[8847396]: Accepted publickey for root from 192.168.129.11 port 54279 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk Jun 25 09:26:53 x071 auth|security:info sshd[9044142]: Accepted publickey for root from 192.168.129.11 port 54280 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk Local site policy might decide that publickey accountability is sufficient and a setting of PermitRootLogin prohibit-password (the new default) provides sufficient accountability and security. Note: only public keys in a file such as ~root/.ssh/authorized_keys will be able to connect." reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/ssh/sshd_config" regex : "^[\\s]*PermitRootLogin[\\s]+" expect : "^[\\s]*PermitRootLogin[\\s]+(no|prohibit-password|forced-commands-only)[\\s]*$" type : CMD_EXEC description : "4.7.3.16 Ensure sshd PermitUserEnvironment is disabled" info : "The PermitUserEnvironment option allows users to present environment options to the SSH daemon. Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. 
setting an execution path that has SSH executing trojan'd programs)" solution : "Edit the /etc/ssh/sshd_config file to set the parameter: PermitUserEnvironment no Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd startsrc -s sshd" reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,800-53r5|CM-7b.,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7a.,LEVEL|1A,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|2.2.4,QCSC-v1|3.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep -i permituserenvironment)\"; done | /bin/awk 'BEGIN {f=0} /permituserenvironment/i { if ($NF != \"no\") f++; print $0} END {if (NR == 0) print \"fail: no results returned\"; else if (f > 0) print \"fail\"; else print \"pass\" }' }" expect : "^pass$" type : CMD_EXEC description : "4.7.3.17 Ensure sshd ReKeyLimit is configured" info : "This variable specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed by a maximum amount of time that may pass before the session key is renegotiated. This recommendation is based on the guidelines outlined in Chapter 9 in [RFC4253], i.e. the recommendation is to release/renew Session keys after one hour or after the transfer of one gigabyte (depending on whichever comes first)." 
solution : "Edit the /etc/ssh/sshd_config file to set the parameter as follows: RekeyLimit 1G 3600" reference : "800-171|3.1.13,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-171|3.7.5,800-171|3.13.8,800-53|AC-17(2),800-53|CM-7,800-53|IA-5,800-53|IA-5(1),800-53|MA-4,800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|CM-7,800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|MA-4,800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|9.2,CSCv7|14.4,CSCv8|3.10,CSCv8|4.6,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,CSF2.0|PR.PS-01,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|CM-7,ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|MA-4,ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1A,NESA|T2.3.4,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T5.4.4,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS15a,NIAv2|SS24,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1,TBA-FIISB|45.2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C 
addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep -i rekeylimit)\"; done | /usr/bin/grep -E \"(.*?)(1G|1073741824)[[:blank:]]+3600[[:blank:]]*\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\"; else print \"fail\"}' }"
expect : "^pass$"
type : FILE_CHECK_NOT
description : "rhosts"
file : "/etc/rhosts.equiv"
type : FILE_CHECK_NOT
description : "shosts"
file : "/etc/shosts.equiv"
description : "4.7.3.2 Ensure /etc/shosts.equiv and /etc/rhosts.equiv are removed"
info : "The recommendation is to remove both the /etc/shosts.equiv and /etc/rhosts.equiv files. This is a consequence of the recommendation not to use HostbasedAuthentication: because the recommendation is not to use HostbasedAuthentication unless a documented need already exists, the logical consequence is to remove these files, if they exist, to lower the risk of accidental activation. In any case, the file /etc/rhosts.equiv should be removed, period. (Note: This is also recommended elsewhere.)"
solution : "Print (for review) and then remove the content of the /etc/[rs]hosts.equiv files:

for file in /etc/[rs]hosts.equiv; do
    print \"+++ ${file} +++\"
    /usr/bin/cat -n ${file}
    /usr/bin/rm -f ${file}
done

Impact: The file /etc/shosts.equiv in combination with the OpenSSH sshd_config: HostbasedAuthentication can allow passwordless authentication between servers. Without HostbasedAuthentication the file /etc/shosts.equiv has no purpose."
reference : "800-171|3.4.6,GDPR|32.1.b,800-171|3.4.7,NIAv2|SS14c,800-53|CM-7b.,HIPAA|164.306(a)(1),800-53r5|CM-7b.,SWIFT-CSCv1|2.3,CN-L3|7.1.3.5(c),ITSG-33|CM-7a.,CN-L3|7.1.3.7(d),PCI-DSSv3.2.1|2.2.2,CN-L3|8.1.4.4(b),NIAv2|SS13b,CSF|PR.IP-1,QCSC-v1|3.2,CSF|PR.PT-3,NIAv2|SS14a,CSF2.0|PR.PS-01,PCI-DSSv4.0|2.2.4" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : FILE_CONTENT_CHECK description : "4.7.3.3 Ensure sftp-server arguments are configured" info : "The sftp-server is started by the sshd server after authentication has been completed successfully. The process runs with the euid of the authenticated user. The sftp-server does not inherit the logging levels from sshd and they must be configured manually. SFTP provides several logging levels with varying amounts of verbosity. The DEBUG options are specifically not recommended other than strictly for debugging SSH communications. These levels provide so much data that it is difficult to identify important security information, and may violate the privacy of users. The INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. The VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments." 
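As a worked example of what the sshd -T checks above decide (LogLevel, MACs, MaxAuthTries, PermitEmptyPasswords, PermitRootLogin, PermitUserEnvironment and RekeyLimit), the following Python is added here and is not part of the Nessus audit or the CIS benchmark: it parses a per-port sshd -T dump, applies the same pass/fail rules, and also shows how a '-' prefixed MACs line such as the one in the 4.7.3.11 solution changes the effective algorithm list. The rule table extends to the Ciphers, Banner and Allow/Deny checks that appear further down; the sample dumps and the DEFAULT_MACS list are constructed assumptions.

```python
"""Evaluate 'sshd -T' output against the sshd rules on this page.  Added example,
not from the Nessus audit; SAMPLE_* and DEFAULT_MACS are constructed."""
from fnmatch import fnmatch

# Weak algorithms, taken from the grep patterns the audit checks use.
WEAK_MACS = {
    "hmac-md5", "hmac-md5-96", "hmac-ripemd160", "hmac-sha1-96",
    "umac-64@openssh.com", "hmac-md5-etm@openssh.com",
    "hmac-md5-96-etm@openssh.com", "hmac-ripemd160-etm@openssh.com",
    "hmac-sha1-96-etm@openssh.com", "umac-64-etm@openssh.com",
    "umac-128-etm@openssh.com"}
WEAK_CIPHERS = {
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
    "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc",
    "rijndael-cbc@lysator.liu.se"}
# Assumed built-in MAC defaults (OpenSSH 9.x style; the real list depends on the
# installed build), used only to show how a '-' prefixed MACs line is applied.
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
    "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]
# The 4.7.3.11 exclusion list (the same eleven names) as one sshd_config value.
PAGE_MAC_EXCLUSION = "-" + ",".join(sorted(WEAK_MACS))

def apply_algorithm_spec(defaults, spec):
    """Effective Ciphers/MACs list for a config value, per sshd_config(5):
    '-' removes matching names (wildcards allowed) from the defaults, '+'
    appends to them, '^' moves the names to the front, anything else replaces."""
    items = [a for a in spec.lstrip("+-^").split(",") if a]
    if spec.startswith("-"):
        return [d for d in defaults if not any(fnmatch(d, p) for p in items)]
    if spec.startswith("+"):
        return defaults + [a for a in items if a not in defaults]
    if spec.startswith("^"):
        return items + [d for d in defaults if d not in items]
    return items

def parse_sshd_t(text):
    """'sshd -T' output -> {keyword: [values]}; keywords are lower case and
    repeated ones (allowusers, allowgroups, ...) accumulate."""
    cfg = {}
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.strip().partition(" ")
        cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg

def evaluate(cfg):
    """{rule: 'pass'|'fail'} for one parsed dump, i.e. one listening port."""
    def first(key):
        return cfg.get(key, [""])[0]
    tries, rekey = first("maxauthtries"), first("rekeylimit").split()
    ok = {
        "LogLevel": first("loglevel") in ("INFO", "VERBOSE"),
        "MACs": "macs" in cfg and not set(first("macs").split(",")) & WEAK_MACS,
        "Ciphers": "ciphers" in cfg and not set(first("ciphers").split(",")) & WEAK_CIPHERS,
        "MaxAuthTries": tries.isdigit() and 1 <= int(tries) <= 4,
        "PermitEmptyPasswords": first("permitemptypasswords") == "no",
        "PermitRootLogin": first("permitrootlogin") in ("no", "prohibit-password", "forced-commands-only"),
        "PermitUserEnvironment": first("permituserenvironment") == "no",
        # 1 GiB or 3600 s, whichever comes first; sshd -T prints the byte count.
        "RekeyLimit": rekey[:1] in (["1G"], ["1073741824"]) and rekey[1:] == ["3600"],
        "Banner": first("banner") == "/etc/ssh/ssh_banner",
        "Access": any(k in cfg for k in ("allowusers", "allowgroups", "denyusers", "denygroups")),
    }
    return {rule: "pass" if good else "fail" for rule, good in ok.items()}

def audit_ports(dumps):
    """{port: sshd -T text} -> {port: [failed rules]}.  A host passes only when
    every listening port passes, which is why the audit checks loop over ports."""
    return {port: [r for r, v in evaluate(parse_sshd_t(text)).items() if v == "fail"]
            for port, text in dumps.items()}

# Constructed dumps: what 'sshd -T -C lport=<port>' might print on a host whose
# Match LocalPort 2222 block weakens three settings for that port only.
SAMPLE_PORT22 = """\
port 22
loglevel VERBOSE
maxauthtries 4
permitemptypasswords no
permitrootlogin prohibit-password
permituserenvironment no
rekeylimit 1073741824 3600
banner /etc/ssh/ssh_banner
allowgroups sshusers
ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256
"""
SAMPLE_PORT2222 = (SAMPLE_PORT22.replace("port 22\n", "port 2222\n")
                   .replace("permitrootlogin prohibit-password", "permitrootlogin yes")
                   .replace("rekeylimit 1073741824 3600", "rekeylimit 0 0")
                   .replace("macs ", "macs hmac-md5,"))

if __name__ == "__main__":
    for port, failed in audit_ports({"22": SAMPLE_PORT22, "2222": SAMPLE_PORT2222}).items():
        print(f"port {port}: {'pass' if not failed else 'fail ' + ', '.join(failed)}")
    print("effective MACs:", ",".join(apply_algorithm_spec(DEFAULT_MACS, PAGE_MAC_EXCLUSION)))
```

Running it reports port 22 as pass and port 2222 as failing MACs, PermitRootLogin and RekeyLimit, which is exactly the case a single-port check would miss.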
solution : "Edit the /etc/ssh/sshd_config to set the sftp arguments as follows: Subsystem sftp /usr/sbin/sftp-server -u 027 -f AUTH -l INFO - OR - Subsystem sftp /usr/sbin/sftp-server -u 027 -f AUTH -l VERBOSE - Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd sleep 5 startsrc -s sshd" reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv7|6.3,CSCv8|8.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/ssh/sshd_config" regex : "^[\\s]*Subsystem[\\s]+sftp[\\s]+/usr/sbin/sftp-server[\\s]+-u[\\s]+027[\\s]+-f[\\s]+AUTH[\\s]+-l[\\s]+(INFO|VERBOSE)[\\s]*$" expect : "^[\\s]*Subsystem[\\s]+sftp[\\s]+/usr/sbin/sftp-server[\\s]+-u[\\s]+027[\\s]+-f[\\s]+AUTH[\\s]+-l[\\s]+(INFO|VERBOSE)[\\s]*$" type : CMD_EXEC description : "4.7.3.4 Ensure sshd access is configured" info : "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers : - The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. 
If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups : - The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers : - The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups : - The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. By default, login is allowed for all users and all groups. Restricting which users can access the system via OpenSSH will help ensure that only authorized users access the system." solution : "Edit the /etc/ssh/sshd_config file to set one or more of the parameter above any Match set entries as follows: AllowUsers -OR- AllowGroups -OR- DenyUsers -OR- DenyGroups Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd startsrc -s sshd Note: First occurrence of a option takes precedence, Match set statements withstanding." 
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep -iE \"(allow|deny)(users|groups)\")\"; done | /usr/bin/grep -iE \"(AllowUsers|AllowGroups|DenyUsers|DenyGroups)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\"; else print \"fail\"}' }" expect : "^pass$" type : CMD_EXEC description : "banner configured for match entries" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == 
\"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep -i ^banner)\"; done | /usr/bin/grep -E \"@BANNER_FILE@\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\"; else print \"fail\"}' }" expect : "^pass$" type : BANNER_CHECK description : "banner_text" file : "@BANNER_FILE@" content : "@BANNER_TEXT@" type : FILE_CONTENT_CHECK_NOT description : "sshd_config banner not disabled" file : "/etc/ssh/sshd_config" regex : "^[\\s]*Banner[\\s]+\"?none\"?[\\s]*$" expect : "^[\\s]*Banner[\\s]+\"?none\"?[\\s]*$" description : "4.7.3.5 Ensure sshd Banner is configured" info : "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed. Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system." solution : "Edit the /etc/ssh/sshd_config file to set the parameter above any Match set entries as follows: Banner /etc/ssh/ssh_banner Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd startsrc -s sshd Note: First occurrence of a option takes precedence, Match set statements withstanding. Edit the file being called by the Banner argument with the appropriate contents according to your site policy." 
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "chacha20-poly1305@openssh.com" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep -i ciphers)\"; done | /usr/bin/grep -E \"chacha20-poly1305@openssh\\.com\" }" expect : "chacha20-poly1305@openssh\\.com" type : CMD_EXEC description : "4.7.3.6 Ensure sshd Ciphers are configured" info : "This variable limits the ciphers that SSH can use during communication. Notes: - Some organizations may have stricter requirements for approved ciphers. - Ensure that ciphers used are in compliance with site policy. - The only \"strong\" ciphers currently FIPS 140 compliant are: - aes256-gcm@openssh.com - aes128-gcm@openssh.com - aes256-ctr - aes192-ctr - aes128-ctr Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. - The Triple DES ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain clear text data via a birthday attack against a long-duration encrypted session, aka a \"Sweet32\" attack. 
- Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plain text data from an arbitrary block of cipher text in an SSH session via unknown vectors. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Edit the /etc/ssh/sshd_config file and add/modify the Ciphers line to contain a comma separated list of the site unapproved (weak) Ciphers preceded with a - : Example: Ciphers -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,chacha20-poly1305@openssh.com Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd startsrc -s sshd" reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1" see_also : 
"https://workbench.cisecurity.org/benchmarks/10385" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep -i ciphers)\"; done | /usr/bin/grep -E \"(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator\\.liu\\.se|chacha20-poly1305@openssh\\.com)\" }" expect : "^Manual Review Required$" severity : MEDIUM type : CMD_EXEC description : "4.7.3.6 Ensure sshd Ciphers are configured" info : "This variable limits the ciphers that SSH can use during communication. Notes: - Some organizations may have stricter requirements for approved ciphers. - Ensure that ciphers used are in compliance with site policy. - The only \"strong\" ciphers currently FIPS 140 compliant are: - aes256-gcm@openssh.com - aes128-gcm@openssh.com - aes256-ctr - aes192-ctr - aes128-ctr Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. - The Triple DES ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain clear text data via a birthday attack against a long-duration encrypted session, aka a \"Sweet32\" attack. - Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plain text data from an arbitrary block of cipher text in an SSH session via unknown vectors." 
solution : "Edit the /etc/ssh/sshd_config file and add/modify the Ciphers line to contain a comma separated list of the site unapproved (weak) Ciphers preceded with a - : Example: Ciphers -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,chacha20-poly1305@openssh.com Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd startsrc -s sshd" reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep 
$(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep -i ciphers)\"; done | /usr/bin/grep -E \"(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator\\.liu\\.se)\" | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}' }" expect : "^pass$" type : FILE_CONTENT_CHECK_NOT description : "sshd_config HostbasedAuthentication not disabled" file : "/etc/ssh/sshd_config" regex : "^[\\s]*HostbasedAuthentication[\\s]+\"?yes\"?[\\s]*$" expect : "^[\\s]*HostbasedAuthentication[\\s]+\"?yes\"?[\\s]*$" type : CMD_EXEC description : "sshd -T HostbasedAuthentication is disabled" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep -i hostbasedauthentication)\"; done | /bin/awk 'BEGIN {f=0} /hostbasedauthentication/i { if ($NF != \"no\") f++; print $0} END {if (NR == 0) print \"fail: no results returned\"; else if (f > 0) print \"fail\"; else print \"pass\" }' }" expect : "^pass$" description : "4.7.3.7 Ensure sshd HostbasedAuthentication is disabled" info : "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user's .rhosts file or /etc/hosts.equiv, along with successful public key client host authentication.
Host-based authentication is a method of authenticating users that does not require a password or key-based authentication method. When used at the system level by OpenSSH, it requires the file /etc/shosts.equiv to contain a list of so-called trusted hosts. When this method is active, any user on a trusted host can log in to the server as authenticated, because the host the user connects from (the OpenSSH client) vouches for the user as trusted. Since this feature bypasses user-based authentication from some hosts, our recommendation is to disable host-based authentication." solution : "Edit the /etc/ssh/sshd_config file to set the parameter above any Match entries as follows: HostbasedAuthentication no Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd startsrc -s sshd Note: The first occurrence of an option takes precedence, Match statements notwithstanding." reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-6,800-53|CM-7,800-53|MA-4,800-53r5|CM-6,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "sshd -T IgnoreRhosts is enabled" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo \"port $port: $(/usr/bin/grep -i ignorerhosts)\"; done | /bin/awk 'BEGIN 
{f=0} /ignorerhosts/i { if ($NF != \"yes\") f++; print $0} END {if (NR == 0) print \"fail: no results returned\"; else if (f > 0) print \"fail\"; else print \"pass\" }' }" expect : "^pass$" type : FILE_CONTENT_CHECK_NOT description : "sshd_config IgnoreRhosts not enabled" file : "/etc/ssh/sshd_config" regex : "^[\\s]*IgnoreRhosts[\\s]+\"?no\"?[\\s]*$" expect : "^[\\s]*IgnoreRhosts[\\s]+\"?no\"?[\\s]*$" description : "4.7.3.8 Ensure sshd IgnoreRhosts is enabled" info : "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. Setting this parameter forces users to enter a password or provide an SSH key when authenticating with SSH, rather than trusting the remote host." solution : "Edit the /etc/ssh/sshd_config file to set the parameter above any Match entries as follows: IgnoreRhosts yes Re-cycle the sshd daemon to pick up the configuration changes: stopsrc -s sshd startsrc -s sshd Note: The first occurrence of an option takes precedence, Match statements notwithstanding." reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-6,800-53|CM-7,800-53|MA-4,800-53r5|CM-6,800-53r5|CM-7,800-53r5|MA-4,CSCv7|9.2,CSCv8|4.6,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1A,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "4.7.3.9 Ensure sshd KexAlgorithms is configured" info : "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. 
If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received. Notes: - Kex algorithms have a higher preference the earlier they appear in the list. - Some organizations may have stricter requirements for approved key exchange algorithms. - Ensure that key exchange algorithms used are in compliance with site policy. - The only key exchange algorithms currently FIPS 140-2 approved are: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256 - The key exchange algorithms supported by OpenSSH 8.2 are: curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 sntrup4591761x25519-sha512@tinyssh.org Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or because the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks." solution : "Edit the /etc/ssh/sshd_config file and add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms. Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Impact: Weak clients can no longer connect." 
reference : "800-171|3.1.13,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-171|3.7.5,800-171|3.13.8,800-53|AC-17(2),800-53|CM-7,800-53|IA-5,800-53|IA-5(1),800-53|MA-4,800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|CM-7,800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|MA-4,800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|9.2,CSCv7|16.4,CSCv8|3.10,CSCv8|4.6,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,CSF2.0|PR.PS-01,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|CM-7,ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|MA-4,ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1A,NESA|T2.3.4,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T5.4.4,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS15a,NIAv2|SS24,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1,TBA-FIISB|45.2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "#!/usr/bin/ksh { ports=$(/usr/bin/awk '/^Port / { print $2 } /^Match (.* )?LocalPort / { for(x=2; x<=NF; x+=2) if ($x == \"LocalPort\") print $(x+1) }' /etc/ssh/sshd_config | /usr/bin/awk '{print $0}; END {if (NR == 0) print \"22\"}' | uniq); for port in ${ports[@]}; do /usr/sbin/sshd -T -C user=root -C host=\"$(hostname)\" -C addr=\"$(/usr/bin/grep $(hostname) /etc/hosts | /usr/bin/awk '{print $1}')\" -C lport=$port | echo 
\"port $port: $(/usr/bin/grep -i kexalgorithms)\"; done | /usr/bin/grep -E \"(.*?)(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\" | /usr/bin/awk '{print} END {if (NR == 0) print \"pass\"; else print \"fail\"}' }" expect : "^pass$" type : CMD_EXEC description : "sendmail installed" cmd : "/usr/bin/lslpp -Lcq | /usr/bin/grep -i 'sendmail' | /usr/bin/awk '{print} END {if (NR != 0) print \"installed\"}'" expect : "^installed$" type : FILE_CONTENT_CHECK description : "SmtpGreetingMessage set" file : "/etc/mail/sendmail.cf" regex : "^[^#\\n]*SmtpGreetingMessage" expect : "^[\\s]*O[\\s]+SmtpGreetingMessage[\\s]*=" type : FILE_CHECK description : "helpfile" file : "/etc/mail/helpfile" type : FILE_CONTENT_CHECK_NOT description : "SmtpGreetingMessage not misconfigured" file : "/etc/mail/sendmail.cf" regex : "^[^#\\n]*SmtpGreetingMessage" expect : "^[\\s]*O[\\s]+SmtpGreetingMessage[\\s]*=[\\s]*\\$j[\\s]*Sendmail[\\s]*\\$b[\\s]*$" description : "4.7.4.1 Ensure sendmail version information is hidden" info : "The recommendation is to change both the default sendmail greeting and HELP output so that they do not display the sendmail version. The sendmail daemon has a history of security vulnerabilities. The recommendation is to change the default sendmail settings that display the sendmail version and other related information. Sendmail version information can be used by an attacker for fingerprinting purposes." 
solution : "Create a backup copy of /etc/mail/sendmail.cf : cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis Edit: vi /etc/mail/sendmail.cf Replace: O SmtpGreetingMessage=$j Sendmail $b With: O SmtpGreetingMessage=mailerready - Ensure the Sendmail helpfile exists: test -e /etc/mail/helpfile || touch /etc/mail/helpfile" reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES description : "4.7.4.1 Ensure sendmail version information is hidden" info : "The recommendation is to change both the default sendmail greeting and HELP output so that they do not display the sendmail version. The sendmail daemon has a history of security vulnerabilities. The recommendation is to change the default sendmail settings that display the sendmail version and other related information. Sendmail version information can be used by an attacker for fingerprinting purposes." 
solution : "Create a backup copy of /etc/mail/sendmail.cf : cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis Edit: vi /etc/mail/sendmail.cf Replace: O SmtpGreetingMessage=$j Sendmail $b With: O SmtpGreetingMessage=mailerready - Ensure the Sendmail helpfile exists: test -e /etc/mail/helpfile || touch /etc/mail/helpfile" reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "sendmail installed" cmd : "/usr/bin/lslpp -Lcq | /usr/bin/grep -i 'sendmail' | /usr/bin/awk '{print} END {if (NR != 0) print \"installed\"}'" expect : "^installed$" type : FILE_CONTENT_CHECK description : "PrivacyOptions - authwarnings" file : "/etc/mail/sendmail.cf" regex : "^[\\s]*O[\\s]PrivacyOptions[\\s]*=" expect : "^[\\s]*O[\\s]PrivacyOptions[\\s]*=[\\s]*.*authwarnings" type : FILE_CONTENT_CHECK description : "PrivacyOptions - novrfy" file : "/etc/mail/sendmail.cf" regex : "^[\\s]*O[\\s]PrivacyOptions[\\s]*=" expect : "^[\\s]*O[\\s]PrivacyOptions[\\s]*=[\\s]*.*novrfy" type : FILE_CONTENT_CHECK description : "PrivacyOptions - noexpn" file : "/etc/mail/sendmail.cf" regex : "^[\\s]*O[\\s]PrivacyOptions[\\s]*=" expect : "^[\\s]*O[\\s]PrivacyOptions[\\s]*=[\\s]*.*noexpn" description : "4.7.4.2 Ensure sendmail PrivacyOptions is configured" info : "The recommendation is to ensure that PrivacyOptions includes at least three settings: - authwarnings (a default) - novrfy - noexpn The sendmail daemon has a history of security vulnerabilities. The recommendation is to modify default sendmail settings that otherwise may provide information that can be used by an attacker. - novrfy: no verify: do not verify valid email addresses. Address verification can be abused by attackers, e.g., for phishing attacks. 
- noexpn: no expansion: do not verify/expand email list addresses, which would provide attackers with a list of valid email addresses." solution : "Create a backup copy of /etc/mail/sendmail.cf : cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis Edit: vi /etc/mail/sendmail.cf Replace: O PrivacyOptions=authwarnings With: O PrivacyOptions=authwarnings,noexpn,novrfy Or - append noexpn,novrfy at the end of the current PrivacyOptions settings (assuming authwarnings is already included)." reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES description : "4.7.4.2 Ensure sendmail PrivacyOptions is configured" info : "The recommendation is to ensure that PrivacyOptions includes at least three settings: - authwarnings (a default) - novrfy - noexpn The sendmail daemon has a history of security vulnerabilities. The recommendation is to modify default sendmail settings that otherwise may provide information that can be used by an attacker. - novrfy: no verify: do not verify valid email addresses. Address verification can be abused by attackers, e.g., for phishing attacks. - noexpn: no expansion: do not verify/expand email list addresses, which would provide attackers with a list of valid email addresses." solution : "Create a backup copy of /etc/mail/sendmail.cf : cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis Edit: vi /etc/mail/sendmail.cf Replace: O PrivacyOptions=authwarnings With: O PrivacyOptions=authwarnings,noexpn,novrfy Or - append noexpn,novrfy at the end of the current PrivacyOptions settings (assuming authwarnings is already included)." 
reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "sendmail installed" cmd : "/usr/bin/lslpp -Lcq | /usr/bin/grep -i 'sendmail' | /usr/bin/awk '{print} END {if (NR != 0) print \"installed\"}'" expect : "^installed$" type : FILE_CONTENT_CHECK description : "4.7.4.3 Ensure sendmail DaemonPortOptions is configured" info : "The recommendation is to enable running sendmail in MTA mode, bound to the loopback address only, to support local applications that require legacy MTA (i.e., connection via port 25) support. Recall that the preferred recommendation is to not run sendmail locally." solution : "Create a backup copy of /etc/mail/sendmail.cf : cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis Edit: vi /etc/mail/sendmail.cf Replace: (assuming the default configuration) O DaemonPortOptions=Name=MTA with O DaemonPortOptions=Name=MTA,Addr=localhost" reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/mail/sendmail.cf" regex : "^O[\\s]*DaemonPortOptions[\\s]*=" expect : "^O[\\s]*DaemonPortOptions[\\s]*=[\\s]*.*[\\s]*Addr=(127\\.0\\.0\\.1|localhost)[\\s]*" description : "4.7.4.3 Ensure sendmail DaemonPortOptions is configured" info : "The recommendation is to enable running sendmail in MTA mode, bound to the loopback address only, to support local applications that require legacy MTA (i.e., connection via port 25) support. Recall that the preferred recommendation is to not run sendmail locally." 
solution : "Create a backup copy of /etc/mail/sendmail.cf : cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.pre_cis Edit: vi /etc/mail/sendmail.cf Replace: (assuming the default configuration) O DaemonPortOptions=Name=MTA with O DaemonPortOptions=Name=MTA,Addr=localhost" reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "sendmail installed" cmd : "/usr/bin/lslpp -Lcq | /usr/bin/grep -i 'sendmail' | /usr/bin/awk '{print} END {if (NR != 0) print \"installed\"}'" expect : "^installed$" type : FILE_CHECK description : "4.7.4.4 Ensure access to /etc/mail/sendmail.cf is configured" info : "The access controls for /etc/mail/sendmail.cf are applied. The /etc/mail/sendmail.cf file is used by the sendmail daemon to determine its default configuration. This file must be protected from unauthorized access and modifications." 
solution : "Set the recommended permissions and ownership on /etc/mail/sendmail.cf : chmod u=rw,g=r,o= /etc/mail/sendmail.cf chown root.system /etc/mail/sendmail.cf trustchk -u /etc/mail/sendmail.cf mode owner group" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/mail/sendmail.cf" owner : "root" mask : "137" group : "system" description : "4.7.4.4 Ensure access to /etc/mail/sendmail.cf is configured" info : "The access controls for /etc/mail/sendmail.cf are applied. The /etc/mail/sendmail.cf file is used by the sendmail daemon to determine its default configuration. This file must be protected from unauthorized access and modifications." 
solution : "Set the recommended permissions and ownership on /etc/mail/sendmail.cf : chmod u=rw,g=r,o= /etc/mail/sendmail.cf chown root.system /etc/mail/sendmail.cf trustchk -u /etc/mail/sendmail.cf mode owner group" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "sendmail installed" cmd : "/usr/bin/lslpp -Lcq | /usr/bin/grep -i 'sendmail' | /usr/bin/awk '{print} END {if (NR != 0) print \"installed\"}'" expect : "^installed$" type : FILE_CHECK description : "4.7.4.5 Ensure access to /var/spool/clientmqueue is configured" info : "The recommended DAC (discretionary access control) settings for the /var/spool/clientmqueue directory are applied. Queued messages are the messages that have not yet reached their final destination. 
To ensure the integrity of the messages during storage, the mail queue directory must be secured from unauthorized access. The clientmqueue ( /var/spool/clientmqueue ) is the mail queue for handling locally generated outbound emails. This queue is used when mail is submitted to sendmail as an MSP rather than as an MTA. Note: It is possible to specify an alternate spool directory in the /etc/mail/submit.cf file via the QueueDirectory parameter. When this is used, that directory needs identical DAC settings." solution : "Set the recommended permissions and ownership on /var/spool/mqueue : chmod ug=rwx,o= /var/spool/clientmqueue chown smmsp.smmsp /var/spool/clientmqueue" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/var/spool/clientmqueue" owner : "smmsp" mask : "007" group : "smmsp" description : "4.7.4.5 Ensure access to /var/spool/clientmqueue is configured" info : "The recommended DAC 
(discretionary access control) settings for the /var/spool/clientmqueue directory are applied. Queued messages are the messages that have not yet reached their final destination. To ensure the integrity of the messages during storage, the mail queue directory must be secured from unauthorized access. The clientmqueue ( /var/spool/clientmqueue ) is the mail queue for handling locally generated outbound emails. This queue is used when mail is submitted to sendmail as an MSP rather than as an MTA. Note: It is possible to specify an alternate spool directory in the /etc/mail/submit.cf file via the QueueDirectory parameter. When this is used, that directory needs identical DAC settings." solution : "Set the recommended permissions and ownership on /var/spool/mqueue : chmod ug=rwx,o= /var/spool/clientmqueue chown smmsp.smmsp /var/spool/clientmqueue" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC 
description : "sendmail installed" cmd : "/usr/bin/lslpp -Lcq | /usr/bin/grep -i 'sendmail' | /usr/bin/awk '{print} END {if (NR != 0) print \"installed\"}'" expect : "^installed$" type : FILE_CHECK description : "4.7.4.6 Ensure access to /var/spool/mqueue is configured" info : "The recommended DAC (discretionary access control) settings for the /var/spool/mqueue directory are applied. The sendmail daemon stores its queued mail in the /var/spool/mqueue directory. Queued messages are the messages that have not yet reached their final destination. To ensure the integrity of the messages during storage, the mail queue directory must be secured from unauthorized access. NOTE: It is possible to specify an alternate spool directory in the /etc/mail/sendmail.cf file via the QueueDirectory parameter. When this is used that directory name needs identical DAC settings." solution : "Set the recommended permissions and ownership on /var/spool/mqueue : chmod u=rwx,go= /var/spool/mqueue chown root /var/spool/mqueue" reference : 
"800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/var/spool/mqueue" owner : "root" mask : "077" group : "system" description : "4.7.4.6 Ensure access to /var/spool/mqueue is configured" info : "The recommended DAC (discretionary access control) settings for the /var/spool/mqueue directory are applied. The sendmail daemon stores its queued mail in the /var/spool/mqueue directory. Queued messages are the messages that have not yet reached their final destination. To ensure the integrity of the messages during storage, the mail queue directory must be secured from unauthorized access. NOTE: It is possible to specify an alternate spool directory in the /etc/mail/sendmail.cf file via the QueueDirectory parameter. When this is used that directory name needs identical DAC settings." 
solution : "Set the recommended permissions and ownership on /var/spool/mqueue : chmod u=rwx,go= /var/spool/mqueue chown root /var/spool/mqueue" reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : BANNER_CHECK description : "4.8.1 Ensure herald is configured" info : "This change adds a default herald to /etc/security/login.cfg. It puts into place a suggested login herald to replace the default entry. A herald should not provide any information about the operating system or version. Instead, it should state the company's standard acceptable use policy. This suggested herald should be tailored to reflect your corporate standard policy." 
solution : "Add a default login herald to /etc/security/login.cfg : chsec -f /etc/security/login.cfg -s default -a herald=\"Unauthorized use of this system is prohibited.\\nlogin:\"" reference : "800-171|3.1.9,800-53|AC-8,800-53r5|AC-8,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AC-8,LEVEL|1A,NESA|M1.3.6,TBA-FIISB|45.2.4" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/security/login.cfg" content : "@LOGIN_HERALD_TEXT@" is_substring : YES type : CMD_EXEC description : "4.8.2 Ensure logindelay is configured" info : "Defines the number of seconds delay between each failed login attempt. This works as a multiplier, so if the parameter is set to 10, after the first failed login it would delay for 10 seconds, after the second failed login 20 seconds etc. In setting the logindelay attribute, this implements a delay multiplier in-between unsuccessful login attempts." solution : "In /etc/security/login.cfg set the default stanza logindelay attribute to 10 or greater: chsec -f /etc/security/login.cfg -s default -a logindelay=10 This means that a user will have to wait 10 seconds before being able to re-enter their password. During subsequent attempts this delay will increase as a multiplier of (the number of failed login attempts * logindelay)" reference : "800-171|3.1.8,800-53|AC-7b.,800-53r5|AC-7b.,CN-L3|7.1.2.7(f),CN-L3|7.1.3.1(c),CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|AC-7b.,LEVEL|1A,NESA|T5.5.1,NIAv2|AM24,PCI-DSSv3.2.1|8.1.7,PCI-DSSv4.0|8.3.4,TBA-FIISB|36.2.4,TBA-FIISB|45.1.2" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/lssec -f /etc/security/login.cfg -s default -a logindelay" expect : "^default[\\s]+logindelay[\\s]*=[\\s]*[1-9][0-9]+[\\s]*$" type : CMD_EXEC description : "4.8.3 Ensure loginretries is configured" info : "Defines the number of attempts a user has to login to the system before their account is disabled. 
In setting the loginretries attribute, this ensures that a user can have a pre-defined number of attempts to get their password right, prior to locking the account." solution : "In /etc/security/user set the default stanza loginretries attribute to 5 : chsec -f /etc/security/user -s default -a loginretries=5 This means that a user will have 5 attempts to enter the correct password. This does not apply to the root user, which has its own stanza entry disabling this feature. Impact: The setting chosen here (5) is a group consensus as secure enough. However, a local site policy may have a stricter requirement for all, or some, systems. While the check below accepts any value from 1 to 5, the actual recommendation is: greater than 0 (zero) AND less than or equal to 5 (five)." reference : "800-171|3.1.8,800-171|3.1.18,800-53|AC-7,800-53|AC-19,800-53r5|AC-7,800-53r5|AC-19,CN-L3|8.1.4.1(b),CSCv8|4.10,CSF|PR.AC-3,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.6.2.1,ITSG-33|AC-7,ITSG-33|AC-19,LEVEL|1A,NIAv2|AM24,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|36.2.4,TBA-FIISB|45.1.2" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/lssec -f /etc/security/user -s default -a loginretries" expect : "^[\\s]*default[\\s]+loginretries[\\s]*=[\\s]*[1-5][\\s]*$" type : CMD_EXEC description : "4.8.4 Ensure logintimeout is configured" info : "Defines the number of seconds during which the password must be typed at login. In setting the logintimeout attribute, a password must be entered within a specified time period." solution : "In /etc/security/login.cfg set the usw stanza logintimeout attribute to 30 or less: chsec -f /etc/security/login.cfg -s usw -a logintimeout=30 This means that a user will have 30 seconds, from prompting, in which to type in their password." 
reference : "800-171|3.1.11,800-53|AC-12,800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(iii),ITSG-33|AC-12,LEVEL|1A,NIAv2|NS49" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/lssec -f /etc/security/login.cfg -s usw -a logintimeout" expect : "^usw[\\s]+logintimeout[\\s]*=[\\s]*([1-9]|[12][0-9]|30)[\\s]*$" type : CMD_EXEC description : "4.8.5 Ensure administrative user accounts are locked" info : "Lock the generic OS administrative accounts to further enhance security. These accounts are targeted by attackers in an attempt to gain unauthorized access to a server." solution : "Lock standard accounts using chuser:
ACCOUNTS=daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd
lsuser -a account_locked ${ACCOUNTS} | grep -v account_locked=true | while read account attributes; do
    chuser account_locked=true ${account}
done" reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv7|16.8,CSCv7|16.9,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/lsuser -a account_locked daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd | /usr/bin/grep -v account_locked=true | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "^pass$" type : FILE_CONTENT_CHECK description : "TMOUT" file : "/etc/profile" regex : "^[\\s]*TMOUT" expect : "^[\\s]*TMOUT[\\s]*=[\\s]*([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-7][0-9]{2}|1800)[\\s]*$" type : FILE_CONTENT_CHECK description : "TIMEOUT" file : "/etc/profile" regex : "^[\\s]*TIMEOUT" expect : "^[\\s]*TIMEOUT[\\s]*=[\\s]*([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-7][0-9]{2}|1800)[\\s]*$" type : FILE_CONTENT_CHECK description : "readonly" file : 
"/etc/profile" regex : "^[\\s]*readonly[\\s]+(TMOUT[\\s]+TIMEOUT[\\s]*|TIMEOUT[\\s]+TMOUT[\\s]*)$" expect : "^[\\s]*readonly[\\s]+(TMOUT[\\s]+TIMEOUT[\\s]*|TIMEOUT[\\s]+TMOUT[\\s]*)$" description : "4.8.6 Ensure session timeout is configured" info : "TMOUT and TIMEOUT are environment variables that activate the idle timeout of a shell. The value is in seconds. - TMOUT=n - Sets the shell timeout to n seconds. A setting of TMOUT=0, or an unset TMOUT, disables the automatic session timeout. - readonly TMOUT - Locks the TMOUT variable at its present value, preventing unwanted modification at run time. All systems are vulnerable if terminals are left logged in and unattended. The most serious problem occurs when a system manager leaves a terminal unattended that has been enabled with root authority. In general, users should log out anytime they leave their terminals. You can force a terminal to log out after a period of inactivity by setting the TMOUT and TIMEOUT parameters in the /etc/profile file. The TMOUT parameter works in the ksh (Korn) shell, and the TIMEOUT parameter works in the bsh (Bourne) shell." solution : "Review /etc/profile to verify that TMOUT and TIMEOUT are configured to: - include a timeout of no more than 900 seconds - be readonly - have the readonly statement as the last TMOUT/TIMEOUT statement
/usr/bin/egrep -e \"TMOUT|TIMEOUT\" /etc/profile
This should return something similar to:
# TMOUT=1800
TMOUT=1800
TIMEOUT=1800
readonly TMOUT TIMEOUT
If either setting is missing, and/or the readonly statement, add these to /etc/profile. Impact: This duplicates a recommendation with the addition that the variables are set to readonly (rather than export ). And the recommendation level is set to level 2." 
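As an added example, not part of the CIS benchmark or of this Tenable audit, the following POSIX shell function performs the 4.8.6 review above on /etc/profile-style text read from stdin. It requires TMOUT and TIMEOUT to be set to 1..MAX seconds (MAX defaults to the 900 seconds stated in the solution; pass 1800 to match the ceiling the regex checks above accept), ignores commented-out lines such as "# TMOUT=1800", and fails when "readonly TMOUT TIMEOUT" is missing or is followed by another TMOUT/TIMEOUT statement. The sample profile text is constructed for illustration and does not come from any real system.

```sh
# Added example: review /etc/profile for CIS AIX 7 item 4.8.6.
# Usage: check_session_timeout [MAX_SECONDS] < /etc/profile
# Prints PASS, or one FAIL line per problem; exit status 0 only on PASS.
check_session_timeout() {
    max=${1:-900}
    awk -v max="$max" '
        /^[ \t]*#/ { next }                     # commented-out settings, e.g. "# TMOUT=1800"
        /^[ \t]*TMOUT[ \t]*=[ \t]*[0-9]+[ \t]*$/ {
            sub(/^[^=]*=[ \t]*/, ""); tmout = $0 + 0; have_t = 1; last = "assign"; next
        }
        /^[ \t]*TIMEOUT[ \t]*=[ \t]*[0-9]+[ \t]*$/ {
            sub(/^[^=]*=[ \t]*/, ""); timeout = $0 + 0; have_o = 1; last = "assign"; next
        }
        /^[ \t]*readonly[ \t]+(TMOUT[ \t]+TIMEOUT|TIMEOUT[ \t]+TMOUT)[ \t]*$/ {
            last = "readonly"; next             # the form the audit regex accepts
        }
        /^[ \t]*(export|unset|readonly)[ \t]+.*(TMOUT|TIMEOUT)/ {
            last = "other"; next                # e.g. "readonly TMOUT" alone, or "unset TIMEOUT"
        }
        END {
            rc = 0
            if (!have_t)                           { print "FAIL: TMOUT not set"; rc = 1 }
            else if (tmout < 1 || tmout > max)     { print "FAIL: TMOUT=" tmout " not in 1.." max; rc = 1 }
            if (!have_o)                           { print "FAIL: TIMEOUT not set"; rc = 1 }
            else if (timeout < 1 || timeout > max) { print "FAIL: TIMEOUT=" timeout " not in 1.." max; rc = 1 }
            if (last != "readonly")
                { print "FAIL: readonly TMOUT TIMEOUT missing or not the last TMOUT/TIMEOUT statement"; rc = 1 }
            if (rc == 0) print "PASS"
            exit rc
        }'
}

# Constructed sample profile fragments (not taken from any real system).
good_profile() {
    printf '%s\n' '# TMOUT=1800' 'PATH=/usr/bin:/etc:/usr/sbin' 'TMOUT=900' 'TIMEOUT=900' 'readonly TMOUT TIMEOUT'
}
bad_profile() {
    # readonly is not last, and the later TIMEOUT=0 disables the timeout
    printf '%s\n' 'TMOUT=600' 'readonly TMOUT TIMEOUT' 'TIMEOUT=0'
}

good_profile | check_session_timeout
bad_profile | check_session_timeout || echo "exit status $?"
```

A value such as TMOUT=1000 passes this function but, as the original regex above is written, would need the 1[0-7][0-9]{2} alternative to be accepted by the audit check; keep the two in step when you change the ceiling.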
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "login rlogin su" cmd : "/usr/sbin/lsuser -a login rlogin su root" expect : "^[\\s]*root[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]+su[\\s]*=[\\s]*true[\\s]*$" type : CMD_EXEC description : "sugroups" cmd : "/usr/sbin/lsuser -a sugroups root" expect : "^[\\s]*root[\\s]+sugroups[\\s]*=[\\s]*((?!ALL).)*$" description : "4.9.1 Ensure root access is controlled" info : "Restricts access to root via su to members of a specific group. Direct login via console and/or remote login via telnet is blocked. - For accountability, no direct access to root is allowed. - The attributes here control access to root for programs other than OpenSSH. - Setting the sugroups attribute to SUADMIN ensures that only members of this group are able to su to root. This makes it more difficult for an attacker to use a stolen root password, as the attacker first has to get access to a system user ID. - Access via a console (e.g., /dev/vty0 or /dev/tty0) is only permitted when there are external controls managing accountability of access to the console. 
For example, HMC access must not be via the account hscroot ; a physical console is accessible only after a hard-copy log has been entered and verified before physical access is granted to the (data center) console terminal. - The group system is not recommended as it is not uncommon for other accounts to be included in this OS-provided group (gid==0)." solution : "In /etc/security/user set the root stanza sugroups attribute to SUADMIN and ensure the login and rlogin attributes are set to false :
lsgroup SUADMIN >/dev/null || mkgroup -a SUADMIN
chuser login=false rlogin=false sugroups=SUADMIN root
- NOTE: For the remediation the setting of su is irrelevant. Impact: - When scoring - the attribute login may be true as long as access to the HMC is not via the account name hscroot - In any case, sugroups should not equal ALL" reference : "800-171|3.1.5,800-171|3.1.6,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.5.2,800-171|3.13.1,800-171|3.13.2,800-53|AC-6(2),800-53|AC-6(5),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|IA-5,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|AC-6(2),800-53r5|AC-6(5),800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|IA-5,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.1,CSCv7|5.1,CSCv8|4.1,CSCv8|4.7,CSCv8|5.4,CSF|DE.AE-1,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|ID.AM-08,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-09,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-03,CSF2.0|PR.PS-01,CSF2.0|PR.PS-06,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|IA-5,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,
LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.2.3,NESA|T5.6.1,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS3,NIAv2|SS13c,NIAv2|SS15a,NIAv2|SS15c,NIAv2|SS16,NIAv2|VL2,NIAv2|VL3a,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "4.9.2 Ensure root user default shell is ksh" info : "Ensure that the shell for the root user is set to /usr/bin/ksh. Although the bash shell is available, there are administrative processes that require the root user to be configured with the ksh shell as its default shell. If the root user is configured with a different default shell, these processes will not work as expected." 
solution : "Execute the following command chuser shell=/usr/bin/ksh root" reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/lsuser -a shell root" expect : "^[\\s]*root[\\s]+shell[\\s]*=[\\s]*/usr/bin/ksh[\\s]*$" type : CMD_EXEC description : "lsattr fullcore" cmd : "/usr/sbin/lsattr -El sys0 -a fullcore" expect : "^[\\s]*fullcore[\\s]+false[\\s]+Enable[\\s]+full[\\s]+CORE[\\s]+dump[\\s]+True[\\s]*$" type : CMD_EXEC description : "lssec limits" cmd : "/usr/bin/lssec -f /etc/security/limits -s default -a core -a core_hard" expect : "^[\\s]*default[\\s]+core[\\s]*=[\\s]*0[\\s]+core_hard[\\s]*=[\\s]*0[\\s]*$" description : "4.9.3 Ensure core dumps are disabled" info : "This change disables core dumps in the default user stanza of /etc/security/limits and also ensures the fullcore kernel parameter is set to false. The creation of core dumps can reveal pertinent system information, potentially even passwords, within the core file. The ability to create a core dump is also a vulnerability to be exploited by a hacker. 
The commands below disable core dumps by default, but they may be specifically enabled for a particular user in /etc/security/limits" solution : "Change the default user stanza attributes core and core_hard in /etc/security/limits and then set the fullcore kernel parameter to false:
chsec -f /etc/security/limits -s default -a core=0 -a core_hard=0
chdev -l sys0 -a fullcore=false" reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|ID.AM-08,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-09,CSF2.0|PR.DS-10,CSF2.0|PR.IR-03,CSF2.0|PR.PS-01,CSF2.0|PR.PS-06,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : FILE_CONTENT_CHECK_NOT description : "4.9.4 Ensure default path does not include current working directory" info : "This change removes any \".\" or \"::\" entries from /etc/environment. If a \".\" or \"::\" is present, the current working directory is included in the default search path. Any \".\" and \"::\" will be removed from /etc/environment. This means that a harmful program placed in whatever directory the user happens to be in can never be executed automatically in place of a system command. 
All directories must be explicitly defined within the PATH variable." solution : "Examine PATH in /etc/environment to see if it contains any \".\" or \"::\" entries: grep \"^PATH=\" /etc/environment | awk '/((:[ \t]*:)|(:[ \t]*$)|(^[ \t]*:)|(^.:)|(:.$)|(:.:))/' If the command above yields output, remove the \".\" and \"::\" entries from: vi /etc/environment" reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/environment" regex : "^PATH=" expect : "((:[ \\t]*:)|(:[ \\t]*$)|(^[ \\t]*:)|(^.:)|(:.$)|(:.:))" type : CMD_EXEC description : "4.9.5 Ensure root user path does not include current working directory" info : "This change removes any \".\" or \"::\" entries from the root PATH. If a \".\" or \"::\" is present, the current working directory is included in the search path. Any \".\" and \"::\" will be removed from the root PATH. This means that a harmful program placed in whatever directory root happens to be in can never be executed automatically in place of a system command. All directories must be explicitly defined within the PATH variable." solution : "Examine root's PATH to see if it contains any \".\" or \"::\" entries (single quotes, so that $PATH is expanded by root's login shell rather than by the calling shell): su - root -c 'echo $PATH' | awk '/((:[ \t]*:)|(:[ \t]*$)|(^[ \t]*:)|(^.:)|(:.$)|(:.:))/' If the command above yields output, remove the \".\" and \"::\" entries from the relevant initialization files. 
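The awk regex used by 4.9.4 and 4.9.5 above is hard to read. As an added example, not part of the benchmark or of this audit, the following POSIX shell function makes the same decision entry by entry. It goes slightly beyond the audit regex: besides empty entries ("::", or a leading or trailing ":") and ".", it flags any entry that does not start with "/", because every relative entry is resolved from the current working directory. environment_path extracts the PATH= line from /etc/environment-style text. The sample PATH values are constructed for illustration.

```sh
# Added example: find PATH entries that resolve to the current working directory
# (CIS AIX 7 items 4.9.4 and 4.9.5). Prints one line per offending entry;
# exit status 0 when the PATH is clean.
path_cwd_entries() {
    printf '%s\n' "$1" | awk -F: '
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                e = $i
                sub(/^[ \t]+/, "", e); sub(/[ \t]+$/, "", e)
                if (e == "")
                    printf "entry %d: empty (\"::\", leading or trailing \":\") means cwd\n", i
                else if (e == ".")
                    printf "entry %d: \".\" means cwd\n", i
                else if (substr(e, 1, 1) != "/")
                    printf "entry %d: relative \"%s\" is resolved from cwd\n", i, e
                else
                    continue
                bad++
            }
        }
        END { exit (bad > 0) }'
}

# Extract the PATH= line from /etc/environment-style text on stdin
# (that file holds KEY=value lines read by login, not shell syntax).
environment_path() {
    awk '/^PATH=/ { sub(/^PATH=/, ""); v = $0 } END { print v }'
}

# Constructed examples (not from a real system):
path_cwd_entries '/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin' && echo "clean"
path_cwd_entries '/usr/bin:/etc::/usr/sbin:.:bin' || echo "exit status $?"
printf 'HOME=/\nPATH=/usr/bin:/etc:/usr/sbin:.\n' | environment_path
```

On a live system the root check is `path_cwd_entries "$(su - root -c 'echo $PATH')"` and the /etc/environment check is `path_cwd_entries "$(environment_path < /etc/environment)"`.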
The files to examine depend on the root user's shell definition in /etc/passwd. Once the file or files have been identified, remove the \".\" and \"::\" from the PATH variable: vi " reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/su - root -c 'echo $PATH' 2>&1 | /usr/bin/awk '/((:[ \\t]*:)|(:[ \\t]*$)|(^[ \\t]*:)|(^.:)|(:.$)|(:.:))/' | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'" expect : "(?i)^[\\s]*\\**[\\s]*pass:?[\\s]*\\**$" type : FILE_CHECK description : "4.9.6 Ensure motd is configured" info : "Create a /etc/motd file which displays, post initial logon, a statutory warning message. The creation of a /etc/motd file which contains a statutory warning message could aid in the prosecution of offenders guilty of unauthorized system access. The /etc/motd is displayed after successful logins from the console, SSH and other system access protocols." solution : "Create a /etc/motd file:
touch /etc/motd
chmod u=rw,go=r /etc/motd
chown bin:bin /etc/motd
Below is a sample banner: ` NOTICE TO USERS This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. 
Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. * NOTE: Replace \"its owner\" with the relevant company name" reference : "800-171|3.4.2,800-53|CM-6b.,800-53r5|CM-6b.,CN-L3|8.1.10.6(d),CSF|PR.IP-1,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6b.,LEVEL|1A,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" file : "/etc/motd" owner : "bin" mask : "133" group : "bin" type : CMD_EXEC description : "5.1.1 Ensure all local user accounts have a hashed password" info : "All (unlocked) accounts on the server must have a password. For this recommendation we look only at the so-called files registry, as we cannot reliably review the entries kept in a centralized authentication system such as LDAP or Kerberos. An account password is a secret code word that must be entered to gain access to the account. If an account exists that has a blank password, multiple users may access the account without authentication and leave a weak audit trail. An attacker may gain unauthorized system access or perform malicious actions, which then cannot be attributed to any specific individual." solution : "Check for accounts with an empty password field. If any, lock the account, assign an impossible password hash, and set the admin-change flag (ADMCHG) on the password record. 
set $(/usr/bin/egrep -c -p \"password = +$\" /etc/security/passwd)
if [[ $1 != \"0\" ]]; then
    # get seconds since epoch
    now=$(date +\"%s\")
    # copy everything except entries without password
    /usr/bin/egrep -v -p \"password = +$\" /etc/security/passwd > /etc/security/passwd.cis
    # create new entries with an impossible password hash and append to passwd.cis
    /usr/bin/egrep -p \"password = +$\" /etc/security/passwd | grep \":\" | awk -F: '{ print $1 } ' | \
    while read user; do
        print \"Locking and giving account ${user} impossible password hash\"
        /usr/bin/chuser account_locked='true' expires=0101000070 ${user}
        printf \"%s:\n\tpassword = *\n\" ${user} >> /etc/security/passwd.cis
        printf \"\tflags = ADMCHG\n\tlastupdate=%s\n\n\" ${now} >> /etc/security/passwd.cis
    done
    cat /etc/security/passwd.cis > /etc/security/passwd
    rm /etc/security/passwd.cis
fi
Impact: If no password hash is available and a locked account gets unlocked, then the account is available without any verification, i.e. without authentication." 
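As an added example that is not part of the benchmark or of this audit, the following shell function reads /etc/security/passwd-style stanza text from stdin (a "user:" header line followed by tab-indented "attribute = value" lines) and lists accounts with no usable hash. It goes beyond the egrep -p test used above in two ways: it also catches a "password =" line with no trailing blank (which the pattern "password = +$" does not match), and it reports stanzas that have no password attribute at all, since those are equally unprotected. The sample file content and hash values are constructed.

```sh
# Added example: list local accounts lacking a password hash (CIS AIX 7 item 5.1.1).
# Usage: unprotected_accounts < /etc/security/passwd
# Output: "<user><TAB><reason>" per finding; exit status 0 when there are none.
unprotected_accounts() {
    awk '
        function flush() {
            if (user == "") return
            if (!seen)      { print user "\tno password attribute"; bad++ }
            else if (empty) { print user "\tempty password"; bad++ }
        }
        /^[^ \t#][^:]*:[ \t]*$/ {             # stanza header, e.g. "root:"
            flush()
            user = $0; sub(/:[ \t]*$/, "", user)
            seen = 0; empty = 0
            next
        }
        /^[ \t]+password[ \t]*=/ {            # attribute line inside the current stanza
            seen = 1
            v = $0; sub(/^[ \t]+password[ \t]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            empty = (v == "")
        }
        END { flush(); exit (bad > 0) }'
}

# Constructed sample in /etc/security/passwd format (the hash is fake).
sample_security_passwd() {
    printf 'root:\n\tpassword = {ssha256}06$fakeSaltfakeSalt$fakeHashValue\n\tlastupdate = 1700000000\n\tflags = ADMCHG\n\n'
    printf 'daemon:\n\tpassword = *\n\n'
    printf 'guest:\n\tpassword =\n\n'
    printf 'appsvc:\n\tlastupdate = 1700000000\n\n'
}

sample_security_passwd | unprotected_accounts || echo "exit status $?"
```

The "*" written by the remediation above is a valid, non-empty, impossible hash and is therefore not reported; only a missing or empty value is.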
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/egrep -p \"password = +$\" /etc/security/passwd | /usr/bin/grep \":\" | awk -F: '{ print $1 } ' | /usr/bin/awk '{print} END {if (NR==0) print \"none\"}'" expect : "^none$" type : CMD_EXEC description : "UID" cmd : "/usr/bin/cut -d: -f 3 /etc/passwd | /usr/bin/sort -n | /usr/bin/uniq -d | /usr/bin/awk '{print} END {if (NR==0) print \"pass\"}'" expect : "^pass$" type : CMD_EXEC description : "username" cmd : "/usr/bin/cut -d: -f 1 /etc/passwd | /usr/bin/sort | /usr/bin/uniq -d | /usr/bin/awk '{print} END {if (NR==0) print \"pass\"}'" expect : "^pass$" description : "5.1.2 Ensure usernames and UIDs are unique" info : "All users should have a unique UID. In particular the only user on the system to have a UID of 0 should be the root user. Likewise, usernames need to be verified as unique. The only user with a UID of 0 on the system must be the root account. Any account (username) with a UID of 0 has super user privileges on the system and becomes root at login. Access to the root account should be via su, sudo or PKI fingerprint. Logging must include sufficient information such that each action taken with root authority can be accounted to a specific account. All accounts (or users) must have a unique UID to ensure that file and directory security is not compromised." solution : "- Examine the user IDs of all configured accounts: cut -d: -f 3 /etc/passwd | sort -n | uniq -d If a number, or numbers, are returned from the command above, these are UID values which are not unique within the /etc/passwd file. 
Determine the affected account(s):
cut -d: -f 3 /etc/passwd | sort -n | uniq -d | while read dupuid; do
    cut -f 1,3 -d : /etc/passwd | grep \":${dupuid}$\"
done
(The loop variable is deliberately not called UID: some shells, bash for example, reserve UID as a read-only variable and the read would fail.) - Examine the usernames of all configured accounts: cut -d: -f 1 /etc/passwd | sort | uniq -d If a username, or usernames, are returned from the command above, these are username values which are not unique within the /etc/passwd file. Determine the affected account(s):
cut -d: -f 1 /etc/passwd | sort | uniq -d | while read username; do
    cut -f 1,3 -d : /etc/passwd | grep \"^${username}:\"
done
NOTE : Any account names returned should either be deleted or have the UID changed To remove: rmuser To change the UID: chuser id= Impact: Identification is the basis of Access Control. What you can access is determined by who you are ( uid ), OR by a group you belong to (resource GID and your group list), OR access is permitted to all (i.e., your UID and group list do not match the resource UID and GID values)." reference : "800-171|3.5.1,800-53|IA-2,800-53r5|IA-2,CN-L3|7.1.3.1(a),CN-L3|7.1.3.1(e),CN-L3|8.1.4.1(a),CN-L3|8.1.4.2(a),CN-L3|8.5.4.1(a),CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-2,ITSG-33|IA-2a.,LEVEL|1A,NESA|T2.3.8,NESA|T5.3.1,NESA|T5.4.2,NESA|T5.5.1,NESA|T5.5.2,NESA|T5.5.3,NIAv2|AM2,NIAv2|AM8,NIAv2|AM14b,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|35.1,TBA-FIISB|36.1" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES type : CMD_EXEC description : "GID" cmd : "/usr/bin/cut -d: -f 3 /etc/group | /usr/bin/sort -n | /usr/bin/uniq -d | /usr/bin/awk '{print} END {if (NR==0) print \"pass\"}'" expect : "^pass$" type : CMD_EXEC description : "group" cmd : "/usr/bin/cut -d: -f 1 /etc/group | /usr/bin/sort | /usr/bin/uniq -d | /usr/bin/awk '{print} END {if (NR==0) print \"pass\"}'" expect : "^pass$" description : "5.1.3 Ensure group names and GIDs are unique" info : "All groups should have a unique GID 
on the system. All groups should have an individual and unique GID. If GID numbers are shared this could lead to undesirable file and directory access." solution : "- Examine the group IDs (GID) of all locally configured groups: cut -d: -f 3 /etc/group | sort -n | uniq -d If the command has output there is at least one duplicate GID number. Determine any duplicates within the /etc/group file:
cut -d: -f 3 /etc/group | sort -n | uniq -d | while read dupgid; do
    cut -f 1,3,4 -d : /etc/group | /usr/bin/sort -t: -k2n | grep \":${dupgid}:\"
done
- Examine the names of all locally configured groups: cut -d: -f 1 /etc/group | sort | uniq -d If the command has output there is at least one duplicate group name. Determine any duplicates within the /etc/group file:
cut -d: -f 1 /etc/group | sort | uniq -d | while read groupname; do
    cut -f 1,3,4 -d : /etc/group | /usr/bin/sort -t: -k2n | grep \"^${groupname}:\"
done
NOTE : Any duplicates returned should either be deleted or have the GID changed. Be careful. We recommend you examine any accounts assigned to a duplicate and ensure the account is neither losing nor gaining authorized group access through any remedial action. To remove: rmgroup To change the GID: chgroup id= " reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv7|16.6,CSCv8|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2" see_also : "https://workbench.cisecurity.org/benchmarks/10385" show_output : YES description : "5.1.4 Ensure an Inventory of Administrator accounts is established and maintained" info : "AIX defines Administrator accounts with the attribute admin . 
When true the account is an Administrator and when false the account is considered a User. An inventory of accounts with the attribute \"admin=true\" allows verification that all accounts considered administrative are so labeled by the system. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." solution : "A printable report can be prepared using the following example:
cnt=0
printf \"%4s%68s\n\" \"AIX\" \"Administrator Accounts\"
lsuser -R files -a admin ALL | while read usr adm; do
    if [[ ${adm} = \"admin=true\" ]] ; then
        printf \"%12s\" ${usr}
        let cnt=cnt+1
        [[ $(expr ${cnt} % 6) == 0 ]] && print
    fi
done
[[ $(expr ${cnt} % 6) != 0 ]] && print
Impact: The impact of 'admin=true' is two-fold: a) a label for identifying accounts considered related to system administration; b) providing additional controls for account management. On AIX, an account with the attribute 'admin=true' requires a security role of Senior Security Admin to make modifications to the account attributes." reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv7|4.1,CSCv8|5.1,CSCv8|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1M,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2" see_also : "https://workbench.cisecurity.org/benchmarks/10385" description : "5.1.5 Ensure an Inventory of user accounts is established and maintained" info : "AIX defines Administrator accounts with the attribute admin . When true the account is an Administrator and when false the account is considered a User. An inventory of accounts with the attribute \"admin=false\" allows verification that all accounts considered ordinary users are so labeled by the system. NOTE: Nessus has not performed this check. 
Please review the benchmark to ensure target compliance." solution : "A printable report can be prepared using the following example:
cnt=0
printf \"%4s%68s\n\" \"AIX\" \"User Accounts\"
lsuser -R files -a admin ALL | while read usr adm; do
    if [[ ${adm} = \"admin=false\" ]] ; then
        printf \"%12s\" ${usr}
        let cnt=cnt+1
        [[ $(expr ${cnt} % 6) == 0 ]] && print
    fi
done
[[ $(expr ${cnt} % 6) != 0 ]] && print
Impact: The impact of 'admin=true' is two-fold: a) a label for identifying accounts considered related to system administration; b) providing additional controls for account management. On AIX, an account with the attribute 'admin=true' requires a security role of Senior Security Admin to make modifications to the account attributes." reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv8|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1M,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2" see_also : "https://workbench.cisecurity.org/benchmarks/10385" type : CMD_EXEC description : "5.2.1 Ensure histsize is configured" info : "Defines the number of previous passwords that a user may not reuse. In setting the histsize attribute, it enforces a minimum number of previous passwords a user cannot reuse." solution : "In /etc/security/user set the default user stanza histsize attribute to be 0 : chsec -f /etc/security/user -s default -a histsize=0 This means that this setting is not being used for password management. Impact: The recommendation is to not use this attribute. This attribute was traditionally used together with minage to prevent rapid reuse of old passwords. Instead, password uniqueness relies solely on the time-based histexpire attribute." 
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/lssec -f /etc/security/user -s default -a histsize" expect : "^default[\\s]+histsize[\\s]*=[\\s]*0[\\s]*$" type : CMD_EXEC description : "5.2.10 Ensure password number of changed characters is configured" info : "The mindiff option sets the number of characters in a password that must not be present in the old password. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised." solution : "In /etc/security/user set the default user stanza mindiff attribute to be greater than or equal to 2 : chsec -f /etc/security/user -s default -a mindiff=2" reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/lssec -f /etc/security/user -s default -a mindiff" expect : "^[\\s]*default[\\s]+mindiff[\\s]*=[\\s]*@PASSWORD_MINIMUM_DIFF@[\\s]*$" type : CMD_EXEC description : "5.2.11 Ensure minalpha is configured" info : "Defines the minimum number of alphabetic characters in a password. 
In setting the minalpha attribute, it ensures that passwords have a minimum number of alphabetic characters." solution : "In /etc/security/user set the default user stanza minalpha attribute to be greater than or equal to 3 : chsec -f /etc/security/user -s default -a minalpha=3 This means that there must be at least 3 alphabetic characters (upper or lowercase) within a password." reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minalpha" expect : "^[\\s]*default[\\s]+minalpha[\\s]*=[\\s]*@PASSWORD_MINIMUM_ALPHA@[\\s]*$" type : CMD_EXEC description : "5.2.12 Ensure minother is configured" info : "Defines the number of characters within a password which must be non-alphabetic. In setting the minother attribute, it increases password complexity by enforcing the use of non-alphabetic characters in every user password." solution : "In /etc/security/user set the default user stanza minother attribute to be greater than or equal to 3 : chsec -f /etc/security/user -s default -a minother=3 This means that there must be at least 3 non-alphabetic characters within a password." 
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minother"
expect : "^[\\s]*default[\\s]+minother[\\s]*=[\\s]*@PASSWORD_MINIMUM_OTHER@[\\s]*$"

type : CMD_EXEC
description : "5.2.13 Ensure password maximum repeated characters is configured"
info : "maxrepeats defines the maximum number of times a character may appear in a password.
Use of a complex password helps to increase the time and resources required to compromise the password. Passwords which consist of too many repeated characters have lower complexity and thus are easier to compromise."
solution : "In /etc/security/user set the default user stanza maxrepeats attribute to 4 :
chsec -f /etc/security/user -s default -a maxrepeats=4
This means that a user may not use the same character more than four (4) times in a password.
Impact:
Setting maxrepeats too low can prevent passwords which are sufficiently complex from being accepted. This value has been selected with respect to the recommended value of 14 for minlen
If local site policy requires a longer minimum password length, you should review this value."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a maxrepeats"
expect : "^[\\s]*default[\\s]+maxrepeats[\\s]*=[\\s]*@PASSWORD_MAXREPEAT@[\\s]*$"

type : CMD_EXEC
description : "5.2.14 Ensure mindigit is configured"
info : "Defines the minimum number of digits in a password.
In setting the mindigit attribute, the password must contain a digit when it is changed by the user."
solution : "In /etc/security/user set the default user stanza mindigit attribute to 1 :
chsec -f /etc/security/user -s default -a mindigit=1
This means that there must be at least 1 digit within a password."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a mindigit"
expect : "^[\\s]*default[\\s]+mindigit[\\s]*=[\\s]*@PASSWORD_MINIMUM_DIGIT@[\\s]*$"

type : CMD_EXEC
description : "5.2.15 Ensure minloweralpha is configured"
info : "Defines the minimum number of lower case alphabetic characters in a password.
In setting the minloweralpha attribute, the password must contain a lower case alphabetic character when it is changed by the user."
solution : "In /etc/security/user set the default user stanza minloweralpha attribute to 1 :
chsec -f /etc/security/user -s default -a minloweralpha=1
This means that there must be at least 1 lower case alphabetic character within a password."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minloweralpha"
expect : "^[\\s]*default[\\s]+minloweralpha[\\s]*=[\\s]*@PASSWORD_MINIMUM_L_ALPHA@[\\s]*$"

type : CMD_EXEC
description : "5.2.16 Ensure minupperalpha is configured"
info : "Defines the minimum number of upper case alphabetic characters in a password.
In setting the minupperalpha attribute, the password must contain an upper case alphabetic character when it is changed by the user."
solution : "In /etc/security/user set the default user stanza minupperalpha attribute to 1 :
chsec -f /etc/security/user -s default -a minupperalpha=1
This means that there must be at least 1 upper case alphabetic character within a password."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minupperalpha"
expect : "^[\\s]*default[\\s]+minupperalpha[\\s]*=[\\s]*@PASSWORD_MINIMUM_U_ALPHA@[\\s]*$"

type : CMD_EXEC
description : "5.2.17 Ensure minspecialchar is configured"
info : "Defines the minimum number of special characters in a password.
In setting the minspecialchar attribute, the password must contain a special character when it is changed by the user."
solution : "In /etc/security/user set the default user stanza minspecialchar attribute to 1 :
chsec -f /etc/security/user -s default -a minspecialchar=1
This means that there must be at least 1 special character within a password."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minspecialchar"
expect : "^[\\s]*default[\\s]+minspecialchar[\\s]*=[\\s]*@PASSWORD_MINIMUM_S_CHAR@[\\s]*$"

type : CMD_EXEC
description : "5.2.3 Ensure password history expiry is configured"
info : "The history expiry determines the number of weeks that a user will not be able to reuse a password.
Users may have favourite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual user account, with foreknowledge of data about that user, reuse of old, potentially compromised passwords, may cause a security breach.
By restricting the time period before a password can be re-used, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
solution : "In /etc/security/user set the default user stanza histexpire attribute to be greater than or equal to 52 :
chsec -f /etc/security/user -s default -a histexpire=52
This means that a user will not be able to reuse any password set in the last 52 weeks (one year)."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a histexpire"
expect : "^[\\s]*default[\\s]+histexpire[\\s]*=[\\s]*@HIST_EXPIRE@[\\s]*$"

type : CMD_EXEC
description : "5.2.4 Ensure passwords are controlled by password attributes"
info : "Ensure passwords are required to pass password attribute controls.
If password restrictions are not enforced for some accounts, those accounts represent a much greater risk of being compromised by an attacker as they may have weaker passwords vulnerable to brute force attack or provide an indefinite window of opportunity for the use of already compromised credentials if the same password has been used on multiple systems."
solution : "In the file /etc/security/passwd clear the NOCHECK attribute from all users:
#!/usr/bin/ksh -e
# Copyright AIXTools, 2022
# For every stanza carrying NOCHECK, clear the flags and force a change at next login
/usr/bin/grep -p NOCHECK /etc/security/passwd | /usr/bin/egrep \":$\" | sed -e 's/://' | while read USER; do
    /usr/bin/pwdadm -c $USER
    /usr/bin/pwdadm -f ADMCHG $USER
done
Impact:
When exceptions to the defaults are required - rather than disable all password checking - an account needs to have the attribute redefined per account.
SHA512 password encryption is recommended as the most secure."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/grep NOCHECK /etc/security/passwd | /usr/bin/awk '{ print } END { if (NR==0) print \"pass\" }'"
expect : "^pass$"

type : CMD_EXEC
description : "5.2.5 Ensure maxexpired is configured"
info : "Defines the number of weeks after maxage that a password can be reset by the user.
The maxexpired attribute limits the number of weeks after password expiry that a password may be changed by the user."
solution : "In /etc/security/user set the default user stanza maxexpired attribute to 4 :
chsec -f /etc/security/user -s default -a maxexpired=4
This means that a user can reset their password up to 4 weeks after it has expired. After this an administrative user would need to reset the password."
reference : "800-171|3.1.1,800-53|AC-2(3),800-53r5|AC-2(3),CN-L3|7.1.3.2(e),CN-L3|8.1.4.2(c),CSCv8|5.3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.6,ITSG-33|AC-2(3),LEVEL|1A,NIAv2|AM26,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a maxexpired"
expect : "^[\\s]*default[\\s]+maxexpired[\\s]*=[\\s]*@PASSWORD_MAX_EXPIRED@[\\s]*$"

type : CMD_EXEC
description : "5.2.6 Ensure maxage is configured"
info : "Defines the maximum number of weeks that a password is valid.
The maxage attribute enforces regular password changes. We recommend this to be 13 or less, but not 0 which disables this setting."
solution : "In /etc/security/user set the default user stanza maxage attribute to a number greater than 0 but less than or equal to 13 :
chsec -f /etc/security/user -s default -a maxage=13
This means that a user password must be changed 13 weeks after being set. If 0 is set then this effectively disables password ageing.
Impact:
Historically, this recommendation has been to set maxage=13
In recent years several communities (e.g., Windows, DoD) have concluded that too frequent forced password changes leads to both weaker passwords and weaker/bad password discipline. An initial proposal to increase the maxage to 52 is not unanimous within the AIX community - so the recommendation, for now, remains at 13
Local Policy may decide to follow the other communities and set this value as 52. Due to this lack of consensus this control is being set at Level 2. The value chosen by an organization is to maintain overall password quality and secrecy."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a maxage"
expect : "^[\\s]*default[\\s]+maxage[\\s]*=[\\s]*@PASSWORD_MAX_AGE@[\\s]*$"

type : CMD_EXEC
description : "5.2.7 Ensure pwd_algorithm is configured"
info : "Defines the loadable password algorithm used when storing user passwords.
A development since AIX 5.1 was the ability to use different password algorithms as defined in /etc/security/pwdalg.cfg
The traditional UNIX password algorithm is crypt which is a one-way hash function supporting only 8 character passwords. The use of brute force password guessing attacks means that crypt no longer provides an appropriate level of security and so other encryption mechanisms are recommended.
The recommendation of this benchmark is to set the password algorithm to ssha512
This algorithm supports long passwords, up to 255 characters in length and allows passphrases including the use of the extended ASCII table and the space character.
Any passwords already set using crypt will be recognized. When the password is reset the new password hash algorithm will be used to encrypt the password."
solution : "In the file /etc/security/login.cfg set the usw stanza attribute pwd_algorithm to ssha512 :
#!/usr/bin/ksh -e
# chk_algorithm:5.2.1
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
EXPECT=\"usw pwd_algorithm=ssha512\"
CMD=\"lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm\"
TST=$(${CMD})
# Already compliant: nothing to change
[[ ${TST} == ${EXPECT} ]] && exit 0
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512
exit $?
Impact:
A password algorithm other than crypt is required to support a password minlen greater than 8 (eight) characters.
SHA512 password encryption is recommended as the most secure."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv7|16.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm"
expect : "^usw[\\s]+pwd_algorithm[\\s]*=[\\s]*ssha512[\\s]*$"

type : CMD_EXEC
description : "5.2.8 Ensure a strong password hashing algorithm is configured"
info : "The recommendation is to change the default password hash algorithm to ssha512 (see paragraph 5.2.1). However, changing the default algorithm away from crypt is not enough.
The user must supply a new password before a new hashed version of the password is stored in the shadow password file /etc/security/passwd
The hash algorithm crypt is known by all *nix versions - so it has provided portability. And in the '70's processor power was weak enough that the mere 56 bits protection against brute-force attacks was reasonable to sufficient. Fifty (50) years later - this is not the case."
solution : "Execute the following command to enable an administrative requirement to update password on next login - when current password is still hashed using the crypt algorithm.
#!/usr/bin/ksh -e
# hash_chk:5.2.12
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
#SystemAccounts are skipped, root is treated as a regular account
#pconsole is no longer a system account - being deprecated/removed
SACTS1=\"(adm|bin|daemon|invscout|ipsec|lp|lpd|nobody|nuucp|sshd|sys|uucp)\"
SACTS2=\"(esa|srvproxy|imnadm|anonymou|ftp)\"
# A 13-character hash after 'password = ' is the fixed-length crypt format
grep 'password[[:blank:]]= .............$' /etc/security/passwd | \
while read pass equals cryptedhash; do
    # Map the hash back to its stanza name, skipping system accounts
    user=$(/usr/bin/grep -p $cryptedhash /etc/security/passwd |\
        /usr/bin/egrep -vp \"${SACTS1}:$\" |\
        /usr/bin/egrep -vp \"${SACTS2}:$\" |\
        /usr/bin/egrep '[a-zA-Z0-9]+:$' | sed -e s/:$//)
    print ${user}: needs to update passwd
    set -x
    /usr/bin/pwdadm -c ${user}
    /usr/bin/pwdadm -f ADMCHG ${user}
    set +x
done
Impact:
The audit looks for hashed passwords that are 14 (fourteen) characters long. That is the length of the crypt hash.
The remediation neither changes the password nor locks the account. However, it does clear (if present) any password flags (notably NOCHECK needs to be removed) and sets the flag ADMCHG so that the account will be required to reset their password during the next login."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv7|16.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/grep 'password[[:blank:]]= .............$' /etc/security/passwd | \
while read pass equals cryptedhash; do
    user=$(/usr/bin/grep -p $cryptedhash /etc/security/passwd | /usr/bin/egrep '[a-zA-Z0-9]+:$' | /usr/bin/sed -e s/:$//)
    /usr/bin/echo ${user}: needs to update passwd
done | /usr/bin/awk '{ print } END { if (NR==0) print \"none found\" }'"
expect : "none found"

type : CMD_EXEC
description : "5.2.9 Ensure minimum password length is configured"
info : "The minimum password length setting determines the lowest number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps \"passphrase\" is a better term than \"password\".
The minlen option sets the minimum acceptable size for the new password.
Strong passwords help protect systems from password attacks. Types of password attacks include dictionary attacks, which attempt to use common words and phrases, and brute force attacks, which try every possible combination of characters. Also attackers may try to obtain the account database so they can use tools to discover the accounts and passwords."
solution : "In /etc/security/user set the default user stanza minlen attribute to be greater than or equal to 14 :
chsec -f /etc/security/user -s default -a minlen=14
This means that all user passwords must be at least 14 characters in length.
NOTE : To support a password length greater than 8 characters the default algorithm must be changed. If the command above returns an error (
3004-692 Error changing \"minlen\" to \"14\" : Value is invalid.
) the recommendation 3.1.15 /etc/security/login.cfg - pwd_algorithm needs to be completed first.
Impact:
In general, it is true that longer passwords are better (harder to crack), but it is also true that forced password length requirements can cause user behavior that is predictable and undesirable. For example, requiring users to have a minimum 16-character password may cause them to choose repeating patterns like fourfourfourfour or passwordpassword that meet the requirement but aren't hard to guess. Additionally, length requirements increase the chances that users will adopt other insecure practices, like writing them down, re-using them or storing them unencrypted in their documents.
Having a reasonable minimum length with no maximum character limit increases the resulting average password length used (and therefore the strength)."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/lssec -f /etc/security/user -s default -a minlen"
expect : "^[\\s]*default[\\s]+minlen[\\s]*=[\\s]*@PASSWORD_MINIMUM_LENGTH@[\\s]*$"

type : CMD_EXEC
description : "5.3.1 Ensure user adm is secured"
info : "This change locks and disables login access for the adm user account.
This change disables direct local and remote login to the adm user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the adm user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to adm user:
chuser account_locked=true login=false rlogin=false adm"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin adm"
expect : "^([\\s]*adm[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*|User \"adm\" does not exist\\.)$"

type : FILE_CONTENT_CHECK
description : "ftp enabled"
file : "/etc/inetd.conf"
regex : "^ftp[\\s]+"
expect : "^ftp[\\s]+"

type : CMD_EXEC
description : "5.3.10 Ensure System Accounts cannot access system using ftp."
info : "If ftp is active on the system, the file /etc/ftpusers is a deny list used by ftp daemon containing a list of users who are not allowed to access the system via ftp
The /etc/ftpusers file contains a list of users who are not allowed to access the system via ftp
All users with a UID less than 200 should typically be added into the file.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "List all users with a UID less than 200 that would be added to the /etc/ftpusers file:
lsuser -c ALL | grep -v ^#name |grep -v root | cut -f1 -d: | while read NAME; do
    if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -lt 200 ] > /dev/null 2>&1; then
        echo \"Would add $NAME to /etc/ftpusers\"
    fi
done
NOTE: Review the list of users
Add all relevant users with a UID of less than 200 to the /etc/ftpusers file:
lsuser -c ALL | grep -v ^#name |grep -v root | cut -f1 -d: | while read NAME; do
    if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -lt 200 ] > /dev/null 2>&1; then
        echo $NAME >> /etc/ftpusers
    fi
done"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/bin/cat /etc/ftpusers"
expect : "^Manual Review Required$"
severity : MEDIUM

description : "5.3.10 Ensure System Accounts cannot access system using ftp."
info : "If ftp is active on the system, the file /etc/ftpusers is a deny list used by ftp daemon containing a list of users who are not allowed to access the system via ftp
The /etc/ftpusers file contains a list of users who are not allowed to access the system via ftp
All users with a UID less than 200 should typically be added into the file."
solution : "List all users with a UID less than 200 that would be added to the /etc/ftpusers file:
lsuser -c ALL | grep -v ^#name |grep -v root | cut -f1 -d: | while read NAME; do
    if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -lt 200 ] > /dev/null 2>&1; then
        echo \"Would add $NAME to /etc/ftpusers\"
    fi
done
NOTE: Review the list of users
Add all relevant users with a UID of less than 200 to the /etc/ftpusers file:
lsuser -c ALL | grep -v ^#name |grep -v root | cut -f1 -d: | while read NAME; do
    if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -lt 200 ] > /dev/null 2>&1; then
        echo $NAME >> /etc/ftpusers
    fi
done"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"

type : CMD_EXEC
description : "5.3.2 Ensure user bin is secured"
info : "This change locks and disables login access for the bin user account.
This change disables direct local and remote login to the bin user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the bin user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the login and remote login user flags to disable bin user access:
chuser account_locked=true login=false rlogin=false bin"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin bin"
expect : "^([\\s]*bin[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*|User \"bin\" does not exist\\.)$"

type : CMD_EXEC
description : "5.3.3 Ensure user daemon is secured"
info : "This change locks and disables login access for the daemon user account.
This change disables direct local and remote login to the daemon user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the daemon user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the login and remote login user flags to disable daemon user access:
chuser account_locked=true login=false rlogin=false daemon"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin daemon"
expect : "^([\\s]*daemon[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*|User \"daemon\" does not exist\\.)$"

type : CMD_EXEC
description : "5.3.4 Ensure user guest is secured"
info : "This change locks and disables login access for the guest user account.
This change disables direct local and remote login to the guest user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the guest user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to guest user:
chuser account_locked=true login=false rlogin=false guest
Impact:
Historically the guest user account was to provide access to unknown users, i.e., the user identity was not important. Today the guest account should not be used. The numeric userid is reserved by the OS.
All authorized users should be given specific logon ids to ensure traceability and accountability."
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin guest"
expect : "^([\\s]*guest[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*|User \"guest\" does not exist\\.)$"

type : CMD_EXEC
description : "5.3.5 Ensure user lpd is secured"
info : "This change locks and disables login access for the lpd user account.
This change disables direct local and remote login to the lpd user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the lpd user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to lpd user:
chuser account_locked=true login=false rlogin=false lpd"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin lpd"
expect : "^([\\s]*lpd[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*|User \"lpd\" does not exist\\.)$"

type : CMD_EXEC
description : "5.3.6 Ensure user nobody is secured"
info : "This change locks and disables login access for the nobody user account.
This change disables direct local and remote login to the nobody user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the nobody user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the login and remote login user flags to disable nobody user access:
chuser account_locked=true login=false rlogin=false nobody"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin nobody"
expect : "^([\\s]*nobody[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*|User \"nobody\" does not exist\\.)$"

type : CMD_EXEC
description : "5.3.7 Ensure user nuucp is secured"
info : "This change locks and disables login access for the nuucp user account.
This change disables direct local and remote login to the nuucp user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the nuucp user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to nuucp user:
chuser account_locked=true login=false rlogin=false nuucp"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin nuucp"
expect : "^([\\s]*nuucp[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*|User \"nuucp\" does not exist\\.)$"

type : CMD_EXEC
description : "5.3.8 Ensure user sys is secured"
info : "This change locks and disables login access for the sys user account.
This change disables direct local and remote login to the sys user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the sys user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to sys user:
chuser account_locked=true login=false rlogin=false sys"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10385"
cmd : "/usr/sbin/lsuser -a account_locked login rlogin sys"
expect : "^([\\s]*sys[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*|User \"sys\" does not exist\\.)$"

type : CMD_EXEC
description : "5.3.9 Ensure user uucp is secured"
info : "This change locks and disables login access for the uucp user account.
This change disables direct local and remote login to the uucp user account. Do not set a password on this account to ensure that the only access is via su from the root account.
There should not be a requirement to log in as the uucp user directly. All users should be given unique logon ids to ensure traceability and accountability."
solution : "Change the following user attributes to uucp user: chuser account_locked=true login=false rlogin=false uucp" reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv8|4.7,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/sbin/lsuser -a account_locked login rlogin uucp" expect : "^([\\s]*uucp[\\s]+account_locked[\\s]*=[\\s]*true[\\s]+login[\\s]*=[\\s]*false[\\s]+rlogin[\\s]*=[\\s]*false[\\s]*|User \"uucp\" does not exist\\.)$" type : CMD_EXEC description : "6.2.2 Ensure at.allow is configured" info : "The /var/adm/cron/at.allow file defines which users on the system are able to schedule jobs via at The /var/adm/cron/at.allow file defines which users are able to schedule jobs via at Review the current at files and add any relevant users to the /var/adm/cron/at.allow file. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Review the current at files: ls -l /var/spool/cron/atjobs cat /var/spool/cron/atjobs/* NOTE: Review the list of at schedules and remove any files which should not be there, or have no content Add the recommended system users to the at.allow list: echo \"adm\" >> /var/adm/cron/at.allow echo \"sys\" >> /var/adm/cron/at.allow Add any other users who require permissions to use the at scheduler: echo >> /var/adm/cron/at.allow NOTE: Where is the username." 
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv8|5.4,CSF|PR.AC-4,CSF2.0|PR.AA-05,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1M,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/cat /var/adm/cron/at.allow" expect : "^Manual Review Required$" severity : MEDIUM type : CMD_EXEC description : "6.2.4 Ensure cron.allow is configured" info : "The /var/adm/cron/cron.allow file defines which users on the system are able to schedule jobs via cron The /var/adm/cron/cron.allow file defines which users are able to schedule jobs via cron Review the current cron files and add any relevant users to the /var/adm/cron/cron.allow file. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance." solution : "Review the current cron files: ls -l /var/spool/cron/crontabs/ cat /var/spool/cron/crontabs/* Note: Review the list of cron schedules and remove any files which should not be there, or have no content. Add the recommended system users to the cron.allow list: echo \"sys\" >> /var/adm/cron/cron.allow echo \"adm\" >> /var/adm/cron/cron.allow Add any other users who require permissions to use the cron scheduler: echo >> /var/adm/cron/cron.allow Note: Where is the username." 
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv8|5.4,CSF|PR.AC-4,CSF2.0|PR.AA-05,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/benchmarks/10385" cmd : "/usr/bin/cat /var/adm/cron/cron.allow" expect : "^Manual Review Required$" severity : MEDIUM description : "7.2.1 Ensure syslog local logging is configured" info : "This recommendation implements a local syslog configuration. Establishing a logging process via syslog provides system and security administrators with pertinent information relating to: login, mail, daemon, user and kernel activity. The recommendation is to enable local syslog logging, with a weekly rotation policy in a four weekly cycle. The log rotation isolates historical data which can be reviewed retrospectively if an issue is uncovered at a later date. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." 
solution : "Explicitly define a log file for the auth.info output in /etc/syslog.conf : printf \"auth.info\t\t/var/adm/authlog rotate time 1w files 4\n\" >> /etc/syslog.conf NOTE: This ensures that remote login, sudo or su attempts are logged separately Create the authlog file and make it readable by root only: touch /var/adm/authlog chown root:system /var/adm/authlog chmod u=rw,go= /var/adm/authlog Create an entry in /etc/syslog.conf to capture all other output of level info or higher, excluding authentication information, as this is to be captured within /var/adm/authlog : printf \"*.info;auth.none\t/var/adm/syslog rotate time 1w files 4\n\" >> /etc/syslog.conf Create the syslog file: touch /var/adm/syslog chmod u=rw,g=r,o= /var/adm/syslog Refresh syslogd to force the daemon to read the edited /etc/syslog.conf : refresh -s syslogd Impact: This recommendation is manual because there are likely local requirements that surpass the basic recommendation here." reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-2,800-53r5|AU-2,CN-L3|8.1.4.3(a),CSF|PR.PT-1,CSF2.0|PR.PS-04,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,LEVEL|1M,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/benchmarks/10385" description : "Safeguard IBM AIX 7 v1.0.0 Audit File v1.0.0" info : "NOTE: Nessus has not identified that the chosen audit applies to the target device." see_also : "https://workbench.cisecurity.org/benchmarks/10385"
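The 5.3.7 to 5.3.9 items above all pass the same `lsuser -a account_locked login rlogin <user>` output through one regular expression: the user name first, then `account_locked=true`, `login=false` and `rlogin=false` with optional whitespace around each `=`, or the literal message that the user does not exist. The following script is an added example, not part of the Tenable audit or the CIS benchmark, that applies the same decision to one line of that output and explains why it failed. The `SAMPLE_*` strings are constructed stand-ins for real `lsuser` output; the function name `check_service_account` is our own.

```shell
#!/bin/sh
# Added example, not part of the Tenable audit or the CIS benchmark.
# Evaluates one line of `lsuser -a account_locked login rlogin <user>` output
# against the 5.3.7-5.3.9 expectation (account_locked=true, login=false,
# rlogin=false, or the account does not exist at all).
#
# On AIX you would feed it live output, e.g.
#   check_service_account "$(/usr/sbin/lsuser -a account_locked login rlogin nuucp 2>&1)" nuucp
# The SAMPLE_* strings below are constructed so the script also runs off-box.

# check_service_account LSUSER_LINE USER -> exit status 0 = compliant, 1 = not.
check_service_account() {
    line=$1
    user=$2

    # A non-existent account has no login path; the audit counts that as a pass.
    case "$line" in
        "User \"$user\" does not exist."*)
            echo "$user: PASS (account does not exist)"
            return 0 ;;
    esac

    # Tolerate "attr = value" spacing the same way the audit regex does.
    norm=$(printf '%s\n' "$line" | sed 's/[[:space:]]*=[[:space:]]*/=/g')

    # The first field must be the user we asked about, otherwise we are
    # looking at some other account's (or an error message's) output.
    set -- $norm
    if [ "$1" != "$user" ]; then
        echo "$user: FAIL (unexpected output: $line)"
        return 1
    fi
    shift

    # lsuser prints the effective value of every requested attribute, so an
    # attribute missing from the output means we could not verify it: unsafe.
    locked=missing; login=missing; rlogin=missing
    for tok in "$@"; do
        case "$tok" in
            account_locked=*) locked=${tok#*=} ;;
            login=*)          login=${tok#*=} ;;
            rlogin=*)         rlogin=${tok#*=} ;;
        esac
    done

    if [ "$locked" = true ] && [ "$login" = false ] && [ "$rlogin" = false ]; then
        echo "$user: PASS"
        return 0
    fi
    echo "$user: FAIL (account_locked=$locked login=$login rlogin=$rlogin)"
    return 1
}

# Constructed sample output for three accounts (not captured from a real host).
SAMPLE_NUUCP='nuucp account_locked=true login=false rlogin=false'
SAMPLE_SYS='sys account_locked=false login=true rlogin=false'
SAMPLE_UUCP='User "uucp" does not exist.'

failures=0
check_service_account "$SAMPLE_NUUCP" nuucp || failures=$((failures + 1))
check_service_account "$SAMPLE_SYS"   sys   || failures=$((failures + 1))
check_service_account "$SAMPLE_UUCP"  uucp  || failures=$((failures + 1))
echo "$failures of 3 accounts need attention"
```

The check deliberately treats a missing attribute as a failure rather than as "unknown": `lsuser` reports the effective value, so if `rlogin` is absent the output did not come from the command the audit expects, and a remote login path may still be open. The same loop can be run over every system account the benchmark lists by wrapping the `lsuser` call in a `for` loop on the AIX host.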
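Items 6.2.2 and 6.2.4 are marked for manual review: the audit only prints the allow list, and the administrator is expected to compare it with the job files in the spool directories, delete empty or unexpected jobs, and add legitimate users. The script below is an added example, not part of the Tenable audit or the CIS benchmark, that does that comparison for both schedulers. It assumes the job owner can be read from the file name, which is the user name for crontabs and, by assumption here, the part before the first "." for at jobs; `review_allow_list` and `build_sample_tree` are our own names, and the spool tree the demo builds is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Tenable audit or the CIS benchmark.
# Automates the review step of 6.2.2 and 6.2.4: list every job file in a
# spool directory, flag empty job files (the benchmark says to remove them),
# and flag jobs whose owner is not in the matching allow list. The owner is
# taken from the file name: the user name for crontabs and, by assumption,
# the part before the first "." for at jobs.
#
# On AIX the real calls are
#   review_allow_list /var/adm/cron/cron.allow /var/spool/cron/crontabs
#   review_allow_list /var/adm/cron/at.allow   /var/spool/cron/atjobs
# The spool tree created by build_sample_tree is constructed for the demo.

# review_allow_list ALLOW_FILE SPOOL_DIR -> prints one line per job file;
# exit 0 only when every job is non-empty and belongs to a listed user.
review_allow_list() {
    allow=$1
    spool=$2
    status=0
    for job in "$spool"/*; do
        [ -e "$job" ] || continue          # glob matched nothing: empty spool
        name=${job##*/}
        owner=${name%%.*}                  # "adm" or "adm.1700000000.a" -> adm
        if [ ! -s "$job" ]; then
            echo "EMPTY   $job"
            status=1
            continue
        fi
        # -x: whole-line match, so "adm" does not satisfy "adm2". A missing
        # allow file fails every job, matching the intent that only users
        # listed explicitly may schedule work.
        if grep -qx "$owner" "$allow" 2>/dev/null; then
            echo "OK      $job (owner $owner listed in $allow)"
        else
            echo "REVIEW  $job (owner $owner not listed in $allow)"
            status=1
        fi
    done
    return $status
}

# build_sample_tree -> prints the path of a constructed spool tree.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/crontabs" "$d/atjobs"
    printf 'sys\nadm\n' > "$d/cron.allow"
    printf 'sys\nadm\n' > "$d/at.allow"
    printf '0 3 * * * /usr/sbin/skulker\n' > "$d/crontabs/sys"      # listed user
    printf '0 4 * * * /home/nuucp/sync.sh\n' > "$d/crontabs/nuucp"  # not listed
    : > "$d/crontabs/adm"                                           # empty file
    printf 'echo job\n' > "$d/atjobs/adm.1700000000.a"              # listed user
    printf 'echo job\n' > "$d/atjobs/guest.1700000100.a"            # not listed
    printf '%s\n' "$d"
}

demo=$(build_sample_tree)
review_allow_list "$demo/cron.allow" "$demo/crontabs" || echo "cron: findings above need review"
review_allow_list "$demo/at.allow"   "$demo/atjobs"   || echo "at: findings above need review"
rm -rf "$demo"
```

A REVIEW line is a decision point, not an automatic fix: either the job is legitimate and the user belongs in the allow list, or the job should be removed, and the benchmark leaves that call to the reviewer. Run the script again after editing the allow list and removing empty files; it exits 0 only when nothing is left to decide.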
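Item 7.2.1 is a manual recommendation, so nothing on the page verifies that the two `printf` lines landed in /etc/syslog.conf with the right rotation options or that the log files ended up with the intended modes. The script below is an added example, not part of the Tenable audit or the CIS benchmark, that checks exactly those properties against a syslog.conf path and a log file path. `check_syslog_conf`, `check_log_file` and `build_sample_conf` are our own names; the syslog.conf and log files it builds are constructed in a temporary directory, and it reads the mode and owner from `ls -l` rather than a platform-specific `stat`.

```shell
#!/bin/sh
# Added example, not part of the Tenable audit or the CIS benchmark.
# 7.2.1 is a manual item; this script checks what the recommendation actually
# configures: a syslog.conf line that routes auth.info to its own file with
# "rotate time 1w files 4", a catch-all *.info line that excludes auth
# (auth.none), and log files whose mode keeps group and others out.
# The syslog.conf and log files below are constructed in a temp directory;
# on AIX the calls would be
#   check_syslog_conf /etc/syslog.conf
#   check_log_file /var/adm/authlog -rw------- root
#   check_log_file /var/adm/syslog  -rw-r----- root

# check_syslog_conf FILE -> prints one line per requirement; exit 0 only if
# both the auth.info line and the auth-excluding catch-all line are present.
check_syslog_conf() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }        # comments, blank lines
        # $1 = selector list, $2 = action, $3.. = optional rotate options
        $1 ~ /(^|;)auth\.info(;|$)/ && $2 ~ /^\// {
            r = t = f = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "rotate") r = 1
                if ($i == "time"  && $(i+1) == "1w") t = 1
                if ($i == "files" && $(i+1) == "4")  f = 1
            }
            if (r && t && f) auth = $2
        }
        $1 ~ /(^|;)\*\.info(;|$)/ && $1 ~ /(^|;)auth\.none(;|$)/ && $2 ~ /^\// {
            rest = $2
        }
        END {
            ok = 1
            if (auth != "") print "OK   auth.info -> " auth " (rotate time 1w files 4)"
            else { print "FAIL no auth.info line with rotate time 1w files 4"; ok = 0 }
            if (rest != "") print "OK   *.info;auth.none -> " rest
            else { print "FAIL no *.info catch-all that excludes auth (auth.none)"; ok = 0 }
            exit ok ? 0 : 1
        }
    ' "$1"
}

# check_log_file FILE EXPECTED_MODE [EXPECTED_OWNER] -> exit 0 if the mode
# column of ls -l (first 10 characters, ignoring any ACL/SELinux suffix) and,
# when an owner is given, the owner column match.
check_log_file() {
    file=$1; want_mode=$2; want_owner=$3
    if [ ! -f "$file" ]; then
        echo "FAIL $file does not exist"
        return 1
    fi
    set -- $(ls -ld "$file")
    mode=$(printf '%s\n' "$1" | cut -c1-10)
    owner=$3
    if [ "$mode" != "$want_mode" ]; then
        echo "FAIL $file mode is $mode, want $want_mode"
        return 1
    fi
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "FAIL $file owner is $owner, want $want_owner"
        return 1
    fi
    echo "OK   $file $mode $owner"
    return 0
}

# build_sample_conf -> prints the path of a constructed temp directory holding
# a syslog.conf with the two benchmark lines and the two log files.
build_sample_conf() {
    d=$(mktemp -d)
    printf '# constructed sample, not a real /etc/syslog.conf\n' > "$d/syslog.conf"
    printf 'auth.info\t\t%s/authlog rotate time 1w files 4\n' "$d" >> "$d/syslog.conf"
    printf '*.info;auth.none\t%s/syslog rotate time 1w files 4\n' "$d" >> "$d/syslog.conf"
    touch "$d/authlog" "$d/syslog"
    chmod u=rw,go= "$d/authlog"
    chmod u=rw,g=r,o= "$d/syslog"
    printf '%s\n' "$d"
}

demo=$(build_sample_conf)
check_syslog_conf "$demo/syslog.conf"
check_log_file "$demo/authlog" -rw-------    # on AIX pass root as the third argument
check_log_file "$demo/syslog"  -rw-r-----
rm -rf "$demo"
```

The selector match accepts combined selectors such as `auth.info;mail.none` and any order of the `rotate` options, but it insists on `auth.none` in the catch-all line: without it, every authentication record is duplicated into the group-readable /var/adm/syslog, which defeats the point of a root-only authlog. The owner argument is optional only so the demo can run as an unprivileged user; on the AIX host pass `root`.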