STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.

DISA Rule

SV-219057r508663_rule

Vulnerability Number

V-219057

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AIX7-00-003143

Severity

CAT II

CCI(s)

• CCI-002080 - The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.
• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

From the command prompt, run the following commands to create and activate "ipsec_v4" and "ipsec_v6" devices:
# mkdev -l ipsec -t 4
# mkdev -l ipsec -t 6

From the command prompt, run the following commands to change the "all traffic" rules to block all packages:
# chfilt -a D -v 4 -n 0
# chfilt -a D -v 6 -n 0

Assume that the local host has IP address 10.10.10.10 and the remote host has IP address 11.11.11.11, run the following command to generate a user-defined filter rule that allow all IPv4 traffic between these 2 hosts:
# genfilt -w B -v 4 -s 10.10.10.10 -p 0 -P 0 -o any -O any -m 255.255.255.255 -M 255.255.255.255 -i all -g Y -d 11.11.11.11 -c all -a P

From the command prompt, run the following command to activate all the filter rules in the rule database:
# mkfilt -u

Check Contents

From the command prompt, run the following commands to check if the "all traffic" filter rules, the predefined rule with Rule-ID 0, are defined to deny all packages:

# lsfilt -v4 -n0
# lsfilt -v6 -n0

Rule 0:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask : 0.0.0.0
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description : Default Rule

Rule 0:
Rule action : deny
Source Address : ::
Source Mask : 0
Destination Address : ::
Destination Mask : 0
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description : Default Rule

If any of the "all traffic" rules has "Rule action : permit", this is a finding.

Vulnerability Number

V-219057

Documentable

False

Rule Version

AIX7-00-003143

Severity Override Guidance

From the command prompt, run the following commands to check if the "all traffic" filter rules, the predefined rule with Rule-ID 0, are defined to deny all packages:

# lsfilt -v4 -n0
# lsfilt -v6 -n0

Rule 0:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask : 0.0.0.0
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description : Default Rule

Rule 0:
Rule action : deny
Source Address : ::
Source Mask : 0
Destination Address : ::
Destination Mask : 0
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description : Default Rule

If any of the "all traffic" rules has "Rule action : permit", this is a finding.

Check Content Reference

M

Target Key

4012

Comments