STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide

Version: 1
Release: 1
Benchmark Date: 25 Apr 2019

Name | Title
SV-101311r1_rule | The shipped /etc/security/mkuser.sys file on AIX must not be customized directly.
SV-101313r1_rule | The AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing new user accounts.
SV-101315r1_rule | The default primary group of regular users must be staff (or equivalent) on AIX.
SV-101317r1_rule | AIX must automatically remove or disable temporary user accounts after 72 hours or sooner.
SV-101319r1_rule | AIX must enforce a limit of three consecutive invalid login attempts by a user before the account is locked, and the account must be released by an administrator.
SV-101321r1_rule | AIX must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote login access to the system.
SV-101323r1_rule | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts on AIX.
SV-101325r1_rule | The Department of Defense (DoD) login banner must be displayed during SSH, sftp, and scp login sessions on AIX.
SV-101327r1_rule | AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types.
SV-101329r1_rule | AIX must provide the lock command so that users can retain their session lock until they reauthenticate.
SV-101331r1_rule | AIX must provide the xlock command in the CDE environment so that users can retain their session lock until they reauthenticate.
SV-101333r1_rule | AIX must automatically lock the CDE graphical desktop environment after 15 minutes of inactivity.
SV-101335r1_rule | AIX must be configured to allow users to directly initiate a session lock for all connection types.
SV-101337r1_rule | AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
SV-101339r1_rule | AIX must monitor and record successful remote logins.
SV-101341r1_rule | AIX must monitor and record unsuccessful remote logins.
SV-101343r1_rule | The AIX SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
SV-101345r1_rule | The AIX SSH server must use SSH Protocol 2.
SV-101347r1_rule | AIX must produce audit records containing information to establish the date, time, and type of the events that occurred.
SV-101349r1_rule | AIX must produce audit records containing information to establish where the events occurred.
SV-101351r1_rule | AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event.
SV-101353r1_rule | AIX must produce audit records containing information to establish the outcome of the events.
SV-101355r1_rule | AIX must produce audit records containing the full-text recording of privileged commands.
SV-101357r1_rule | AIX must be configured to generate an audit record when the audit file system is 75% full.
SV-101359r1_rule | AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents.
SV-101363r1_rule | Audit logs on the AIX system must be owned by root.
SV-101365r1_rule | Audit logs on the AIX system must be group-owned by system.
SV-101367r1_rule | Audit logs on the AIX system must be set to 660 or less permissive.
SV-101369r1_rule | The AIX audit configuration files must be owned by root.
SV-101371r1_rule | The AIX audit configuration files must be group-owned by audit.
SV-101373r1_rule | The AIX audit configuration files must be set to 640 or less permissive.
SV-101375r1_rule | If the AIX system is using LDAP for authentication or account information, the LDAP SSL or TLS connection must require that the server provide a certificate, and this certificate must have a valid path to a trusted CA.
SV-101377r1_rule | AIX SSH private host key files must have mode 0600 or less permissive.
SV-101379r1_rule | AIX must enforce password complexity by requiring that at least one upper-case character be used.
SV-101381r1_rule | AIX must enforce password complexity by requiring that at least one lower-case character be used.
SV-101383r1_rule | AIX must enforce password complexity by requiring that at least one numeric character be used.
SV-101385r1_rule | AIX must require the change of at least 50% of the total number of characters when passwords are changed.
SV-101387r1_rule | The AIX system must have no .netrc files on the system.
SV-101389r1_rule | If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
SV-101391r1_rule | AIX root passwords must never be passed over a network in clear text form.
SV-101393r1_rule | AIX must disable the /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/rexec and /usr/bin/telnet commands.
SV-101395r1_rule | If LDAP is used, the AIX LDAP client must use SSL to authenticate to the LDAP server.
SV-101397r1_rule | The AIX rsh daemon must be disabled.
SV-101399r1_rule | The AIX rlogind service must be disabled.
SV-101401r1_rule | The AIX rexec daemon must not be running.
SV-101403r1_rule | The AIX telnet daemon must not be running.
SV-101405r1_rule | The AIX ftpd daemon must not be running.
SV-101407r1_rule | AIX operating systems must enforce 24 hours/1 day as the minimum password lifetime.
SV-101409r1_rule | AIX operating systems must enforce a 60-day maximum password lifetime restriction.
SV-101411r1_rule | AIX must prohibit password reuse for a minimum of five generations.
SV-101413r1_rule | AIX must use the Loadable Password Algorithm (LPA) password hashing algorithm.
SV-101415r1_rule | AIX must enforce a minimum 15-character password length.
SV-101417r1_rule | AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and to prohibit user installation of system software without explicit privileged status.
SV-101419r1_rule | The AIX qdaemon must be disabled if local or remote printing is not required.
SV-101421r1_rule | If the AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled.
SV-101423r1_rule | If the AIX system does not support either local or remote printing, the piobe service must be disabled.
SV-101425r1_rule | If there are no X11 clients that require CDE on AIX, the dt service must be disabled.
SV-101427r1_rule | If NFS is not required on AIX, the NFS daemon must be disabled.
SV-101429r1_rule | If sendmail is not required on AIX, the sendmail service must be disabled.
SV-101431r1_rule | If SNMP is not required on AIX, the snmpd service must be disabled.
SV-101433r1_rule | The AIX DHCP client must be disabled.
SV-101435r1_rule | If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled.
SV-101437r1_rule | If a DHCP server is not required on AIX, the DHCP server must be disabled.
SV-101439r1_rule | If IPv6 is not utilized on the AIX server, the autoconf6 daemon must be disabled.
SV-101441r1_rule | If the AIX server is not functioning as a network router, the gated daemon must be disabled.
SV-101443r1_rule | If the AIX server is not functioning as a multicast router, the mrouted daemon must be disabled.
SV-101445r1_rule | If the AIX server is not functioning as a DNS server, the named daemon must be disabled.
SV-101447r1_rule | If the AIX server is not functioning as a network router, the routed daemon must be disabled.
SV-101449r1_rule | If rwhod is not required on AIX, the rwhod daemon must be disabled.
SV-101451r1_rule | The timed daemon must be disabled on AIX.
SV-101453r1_rule | If the AIX server does not host an SNMP agent, the dpid2 daemon must be disabled.
SV-101457r1_rule | If SNMP is not required on AIX, the snmpmibd daemon must be disabled.
SV-101459r1_rule | The aixmibd daemon must be disabled on AIX.
SV-101461r1_rule | The ndpd-host daemon must be disabled on AIX.
SV-101463r1_rule | The ndpd-router daemon must be disabled on AIX.
SV-101465r1_rule | The daytime daemon must be disabled on AIX.
SV-101467r1_rule | The cmsd daemon must be disabled on AIX.
SV-101469r1_rule | The ttdbserver daemon must be disabled on AIX.
SV-101471r1_rule | The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX.
SV-101473r1_rule | The time daemon must be disabled on AIX.
SV-101475r1_rule | The talk daemon must be disabled on AIX.
SV-101477r1_rule | The ntalk daemon must be disabled on AIX.
SV-101479r1_rule | The chargen daemon must be disabled on AIX.
SV-101481r1_rule | The discard daemon must be disabled on AIX.
SV-101483r1_rule | The dtspc daemon must be disabled on AIX.
SV-101485r1_rule | The pcnfsd daemon must be disabled on AIX.
SV-101487r1_rule | The rstatd daemon must be disabled on AIX.
SV-101489r1_rule | The rusersd daemon must be disabled on AIX.
SV-101491r1_rule | The rwalld daemon must be disabled on AIX.
SV-101493r1_rule | The sprayd daemon must be disabled on AIX.
SV-101495r1_rule | The klogin daemon must be disabled on AIX.
SV-101497r1_rule | The kshell daemon must be disabled on AIX.
SV-101499r1_rule | The rquotad daemon must be disabled on AIX.
SV-101501r1_rule | The tftp daemon must be disabled on AIX.
SV-101503r1_rule | The imap2 service must be disabled on AIX.
SV-101505r1_rule | The pop3 daemon must be disabled on AIX.
SV-101507r1_rule | The finger daemon must be disabled on AIX.
SV-101509r1_rule | The instsrv daemon must be disabled on AIX.
SV-101511r1_rule | The echo daemon must be disabled on AIX.
SV-101513r1_rule | The Internet Network News (INN) server must be disabled on AIX.
SV-101515r1_rule | The Stream Control Transmission Protocol (SCTP) must be disabled on AIX.
SV-101517r1_rule | The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX.
SV-101519r1_rule | All accounts on the AIX system must have unique account names.
SV-101521r1_rule | All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users).
SV-101523r1_rule | The AIX SYSTEM attribute must not be set to NONE for any account.
SV-101525r1_rule | Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts.
SV-101527r1_rule | AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
SV-101535r1_rule | The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
SV-101537r1_rule | AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
SV-101541r1_rule | AIX must set the Stack Execution Disable (SED) system-wide mode to all.
SV-101545r1_rule | AIX must terminate all SSH login sessions after 10 minutes of inactivity.
SV-101547r1_rule | AIX must protect the confidentiality and integrity of all information at rest.
SV-101549r1_rule | AIX log files must have mode 0640 or less permissive.
SV-101551r1_rule | AIX log files must be owned by root.
SV-101553r1_rule | AIX log files must be group-owned by a privileged group.
SV-101555r1_rule | AIX log files must not have extended ACLs, except as needed to support authorized software.
SV-101557r1_rule | Any publicly accessible connection to the AIX operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
SV-101559r1_rule | If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.
SV-101561r1_rule | AIX must start audit at boot.
SV-101565r1_rule | AIX audit tools must be owned by root.
SV-101567r1_rule | AIX audit tools must be group-owned by audit.
SV-101569r1_rule | AIX audit tools must be set to 4550 or less permissive.
SV-101571r1_rule | AIX system files, programs, and directories must be group-owned by a system group.
SV-101573r1_rule | All system files, programs, and directories must be owned by a system account.
SV-101575r1_rule | AIX library files must have mode 0755 or less permissive.
SV-101577r1_rule | All system command files must not have extended ACLs.
SV-101579r1_rule | All library files must not have extended ACLs.
SV-101581r1_rule | AIX device files and directories must only be writable by users with a system account or as configured by the vendor.
SV-101583r1_rule | AIX must enforce password complexity by requiring that at least one special character be used.
SV-101585r1_rule | In the event of a system failure, AIX must preserve any information necessary to determine the cause of the failure and any information necessary to return to operations with the least disruption to mission processes.
SV-101587r1_rule | AIX must verify the hash of audit tools.
SV-101589r1_rule | AIX must configure the SSH idle timeout interval.
SV-101591r1_rule | AIX must set an inactivity time-out on login sessions and terminate all login sessions after 10 minutes of inactivity.
SV-101593r1_rule | If the bash shell is used, AIX must display logout messages.
SV-101595r1_rule | If the Bourne or ksh shell is used, AIX must display logout messages.
SV-101597r1_rule | If the csh or tcsh shell is used, AIX must display logout messages.
SV-101599r1_rule | SSH must display the date and time of the last successful account login to the AIX system upon login.
SV-101601r1_rule | AIX must be able to control the ability of users to log in remotely.
SV-101603r1_rule | AIX must allow administrators to send a message to all users who are currently logged in.
SV-101605r1_rule | AIX must allow administrators to send a message to a user who is currently logged in.
SV-101607r1_rule | AIX must use the Trusted Execution (TE) check policy.
SV-101609r1_rule | NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs.
SV-101613r1_rule | AIX must provide the function for assigned ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria, in near real time.
SV-101615r1_rule | AIX must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
SV-101619r1_rule | AIX must provide a report generation function that supports on-demand audit review and analysis, on-demand reporting requirements, and after-the-fact investigations of security incidents.
SV-101621r1_rule | AIX must provide time synchronization applications that can synchronize the system clock to external time sources at least every 24 hours.
SV-101625r1_rule | AIX must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-101627r1_rule | AIX must disable Kerberos authentication in the SSH daemon configuration file to enforce access restrictions.
SV-101629r1_rule | AIX must disable the Trivial File Transfer Protocol (TFTP).
SV-101631r1_rule | AIX must be configured to use syslogd to log TCPD events.
SV-101633r1_rule | AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
SV-101635r1_rule | AIX must remove the NOPASSWD tag from sudo configuration files.
SV-101637r1_rule | AIX must remove the !authenticate option from sudo configuration files.
SV-101639r1_rule | If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication.
SV-101641r1_rule | If an automated file system mounting tool is not required on AIX, it must be disabled.
SV-101643r1_rule | AIX must implement a way to force an identified temporary user to renew their password at next login.
SV-101645r1_rule | If LDAP authentication is required, AIX must configure the LDAP client to refresh user and group caches at intervals of less than one day.
SV-101647r1_rule | AIX must configure the SSH daemon to reject revoked public keys.
SV-101653r1_rule | AIX must request and perform data origin and integrity authentication verification on the name/address resolution responses the system receives from authoritative sources.
SV-101655r1_rule | AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
SV-101657r1_rule | AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces.
SV-101659r1_rule | AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission, maintain the confidentiality and integrity of information during reception, and disable all non-encrypted network access methods.
SV-101661r1_rule | AIX must remove all software components after updated versions have been installed.
SV-101663r1_rule | AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SV-101665r1_rule | AIX must prevent the use of dictionary words for passwords.
SV-101667r1_rule | AIX must enforce a delay of at least 4 seconds between login prompts following a failed login attempt.
SV-101669r1_rule | Samba packages must be removed from AIX.
SV-101671r1_rule | The password hashes stored on the AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
SV-101673r1_rule | The AIX system must require authentication upon booting into single-user and maintenance modes.
SV-101675r1_rule | On AIX, the SSH server must not permit root logins using remote access programs.
SV-101677r1_rule | The AIX system must prevent the root account from directly logging in except from the system console.
SV-101679r1_rule | The AIX system must restrict the ability to switch to the root user to members of a defined group.
SV-101681r1_rule | If the SNMP service is enabled on AIX, the default SNMP password must not be used in the /etc/snmpd.conf configuration file.
SV-101683r1_rule | The AIX SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-101685r1_rule | The inetd.conf file on AIX must be owned by root and group-owned by system.
SV-101687r1_rule | All AIX public directories must be owned by root or an application account.
SV-101689r1_rule | All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions.
SV-101691r1_rule | The nosuid option must be enabled on all AIX NFS client mounts.
SV-101693r1_rule | AIX cron and crontab directories must be owned by root or bin.
SV-101695r1_rule | AIX audio devices must be group-owned by root, sys, bin, or system.
SV-101697r1_rule | The AIX passwd.nntp file must have mode 0600 or less permissive.
SV-101699r1_rule | The AIX time synchronization configuration file must be owned by root.
SV-101701r1_rule | The AIX time synchronization configuration file must be group-owned by bin or system.
SV-101703r1_rule | The AIX time synchronization configuration file must have mode 0640 or less permissive.
SV-101705r1_rule | AIX administrative accounts must not run a web browser, except as needed for local service administration.
SV-101707r1_rule | AIX default system accounts (with the exception of root) must not be listed in the cron.allow file, or must be included in the cron.deny file if cron.allow does not exist.
SV-101709r1_rule | The AIX /etc/group file must be owned by root.
SV-101711r1_rule | The AIX /etc/group file must be group-owned by security.
SV-101713r1_rule | The AIX /etc/group file must have mode 0644 or less permissive.
SV-101715r1_rule | The AIX /etc/group file must not have an extended ACL.
SV-101717r1_rule | The AIX ldd command must be disabled.
SV-101719r1_rule | The AIX root account must not have world-writable directories in its executable search path.
SV-101721r1_rule | The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID.
SV-101723r1_rule | All AIX Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
SV-101725r1_rule | All AIX files and directories must have a valid owner.
SV-101727r1_rule | The sticky bit must be set on all public directories on AIX systems.
SV-101729r1_rule | The AIX global initialization files must contain the mesg -n or mesg n commands.
SV-101731r1_rule | The AIX hosts.lpd file must not contain a + character.
SV-101733r1_rule | AIX sendmail logging must not be set to less than nine in the sendmail.cf file.
SV-101735r1_rule | AIX run control scripts' executable search paths must contain only absolute paths.
SV-101737r1_rule | The /etc/shells file must exist on AIX systems.
SV-101739r1_rule | All AIX shells referenced in the passwd file must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
SV-101741r1_rule | The AIX NFS server must be configured to restrict file system access to local hosts.
SV-101743r1_rule | AIX public directories must be the only world-writable directories, and world-writable files must be located only in public directories.
SV-101745r1_rule | AIX must be configured to only boot from the system boot device.
SV-101747r1_rule | AIX must not use removable media as the boot loader.
SV-101749r1_rule | AIX audit logs must be rotated daily.
SV-101751r1_rule | If the AIX host is running an SMTP service, the SMTP greeting must not provide version information.
SV-101753r1_rule | AIX must contain no .forward files.
SV-101755r1_rule | AIX must implement a remote syslog server that is documented using site-defined procedures.
SV-101757r1_rule | AIX must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
SV-101759r1_rule | The sendmail server must have the debug feature disabled on AIX systems.
SV-101761r1_rule | The SMTP service must not have the EXPN or VRFY features active on AIX systems.
SV-101763r1_rule | UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems.
SV-101765r1_rule | AIX must require passwords to contain no more than three consecutive repeating characters.
SV-101767r1_rule | All global initialization file executable search paths must contain only absolute paths.
SV-101769r1_rule | The AIX /etc/passwd, /etc/security/passwd, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups or LDAP netgroups.
SV-101771r1_rule | AIX process core dumps must be disabled.
SV-101773r1_rule | The SMTP service HELP command must not be enabled on AIX.
SV-101775r1_rule | The AIX syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
SV-101777r1_rule | The AIX SSH daemon must be configured for IP filtering.
SV-101779r1_rule | IP forwarding for IPv4 must not be enabled on AIX unless the system is a router.
SV-101781r1_rule | NIS maps must be protected through hard-to-guess domain names on AIX.
SV-101783r1_rule | The AIX system's access control program must be configured to grant or deny system access to specific hosts.
SV-101785r1_rule | The AIX root account's list of preloaded libraries must be empty.
SV-101787r1_rule | All AIX files and directories must have a valid group owner.
SV-101789r1_rule | AIX control scripts' library search paths must contain only absolute paths.
SV-101791r1_rule | The control script lists of preloaded libraries must contain only absolute paths on AIX systems.
SV-101793r1_rule | The global initialization file lists of preloaded libraries must contain only absolute paths on AIX.
SV-101795r1_rule | The local initialization file library search paths must contain only absolute paths on AIX.
SV-101797r1_rule | The local initialization file lists of preloaded libraries must contain only absolute paths on AIX.
SV-101799r1_rule | AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option.
SV-101801r1_rule | AIX kernel core dumps must be disabled unless needed.
SV-101803r1_rule | The AIX SSH daemon must not allow compression.
SV-101805r1_rule | AIX must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
SV-101807r1_rule | AIX must not have IP forwarding for IPv6 enabled unless the system is an IPv6 router.
SV-101809r1_rule | The AIX package management tool must be used daily to verify system software.
SV-101813r1_rule | The AIX DHCP client must not send dynamic DNS updates.
SV-101815r1_rule | AIX must not run any routing protocol daemons unless the system is a router.
SV-101817r1_rule | AIX must not process ICMP timestamp requests.
SV-101819r1_rule | AIX must not respond to ICMPv6 echo requests sent to a broadcast address.
SV-101821r1_rule | AIX must encrypt user data at rest using the AIX Encrypted File System (EFS) if it is required.
SV-101823r1_rule | AIX must turn on SSH daemon privilege separation.
SV-101825r1_rule | AIX must turn on SSH daemon reverse name checking.
SV-101827r1_rule | The AIX SSH daemon must perform strict mode checking of home directory configuration files.
SV-101829r1_rule | AIX must turn off X11 forwarding for the SSH daemon.
SV-101831r1_rule | AIX must turn off TCP forwarding for the SSH daemon.
SV-101833r1_rule | AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
SV-101835r1_rule | AIX must not have accounts configured with blank or null passwords.
SV-101837r1_rule | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the AIX system.
SV-101839r1_rule | The .rhosts file must not be supported in AIX PAM.
SV-101841r1_rule | The AIX SSH daemon must be configured to disable empty passwords.
SV-101843r1_rule | The AIX SSH daemon must be configured to disable user .rhosts files.
SV-101845r1_rule | The AIX SSH daemon must be configured to not use host-based authentication.
SV-101847r1_rule | The AIX SSH daemon must not allow RhostsRSAAuthentication.
SV-101849r1_rule | The AIX root user home directory must not be the root directory (/).
SV-101851r1_rule | The AIX root account's home directory (other than /) must have mode 0700.
SV-101853r1_rule | All AIX interactive users must be assigned a home directory in the passwd file, and the directory must exist.
SV-101857r1_rule | All AIX users' home directories must have mode 0750 or less permissive.
SV-101859r1_rule | All AIX interactive users' home directories must be owned by their respective users.
SV-101861r1_rule | All AIX interactive users' home directories must be group-owned by the home directory owner's primary group.
SV-101863r1_rule | The AIX root account's home directory must not have an extended ACL.
SV-101865r1_rule | AIX user home directories must not have extended ACLs.
SV-101867r1_rule | All files and directories contained in users' home directories on AIX must be group-owned by a group of which the home directory owner is a member.
SV-101869r1_rule | AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
SV-101871r1_rule | If the AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses.
SV-101873r1_rule | AIX must provide audit record generation functionality for DoD-defined auditable events.
SV-102347r1_rule | AIX must configure the ttys value for all interactive users.
SV-103029r1_rule | The AIX operating system must use Multi Factor Authentication.
SV-103031r1_rule | The AIX operating system must be configured to authenticate using Multi Factor Authentication.
SV-103033r1_rule | The AIX operating system must be configured to use Multi Factor Authentication for remote connections.
SV-103035r1_rule | AIX must have the PowerSC Multi Factor Authentication product configured.
SV-103037r1_rule | The AIX operating system must be configured to use a valid server_ca.pem file.
SV-103039r1_rule | The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials.