CIS V2 specifications for VIOS server

The Center for Internet Security (CIS) develops benchmarks for the secure configuration of a target system. CIS benchmarks are consensus-based, best-practice security configuration guides that are developed and accepted by government, business, industry, and academia.

The CIS specifications for VIOS server provide guidance for establishing a secure configuration by applying the new profiles.
Table 1. Settings related to the CIS V2 specifications for VIOS server

Each entry lists the benchmark item with its CIS level, the benchmark group, the implementation specification, the location of the script that modifies the setting, and the arguments passed to that script.

AIX®7.2:2.3,2.4,2.5 (Level 1)
Group: System Integrity verification
Implementation specification: Maintain system integrity by detecting, removing, and protecting against known types of malicious software.
Script: /etc/security/pscexpert/bin/manageITsecurity
Arguments: cisv2_sysintegrity

AIX7.2:2.7 (Level 1)
Group: System Integrity verification
Implementation specification: Remove unused symbolic links.
Script: /etc/security/pscexpert/bin/findperms
Arguments: brokenlinks

AIX7.2:3.4 (Level 1)
Group: Permission Settings
Implementation specification: Remove group write permission from default groups; exceptions must be in TSD and audit.
Script: /etc/security/pscexpert/bin/findperms
Arguments: groupwritables

AIX7.2:3.5 (Level 1)
Group: Permission Settings
Implementation specification: Application data with a requirement for world-writable directories.
Script: /etc/security/pscexpert/bin/findperms
Arguments: stickybit

AIX7.2:3.6 (Level 1)
Group: Permission Settings
Implementation specification: Ensure there are no world-writable files; exceptions must be in TSD and audit.
Script: /etc/security/pscexpert/bin/findperms
Arguments: worldwritables

AIX7.2:3.7 (Level 1)
Group: Permission Settings
Implementation specification: Ensure there are no 'staff' writable files; exceptions must be in TSD and audit.
Script: /etc/security/pscexpert/bin/findperms
Arguments: staffwritables

AIX7.2:3.8 (Level 1)
Group: Permission Settings
Implementation specification: Ensure all files and directories are owned by a user (UID) and assigned to a group (GID).
Script: /etc/security/pscexpert/bin/findperms
Arguments: ownerless

AIX7.2:4.5.1.1 (Level 1)
Group: Manage filesets
Implementation specification: De-install CDE.
Script: /etc/security/pscexpert/bin/managefilesets
Arguments: uninstall like:CDE

AIX7.2:4.5.1.5 (Level 1)
Group: Permission Settings
Implementation specification: Remove the setuid/setgid bits from /usr/dt/bin/dtappgather.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:ug-s path:/usr/dt/bin/dtappgather

AIX7.2:4.5.1.5 (Level 1)
Group: Permission Settings
Implementation specification: Remove the setuid/setgid bits from /usr/dt/bin/dtprintinfo.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:ug-s path:/usr/dt/bin/dtprintinfo

AIX7.2:4.5.1.5 (Level 1)
Group: Permission Settings
Implementation specification: Remove the setuid/setgid bits from /usr/dt/bin/dtsession.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:ug-s path:/usr/dt/bin/dtsession

AIX7.2:4.5.1.7 (Level 1)
Group: Miscellaneous Rules
Implementation specification: CDE - screensaver lock (saver timeout).
Script: /etc/security/pscexpert/bin/cde_config
Arguments: create /etc/dt/config/*/sys.resources add dtsession*saverTimeout 10

AIX7.2:4.5.1.7 (Level 1)
Group: Miscellaneous Rules
Implementation specification: CDE - screensaver lock (lock timeout).
Script: /etc/security/pscexpert/bin/cde_config
Arguments: create /etc/dt/config/*/sys.resources add dtsession*lockTimeout 10

AIX7.2:4.5.1.8 (Level 1)
Group: Miscellaneous Rules
Implementation specification: CDE - login screen hostname masking.
Script: /etc/security/pscexpert/bin/cde_config
Arguments: copy /etc/dt/config/*/Xresources add Dtlogin*greeting.labelString "Authorized uses only. All activity may be monitored and reported."

AIX7.2:4.5.1.9 (Level 1)
Group: Permission Settings
Implementation specification: Remove group and other write permission from /etc/dt/config/Xconfig.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:g-w,o-w path:/etc/dt/config/Xconfig

AIX7.2:4.5.1.9 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root:bin for /etc/dt/config/Xconfig.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root:bin path:/etc/dt/config/Xconfig

AIX7.2:4.5.1.10 (Level 1)
Group: Permission Settings
Implementation specification: Remove group and other write permission from /etc/dt/config/Xservers.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:g-w,o-w path:/etc/dt/config/Xservers

AIX7.2:4.5.1.10 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root:bin for /etc/dt/config/Xservers.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root:bin path:/etc/dt/config/Xservers

AIX7.2:4.5.1.11 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rw,go=r for /etc/dt/config/*/Xresources.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0644 path:/etc/dt/config/*/Xresources

AIX7.2:4.5.1.11 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root:sys for /etc/dt/config/*/Xresources.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root:sys path:/etc/dt/config/*/Xresources

AIX7.2:4.5.2.1 (Level 1)
Group: Miscellaneous Rules
Implementation specification: Disable root access to ftpd.
Script: /etc/security/pscexpert/bin/chetcftpusers
Arguments: a cisv2_chetcftpusers

AIX7.2:4.5.2.2 (Level 1)
Group: Miscellaneous Rules
Implementation specification: Set an FTP login banner that displays the acceptable usage policy.
Script: /etc/security/pscexpert/bin/ftpbanner
Arguments: cisv2_ftpbanner

AIX7.2:4.5.2.3 (Level 1)
Group: /etc/inetd.conf Settings
Implementation specification: ftpd: prevent world access and group write to files (umask 027).
Script: /etc/security/pscexpert/bin/inetd_config
Arguments: ftp tcp ftpd -l -u 027

AIX7.2:4.5.3.1 (Level 1)
Group: Remote access settings
Implementation specification: Minimum ssh version is 8.1.
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: VERSION 8.1 NA

AIX7.2:4.5.3.2 (Level 1)
Group: Remove unauthorized access
Implementation specification: Disable or comment out entries in the /etc/hosts.equiv file.
Script: /etc/security/pscexpert/bin/rmetchostsequiv
Arguments: cisv1_rmetchostsequiv

AIX7.2:4.5.3.3 (Level 1)
Group: Remote access settings
Implementation specification: Remove any existing .shosts files from all user home directories.
Script: /etc/security/pscexpert/bin/rmrhostsnetrc
Arguments: l cisv1_shosts

AIX7.2:4.5.3.6 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: a Banner is set and its message contains "Only authorized users allowed".
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: Banner /etc/motd.ssh /etc/ssh/sshd_config VIOS_CISv2

AIX7.2:4.5.3.7 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: HostbasedAuthentication is no.
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: HostbasedAuthentication no /etc/ssh/sshd_config

AIX7.2:4.5.3.8 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: IgnoreRhosts is yes or shosts-only.
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: MULTIPLE IgnoreRhosts yes shosts-only /etc/ssh/sshd_config

AIX7.2:4.5.3.9 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: PermitEmptyPasswords is no.
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: PermitEmptyPasswords no /etc/ssh/sshd_config

AIX7.2:4.5.3.10 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: LogLevel is INFO or VERBOSE.
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: MULTIPLE LogLevel INFO VERBOSE /etc/ssh/sshd_config

AIX7.2:4.5.3.11 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: the sftp-server Subsystem arguments include -u 027 -f AUTH -l INFO (or -l DEBUG).
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: MULTIPLE Subsystem "sftp /usr/sbin/sftp-server -u 027 -f AUTH -l INFO" "sftp /usr/sbin/sftp-server -u 027 -f AUTH -l DEBUG" /etc/ssh/sshd_config

AIX7.2:4.5.3.12 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: MaxAuthTries is 4 (or lower).
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: LE MaxAuthTries 4 4 /etc/ssh/sshd_config

AIX7.2:4.5.3.13 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: PermitUserEnvironment is no.
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: PermitUserEnvironment no /etc/ssh/sshd_config

AIX7.2:4.5.3.15 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: KexAlgorithms is restricted to the listed algorithms.
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: SET KexAlgorithms "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256" /etc/ssh/sshd_config

AIX7.2:4.5.3.16 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: Ciphers is restricted to the listed ciphers.
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: SET Ciphers "aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com" /etc/ssh/sshd_config

AIX7.2:4.5.3.17 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: MACs (Message Authentication Codes) is restricted to the listed algorithms.
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: SET MACs "umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" /etc/ssh/sshd_config

AIX7.2:4.5.3.18 (Level 1)
Group: Login policy rules
Implementation specification: sshd_config: RekeyLimit.
Script: /etc/security/pscexpert/bin/ssh_config_rules
Arguments: RekeyLimit "1G 3600" /etc/ssh/sshd_config
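
The sshd_config rows above describe the state that ssh_config_rules enforces, but the page does not show how the effective value of a keyword is determined. The following read-only audit is an added example written for this page; it is not the pscexpert ssh_config_rules script, whose internals are not documented here. It assumes OpenSSH's sshd_config rules (keywords are case-insensitive, the first uncommented occurrence of a keyword wins) and works on two constructed sample files, not on a real system's configuration. The allowed values are taken from the table rows; the hypothetical `check_one`, `check_le` and `check_set` helpers map onto the table's exact-match, MULTIPLE and LE style of argument.

```shell
#!/bin/sh
# Added example: hypothetical read-only audit of sshd_config against the
# CIS VIOS V2 rows above. Not the pscexpert ssh_config_rules script.

# Effective value of a keyword: sshd uses the first uncommented occurrence,
# so the search stops at the first match. Keyword matching is case-insensitive.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# PASS if the keyword equals one of the allowed values (case-insensitive).
check_one() {
    file=$1; key=$2; shift 2
    actual=$(sshd_get "$file" "$key" | tr 'A-Z' 'a-z')
    for allowed in "$@"; do
        if [ "$actual" = "$(printf '%s' "$allowed" | tr 'A-Z' 'a-z')" ]; then
            echo "PASS $key = $actual"; return 0
        fi
    done
    echo "FAIL $key = '${actual:-<unset>}' (expected one of: $*)"; return 1
}

# PASS if the keyword is an integer no greater than the limit (the table's LE rule).
check_le() {
    file=$1; key=$2; limit=$3
    actual=$(sshd_get "$file" "$key")
    case $actual in
        ''|*[!0-9]*) echo "FAIL $key = '${actual:-<unset>}' (expected integer <= $limit)"; return 1 ;;
    esac
    [ "$actual" -le "$limit" ] && { echo "PASS $key = $actual"; return 0; }
    echo "FAIL $key = $actual (expected <= $limit)"; return 1
}

# PASS if the keyword has any value at all (the "Banner exists" rule).
check_set() {
    actual=$(sshd_get "$1" "$2")
    [ -n "$actual" ] && { echo "PASS $2 is set ($actual)"; return 0; }
    echo "FAIL $2 is not set"; return 1
}

# Run the table's sshd_config checks; the exit status is the number of failures.
audit_sshd_config() {
    f=$1; failures=0
    check_set "$f" Banner                       || failures=$((failures + 1))
    check_one "$f" HostbasedAuthentication no   || failures=$((failures + 1))
    check_one "$f" IgnoreRhosts yes shosts-only || failures=$((failures + 1))
    check_one "$f" PermitEmptyPasswords no      || failures=$((failures + 1))
    check_one "$f" LogLevel INFO VERBOSE        || failures=$((failures + 1))
    check_one "$f" Subsystem "sftp /usr/sbin/sftp-server -u 027 -f AUTH -l INFO" \
        "sftp /usr/sbin/sftp-server -u 027 -f AUTH -l DEBUG" || failures=$((failures + 1))
    check_le  "$f" MaxAuthTries 4               || failures=$((failures + 1))
    check_one "$f" PermitUserEnvironment no     || failures=$((failures + 1))
    check_one "$f" RekeyLimit "1G 3600"         || failures=$((failures + 1))
    # KexAlgorithms and MACs are checked the same way, with the table's lists.
    check_one "$f" Ciphers \
        "aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com" \
        || failures=$((failures + 1))
    return $failures
}

# Constructed sample (not from any real system): several settings deviate.
write_weak_sample() {
    f=$(mktemp) && cat > "$f" <<'EOF'
Port 22
LogLevel INFO
HostbasedAuthentication yes
IgnoreRhosts no
PermitEmptyPasswords no
MaxAuthTries 6
#PermitUserEnvironment no
PermitUserEnvironment yes
Subsystem sftp /usr/sbin/sftp-server
EOF
    echo "$f"
}

# Constructed sample that satisfies every check above.
write_compliant_sample() {
    f=$(mktemp) && cat > "$f" <<'EOF'
Banner /etc/motd.ssh
LogLevel VERBOSE
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
MaxAuthTries 4
# a later duplicate is ignored: sshd keeps the first value
MaxAuthTries 10
PermitUserEnvironment no
RekeyLimit 1G 3600
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com
Subsystem sftp /usr/sbin/sftp-server -u 027 -f AUTH -l INFO
EOF
    echo "$f"
}

# Stand-alone demo: audit both samples and report the failure count.
for sample in "$(write_weak_sample)" "$(write_compliant_sample)"; do
    echo "== $sample"
    audit_sshd_config "$sample" || echo "$? non-compliant setting(s)"
    rm -f "$sample"
done
```

To audit a live host, call `audit_sshd_config /etc/ssh/sshd_config` as a user that can read the file; the script only reads, so the pscexpert scripts listed in the table remain the place where the settings are changed. Note that the commented-out `#PermitUserEnvironment no` in the weak sample is ignored and the later `PermitUserEnvironment yes` is reported, which is exactly what sshd itself will apply.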

AIX7.2:4.5.4.1 (Level 1)
Group: Miscellaneous Rules
Implementation specification: Hide sendmail version information.
Script: /etc/security/pscexpert/bin/sendmailcis
Arguments: SmtpGreetingMessage mailerready

AIX7.2:4.5.4.2 (Level 1)
Group: Miscellaneous Rules
Implementation specification: Ensure that PrivacyOptions includes at least authwarnings, noexpn, and novrfy.
Script: /etc/security/pscexpert/bin/sendmailcis
Arguments: PrivacyOptions

AIX7.2:4.5.4.3 (Level 1)
Group: Miscellaneous Rules
Implementation specification: Ensure that sendmail in MTA mode serves only local applications that require a legacy MTA.
Script: /etc/security/pscexpert/bin/sendmailcis
Arguments: DaemonPortOptions

AIX7.2:4.5.4.4 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root for /etc/mail/sendmail.cf.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root path:/etc/mail/sendmail.cf

AIX7.2:4.5.4.4 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rw,g=r,o= for /etc/mail/sendmail.cf.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0640 path:/etc/mail/sendmail.cf

AIX7.2:4.5.4.5 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership smmsp for /var/spool/clientmqueue.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: smmsp path:/var/spool/clientmqueue

AIX7.2:4.5.4.5 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions ug=rwx,o= for /var/spool/clientmqueue.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0770 path:/var/spool/clientmqueue

AIX7.2:4.5.4.6 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root for /var/spool/mqueue.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root path:/var/spool/mqueue

AIX7.2:4.5.4.6 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rwx,go= for /var/spool/mqueue.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0700 path:/var/spool/mqueue

AIX7.2:4.5.6 (Level 1)
Group: Manage filesets
Implementation specification: Uninstall snmp and snmpd.
Script: /etc/security/pscexpert/bin/managefilesets
Arguments: uninstall like:snmp

AIX7.2:4.5.7 (Level 1)
Group: Manage filesets
Implementation specification: Uninstall sendmail.
Script: /etc/security/pscexpert/bin/managefilesets
Arguments: uninstall like:sendmail

AIX7.2:4.6.1 (Level 1)
Group: Login policy recommendations
Implementation specification: Set the time interval allowed for typing in a password to 30 seconds.
Script: /etc/security/pscexpert/bin/chdefstanza
Arguments: /etc/security/login.cfg logintimeout=30 usw cisv2_logintimeout

AIX7.2:4.6.2 (Level 1)
Group: Login policy recommendations
Implementation specification: Set the delay between unsuccessful login attempts to 10 seconds.
Script: /etc/security/pscexpert/bin/chdefstanza
Arguments: /etc/security/login.cfg logindelay=10 default cisv2_logindelay

AIX7.2:4.6.4 (Level 1)
Group: Password policy recommendations
Implementation specification: Set the number of consecutive unsuccessful login attempts allowed for each non-root user account, before the account is disabled, to 5.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: loginretries=5 NONROOT cisv2_loginretries

AIX7.2:4.6.3 (Level 1)
Group: Miscellaneous Rules
Implementation specification: Add a default herald to /etc/security/login.cfg.
Script: /etc/security/pscexpert/bin/loginherald
Arguments: a cisv2_loginherald

AIX7.2:4.7.1.1,4.7.1.2 (Level 1)
Group: Miscellaneous Settings
Implementation specification: Each home directory must exist and must be owned by the account, or by a special account.
Script: /etc/security/pscexpert/bin/homedirectories
Arguments: users

AIX7.2:4.7.1.3 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions g-w,o-w for all user home directories.
Script: /etc/security/pscexpert/bin/chperm
Arguments: add:0755 path:/home/*/

AIX7.2:4.7.1.4 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root:audit for /audit.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root:audit path:/audit

AIX7.2:4.7.1.4 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rwx,g=rs,o= for /audit.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:2750 path:/audit

AIX7.2:4.7.1.4 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rw,g=r,o= for all objects under /audit, recursively.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0640 recursiveexcl:/audit

AIX7.2:4.7.1.5 (Level 1)
Group: Permission Settings
Implementation specification: SECURITY subsystems: /etc/security.
Script: /etc/security/pscexpert/bin/securitydirs

AIX7.2:4.7.1.6 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions o-rw for /var/adm/ras/*.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:o-rw recursiveexcl:/var/adm/ras

AIX7.2:4.7.1.7 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership adm:adm for /var/adm/sa.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: adm:adm path:/var/adm/sa

AIX7.2:4.7.1.7 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rwx,go=rx for /var/adm/sa.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0755 path:/var/adm/sa

AIX7.2:4.7.1.8 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions o= for all objects under /var/spool/cron/crontabs, recursively.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:o-rwx recursiveexcl:/var/spool/cron/crontabs

AIX7.2:4.7.1.8 (Level 1)
Group: Ownership Settings
Implementation specification: Set the group cron for all objects in the /var/spool/cron/crontabs directory tree.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: :cron recursiveincl:/var/spool/cron/crontabs

AIX7.2:4.7.1.9 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions g-w,o-w for all directories in the root user's PATH environment variable.
Script: /etc/security/pscexpert/bin/chpermpath
Arguments: cisv1_chpermpath

AIX7.2:4.7.1.10 (Level 1)
Group: Miscellaneous Settings
Implementation specification: Ensure the root user has a dedicated home directory.
Script: /etc/security/pscexpert/bin/homedirectories
Arguments: root

AIX7.2:4.7.1.11 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root:audit for all objects in the /etc/security/audit directory tree.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root:audit recursiveincl:/etc/security/audit

AIX7.2:4.7.1.11 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rwx,g=rx,o= for /etc/security/audit.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0750 path:/etc/security/audit

AIX7.2:4.7.1.11 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rw,g=r,o= for all objects under /etc/security/audit, recursively.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0640 recursiveexcl:/etc/security/audit

AIX7.2:4.7.2.1 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions on the sendmail submission configuration file /etc/mail/submit.cf.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0640 path:/etc/mail/submit.cf

AIX7.2:4.7.2.2 (Level 1)
Group: Permission Settings
Implementation specification: Verify trust of suid, sgid, ACL, and trusted-bit files and programs.
Script: /etc/security/pscexpert/bin/findperms
Arguments: setuid

AIX7.2:4.7.2.3 (Level 1)
Group: Miscellaneous Enhancements
Implementation specification: Ensure that all root crontab entries are owned by, and writable only by, the root user.
Script: /etc/security/pscexpert/bin/rootcrnjobck
Arguments: cisv1_rootcrnjobck

AIX7.2:4.7.2.4 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions g-w,o-w for all user configuration files in each home directory.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:g-w,o-w path:/home/*/.*/

AIX7.2:4.7.2.5 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions o-rw for /smit.log (and /root/smit.log).
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:o-rw path:/{,root/}smit.log

AIX7.2:4.7.2.6 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root:security for /etc/group.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root:security path:/etc/group

AIX7.2:4.7.2.6 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rw,go=r for /etc/group.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0644 path:/etc/group

AIX7.2:4.7.2.7 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rw,go=r for /etc/inetd.conf.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0644 path:/etc/inetd.conf

AIX7.2:4.7.2.7 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root:system for /etc/inetd.conf.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root:system path:/etc/inetd.conf

AIX7.2:4.7.2.8 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership bin:bin for /etc/motd.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: bin:bin path:/etc/motd

AIX7.2:4.7.2.8 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rw,go=r for /etc/motd.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0644 path:/etc/motd

AIX7.2:4.7.2.9 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root:security for /etc/passwd.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root:security path:/etc/passwd

AIX7.2:4.7.2.9 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rw,go=r for /etc/passwd.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0644 path:/etc/passwd

AIX7.2:4.7.2.10 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rw,go=r for /etc/ssh/ssh_config.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0644 path:/etc/ssh/ssh_config

AIX7.2:4.7.2.11 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=rw,go= for /etc/ssh/sshd_config.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0600 path:/etc/ssh/sshd_config

AIX7.2:4.7.2.12 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root:sys for /var/adm/cron/at.allow.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root:sys path:/var/adm/cron/at.allow

AIX7.2:4.7.2.12 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=r,go= for /var/adm/cron/at.allow.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0400 path:/var/adm/cron/at.allow

AIX7.2:4.7.2.13 (Level 1)
Group: Ownership Settings
Implementation specification: Set the ownership root:sys for /var/adm/cron/cron.allow.
Script: /etc/security/pscexpert/bin/chowngrp
Arguments: root:sys path:/var/adm/cron/cron.allow

AIX7.2:4.7.2.13 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions u=r,go= for /var/adm/cron/cron.allow.
Script: /etc/security/pscexpert/bin/chperm
Arguments: num:0400 path:/var/adm/cron/cron.allow

AIX7.2:4.7.2.14 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions o-rw for /var/ct/RMstart.log.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:o-rw path:/var/ct/RMstart.log

AIX7.2:4.7.2.15 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions o-rw for /var/adm/cron/log.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:o-rw path:/var/adm/cron/log

AIX7.2:4.7.2.16 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions o-rw for /var/tmp/dpid2.log.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:o-rw path:/var/tmp/dpid2.log

AIX7.2:4.7.2.17 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions o-rw for /var/tmp/hostmibd.log.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:o-rw path:/var/tmp/hostmibd.log

AIX7.2:4.7.2.18 (Level 1)
Group: Permission Settings
Implementation specification: Set the permissions o-rw for /var/tmp/snmpd.log.
Script: /etc/security/pscexpert/bin/chperm
Arguments: sym:o-rw path:/var/tmp/snmpd.log

AIX7.2:4.11 (Level 1)
Group: Miscellaneous Config
Implementation specification: Remove the dot from the PATH variable in the /etc/environment file.
Script: /etc/security/pscexpert/bin/rmdotfrmpathetcenv
Arguments: r cisv2_rmdotfrmpathetcenv

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user daemon.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true daemon cisv2_lockdaemon

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user bin.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true bin cisv2_lockbin

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user sys.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true sys cisv2_locksys

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user adm.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true adm cisv2_lockadm

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user uucp.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true uucp cisv2_lockuucp

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user nobody.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true nobody cisv2_locknobody

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user lpd.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true lpd cisv2_locklpd

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user lp.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true lp cisv2_locklp

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user invscout.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true invscout cisv2_lockinvscout

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user ipsec.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true ipsec cisv2_lockipsec

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user nuucp.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true nuucp cisv2_locknuucp

AIX7.2:4.12 (Level 1)
Group: Login policy recommendations
Implementation specification: Lock the historical user sshd.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user account_locked=true sshd cisv2_locksshd

AIX7.2:4.13 (Level 1)
Group: Miscellaneous Rules
Implementation specification: Remove the current working directory from root's PATH.
Script: /etc/security/pscexpert/bin/rmdotfrmpathroot
Arguments: cisv2_rmdotfrmpathroot

AIX7.2:5.1.1.1 (Level 1)
Group: Password policy rules
Implementation specification: Set the number of weeks before a password can be reused to 52.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: histexpire=52 ALL cisv2_histexpire

AIX7.2:5.1.1.2 (Level 1)
Group: Password policy rules
Implementation specification: Set the number of previous passwords a user cannot reuse to 0.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: histsize=0 ALL cisv2_histsize

AIX7.2:5.1.1.3 (Level 1)
Group: Password policy rules
Implementation specification: Set the minimum number of weeks before a password can be changed to 1 week.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: minage=1 ALL cisv2_minage

AIX7.2:5.1.2 (Level 1)
Group: Password policy rules
Implementation specification: All accounts must have a hashed password.
Script: /etc/security/pscexpert/bin/chksecpasswd
Arguments: hashed

AIX7.2:5.1.3 (Level 1)
Group: Password Policy Settings
Implementation specification: Ensure all users have a unique UID and name on the system.
Script: /etc/security/pscexpert/bin/checkuid
Arguments: uid cisv2_checkuid

AIX7.2:5.1.4 (Level 1)
Group: Password Policy Settings
Implementation specification: Ensure all groups have a unique GID and name on the system.
Script: /etc/security/pscexpert/bin/checkgid
Arguments: gid cisv2_checkgid

AIX7.2:5.2.1,5.2.4 (Level 1)
Group: Password policy rules
Implementation specification: Ensure the password policy is enforced for all users.
Script: /etc/security/pscexpert/bin/chksecpasswd
Arguments: policy

AIX7.2:5.2.2 (Level 1)
Group: Login policy recommendations
Implementation specification: Set the system password algorithm to a stronger cryptographic hash algorithm.
Script: /etc/security/pscexpert/bin/chdefstanza
Arguments: /etc/security/login.cfg pwd_algorithm=ssha256 usw cisv2_pwdalgorithm

AIX7.2:5.2.3 (Level 1)
Group: Password policy rules
Implementation specification: Ensure passwords are not hashed using 'crypt'.
Script: /etc/security/pscexpert/bin/chksecpasswd
Arguments: nocrypt

AIX7.2:5.2.5 (Level 1)
Group: Password policy rules
Implementation specification: Set the minimum length of a password to 14 characters.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: minlen=14 ALL cisv2_minlen

AIX7.2:5.2.6 (Level 1)
Group: Password policy rules
Implementation specification: Set the minimum number of characters in a new password that must not have been in the previous password to 4.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: mindiff=4 ALL cisv1_mindiff

AIX7.2:5.2.7 (Level 1)
Group: Password policy rules
Implementation specification: Set the minimum number of alphabetic characters in a password to 3.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: minalpha=3 ALL cisv2_minalpha

AIX7.2:5.2.8 (Level 1)
Group: Password policy rules
Implementation specification: Set the minimum number of non-alphabetic characters in a password to 3.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: minother=3 ALL cisv2_minother

AIX7.2:5.2.9 (Level 1)
Group: Password policy rules
Implementation specification: Set the maximum number of times a character can appear in a password to 4.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: maxrepeats=4 ALL cisv2_maxrepeats

AIX7.2:5.2.10 (Level 1)
Group: Password policy rules
Implementation specification: Set the minimum number of digits in a password to 1.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: mindigit=1 ALL cisv2_mindigit

AIX7.2:5.2.11 (Level 1)
Group: Password policy rules
Implementation specification: Set the minimum number of lowercase alphabetic characters in a password to 1.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: minloweralpha=1 ALL cisv2_minloweralpha

AIX7.2:5.2.12 (Level 1)
Group: Password policy rules
Implementation specification: Set the minimum number of uppercase alphabetic characters in a password to 1.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: minupperalpha=1 ALL cisv2_minupperalpha

AIX7.2:5.2.13 (Level 1)
Group: Password policy rules
Implementation specification: Set the minimum number of special characters in a password to 1.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: minspecialchar=1 ALL cisv3_minspecialchar

AIX7.2:5.3.1 (Level 1)
Group: Login policy recommendations
Implementation specification: Set local login (login) for user adm to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user login=false adm cisv2_loginadm

AIX7.2:5.3.1 (Level 1)
Group: Login policy recommendations
Implementation specification: Set remote login (rlogin) for user adm to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user rlogin=false adm cisv2_rloginadm

AIX7.2:5.3.2 (Level 1)
Group: Login policy recommendations
Implementation specification: Set local login (login) for user bin to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user login=false bin cisv2_loginbin

AIX7.2:5.3.2 (Level 1)
Group: Login policy recommendations
Implementation specification: Set remote login (rlogin) for user bin to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user rlogin=false bin cisv2_rloginbin

AIX7.2:5.3.3 (Level 1)
Group: Login policy recommendations
Implementation specification: Set local login (login) for user daemon to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user login=false daemon cisv2_logindaemon

AIX7.2:5.3.3 (Level 1)
Group: Login policy recommendations
Implementation specification: Set remote login (rlogin) for user daemon to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user rlogin=false daemon cisv2_rlogindaemon

AIX7.2:5.3.4 (Level 1)
Group: Login policy recommendations
Implementation specification: Set local login (login) for user guest to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user login=false guest cisv2_loginguest

AIX7.2:5.3.4 (Level 1)
Group: Login policy recommendations
Implementation specification: Set remote login (rlogin) for user guest to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user rlogin=false guest cisv2_rloginguest

AIX7.2:5.3.5 (Level 1)
Group: Login policy recommendations
Implementation specification: Set local login (login) for user lpd to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user login=false lpd cisv2_loginlpd

AIX7.2:5.3.6 (Level 1)
Group: Login policy recommendations
Implementation specification: Set local login (login) for user nobody to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user login=false nobody cisv2_loginnobody

AIX7.2:5.3.6 (Level 1)
Group: Login policy recommendations
Implementation specification: Set remote login (rlogin) for user nobody to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user rlogin=false nobody cisv2_rloginnobody

AIX7.2:5.3.7 (Level 1)
Group: Login policy recommendations
Implementation specification: Set local login (login) for user nuucp to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user login=false nuucp cisv2_loginnuucp

AIX7.2:5.3.7 (Level 1)
Group: Login policy recommendations
Implementation specification: Set remote login (rlogin) for user nuucp to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user rlogin=false nuucp cisv2_rloginnuucp

AIX7.2:5.3.8 (Level 1)
Group: Login policy recommendations
Implementation specification: Set local login (login) for user sys to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user login=false sys cisv2_loginsys8

AIX7.2:5.3.8 (Level 1)
Group: Login policy recommendations
Implementation specification: Set remote login (rlogin) for user sys to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user rlogin=false sys cisv2_rloginsys

AIX7.2:5.3.9 (Level 1)
Group: Login policy recommendations
Implementation specification: Set local login (login) for user uucp to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user login=false uucp cisv2_loginuucp

AIX7.2:5.3.9 (Level 1)
Group: Login policy recommendations
Implementation specification: Set remote login (rlogin) for user uucp to false.
Script: /etc/security/pscexpert/bin/chuserstanza
Arguments: /etc/security/user rlogin=false uucp cisv2_rloginuucp

AIX7.2:5.3.10 (Level 1)
Group: Permission Settings
Implementation specification: Add all users with a UID less than 200 to the /etc/ftpusers file.
Script: /etc/security/pscexpert/bin/uidftpusers
Arguments: cisv2_uidftpusers

AIX7.2:5.6 (Level 1)
Group: Password policy rules
Implementation specification: Set the maximum number of weeks that a password is valid to 13 weeks.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: maxage=13 ALL cisv2_maxage

AIX7.2:5.7 (Level 1)
Group: Password policy rules
Implementation specification: Set the maximum time (in weeks) beyond the maxage value during which a user can still change an expired password to 4.
Script: /etc/security/pscexpert/bin/chusrattr
Arguments: maxexpired=4 ALL cisv2_maxexpired

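The password and login rows above are applied by chusrattr and chuserstanza to /etc/security/user, which is an AIX stanza file: an unindented `name:` line opens a stanza, indented `attribute = value` lines belong to it, and a user's effective attribute is the one in their own stanza or, failing that, the one in the `default` stanza. The page does not show how to verify the result, so the following read-only audit is an added example written for this page; it is not the pscexpert chusrattr or chuserstanza script, whose internals are not documented here. The `stanza_get`, `user_attr`, `report` and `audit_user_file` helpers are hypothetical names, the expected values come from the table rows, and the stanza file it reads is a constructed sample rather than a real system's /etc/security/user.

```shell
#!/bin/sh
# Added example: hypothetical read-only audit of an AIX stanza file such as
# /etc/security/user against the CIS VIOS V2 rows above. Not a pscexpert script.

# Print attribute $3 of stanza $2 in stanza file $1 (empty if absent).
# Headers are unindented "name:" lines, attributes are indented "attr = value"
# lines, and "*" starts a comment.
stanza_get() {
    awk -v want="$2" -v attr="$3" '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }
        /^[^ \t].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == want {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == attr) { print v; exit }
        }' "$1"
}

# Effective value for a user: the user's own stanza, else the default stanza.
user_attr() {
    v=$(stanza_get "$1" "$2" "$3")
    [ -n "$v" ] || v=$(stanza_get "$1" default "$3")
    printf '%s\n' "$v"
}

# Default-stanza values from the chusrattr rows above (attribute=value ALL).
CIS_DEFAULTS="histexpire=52 histsize=0 minage=1 minlen=14 mindiff=4 minalpha=3
minother=3 maxrepeats=4 mindigit=1 minloweralpha=1 minupperalpha=1
minspecialchar=1 maxage=13 maxexpired=4"

# $1 scope, $2 attribute, $3 actual, $4 expected; returns 1 on a mismatch.
report() {
    if [ "$3" = "$4" ]; then echo "PASS $1 $2 = $3"; return 0; fi
    echo "FAIL $1 $2 = '${3:-<unset>}' (expected $4)"; return 1
}

# Audit the default stanza plus three of the historical accounts the table
# locks (the table's full list is longer); exit status is the failure count.
audit_user_file() {
    f=$1; failures=0
    for pair in $CIS_DEFAULTS; do
        report default "${pair%%=*}" "$(stanza_get "$f" default "${pair%%=*}")" "${pair#*=}" \
            || failures=$((failures + 1))
    done
    for u in daemon bin sys; do
        for pair in account_locked=true login=false rlogin=false; do
            report "$u" "${pair%%=*}" "$(user_attr "$f" "$u" "${pair%%=*}")" "${pair#*=}" \
                || failures=$((failures + 1))
        done
    done
    return $failures
}

# Constructed sample (not a real system's file): minlen and maxrepeats are weak,
# bin inherits rlogin from default, and sys has no stanza at all.
write_sample_user_file() {
    f=$(mktemp) && cat > "$f" <<'EOF'
* constructed sample of /etc/security/user
default:
        admin = false
        login = true
        rlogin = true
        account_locked = false
        histexpire = 52
        histsize = 0
        minage = 1
        minlen = 8
        mindiff = 4
        minalpha = 3
        minother = 3
        maxrepeats = 8
        mindigit = 1
        minloweralpha = 1
        minupperalpha = 1
        minspecialchar = 1
        maxage = 13
        maxexpired = 4

root:
        login = true

daemon:
        login = false
        rlogin = false
        account_locked = true

bin:
        login = false
        account_locked = true
EOF
    echo "$f"
}

# Stand-alone demo: audit the sample and report the failure count.
sample=$(write_sample_user_file)
audit_user_file "$sample" || echo "$? non-compliant setting(s)"
rm -f "$sample"
```

The fallback in `user_attr` is the point worth noticing: the bin stanza in the sample never mentions rlogin, so the account silently inherits `rlogin = true` from the default stanza and is reported as non-compliant, which is why the table sets login and rlogin per account rather than relying on the default. On a live system, run `audit_user_file /etc/security/user` as a user permitted to read the file; the example only reads.
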
AIX7.2:4.1.1.1

Level 1

Rules for /etc/inittab Comment the entry for writesrc in /etc/inittab. /etc/security/pscexpert/bin/comntrows

Arguments: writesrv: /etc/inittab : d cisv2_writesrv

AIX7.2:4.1.1.2

Level 1

Permission Settings Block attempts to use the talk and write command. /etc/security/pscexpert/bin/chperm

Arguments: num:0000 path:/usr/bin/talk

AIX7.2:4.1.1.2

Level 1

Permission Settings Block attempts to use the talk and write command. /etc/security/pscexpert/bin/chperm

Arguments: num:0000 path:/usr/sbin/writesrc

AIX7.2:4.1.1.3

Level 1

Rules for /etc/inittab Comment the entry for dt in /etc/inittab. /etc/security/pscexpert/bin/comntrows

Arguments: dt: /etc/inittab : d cisv2_dt

AIX7.2:4.1.1.4

Level 1

Rules for /etc/inittab Comment the entry for piobe in /etc/inittab. /etc/security/pscexpert/bin/comntrows

Arguments: piobe: /etc/inittab : d cisv2_piobe

AIX7.2:4.1.1.5

Level 1

Rules for /etc/inittab Comment the entry for piobe in /etc/inittab. /etc/security/pscexpert/bin/comntrows

Arguments: qdaemon: /etc/inittab : d cisv2_qdaemon

AIX7.2:4.1.1.6

Level 1

Rules for /etc/inittab Comment the entry for rcnfs in /etc/inittab. /etc/security/pscexpert/bin/comntrows

Arguments: rcnfs: /etc/inittab : d cisv2_rcnfs

AIX7.2:4.1.1.7

Level 1

Manage filesets Uninstall cas_agent. /etc/security/pscexpert/bin/managefilesets

Arguments: uninstall like:cas.agent

AIX7.2:4.1.2.1

Level 1

/etc/rc.tcpip Settings Disable inetd daemon and comment its entry in /etc/rc/tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: inetd d cisv2_inetd

AIX7.2:4.1.2.2

Level 1

/etc/rc.tcpip Settings Disable aixmibd daemon and comment its entry in /etc/rc/tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: aixmibd d cisv2_aixmibd

AIX7.2:4.1.2.3

Level 1

/etc/rc.tcpip Settings Disable dhcpcd daemon and comment its entry in /etc/rc/tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: dhcpcd d cisv2_dhcpcd

AIX7.2:4.1.2.4

Level 1

/etc/rc.tcpip Settings Disable dhcprd daemon and comment its entry in /etc/rc/tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: dhcprd d cisv2_dhcprd

AIX7.2:4.1.2.5

Level 1

/etc/rc.tcpip Settings Disable dhcpsd daemon and comment its entry in /etc/rc/tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: dhcpsd d cisv2_dhcpsd

AIX7.2:4.1.2.6

Level 1

/etc/rc.tcpip Settings Disable the dpid2 daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: dpid2 d cisv2_dpid2

AIX7.2:4.1.2.7

Level 1

/etc/rc.tcpip Settings Disable the gated daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: gated d cisv2_gated

AIX7.2:4.1.2.8

Level 1

/etc/rc.tcpip Settings Disable the hostmibd daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: hostmibd d cisv2_hostmibd

AIX7.2:4.1.2.9

Level 1

/etc/rc.tcpip Settings Disable the mrouted daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: mrouted d cisv2_mrouted

AIX7.2:4.1.2.10

Level 1

/etc/rc.tcpip Settings Disable the named daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: named d cisv2_named

AIX7.2:4.1.2.11

Level 1

/etc/rc.tcpip Settings Disable the portmap daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: portmap d cisv2_portmap

AIX7.2:4.1.2.12

Level 1

/etc/rc.tcpip Settings Disable the routed daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: routed d cisv2_routed

AIX7.2:4.1.2.13

Level 1

/etc/rc.tcpip Settings Disable the rwhod daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: rwhod d cisv2_rwhod

AIX7.2:4.1.2.14

Level 1

/etc/rc.tcpip Settings Disable the sendmail daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: sendmail d cisv2_sendmail

AIX7.2:4.1.2.15

Level 1

/etc/rc.tcpip Settings Disable the snmpd daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: snmpd d cisv2_snmpd

AIX7.2:4.1.2.16

Level 1

/etc/rc.tcpip Settings Disable the snmpmibd daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: snmpmibd d cisv2snmpmibd

AIX7.2:4.1.2.17

Level 1

/etc/rc.tcpip Settings Disable the timed daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: timed d cisv2_timed

AIX7.2:4.1.3.1

Level 1

/etc/rc.tcpip Settings Disable the autoconf6 daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: autoconf6 d cisv2_autoconf6

AIX7.2:4.1.3.2

Level 1

/etc/rc.tcpip Settings Disable the ndpd-host daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: ndpd-host d cisv2_ndpdhost

AIX7.2:4.1.3.3

Level 1

/etc/rc.tcpip Settings Disable the ndpd-router daemon and comment out its entry in /etc/rc.tcpip. /etc/security/pscexpert/bin/rctcpip

Arguments: ndpd-router d cisv2_ndpdrouter

AIX7.2:4.1.4.1

Level 1

Permission Settings NFS - de-install NFS client. /etc/security/pscexpert/bin/uninstallNFSclient

AIX7.2:4.1.4.3

Level 1

Permission Settings NFS - enable both nosuid and nodev options on NFS client mounts. /etc/security/pscexpert/bin/disableNFSsuid

AIX7.2:4.1.4.4

Level 1

Permission Settings NFS - localhost removal. /etc/security/pscexpert/bin/disableNFSlocal

AIX7.2:4.1.4.6

Level 1

Permission Settings NFS - no_root_squash option. /etc/security/pscexpert/bin/rootsquashNFS

AIX7.2:4.1.5.1

Level 1

/etc/inetd.conf Settings Comment the entry for bootps service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: bootps udp d cisv2_bootps

AIX7.2:4.1.5.2

Level 1

/etc/inetd.conf Settings Comment the entry for chargen service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: chargen udp d cisv2_chargen

AIX7.2:4.1.5.3

Level 1

/etc/inetd.conf Settings Comment the entry for comsat service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: comsat udp d cisv2_comsat

AIX7.2:4.1.5.4

Level 1

/etc/inetd.conf Settings Comment the entry for daytime service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: daytime tcp d cisv2_tcpdaytime

AIX7.2:4.1.5.4

Level 1

/etc/inetd.conf Settings Comment the entry for daytime service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: daytime udp d cisv2_tcpdaytime

AIX7.2:4.1.5.5

Level 1

/etc/inetd.conf Settings Comment the entry for discard service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: discard udp d cisv2_discard

AIX7.2:4.1.5.6

Level 1

/etc/inetd.conf Settings Comment the entry for echo service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: echo tcp d cisv2_tcpecho

AIX7.2:4.1.5.6

Level 1

/etc/inetd.conf Settings Comment the entry for echo service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: echo udp d cisv2_udpecho

AIX7.2:4.1.5.7

Level 1

/etc/inetd.conf Settings Comment the entry for exec service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: exec tcp6 d cisv2_exec

AIX7.2:4.1.5.8

Level 1

/etc/inetd.conf Settings Comment the entry for finger service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: finger tcp d cisv2_finger

AIX7.2:4.1.5.9

Level 1

/etc/inetd.conf Settings Comment the entry for ftp service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: ftp tcp6 d cisv2_ftp

AIX7.2:4.1.5.10

Level 1

/etc/inetd.conf Settings Comment the entry for imap2 service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: imap2 tcp d cisv2_imap2

AIX7.2:4.1.5.11

Level 1

/etc/inetd.conf Settings Comment the entry for instsrv service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: instsrv tcp d cisv2_instsrv

AIX7.2:4.1.5.12

Level 1

/etc/inetd.conf Settings Comment the entry for klogin service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: klogin tcp d cisv2_klogin

AIX7.2:4.1.5.13

Level 1

/etc/inetd.conf Settings Comment the entry for kshell service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: kshell tcp d cisv2_kshell

AIX7.2:4.1.5.14

Level 1

/etc/inetd.conf Settings Comment the entry for rlogin service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: rlogin tcp6 d cisv2_rlogin

AIX7.2:4.1.5.15

Level 1

/etc/inetd.conf Settings Comment the entry for netstat service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: netstat tcp d cisv2_netstat

AIX7.2:4.1.5.16

Level 1

/etc/inetd.conf Settings Comment the entry for ntalk service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: ntalk udp d cisv2_ntalk

AIX7.2:4.1.5.17

Level 1

/etc/inetd.conf Settings Comment the entry for pcnfsd service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: pcnfsd udp d cisv2_pcnfsd

AIX7.2:4.1.5.18

Level 1

/etc/inetd.conf Settings Comment the entry for pop3d service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: pop3 tcp d cisv2_pop3

AIX7.2:4.1.5.19

Level 1

/etc/inetd.conf Settings Comment the entry for rexd service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: rexd tcp d cisv2_rexd

AIX7.2:4.1.5.20

Level 1

/etc/inetd.conf Settings Comment the entry for rquotad service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: rquotad udp d cisv2_rquotad

AIX7.2:4.1.5.21

Level 1

/etc/inetd.conf Settings Comment the entry for rstatd service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: rstatd udp d cisv2_rstatd

AIX7.2:4.1.5.22

Level 1

/etc/inetd.conf Settings Comment the entry for ruserd service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: ruserd udp d cisv2_ruserd

AIX7.2:4.1.5.23

Level 1

/etc/inetd.conf Settings Comment the entry for rwalld service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: rwalld udp d cisv2_rwalld

AIX7.2:4.1.5.24

Level 1

/etc/inetd.conf Settings Comment the entry for shell service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: shell tcp6 d cisv2_shell

AIX7.2:4.1.5.25

Level 1

/etc/inetd.conf Settings Comment the entry for sprayd service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: sprayd udp d cisv2_sprayd

AIX7.2:4.1.5.26

Level 1

/etc/inetd.conf Settings Comment the entry for xmquery service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: xmquery udp d cisv2_xmquery

AIX7.2:4.1.5.27

Level 1

/etc/inetd.conf Settings Comment the entry for talk service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: talk udp d cisv2_talk

AIX7.2:4.1.5.28

Level 1

/etc/inetd.conf Settings Comment the entry for telnet service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: telnet tcp6 d cisv2_telnet

AIX7.2:4.1.5.29

Level 1

/etc/inetd.conf Settings Comment the entry for tftp service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: tftp udp6 d cisv2_tftp

AIX7.2:4.1.5.30

Level 1

/etc/inetd.conf Settings Comment the entry for time service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: time tcp d cisv2_tcptime

AIX7.2:4.1.5.30

Level 1

/etc/inetd.conf Settings Comment the entry for time service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: time udp d cisv2_udptime

AIX7.2:4.1.5.31

Level 1

/etc/inetd.conf Settings Comment the entry for uucp service in /etc/inetd.conf and refresh inetd process. /etc/security/pscexpert/bin/cominetdconf

Arguments: uucp tcp d cisv2_uucp

AIX7.2:4.2.1

Level 1

Tune network options Set the value of the network option clean_partial_conns to 1. /etc/security/pscexpert/bin/ntwkopts

Arguments: clean_partial_conns=1 s cisv2_clean_partial_conns

AIX7.2:4.2.2

Level 1

Tune network options Set the value of the network option bcastping to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: bcastping=0 s cisv2_bcastping

AIX7.2:4.2.3

Level 1

Tune network options Set the value of the network option directed_broadcast to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: directed_broadcast=0 s cisv2_directedbcast

AIX7.2:4.2.4

Level 1

Tune network options Set the value of the network option icmpaddressmask to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: icmpaddressmask=0 s cisv2_icmpaddrmask

AIX7.2:4.2.5

Level 1

Tune network options Set the value of the network option ipforwarding to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: ipforwarding=0 s cisv2_ipforwarding

AIX7.2:4.2.6

Level 1

Tune network options Set the value of the network option ipignoreredirects to 1. /etc/security/pscexpert/bin/ntwkopts

Arguments: ipignoreredirects=1 s cisv2_ipignoredirects

AIX7.2:4.2.7

Level 1

Tune network options Set the value of the network option ipsendredirects to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: ipsendredirects=0 s cisv2_ipsendredirects

AIX7.2:4.2.8

Level 1

Tune network options Set the value of the network option ipsrcrouteforward to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: ipsrcrouteforward=0 s cisv2_ipsrcrouteforward

AIX7.2:4.2.9

Level 1

Tune network options Set the value of the network option ipsrcrouterecv to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: ipsrcrouterecv=0 s cisv2_ipsrcrouterecv

AIX7.2:4.2.10

Level 1

Tune network options Set the value of the network option ipsrcroutesend to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: ipsrcroutesend=0 s cisv2_ipsrcroutesend

AIX7.2:4.2.11

Level 1

Tune network options Set the value of the network option ip6srcrouteforward to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: ip6srcrouteforward=0 s cisv2_ip6srcrouteforward

AIX7.2:4.2.12

Level 1

Tune network options Set the value of the network option nfs_use_reserved_ports to 1. /etc/security/pscexpert/bin/ntwkfsopts

Arguments: nfs_use_reserved_ports=1 s cisv2_nfsusereservedports

AIX7.2:4.2.13

Level 1

Tune network options Set the value of the network option nonlocsrcroute to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: nonlocsrcroute=0 s cisv2_nonlocsrcroute

AIX7.2:4.2.14

Level 1

Tune network options Set the value of the network option sockthresh to 60. /etc/security/pscexpert/bin/ntwkopts

Arguments: sockthresh=60 s cisv2_sockthresh

AIX7.2:4.2.15

Level 1

Tune network options Set the value of the network option tcp_pmtu_discover to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: tcp_pmtu_discover=0 s cisv2_tcppmtudiscover

AIX7.2:4.2.16

Level 1

Tune network options Set the value of the network option tcp_tcpsecure to 7. /etc/security/pscexpert/bin/ntwkopts

Arguments: tcp_tcpsecure=7 s cisv2_tcpsecure

AIX7.2:4.2.17

Level 1

Tune network options Set the value of the network option udp_pmtu_discover to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: udp_pmtu_discover=0 s cisv2_udppmtudiscover

AIX7.2:4.2.18

Level 1

Tune network options Set the value of the network option ip6forwarding to 0. /etc/security/pscexpert/bin/ntwkopts

Arguments: ip6forwarding=0 s cisv2_ip6forwarding

AIX7.2:4.9

Level 1

Login policy recommendations Restrict access to root, via su, to members of a specific group by setting the su attribute to true. /etc/security/pscexpert/bin/chuserstanza

Arguments: /etc/security/user su=true root cisv2_rootsu

AIX7.2:4.9

Level 1

Login policy recommendations Restrict access to root, via su, to members of a specific group by disabling console login for root. /etc/security/pscexpert/bin/chuserstanza

Arguments: /etc/security/user login=false root cisv2_rootlogin

AIX7.2:4.9

Level 1

Login policy recommendations Restrict access to root, via su, to members of a specific group by disabling remote login for root. /etc/security/pscexpert/bin/chuserstanza

Arguments: /etc/security/user rlogin=false root cisv2_rootrlogin

AIX7.2:4.9

Level 1

Login policy recommendations Restrict access to root, via su, to members of a specific group by setting sugroups attribute to SUADMIN. /etc/security/pscexpert/bin/chuserstanza

Arguments: /etc/security/user sugroups=SUADMIN root cisv2_rootsugroups

AIX7.2:4.10

Level 1

Resource limits recommendations Set the core limit in the default stanza to 0 in /etc/security/limits. /etc/security/pscexpert/bin/chdefstanza

Arguments: /etc/security/limits core=0 default cisv2_corelimit

AIX7.2:4.10

Level 1

Resource limits recommendations Set the core_hard limit in the default stanza to 0 in /etc/security/limits. /etc/security/pscexpert/bin/chdefstanza

Arguments: /etc/security/limits core_hard=0 default cisv2_corehardlimit

AIX7.2:4.10

Level 1

Resource limits recommendations Set the fullcore kernel parameter to false. /etc/security/pscexpert/bin/chdevattr

Arguments: sys0 fullcore=false

AIX7.2:4.14

Level 1

Miscellaneous Rules Create a /etc/motd file which displays, post initial logon, a statutory warning message. /etc/security/pscexpert/dodv7/checkdata

Arguments: /etc/motd "Authorized" cisv2_chketcmotd

AIX7.2:3.3

Level 1

Password policy rules Ensure default umask is 027 or more restrictive. /etc/security/pscexpert/bin/chusrattr

Arguments: umask=27 ALL cisv1_umask

AIX7.2:6.4,6.6

Level 1

Miscellaneous Rules Review the current at/cron files and add any relevant users to the /var/adm/cron/at.allow and /var/adm/cron/cron.allow files. /etc/security/pscexpert/bin/limitcissysacc

Arguments: h cisv2_limiticissysacc

AIX7.2:7.2

Level 1

Manage filesets Install flrtvc tool. /etc/security/pscexpert/dodv7/checkcmd

Arguments: flrtvc.ksh

AIX7.2:4.3.1

Level 1

IPSec Filter Rules Ensure that IP Security is available. /etc/security/pscexpert/bin/ipsec_config

Arguments: enable

AIX7.2:4.3.2

Level 1

IPSec Filter Rules Ensure loopback is blocked on external interfaces. /etc/security/pscexpert/bin/ipsecshunhostcis

Arguments: cisv2_ipsecloopbk

AIX7.2:4.3.3

Level 1

IPSec Filter Rules Ensure filters are active. /etc/security/pscexpert/bin/ipsecshunhostcis

Arguments: cisv2_ipsecfilter