| Control | Mapped finding(s) | Status | Observed evidence |
|---|---|---|---|
| stig:V-215287 | SSH root login | FAIL | permitrootlogin yes |
| stig:V-215231 | SNMP community strings | FAIL | default community in use |
| stig:V-215200 | Login banner | WARN | no herald set |
| stig:V-215171 | STIG account policy | FAIL | loginretries=0 (need le 3) |
| stig:V-215220 | STIG account policy | FAIL | mindiff=0 (need ge 8) |
| stig:V-215223 | STIG account policy | FAIL | maxage=13 (need le 8) |
| stig:V-215224 | STIG account policy | FAIL | histsize=4 (need ge 5) |
| stig:V-215226 | STIG account policy | FAIL | minlen=10 (need ge 15) |
| stig:V-215232 | STIG account policy | FAIL | maxrepeats=8 (need le 3) |
| stig:V-215337 | STIG account policy | FAIL | logindelay=0 (need ge 4) |
| stig:V-215399 | STIG network tunables | FAIL | clean_partial_conns=0 (need eq 1) |
| stig:V-215353 | STIG disabled services | FAIL | sendmail starts at boot in /etc/rc.tcpip |
| stig:V-215354 | STIG disabled services | FAIL | snmpd starts at boot in /etc/rc.tcpip |
| stig:V-215365 | STIG disabled services | FAIL | snmpmibd starts at boot in /etc/rc.tcpip |
| stig:V-215208 | Time synchronization (NTP) | FAIL | xntpd inoperative, 0 server(s) |
| stig:V-215402 | SSH ciphers | PASS | aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com |
| stig:V-215258 | Cleartext inetd services | PASS | telnet not enabled in inetd.conf |
| stig:V-215259 | Cleartext inetd services | PASS | ftp not enabled in inetd.conf |
| stig:V-215432 | Trust files (.rhosts) | PASS | none present |
| stig:V-215269 | STIG file permissions | PASS | /etc/inetd.conf 0644 u=0 g=0 |
| stig:V-215272 | STIG file permissions | PASS | /etc/ntp.conf 0640 u=0 g=0 |
| stig:V-215273 | STIG file permissions | PASS | /etc/ntp.conf 0640 u=0 g=0 |
| stig:V-215281 | STIG file permissions | PASS | /etc/ntp.conf 0640 u=0 g=0 |
| stig:V-215274 | STIG file permissions | PASS | /etc/group 0644 u=0 g=7 |
| stig:V-215275 | STIG file permissions | PASS | /etc/group 0644 u=0 g=7 |
| stig:V-215282 | STIG file permissions | PASS | /etc/group 0644 u=0 g=7 |
| stig:V-245558 | STIG file permissions | PASS | /etc/hosts 0640 u=0 g=0 |
| stig:V-245559 | STIG file permissions | PASS | /etc/hosts 0640 u=0 g=0 |
| stig:V-245562 | STIG file permissions | PASS | /etc/syslog.conf 0640 u=0 g=0 |
| stig:V-245563 | STIG file permissions | PASS | /etc/syslog.conf 0640 u=0 g=0 |
| stig:V-215172 | STIG account policy | NA | maxulogs unset |
| stig:V-215217 | STIG account policy | PASS | minupperalpha=1 (need ge 1) |
| stig:V-215218 | STIG account policy | PASS | minloweralpha=1 (need ge 1) |
| stig:V-215219 | STIG account policy | PASS | mindigit=1 (need ge 1) |
| stig:V-215222 | STIG account policy | PASS | minage=4 (need ge 1) |
| stig:V-215227 | STIG account policy | PASS | minspecialchar=1 (need ge 1) |
| stig:V-215263 | STIG network tunables | PASS | ipforwarding=0 (need eq 0) |
| stig:V-215265 | STIG network tunables | PASS | ip6forwarding=0 (need eq 0) |
| stig:V-215430 | STIG network tunables | PASS | bcastping=0 (need eq 0) |
| stig:V-215257 | STIG disabled services | PASS | exec not enabled in inetd.conf |
| stig:V-215334 | STIG disabled services | PASS | tftp not enabled in inetd.conf |
| stig:V-215346 | STIG disabled services | PASS | shell not enabled in inetd.conf |
| stig:V-215347 | STIG disabled services | PASS | login not enabled in inetd.conf |
| stig:V-215369 | STIG disabled services | PASS | daytime not enabled in inetd.conf |
| stig:V-215370 | STIG disabled services | PASS | cmsd not enabled in inetd.conf |
| stig:V-215371 | STIG disabled services | PASS | ttdbserver not enabled in inetd.conf |
| stig:V-215372 | STIG disabled services | PASS | uucp not enabled in inetd.conf |
| stig:V-215373 | STIG disabled services | PASS | time not enabled in inetd.conf |
| stig:V-215374 | STIG disabled services | PASS | talk not enabled in inetd.conf |
| stig:V-215375 | STIG disabled services | PASS | ntalk not enabled in inetd.conf |
| stig:V-215376 | STIG disabled services | PASS | chargen not enabled in inetd.conf |
| stig:V-215377 | STIG disabled services | PASS | discard not enabled in inetd.conf |
| stig:V-215378 | STIG disabled services | PASS | dtspc not enabled in inetd.conf |
| stig:V-215379 | STIG disabled services | PASS | pcnfsd not enabled in inetd.conf |
| stig:V-215380 | STIG disabled services | PASS | rstatd not enabled in inetd.conf |
| stig:V-215381 | STIG disabled services | PASS | rusersd not enabled in inetd.conf |
| stig:V-215382 | STIG disabled services | PASS | sprayd not enabled in inetd.conf |
| stig:V-215383 | STIG disabled services | PASS | klogin not enabled in inetd.conf |
| stig:V-215384 | STIG disabled services | PASS | kshell not enabled in inetd.conf |
| stig:V-215385 | STIG disabled services | PASS | rquotad not enabled in inetd.conf |
| stig:V-215386 | STIG disabled services | PASS | tftp not enabled in inetd.conf |
| stig:V-215387 | STIG disabled services | PASS | imap2 not enabled in inetd.conf |
| stig:V-215388 | STIG disabled services | PASS | pop3 not enabled in inetd.conf |
| stig:V-215389 | STIG disabled services | PASS | finger not enabled in inetd.conf |
| stig:V-215390 | STIG disabled services | PASS | instsrv not enabled in inetd.conf |
| stig:V-215391 | STIG disabled services | PASS | echo not enabled in inetd.conf |
| stig:V-215406 | STIG disabled services | PASS | rwalld not enabled in inetd.conf |
| stig:V-215358 | STIG disabled services | PASS | gated not started in /etc/rc.tcpip |
| stig:V-215361 | STIG disabled services | PASS | routed not started in /etc/rc.tcpip |
| stig:V-215362 | STIG disabled services | PASS | rwhod not started in /etc/rc.tcpip |
| stig:V-215363 | STIG disabled services | PASS | timed not started in /etc/rc.tcpip |
| Risk | Category | Finding | Observed |
|---|---|---|---|
| Critical | F. Availability & resilience | OS backup (mksysb) evidence | /image.data older than 90 days |
| Critical | G. Security & hardening | SSH root login | permitrootlogin yes |
| Critical | G. Security & hardening | root account controls | rlogin=true + sugroups=ALL (root wide open) |
| Critical | G. Security & hardening | STIG account policy | 5 of 12 rules compliant, 1 n/a; failing: V-215171 loginretries=0 (needs le 3), V-215220 mindiff=0 (needs ge 8), V-215223 maxage=13 (needs le 8), V-215224 histsize=4 (needs ge 5), V-215226 minlen=10 (needs ge 15), +2 more |
| Critical | G. Security & hardening | STIG network tunables | 3 of 4 rules compliant, 0 n/a; failing: V-215399 clean_partial_conns=0 (needs eq 1) |
| Critical | G. Security & hardening | STIG disabled services | 34 of 37 rules compliant, 0 n/a; failing: V-215353 sendmail, V-215354 snmpd, V-215365 snmpmibd |
| High | C. Storage & capacity | Other filesystems | /opt 94%; repo (informational): /usr/sys/inst.images 100% |
| High | F. Availability & resilience | rootvg redundancy | 1 disk, unmirrored |
| High | G. Security & hardening | Default password policy | weak: loginretries=0 |
| High | G. Security & hardening | SNMP community strings | default community in use |
| High | G. Security & hardening | Audit subsystem | auditing off |
| High | H. Config hygiene | Time synchronization (NTP) | xntpd inoperative, 0 server(s) |
| High | I. Monitoring & operational readiness | Monitoring agent | none detected |
| Risk | Finding | Observed | What it means & how to fix | Control tags |
|---|---|---|---|---|
| Medium | Hardware generation | 9009-22A (POWER9) — hardware support ended 2026-01-31 (fully-virtual LPAR) | This hardware generation is past IBM support, but this LPAR has no physical I/O adapters — the hardware is the host provider's to maintain (PowerVS or your VIOS estate). Confirm whose problem this is. Fix: confirm who owns the hardware (IBM on PowerVS; your team on-prem) — no action is possible inside this LPAR. | ffiec:II.C.11 |
| Risk | Finding | Observed | What it means & how to fix | Control tags |
|---|---|---|---|---|
| High | Other filesystems | /opt 94%; repo (informational): /usr/sys/inst.images 100% | One or more non-system filesystems are critically full. Fix: free space or extend them; add monitoring. | — |
| Risk | Finding | Observed | What it means & how to fix | Control tags |
|---|---|---|---|---|
| Medium | Memory composition | computational 94%, file/numperm 5.4%, 48MB avail (2%), 1820MB pinned of 2048MB | Nearly all memory is computational (working) pages, not file cache (numperm 5.4%) — this is genuine in-use memory the VMM cannot reclaim, so the tight look is real, not just cache. Only 48MB is available. Whether it is actually hurting depends on the paging-activity check; composition alone says there is little slack. Fix: if the working set grows, add RAM or trim the top consumers ('svmon -P -O unit=MB | head'); reclaimable file cache is already at its floor, so there is nothing to give back. | — |
| Medium | JFS2 filesystem-buffer blocking | blocked since boot: jfs2 fsbuf 1656, external-pager 518, client 0 | Filesystem I/O has been blocked waiting for JFS2 filesystem buffers (fsbuf) 2174 time(s) since boot — the buffer pool ran dry under I/O load and requests had to wait, adding latency that CPU/memory graphs never reveal. The count is cumulative since boot. Fix: re-read 'vmstat -v' after a busy period: if the number is still climbing, raise JFS2 buffers with 'ioo -p -o j2_dynamicBufferPreallocation=<n>' (default 16, in 16KB units) and/or 'ioo -p -o numfsbufs=<n>'; a static non-zero count from a past burst is usually benign. | — |
| Risk | Finding | Observed | What it means & how to fix | Control tags |
|---|---|---|---|---|
| Medium | Error log (7 days) | 2 error entries (11 informational ignored) | Errors are the box telling you something — read them before they escalate. Fix: review 'errpt -a' for these entries; fix or explain each recurring one. | — |
| Low | Error notification methods | default errnotify only (diagela call-home present, no site paging) | The default diagela stanzas forward hardware errors to the diagnostics / Service Focal Point path (call-home, if enabled on the HMC/service processor), but no stanza runs a site alert script — nothing pages or mails your on-call on a critical or disk error. Fix: add an errnotify ODM stanza (odmadd) whose en_method pages/mails on class=H PERM and disk labels (e.g. SC_DISK_ERR*, LVM_SA_QUORCLOSE). | — |
| Risk | Finding | Observed | What it means & how to fix | Control tags |
|---|---|---|---|---|
| Critical | OS backup (mksysb) evidence | /image.data older than 90 days | No recent OS backup evidence on this box — a rootvg loss means rebuild-from-scratch. (Local evidence only; confirm where mksysb lands and when it last ran.) Fix: run a mksysb now; schedule it; verify the target is itself backed up. | ffiec:II.C.21 |
| High | rootvg redundancy | 1 disk, unmirrored | The OS lives on one disk — a single point of failure unless the backing storage is RAID/SAN-protected. Verify which. Fix: mirror rootvg (mirrorvg + bosboot + bootlist) or document the storage-level protection. | — |
| Medium | Dump copy directory | copy dir /var/adm/ras has 102 MB free, estimated dump 1241 MB | The dump device can capture the dump, but the copy directory (/var/adm/ras, 102 MB free) is too small to hold a dump of the estimated size (1241 MB). On reboot the copy off the device fails, so the image is lost before anyone can analyze it — the same forensic loss as an undersized device, one step later. Fix: free space in /var/adm/ras or point the copy directory at a filesystem with room for the dump ('sysdumpdev -D <dir>'), sized to 'sysdumpdev -e'. | ffiec:II.C.21 |
| Risk | Finding | Observed | What it means & how to fix | Control tags |
|---|---|---|---|---|
| Critical | SSH root login | permitrootlogin yes | Direct SSH root login is open — a single brute-forceable credential with no accountability. Fix: set 'PermitRootLogin no' (or prohibit-password) in sshd_config and restart sshd. | stig:V-215287, cis-l1, ffiec:II.C.7 |
| High | Default password policy | weak: loginretries=0 | The default password rules are weaker than any standard requires — every new account inherits them. Fix: tighten the /etc/security/user default stanza (maxage 1-13wk, minlen>=8, loginretries>0, histsize>0). | cis-l1, ffiec:II.C.15 |
| High | SNMP community strings | default community in use | SNMP uses a default community string (public/private) — anyone on the network can read, or write, system data. Fix: replace public/private with a strong community in /etc/snmpd.conf and refresh snmpd. | stig:V-215231, cis-l1 |
| High | Audit subsystem | auditing off | No audit trail — you cannot answer 'who did what' after an incident. Fix: configure and start audit ('audit start'; set it to start at boot). | cis-l1, ffiec:II.C.22 |
| Low | Trusted Execution | TE=OFF | Trusted Execution is off (informational) — no runtime binary-integrity enforcement. Fix: consider enabling TE ('trustchk -p TE=ON') if your change control supports it. | — |
| Low | Login banner | no herald set | No legal login banner is set — auditors ask for one and it deters casual access. Fix: set a herald in the /etc/security/login.cfg default stanza (chsec -a herald=...). | stig:V-215200 |
| Critical | root account controls | rlogin=true + sugroups=ALL (root wide open) | root can log in directly over the network (rlogin=true) AND any user may attempt su to root (sugroups=ALL) — the classic 'root wide open' pair. Either alone is a gap; together, root is one guessed password away from a network login with no accountability. This is the OS account gate in /etc/security/user, separate from sshd's PermitRootLogin. Fix: restrict both: 'chsec -f /etc/security/user -s root -a rlogin=false' (admins log in as themselves and su/sudo to root) and '-a sugroups=<sysadmin-group>' so only a named group may su to root. | cis-l1, ffiec:II.C.7 |
| Medium | Network exposure vs filtering | 10 external listener(s) on ports 22,25,111,199,657,1334,32768,32769 +1 more; host IP filtering INACTIVE | 10 services listen on non-loopback addresses (reachable from the network) and AIX host packet filtering (IP Security) is not active — the box relies entirely on the upstream network/firewall. One perimeter mistake, VLAN change, or misrouted subnet exposes every one of these ports directly. Fix: reduce the surface first (stop services you do not need — see the listeners and cleartext-inetd checks), then, if the box must self-defend, define rules with 'genfilt'/'mkfilt' and activate host filtering with 'mkfilt -v4 -u'. | — |
| Critical | STIG account policy | 5 of 12 rules compliant, 1 n/a; failing: V-215171 loginretries=0 (needs le 3), V-215220 mindiff=0 (needs ge 8), V-215223 maxage=13 (needs le 8), V-215224 histsize=4 (needs ge 5), V-215226 minlen=10 (needs ge 15), +2 more | One or more account/password-policy attributes in /etc/security are weaker than the DISA STIG for IBM AIX 7.x mandates — each is a documented hardening gap an auditor will flag, and it applies to every account inheriting the default stanza. Fix: tighten the failing attributes with chsec (chsec -f <file> -s default -a <attr>=<value>); the compliance report lists every rule, the required value, and the observed value. | stig:V-215171, stig:V-215172, stig:V-215217, stig:V-215218, stig:V-215219, stig:V-215220, stig:V-215222, stig:V-215223, stig:V-215224, stig:V-215226, stig:V-215227, stig:V-215232, stig:V-215337 |
| Critical | STIG network tunables | 3 of 4 rules compliant, 0 n/a; failing: V-215399 clean_partial_conns=0 (needs eq 1) | One or more kernel network options are set to a value the DISA STIG for IBM AIX 7.x flags — e.g. IP forwarding on a non-router, or TCP half-open connection cleanup disabled. Each is a documented hardening gap an auditor will flag. Fix: set the failing tunables with 'no -p -o <tunable>=<value>' (nfso for NFS options) so the change persists across reboot; the compliance report lists every rule, the required value, and the observed value. | stig:V-215263, stig:V-215265, stig:V-215399, stig:V-215430 |
| Critical | STIG disabled services | 34 of 37 rules compliant, 0 n/a; failing: V-215353 sendmail, V-215354 snmpd, V-215365 snmpmibd | One or more legacy network services the DISA STIG for IBM AIX 7.x requires disabled are still enabled or running — each is an unneeded, often unauthenticated, network-facing daemon an auditor will flag. Fix: comment the service out of /etc/inetd.conf and 'refresh -s inetd' (inetd services), or 'stopsrc -s <subsystem>' and disable it at boot (SRC subsystems); the compliance report lists every rule and its evidence. | stig:V-215257, stig:V-215258, stig:V-215259, stig:V-215334, stig:V-215346, stig:V-215347, stig:V-215369, stig:V-215370, stig:V-215371, stig:V-215372, stig:V-215373, stig:V-215374, stig:V-215375, stig:V-215376, stig:V-215377, stig:V-215378, stig:V-215379, stig:V-215380, stig:V-215381, stig:V-215382, stig:V-215383, stig:V-215384, stig:V-215385, stig:V-215386, stig:V-215387, stig:V-215388, stig:V-215389, stig:V-215390, stig:V-215391, stig:V-215406, stig:V-215353, stig:V-215354, stig:V-215365, stig:V-215358, stig:V-215361, stig:V-215362, stig:V-215363 |
| Risk | Finding | Observed | What it means & how to fix | Control tags |
|---|---|---|---|---|
| High | Time synchronization (NTP) | xntpd inoperative, 0 server(s) | No working time sync — clock drift breaks log correlation, Kerberos and TLS. Fix: configure /etc/ntp.conf with a server and start xntpd ('startsrc -s xntpd'; enable at boot). | stig:V-215208, cis-l1 |
| Low | Kernel tunables (nextboot) | 1 changed tunable line(s) | Kernel tunables are changed from default for next boot — deliberate tuning or archaeology? document each. Fix: review /etc/tunables/nextboot; record why each change exists, or revert to default. | — |
| Low | Host self-resolution | does not resolve | Tools and certs misbehave when the box can't resolve itself. Fix: add this host to DNS or /etc/hosts. | — |
| Risk | Finding | Observed | What it means & how to fix | Control tags |
|---|---|---|---|---|
| High | Monitoring agent | none detected | Nothing is watching this box — every finding in this report goes unnoticed until someone runs it again. Fix: install and point a monitoring agent (Zabbix/NRPE/Datadog/njmon) at this LPAR. | ffiec:III.B |
| Low | Remote syslog | no remote target | No remote syslog target — logs die with the box, exactly when you need them. Fix: add an '@loghost' line to /etc/syslog.conf and 'refresh -s syslogd'. | ffiec:II.C.22 |
| Medium | Scheduled backup job | no backup in crontab | No scheduled backup in root's crontab — where does the mksysb come from? Fix: schedule mksysb/savevg in root's crontab, or confirm NIM/central backup owns it. | — |