EXAMPLE REPORT — real, unedited output (hostname sanitized) · AIX 7.3 compliance← all reports
AIXray
by PowerTrue Systems · AIX · IBM Power · VIOS
Compliance report

Compliance report — DISA STIG (IBM AIX 7.x) — aixdemo01

Host: aixdemo01  ·  Generated: 2026-07-03  ·  Reference data: 2026-07-01  ·  Standard: DISA STIG for IBM AIX 7.x  ·  READ-ONLY — nothing was changed
Automation coverage. AIXray automates 11 finding(s) mapped to this standard. A compliance program also requires manual/organizational review — see the manual-review section below. N is the count of findings carrying a DISA STIG (IBM AIX 7.x) control tag in this scan; no full control-set total is claimed.

Auditor control summary one row per mapped control · non-pass first

ControlMapped finding(s)StatusObserved evidence
stig:V-215287SSH root loginFAILpermitrootlogin yes
stig:V-215231SNMP community stringsFAILdefault community in use
stig:V-215200Login bannerWARNno herald set
stig:V-215171STIG account policyFAILloginretries=0 (need le 3)
stig:V-215220STIG account policyFAILmindiff=0 (need ge 8)
stig:V-215223STIG account policyFAILmaxage=13 (need le 8)
stig:V-215224STIG account policyFAILhistsize=4 (need ge 5)
stig:V-215226STIG account policyFAILminlen=10 (need ge 15)
stig:V-215232STIG account policyFAILmaxrepeats=8 (need le 3)
stig:V-215337STIG account policyFAILlogindelay=0 (need ge 4)
stig:V-215399STIG network tunablesFAILclean_partial_conns=0 (need eq 1)
stig:V-215353STIG disabled servicesFAILsendmail starts at boot in /etc/rc.tcpip
stig:V-215354STIG disabled servicesFAILsnmpd starts at boot in /etc/rc.tcpip
stig:V-215365STIG disabled servicesFAILsnmpmibd starts at boot in /etc/rc.tcpip
stig:V-215208Time synchronization (NTP)FAILxntpd inoperative, 0 server(s)
stig:V-215402SSH ciphersPASSaes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com
stig:V-215258Cleartext inetd servicesPASStelnet not enabled in inetd.conf
stig:V-215259Cleartext inetd servicesPASSftp not enabled in inetd.conf
stig:V-215432Trust files (.rhosts)PASSnone present
stig:V-215269STIG file permissionsPASS/etc/inetd.conf 0644 u=0 g=0
stig:V-215272STIG file permissionsPASS/etc/ntp.conf 0640 u=0 g=0
stig:V-215273STIG file permissionsPASS/etc/ntp.conf 0640 u=0 g=0
stig:V-215281STIG file permissionsPASS/etc/ntp.conf 0640 u=0 g=0
stig:V-215274STIG file permissionsPASS/etc/group 0644 u=0 g=7
stig:V-215275STIG file permissionsPASS/etc/group 0644 u=0 g=7
stig:V-215282STIG file permissionsPASS/etc/group 0644 u=0 g=7
stig:V-245558STIG file permissionsPASS/etc/hosts 0640 u=0 g=0
stig:V-245559STIG file permissionsPASS/etc/hosts 0640 u=0 g=0
stig:V-245562STIG file permissionsPASS/etc/syslog.conf 0640 u=0 g=0
stig:V-245563STIG file permissionsPASS/etc/syslog.conf 0640 u=0 g=0
stig:V-215172STIG account policyNAmaxulogs unset
stig:V-215217STIG account policyPASSminupperalpha=1 (need ge 1)
stig:V-215218STIG account policyPASSminloweralpha=1 (need ge 1)
stig:V-215219STIG account policyPASSmindigit=1 (need ge 1)
stig:V-215222STIG account policyPASSminage=4 (need ge 1)
stig:V-215227STIG account policyPASSminspecialchar=1 (need ge 1)
stig:V-215263STIG network tunablesPASSipforwarding=0 (need eq 0)
stig:V-215265STIG network tunablesPASSip6forwarding=0 (need eq 0)
stig:V-215430STIG network tunablesPASSbcastping=0 (need eq 0)
stig:V-215257STIG disabled servicesPASSexec not enabled in inetd.conf
stig:V-215334STIG disabled servicesPASStftp not enabled in inetd.conf
stig:V-215346STIG disabled servicesPASSshell not enabled in inetd.conf
stig:V-215347STIG disabled servicesPASSlogin not enabled in inetd.conf
stig:V-215369STIG disabled servicesPASSdaytime not enabled in inetd.conf
stig:V-215370STIG disabled servicesPASScmsd not enabled in inetd.conf
stig:V-215371STIG disabled servicesPASSttdbserver not enabled in inetd.conf
stig:V-215372STIG disabled servicesPASSuucp not enabled in inetd.conf
stig:V-215373STIG disabled servicesPASStime not enabled in inetd.conf
stig:V-215374STIG disabled servicesPASStalk not enabled in inetd.conf
stig:V-215375STIG disabled servicesPASSntalk not enabled in inetd.conf
stig:V-215376STIG disabled servicesPASSchargen not enabled in inetd.conf
stig:V-215377STIG disabled servicesPASSdiscard not enabled in inetd.conf
stig:V-215378STIG disabled servicesPASSdtspc not enabled in inetd.conf
stig:V-215379STIG disabled servicesPASSpcnfsd not enabled in inetd.conf
stig:V-215380STIG disabled servicesPASSrstatd not enabled in inetd.conf
stig:V-215381STIG disabled servicesPASSrusersd not enabled in inetd.conf
stig:V-215382STIG disabled servicesPASSsprayd not enabled in inetd.conf
stig:V-215383STIG disabled servicesPASSklogin not enabled in inetd.conf
stig:V-215384STIG disabled servicesPASSkshell not enabled in inetd.conf
stig:V-215385STIG disabled servicesPASSrquotad not enabled in inetd.conf
stig:V-215386STIG disabled servicesPASStftp not enabled in inetd.conf
stig:V-215387STIG disabled servicesPASSimap2 not enabled in inetd.conf
stig:V-215388STIG disabled servicesPASSpop3 not enabled in inetd.conf
stig:V-215389STIG disabled servicesPASSfinger not enabled in inetd.conf
stig:V-215390STIG disabled servicesPASSinstsrv not enabled in inetd.conf
stig:V-215391STIG disabled servicesPASSecho not enabled in inetd.conf
stig:V-215406STIG disabled servicesPASSrwalld not enabled in inetd.conf
stig:V-215358STIG disabled servicesPASSgated not started in /etc/rc.tcpip
stig:V-215361STIG disabled servicesPASSrouted not started in /etc/rc.tcpip
stig:V-215362STIG disabled servicesPASSrwhod not started in /etc/rc.tcpip
stig:V-215363STIG disabled servicesPASStimed not started in /etc/rc.tcpip

Critical-first queue Critical then High risk · work top-down

RiskCategoryFindingObserved
CriticalF. Availability & resilienceOS backup (mksysb) evidence/image.data older than 90 days
CriticalG. Security & hardeningSSH root loginpermitrootlogin yes
CriticalG. Security & hardeningroot account controlsrlogin=true + sugroups=ALL (root wide open)
CriticalG. Security & hardeningSTIG account policy5 of 12 rules compliant, 1 n/a; failing: V-215171 loginretries=0 (needs le 3), V-215220 mindiff=0 (needs ge 8), V-215223 maxage=13 (needs le 8), V-215224 histsize=4 (needs ge 5), V-215226 minlen=10 (needs ge 15), +2 more
CriticalG. Security & hardeningSTIG network tunables3 of 4 rules compliant, 0 n/a; failing: V-215399 clean_partial_conns=0 (needs eq 1)
CriticalG. Security & hardeningSTIG disabled services34 of 37 rules compliant, 0 n/a; failing: V-215353 sendmail, V-215354 snmpd, V-215365 snmpmibd
HighC. Storage & capacityOther filesystems/opt 94%; repo (informational): /usr/sys/inst.images 100%
HighF. Availability & resiliencerootvg redundancy1 disk, unmirrored
HighG. Security & hardeningDefault password policyweak: loginretries=0
HighG. Security & hardeningSNMP community stringsdefault community in use
HighG. Security & hardeningAudit subsystemauditing off
HighH. Config hygieneTime synchronization (NTP)xntpd inoperative, 0 server(s)
HighI. Monitoring & operational readinessMonitoring agentnone detected

Remediation worklist every open finding, grouped by category

A. Lifecycle & support
RiskFindingObservedWhat it means & how to fixControl tags
MediumHardware generation9009-22A (POWER9) — hardware support ended 2026-01-31 (fully-virtual LPAR)This hardware generation is past IBM support, but this LPAR has no physical I/O adapters — the hardware is the host provider's to maintain (PowerVS or your VIOS estate). Confirm whose problem this is.
Fix: confirm who owns the hardware (IBM on PowerVS; your team on-prem) — no action is possible inside this LPAR.
ffiec:II.C.11
C. Storage & capacity
RiskFindingObservedWhat it means & how to fixControl tags
HighOther filesystems/opt 94%; repo (informational): /usr/sys/inst.images 100%One or more non-system filesystems are critically full.
Fix: free space or extend them; add monitoring.
D. Performance & sizing
RiskFindingObservedWhat it means & how to fixControl tags
MediumMemory compositioncomputational 94%, file/numperm 5.4%, 48MB avail (2%), 1820MB pinned of 2048MBNearly all memory is computational (working) pages, not file cache (numperm 5.4%) — this is genuine in-use memory the VMM cannot reclaim, so the tight look is real, not just cache. Only 48MB is available. Whether it is actually hurting depends on the paging-activity check; composition alone says there is little slack.
Fix: if the working set grows, add RAM or trim the top consumers ('svmon -P -O unit=MB | head'); reclaimable file cache is already at its floor, so there is nothing to give back.
MediumJFS2 filesystem-buffer blockingblocked since boot: jfs2 fsbuf 1656, external-pager 518, client 0Filesystem I/O has been blocked waiting for JFS2 filesystem buffers (fsbuf) 2174 time(s) since boot — the buffer pool ran dry under I/O load and requests had to wait, adding latency that CPU/memory graphs never reveal. The count is cumulative since boot.
Fix: re-read 'vmstat -v' after a busy period: if the number is still climbing, raise JFS2 buffers with 'ioo -p -o j2_dynamicBufferPreallocation=<n>' (default 16, in 16KB units) and/or 'ioo -p -o numfsbufs=<n>'; a static non-zero count from a past burst is usually benign.
E. Errors & events
RiskFindingObservedWhat it means & how to fixControl tags
MediumError log (7 days)2 error entries (11 informational ignored)Errors are the box telling you something — read them before they escalate.
Fix: review 'errpt -a' for these entries; fix or explain each recurring one.
LowError notification methodsdefault errnotify only (diagela call-home present, no site paging)The default diagela stanzas forward hardware errors to the diagnostics / Service Focal Point path (call-home, if enabled on the HMC/service processor), but no stanza runs a site alert script — nothing pages or mails your on-call on a critical or disk error.
Fix: add an errnotify ODM stanza (odmadd) whose en_method pages/mails on class=H PERM and disk labels (e.g. SC_DISK_ERR*, LVM_SA_QUORCLOSE).
F. Availability & resilience
RiskFindingObservedWhat it means & how to fixControl tags
CriticalOS backup (mksysb) evidence/image.data older than 90 daysNo recent OS backup evidence on this box — a rootvg loss means rebuild-from-scratch. (Local evidence only; confirm where mksysb lands and when it last ran.)
Fix: run a mksysb now; schedule it; verify the target is itself backed up.
ffiec:II.C.21
Highrootvg redundancy1 disk, unmirroredThe OS lives on one disk — a single point of failure unless the backing storage is RAID/SAN-protected. Verify which.
Fix: mirror rootvg (mirrorvg + bosboot + bootlist) or document the storage-level protection.
MediumDump copy directorycopy dir /var/adm/ras has 102 MB free, estimated dump 1241 MBThe dump device can capture the dump, but the copy directory (/var/adm/ras, 102 MB free) is too small to hold a dump of the estimated size (1241 MB). On reboot the copy off the device fails, so the image is lost before anyone can analyze it — the same forensic loss as an undersized device, one step later.
Fix: free space in /var/adm/ras or point the copy directory at a filesystem with room for the dump ('sysdumpdev -D <dir>'), sized to 'sysdumpdev -e'.
ffiec:II.C.21
G. Security & hardening
RiskFindingObservedWhat it means & how to fixControl tags
CriticalSSH root loginpermitrootlogin yesDirect SSH root login is open — a single brute-forceable credential with no accountability.
Fix: set 'PermitRootLogin no' (or prohibit-password) in sshd_config and restart sshd.
stig:V-215287, cis-l1, ffiec:II.C.7
HighDefault password policyweak: loginretries=0The default password rules are weaker than any standard requires — every new account inherits them.
Fix: tighten the /etc/security/user default stanza (maxage 1-13wk, minlen>=8, loginretries>0, histsize>0).
cis-l1, ffiec:II.C.15
HighSNMP community stringsdefault community in useSNMP uses a default community string (public/private) — anyone on the network can read, or write, system data.
Fix: replace public/private with a strong community in /etc/snmpd.conf and refresh snmpd.
stig:V-215231, cis-l1
HighAudit subsystemauditing offNo audit trail — you cannot answer 'who did what' after an incident.
Fix: configure and start audit ('audit start'; set it to start at boot).
cis-l1, ffiec:II.C.22
LowTrusted ExecutionTE=OFFTrusted Execution is off (informational) — no runtime binary-integrity enforcement.
Fix: consider enabling TE ('trustchk -p TE=ON') if your change control supports it.
LowLogin bannerno herald setNo legal login banner is set — auditors ask for one and it deters casual access.
Fix: set a herald in the /etc/security/login.cfg default stanza (chsec -a herald=...).
stig:V-215200
Criticalroot account controlsrlogin=true + sugroups=ALL (root wide open)root can log in directly over the network (rlogin=true) AND any user may attempt su to root (sugroups=ALL) — the classic 'root wide open' pair. Either alone is a gap; together, root is one guessed password away from a network login with no accountability. This is the OS account gate in /etc/security/user, separate from sshd's PermitRootLogin.
Fix: restrict both: 'chsec -f /etc/security/user -s root -a rlogin=false' (admins log in as themselves and su/sudo to root) and '-a sugroups=<sysadmin-group>' so only a named group may su to root.
cis-l1, ffiec:II.C.7
MediumNetwork exposure vs filtering10 external listener(s) on ports 22,25,111,199,657,1334,32768,32769 +1 more; host IP filtering INACTIVE10 services listen on non-loopback addresses (reachable from the network) and AIX host packet filtering (IP Security) is not active — the box relies entirely on the upstream network/firewall. One perimeter mistake, VLAN change, or misrouted subnet exposes every one of these ports directly.
Fix: reduce the surface first (stop services you do not need — see the listeners and cleartext-inetd checks), then, if the box must self-defend, define rules with 'genfilt'/'mkfilt' and activate host filtering with 'mkfilt -v4 -u'.
CriticalSTIG account policy5 of 12 rules compliant, 1 n/a; failing: V-215171 loginretries=0 (needs le 3), V-215220 mindiff=0 (needs ge 8), V-215223 maxage=13 (needs le 8), V-215224 histsize=4 (needs ge 5), V-215226 minlen=10 (needs ge 15), +2 moreOne or more account/password-policy attributes in /etc/security are weaker than the DISA STIG for IBM AIX 7.x mandates — each is a documented hardening gap an auditor will flag, and it applies to every account inheriting the default stanza.
Fix: tighten the failing attributes with chsec (chsec -f <file> -s default -a <attr>=<value>); the compliance report lists every rule, the required value, and the observed value.
stig:V-215171, stig:V-215172, stig:V-215217, stig:V-215218, stig:V-215219, stig:V-215220, stig:V-215222, stig:V-215223, stig:V-215224, stig:V-215226, stig:V-215227, stig:V-215232, stig:V-215337
CriticalSTIG network tunables3 of 4 rules compliant, 0 n/a; failing: V-215399 clean_partial_conns=0 (needs eq 1)One or more kernel network options are set to a value the DISA STIG for IBM AIX 7.x flags — e.g. IP forwarding on a non-router, or TCP half-open connection cleanup disabled. Each is a documented hardening gap an auditor will flag.
Fix: set the failing tunables with 'no -p -o <tunable>=<value>' (nfso for NFS options) so the change persists across reboot; the compliance report lists every rule, the required value, and the observed value.
stig:V-215263, stig:V-215265, stig:V-215399, stig:V-215430
CriticalSTIG disabled services34 of 37 rules compliant, 0 n/a; failing: V-215353 sendmail, V-215354 snmpd, V-215365 snmpmibdOne or more legacy network services the DISA STIG for IBM AIX 7.x requires disabled are still enabled or running — each is an unneeded, often unauthenticated, network-facing daemon an auditor will flag.
Fix: comment the service out of /etc/inetd.conf and 'refresh -s inetd' (inetd services), or 'stopsrc -s <subsystem>' and disable it at boot (SRC subsystems); the compliance report lists every rule and its evidence.
stig:V-215257, stig:V-215258, stig:V-215259, stig:V-215334, stig:V-215346, stig:V-215347, stig:V-215369, stig:V-215370, stig:V-215371, stig:V-215372, stig:V-215373, stig:V-215374, stig:V-215375, stig:V-215376, stig:V-215377, stig:V-215378, stig:V-215379, stig:V-215380, stig:V-215381, stig:V-215382, stig:V-215383, stig:V-215384, stig:V-215385, stig:V-215386, stig:V-215387, stig:V-215388, stig:V-215389, stig:V-215390, stig:V-215391, stig:V-215406, stig:V-215353, stig:V-215354, stig:V-215365, stig:V-215358, stig:V-215361, stig:V-215362, stig:V-215363
H. Config hygiene
RiskFindingObservedWhat it means & how to fixControl tags
HighTime synchronization (NTP)xntpd inoperative, 0 server(s)No working time sync — clock drift breaks log correlation, Kerberos and TLS.
Fix: configure /etc/ntp.conf with a server and start xntpd ('startsrc -s xntpd'; enable at boot).
stig:V-215208, cis-l1
LowKernel tunables (nextboot)1 changed tunable line(s)Kernel tunables are changed from default for next boot — deliberate tuning or archaeology? document each.
Fix: review /etc/tunables/nextboot; record why each change exists, or revert to default.
LowHost self-resolutiondoes not resolveTools and certs misbehave when the box can't resolve itself.
Fix: add this host to DNS or /etc/hosts.
I. Monitoring & operational readiness
RiskFindingObservedWhat it means & how to fixControl tags
HighMonitoring agentnone detectedNothing is watching this box — every finding in this report goes unnoticed until someone runs it again.
Fix: install and point a monitoring agent (Zabbix/NRPE/Datadog/njmon) at this LPAR.
ffiec:III.B
LowRemote syslogno remote targetNo remote syslog target — logs die with the box, exactly when you need them.
Fix: add an '@loghost' line to /etc/syslog.conf and 'refresh -s syslogd'.
ffiec:II.C.22
MediumScheduled backup jobno backup in crontabNo scheduled backup in root's crontab — where does the mksysb come from?
Fix: schedule mksysb/savevg in root's crontab, or confirm NIM/central backup owns it.

Manual review outside the tool's read-only view

Control mappings reference the DISA STIG for IBM AIX 7.x (public domain). This report indicates AIXray's read-only observations and is not a certified audit.