Check: AIX7-00-003072
IBM AIX 7.x STIG:
AIX7-00-003072
(in versions v3 r1 through v1 r1)
Title
The discard daemon must be disabled on AIX. (Cat II impact)
Discussion
The discard service is used as a debugging and measurement tool. It sets up a listening socket and ignores data that it receives. This is a /dev/null service and is obsolete. This can be used in DoS attacks and therefore, must be disabled to prevent attacks.
Check Content
From the command prompt, execute the following command: # grep "^discard[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.
Fix Text
In "/etc/inetd.conf", comment out the "discard" entries by running commands: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'discard' -p 'tcp' # chsubserver -r inetd -C /etc/inetd.conf -d -v 'discard' -p 'udp' Restart inetd: # refresh -s inetd
Additional Identifiers
Rule ID: SV-215377r958478_rule
Vulnerability ID: V-215377
Group Title: SRG-OS-000095-GPOS-00049
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
Configure the system to provide only organization-defined mission essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |