Check: GEN009120
AIX 5.3 STIG:
GEN009120
(in version v1 r3)
Title
The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. (Cat II impact)
Discussion
In accordance with CTO 07-015, PKI authentication is required. This provides stronger, two-factor authentication than using a username/password. NOTE: The following are exempt from this; however, they must meet all password requirements and must be documented with the IAO: - SIPRNET systems. - Stand-alone systems. - Application Accounts. - Students or unpaid employees (such as interns) who are not eligible to receive or not in receipt of a CAC, PIV, or ALT. - Warfighters and support personnel located at operational tactical locations conducting wartime operations that are not “collocated” with RAPIDS workstations to issue CAC, are not eligible for CAC, or do not have the capability to use ALT. - Test systems with an Interim Approval to Test (IATT) and provide protection via separate VPN, firewall, or security measures preventing access to network and system components from outside the protection boundary documented in the IATT.
Check Content
Consult vendor documentation to determine if the system is capable of CAC authentication. If it is not, this is not applicable. Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. If non-exempt accounts are not using CAC authentication, this is a finding.
Fix Text
Consult IBM documentation to determine the procedures necessary for configuring CAC authentication through PKI. Configure all accounts required by policy to use CAC authentication.
Additional Identifiers
Rule ID: SV-39317r1_rule
Vulnerability ID: V-24347
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000768 |
The information system implements multifactor authentication for local access to non-privileged accounts. |
Controls
Number | Title |
---|---|
IA-2 (4) |
Local Access To Non-Privileged Accounts |