An error occurred:

Check: AIX7-00-001048

IBM AIX 7.x STIG: AIX7-00-001048 (in versions v2 r9 through v1 r1)

Title

AIX must protect the confidentiality and integrity of all information at rest. (Cat II impact)

Discussion

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.

Check Content

If the organization does not require to encrypt the data at rest this is Not Applicable. Check if the "clic.rte" fileset is installed: # lslpp -l |grep clic The above command should yield the following output: clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel clic.rte.lib 4.10.0.1 COMMITTED CryptoLite for C Library clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel If the "clic.rte" fileset is not installed, this is a finding. To check if a JFS2 file system (mounted as /fs2_mnt) is EFS-enabled, use the following command: # lsfs -q /fs2_mnt Name Nodename Mount Pt VFS Size Options Auto Accounting /dev/fslv00 -- /fs2_mnt jfs2 262144 -- no no (lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: no, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no) If the above command shows "EFS: no", this is a finding.

Fix Text

Install "clic.rte" fileset if it is not installed using command: # installp -aXYqg -d /dev/cd0 clic.rte Run the follow command to initialize and enable EFS on the system: # efsenable -a To create a new EFS-enabled JFS2 file system and mount the file system, using the following commands: # crfs -v jfs2 -g rootvg -m /fs2 -a size=100M -a efs=yes # mount /fs2 To enable EFS on a JFS2 file system (like, /fs3), run the following command: chfs -a efs=yes /fs3

Additional Identifiers

Rule ID: SV-215207r508663_rule

Vulnerability ID: V-215207

Group Title: SRG-OS-000185-GPOS-00079

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001199

The information system protects the confidentiality and/or integrity of organization-defined information at rest.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-28

Protection Of Information At Rest