Check: AIX7-00-002086
IBM AIX 7.x STIG:
AIX7-00-002086
(in versions v3 r1 through v1 r1)
Title
All AIX interactive users home directories must be group-owned by the home directory owner primary group. (Cat II impact)
Discussion
If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.
Check Content
Check the group ownership for each user in the "/etc/passwd" file using command: # cut -d: -f6 /etc/passwd | xargs ls -lLd drwxr-xr-x 21 root system 4096 Jan 29 09:58 / drwxr-xr-x 4 bin bin 45056 Jan 24 12:31 /bin drwxr-xr-x 2 doejohn staff 256 Jan 25 13:18 /home/doejohn drwxr-xr-x 2 sshd system 256 Aug 11 2017 /home/srvproxy drwx------ 2 root system 256 Jan 30 12:54 /root drwxrwxr-x 4 bin bin 256 Mar 23 2017 /usr/sys drwxrwxr-x 15 root adm 4096 Jan 24 12:26 /var/adm drwxr-xr-x 6 root system 4096 Jan 24 07:34 /var/adm/invscout drwxr-xr-x 8 esaadmin system 256 Jan 24 09:02 /var/esa If any user's home directory is not group-owned by the assigned user's primary group, this is a finding. Home directories for application accounts requiring different group ownership must be documented using site-defined procedures.
Fix Text
Change the group owner for users home directories to the primary group of the assigned user: # chgrp <groupname> <directoryname> (Replace examples with appropriate group and home directory.) Document all changes.
Additional Identifiers
Rule ID: SV-215277r991592_rule
Vulnerability ID: V-215277
Group Title: SRG-OS-000480-GPOS-00230
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |