Check: AIX7-00-003200
IBM AIX 7.x STIG:
AIX7-00-003200
(in versions v3 r1 through v1 r1)
Title
The AIX operating system must use Multi Factor Authentication. (Cat II impact)
Discussion
To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160
Check Content
Verify that all required packages are installed: # lslpp -l |grep -i powerscmfa powerscMFA.license 1.2.0.1 COMMITTED PowerSC MFA license files powerscMFA.pam.base 1.2.0.1 COMMITTED PowerSC MFA standard inband powerscMFA.pam.fallback 1.2.0.1 COMMITTED PowerSC MFA Password fallback powerscMFA.pam.pmfamapper 1.2.0.1 COMMITTED USB Smartcard Interface to powerscMFA.pam.usbsmartcard If any of the above packages are not installed, this is a finding.
Fix Text
Install the IBM PowerSC MFA product.
Additional Identifiers
Rule ID: SV-215436r1009557_rule
Vulnerability ID: V-215436
Group Title: SRG-OS-000105-GPOS-00052
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000765 |
Implement multifactor authentication for access to privileged accounts. |
CCI-000766 |
Implement multifactor authentication for access to non-privileged accounts. |
CCI-000767 |
The information system implements multifactor authentication for local access to privileged accounts. |
CCI-000768 |
The information system implements multifactor authentication for local access to non-privileged accounts. |
CCI-001948 |
The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
CCI-004046 |
Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
Controls
Number | Title |
---|---|
IA-2(1) |
Network Access to Privileged Accounts |
IA-2(2) |
Network Access to Non-privileged Accounts |
IA-2(3) |
Local Access to Privileged Accounts |
IA-2(4) |
Local Access to Non-privileged Accounts |
IA-2(11) |
Remote Access - Separate Device |