Check: AIX7-00-002096
IBM AIX 7.x STIG:
AIX7-00-002096
(in versions v3 r1 through v1 r1)
Title
AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required. (Cat II impact)
Discussion
The AIX Encrypted File System (EFS) is a J2 filesystem-level encryption through individual key stores. This allows for file encryption in order to protect confidential data from attackers with physical access to the computer. User authentication and access control lists can protect files from unauthorized access (even from root user) while the operating system is running. Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000405-GPOS-00184, SRG-OS-000404-GPOS-00183
Check Content
If the organization does not require to encrypt the data at rest, this is Not Applicable. Check if "clic.rte" fileset is installed: # lslpp -l |grep clic The above command should yield the following output: clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel clic.rte.lib 4.10.0.1 COMMITTED CryptoLite for C Library clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel If the "clic.rte.lib", or the "clic.rte.kernext", fileset is not installed, this is a finding. To check if a JFS2 file system (mounted as /fs2_mnt) is EFS-enabled, use the following command: # lsfs -q /fs2_mnt Name Nodename Mount Pt VFS Size Options Auto Accounting /dev/fslv00 -- /fs2_mnt jfs2 262144 -- no no (lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: no, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no) If the above command shows "EFS: no", this is a finding.
Fix Text
Install "clic.rte" filesets from AIX DVD Volume 1 using the following commands (assuming that the DVD device is /dev/cd0): # installp -aXYgd /dev/cd0 -e /tmp/install.log clic.rte.lib # installp -aXYgd /dev/cd0 -e /tmp/install.log clic.rte.kernext Run the follow command to initialize and enable EFS on the system: # efsenable -a To create a new EFS-enabled JFS2 file system and mount the file system, using the following commands: # crfs -v jfs2 -g rootvg -m /fs2 -a size=100M -a efs=yes # mount /fs2 To enable EFS on a JFS2 file system (like, /fs3), run the following command: chfs -a efs=yes /fs3
Additional Identifiers
Rule ID: SV-215283r991589_rule
Vulnerability ID: V-215283
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
CCI-002475 |
Implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined system components. |
CCI-002476 |
Implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined system components. |