Check: AIX7-00-001138
IBM AIX 7.x STIG:
AIX7-00-001138
(in versions v3 r1 through v1 r1)
Title
NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs. (Cat II impact)
Discussion
The nosuid mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system not containing approved setuid files. Executing setuid files from untrusted file systems, or file systems not containing approved setuid files, increases the opportunity for unprivileged users to attain unauthorized administrative access.
Check Content
Obtain a list of NFS file systems that contain approved "setuid" or "setgid" files from the ISSO/ISSM. Check the "nosuid" mount option is used on all NFS file systems that do not contain approved "setuid" or "setgid" files: # mount | grep -E "options|nfs|---" node mounted mounted over vfs date options -------- --------------- --------------- ------ ------------ --------------- ausgsa.ibm.com /gsa/ausgsa/projects/a/aix/71 /mnt_1 nfs3 Nov 05 14:11 ro,bg,hard,intr,nosuid,sec=sys ausgsa.ibm.com /gsa/ausgsa/projects/a/aix/72 /mnt_2 nfs3 Nov 05 14:12 ro,bg,hard,intr,sec=sys If the NFS mounts do not show the "nosuid" setting in their "options" fields, along with other mount options, this is a finding.
Fix Text
For each NFS file systems that does not contain approved "setuid" or "setgid" files, add the "nosuid" option, along with other mount options, to the "options" field in "/etc/filesystems" using the following command: # chfs -a options=ro,bg,hard,intr,nosuid,sec=sys <NFS_mount_point> Note that the other mount options (other than the nosuid options) may be different among NFS mounts.
Additional Identifiers
Rule ID: SV-215234r958730_rule
Vulnerability ID: V-215234
Group Title: SRG-OS-000326-GPOS-00126
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002233 |
Prevent the organization-defined software from executing at higher privilege levels than users executing the software. |
Controls
Number | Title |
---|---|
AC-6(8) |
Privilege Levels for Code Execution |