Check: AIX7-00-003203
IBM AIX 7.x STIG: AIX7-00-003203 (in versions v2 r9 through v1 r1)
Title
AIX must have the PowerSC Multi Factor Authentication Product configured. (Cat II impact)
Discussion
To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
Check Content
Verify /etc/security/pmfa/pam_pmfa.conf is configured correctly.

    # grep -i "trustedcas" /etc/security/pmfa/pam_pmfa.conf | grep -v '#'
    TRUSTEDCAS = /<path_to_file>/server_ca.pem

Note: Verify with the SA/ISSO as to the location of the "server_ca.pem" file.

If "TRUSTEDCAS" is not configured to point to a valid "server_ca.pem" file or is missing, this is a finding.

    # grep -i "mfa-url" /etc/security/pmfa/pam_pmfa.conf | grep -v '#'
    MFA-URL = https://pmfa.example.com:6793/policyAuth/

If the "MFA-URL" is missing or does not point to a valid address, this is a finding.

    # grep -i "server-version" /etc/security/pmfa/pam_pmfa.conf | grep -v '#'
    SERVER-VERSION = 2

If "SERVER-VERSION" is missing or is not set to "2", this is a finding.

    # grep -i "ctc-prompt" /etc/security/pmfa/pam_pmfa.conf | grep -v '#'
    CTC-PROMPT-ONLY = Y

If "CTC-PROMPT-ONLY" is missing or is not set to "Y", this is a finding.
Fix Text
Add or update the following lines in the "/etc/security/pmfa/pam_pmfa.conf" file:

    TRUSTEDCAS = /<path_to_file>/server_ca.pem
    MFA-URL = https://pmfa.example.com:6793/policyAuth/
    SERVER-VERSION = 2
    CTC-PROMPT-ONLY = Y

Note: Verify with the SA/ISSO as to the location of the "server_ca.pem" file.
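As an added example (not part of the STIG and not IBM's tooling), the following POSIX shell script applies the four Check Content tests above to a pam_pmfa.conf file and counts findings. The function names, the constructed sample files, the use of "readable file" as the test for a valid "server_ca.pem", and the use of an https:// scheme as the test for a valid MFA-URL are this example's assumptions.

```shell
#!/bin/sh
# Added example: apply the four AIX7-00-003203 checks to a pam_pmfa.conf file.
# POSIX sh + grep/sed/head only, so it should run under AIX ksh as well as Linux sh.

# Print the value of key $2 in config $1 (case-insensitive, first uncommented
# match, whitespace trimmed). Prints nothing if the key is absent or commented out.
pmfa_get() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Evaluate one config file. Prints each finding; the return value is the number
# of findings, so 0 means the file passes all four checks.
pmfa_check() {
    conf=$1; n=0
    cas=$(pmfa_get "$conf" TRUSTEDCAS)
    # Assumption: a readable file is the proxy for "valid server_ca.pem file".
    if [ -z "$cas" ] || [ ! -r "$cas" ]; then
        echo "FINDING: TRUSTEDCAS missing or not a readable file (${cas:-unset})"; n=$((n + 1))
    fi
    url=$(pmfa_get "$conf" MFA-URL)
    # Assumption: "valid address" means an https:// URL, matching the STIG's example.
    case "$url" in
        https://?*) ;;
        *) echo "FINDING: MFA-URL missing or not https:// (${url:-unset})"; n=$((n + 1)) ;;
    esac
    ver=$(pmfa_get "$conf" SERVER-VERSION)
    [ "$ver" = "2" ] || { echo "FINDING: SERVER-VERSION is '${ver:-unset}', expected 2"; n=$((n + 1)); }
    ctc=$(pmfa_get "$conf" CTC-PROMPT-ONLY)
    [ "$ctc" = "Y" ] || { echo "FINDING: CTC-PROMPT-ONLY is '${ctc:-unset}', expected Y"; n=$((n + 1)); }
    return $n
}

# Constructed sample configs (not from a real system): good.conf is compliant; bad.conf
# has TRUSTEDCAS commented out, a plain-http MFA-URL and CTC-PROMPT-ONLY = N.
pmfa_demo() {
    dir=$(mktemp -d)
    : > "$dir/server_ca.pem"   # stand-in for the real CA certificate
    printf 'TRUSTEDCAS = %s/server_ca.pem\nMFA-URL = https://pmfa.example.com:6793/policyAuth/\n' "$dir" > "$dir/good.conf"
    printf 'SERVER-VERSION = 2\nCTC-PROMPT-ONLY = Y\n' >> "$dir/good.conf"
    printf '#TRUSTEDCAS = %s/server_ca.pem\nMFA-URL = http://pmfa.example.com:6793/policyAuth/\n' "$dir" > "$dir/bad.conf"
    printf 'SERVER-VERSION = 2\nCTC-PROMPT-ONLY = N\n' >> "$dir/bad.conf"
    good=0; pmfa_check "$dir/good.conf" || good=$?
    bad=0;  pmfa_check "$dir/bad.conf"  || bad=$?
    rm -rf "$dir"
    echo "good.conf findings: $good, bad.conf findings: $bad"   # 0 and 3
    [ "$good" -eq 0 ] && [ "$bad" -eq 3 ]
}

pmfa_demo
```

Run it against the real file with `pmfa_check /etc/security/pmfa/pam_pmfa.conf` on the host; a non-zero exit is the number of STIG findings.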
Additional Identifiers
Rule ID: SV-215439r508663_rule
Vulnerability ID: V-215439
Group Title: SRG-OS-000480-GPOS-00227
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings