Title

All files and directories contained in users home directories on AIX must be group-owned by a group in which the home directory owner is a member. (Cat II impact)

Discussion

If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.

Check Content

Check the contents of user home directories for files group-owned by a group of which the home directory's owner is not a member. List the user accounts: # cut -d : -f 1 /etc/passwd root daemon bin sys adm uucp nobody invscout snapp ipsec srvproxy esaadmin sshd doejohn dirtjoe For each user account, get a list of group names for files in the user's home directory: # find < users home directory > -exec ls -lLd {} \; Obtain the list of group names associated with the user's account: # lsuser -a groups < user name > doejohn groups=staff Check the group name lists: # cat /etc/group system:!:0:root,srvproxy,esaadmin staff:!:1:ipsec,srvproxy,esaadmin,sshd,doejohn bin:!:2:root,bin sys:!:3:root,bin,sys adm:!:4:bin,adm mail:!:6: security:!:7:root cron:!:8:root audit:!:10:root ecs:!:28: nobody:!:4294967294:nobody,lpd usr:!:100:dirtjoe perf:!:20: shutdown:!:21: invscout:!:12:invscout snapp:!:13:snapp ipsec:!:200: sshd:!:201:sshd If there are group names in the file list not present in the user list, this is a finding.

Fix Text

Change the group of a file not group-owned by a group where the home directory's owner is a member using command: # chgrp [user's primary group] [file with bad group ownership]

Additional Identifiers

Rule ID: SV-215278r508663_rule

Vulnerability ID: V-215278

Group Title: SRG-OS-000480-GPOS-00230

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.