Check: AIX7-00-002103
IBM AIX 7.x STIG:
AIX7-00-002103
(in versions v3 r1 through v1 r1)
Title
All AIX shells referenced in passwd file must be listed in /etc/shells file, except any shells specified for the purpose of preventing logins. (Cat II impact)
Discussion
The /etc/shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized unsecure shell.
Check Content
Confirm the login shells referenced in the "/etc/passwd" file are listed in the "/etc/security/login.cfg" file's "shells =variable" in the usw stanza by running commands: # more /etc/security/login.cfg | grep shells | grep -v '*' shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh # more /etc/shells /bin/csh /bin/ksh /bin/psh /bin/tsh /bin/bsh /usr/bin/csh /usr/bin/ksh /usr/bin/psh /usr/bin/tsh /usr/bin/bsh The "/usr/bin/false", "/bin/false", "/dev/null", "/sbin/nologin" (and equivalents), and "sdshell" will be considered valid shells for use in the "/etc/passwd" file, but will not be listed in the shells stanza. If a shell referenced in "/etc/passwd" is not listed in the shells stanza, excluding the above mentioned shells, this is a finding.
Fix Text
Use the "chsh" utility or edit the "/etc/passwd" file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the "/etc/shells file". Alternatively, use the SMIT to change the "/etc/passwd" shell entry.
Additional Identifiers
Rule ID: SV-215288r991589_rule
Vulnerability ID: V-215288
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |