Check: AIX7-00-001025
IBM AIX 7.x STIG:
AIX7-00-001025
(in versions v3 r1 through v2 r1)
Title
AIX must configure the ttys value for all interactive users. (Cat II impact)
Discussion
A user's "ttys" attribute controls from which device(s) the user can authenticate and log in. If the "ttys" attribute is not specified, all terminals can access the user account.
Check Content
Verify that the default "ttys" value is set for all users: # lssec -f /etc/security/user -s default -a ttys default ttys=ALL If the value returned is not "ttys=ALL", this is a finding. From the command prompt, run the following command to check "ttys" attribute value for all accounts: # lsuser -a ttys ALL The above command should yield the following output: root ttys=ALL user1 ttys=ALL user2 ttys=ALL user3 ttys=ALL If any interactive user account does not have "ttys=ALL", this is a finding.
Fix Text
From the command prompt, run the following command to set "ttys=ALL" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a ttys=ALL Run the following command to recheck "ttys" values for all users: # lsuser -a ttys ALL For each interactive user who does not have "ttys=ALL", set the value of "ttys" to "ALL" by running the following command from command prompt: # chsec -f /etc/security/user -s [user_name] -a ttys=ALL
Additional Identifiers
Rule ID: SV-215186r958498_rule
Vulnerability ID: V-215186
Group Title: SRG-OS-000114-GPOS-00059
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000778 |
Uniquely identify organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection. |
Controls
Number | Title |
---|---|
IA-3 |
Device Identification and Authentication |