Check: AIX7-00-001011
IBM AIX 7.x STIG: AIX7-00-001011 (in versions v3 r1 through v1 r1)
Title
Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts. (Cat II impact)
Discussion
Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability.
Check Content
Obtain a list of Shared/Application/Default/Utility accounts from the ISSO/ISSM. Shared/Application/Default/Utility accounts can have direct login disabled by setting the "rlogin" parameter to "false" in the user's stanza of the "/etc/security/user" file.

From the command prompt, run the following command to check whether a shared account has "rlogin=true":

# lsuser -a rlogin [shared_account]
<shared_account> rlogin=true

If a shared account is configured for "rlogin=true", this is a finding.
Fix Text
Direct login to shared or application accounts can be prevented by setting "rlogin=false" in the account's stanza of the "/etc/security/user" file.

From the command prompt, run the following command to set "rlogin=false" for a shared account:

# chuser rlogin=false [shared_account]
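The check and fix above, as an added POSIX sh example that is not part of the STIG text: it parses the "<account> rlogin=<value>" lines that "lsuser -a rlogin" prints, lists the accounts that are findings, and emits the matching "chuser rlogin=false" commands. The account names and the captured lsuser output are constructed for illustration; the script only runs the real lsuser when it is present on the host.

```shell
#!/bin/sh
# Added example for AIX7-00-001011: audit ISSO-supplied shared accounts for
# direct login (rlogin=true) and produce the remediation commands.
# The accounts and the lsuser output below are constructed sample data.

# Constructed sample of what "lsuser -a rlogin <account>" prints for three
# shared/application accounts on an AIX 7.x host.
SAMPLE_LSUSER_OUTPUT='appsvc rlogin=true
backup rlogin=false
oracle rlogin=true'

# Collect the rlogin attribute for each account given as an argument.
# On AIX this runs the real lsuser (one account per call, as in the STIG);
# elsewhere it falls back to the constructed sample so the logic can be tested.
collect_rlogin_state() {
    if command -v lsuser >/dev/null 2>&1; then
        for acct in "$@"; do
            lsuser -a rlogin "$acct"
        done
    else
        printf '%s\n' "$SAMPLE_LSUSER_OUTPUT"
    fi
}

# Read "<account> rlogin=<value>" lines on stdin and print only the accounts
# that still permit direct login; each printed name is a finding.
find_rlogin_findings() {
    awk '$2 == "rlogin=true" { print $1 }'
}

# Read the same lines and print one "chuser rlogin=false <account>" per finding.
# The commands are printed, not executed, so an administrator can review them.
remediation_commands() {
    awk '$2 == "rlogin=true" { printf "chuser rlogin=false %s\n", $1 }'
}

# Count findings so the script can report pass/fail for the account list.
count_rlogin_findings() {
    find_rlogin_findings | wc -l | tr -d ' '
}

# Example run over the constructed account list.
collect_rlogin_state appsvc backup oracle | find_rlogin_findings
collect_rlogin_state appsvc backup oracle | remediation_commands
```

Feed the output of the real lsuser calls to find_rlogin_findings on the target host; any account it prints is a finding until chuser rlogin=false has been applied.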
Additional Identifiers
Rule ID: SV-215178r1009531_rule
Vulnerability ID: V-215178
Group Title: SRG-OS-000109-GPOS-00056
CCIs
Number | Definition
---|---
CCI-000770 | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
CCI-004045 | Require users to be individually authenticated before granting access to the shared accounts or resources.
Controls
Number | Title
---|---
IA-2(5) | Group Authentication