Check: AIX7-00-001132
IBM AIX 7.x STIG:
AIX7-00-001132
(in versions v3 r1 through v1 r1)
Title
AIX must prevent the use of dictionary words for passwords. (Cat II impact)
Discussion
If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Check Content
From the command prompt, run the following command to check if the default "dictionlist" attribute is set: # lssec -f /etc/security/user -s default -a dictionlist The above command should yield the following output: dictionlist="/etc/security/ice/dictionary/English" If the above command shows an empty string for default "dictionlist" attribute, this is a finding. From the command prompt, run the following command to check if "dictionlist" attribute is set for all users: # lsuser -a dictionlist ALL The above command should yield the following output: root dictionlist=/etc/security/ice/dictionary/English daemon dictionlist=/etc/security/ice/dictionary/English bin dictionlist=/etc/security/ice/dictionary/English sys dictionlist=/etc/security/ice/dictionary/English If any user's "dictionlist" attribute is empty, this is a finding.
Fix Text
From the command prompt, run the following command to set "dictionlist" attribute for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a dictionlist="/etc/security/ice/dictionary/English" From the command prompt, run the following command to set "dictionlist" attribute for users who have an empty "dictionlist" attribute: # chsec -f /etc/security/user -s [user_name] -a dictionlist="/etc/security/ice/dictionary/English"
Additional Identifiers
Rule ID: SV-215229r991587_rule
Vulnerability ID: V-215229
Group Title: SRG-OS-000480-GPOS-00225
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |