STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide, Version: 1 Release: 1, Benchmark Date: 25 Apr 2019: The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.

DISA Rule

SV-101535r1_rule

Vulnerability Number

V-91437

Group Title

SRG-OS-000123-GPOS-00064

Rule Version

AIX7-00-001014

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the command prompt, run the following command to set the "expires" value to "72" hours from now:
# chuser expires=1228093516 <emergency_user>

The "expires" value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric.

Check Contents

Obtain a list of emergency accounts from the ISSO/ISSM and then run this command against each of the identified accounts:
# lsuser -a expires <emergency_user>

The above command should yield the following output:
<emergency_user> expires=0
Or
<emergency_user> expires=1215103116

The "expires" value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire.

If the "expires" value is "0", or the expiration time is greater than "72" hours from the user creation time, this is a finding.
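
The following is an added example, not part of the STIG text: a Python sketch that decodes the MMDDhhmmyy "expires" format, builds the value for 72 hours ahead, and evaluates `lsuser -a expires` output lines against this check. The account creation time is assumed to be supplied by the auditor, and the user names and times in the sample are constructed.

```python
from datetime import datetime, timedelta

LIMIT = timedelta(hours=72)

def parse_expires(value):
    """Decode an AIX 'expires' value (MMDDhhmmyy); '0' (never expires) -> None."""
    if value == "0":
        return None
    if len(value) != 10 or not value.isdigit():
        raise ValueError(f"not a 10-digit MMDDhhmmyy value: {value!r}")
    mm, dd, hh, mi, yy = (int(value[i:i + 2]) for i in range(0, 10, 2))
    # yy covers 1939 through 2038: 39-99 -> 19yy, 00-38 -> 20yy
    year = 1900 + yy if yy >= 39 else 2000 + yy
    return datetime(year, mm, dd, hh, mi)  # raises ValueError on an impossible date

def expires_in_72h(now):
    """Value for 'chuser expires=<value> <user>' that is 72 hours after 'now'."""
    when = now + LIMIT
    if not 1939 <= when.year <= 2038:
        raise ValueError("year cannot be represented with a 2-digit yy")
    return when.strftime("%m%d%H%M%y")

def check_line(line, created):
    """Evaluate one 'lsuser -a expires <user>' output line.

    'created' is the account creation time; it is an input here (assumption:
    the auditor obtains it separately). Returns (user, is_finding, reason).
    """
    user, _, attr = line.strip().partition(" ")
    key, _, value = attr.partition("=")
    if key != "expires":
        raise ValueError(f"unexpected lsuser output: {line!r}")
    when = parse_expires(value)
    if when is None:
        return user, True, "expires=0, account never expires"
    if when - created > LIMIT:
        return user, True, f"expires {when} is more than 72 hours after creation"
    return user, False, f"expires {when} is within 72 hours of creation"

if __name__ == "__main__":
    # Constructed sample data: user names and creation times are made up.
    created = datetime(2016, 12, 25, 9, 35)
    print("chuser expires=" + expires_in_72h(created) + " emerg1")
    for line in ("emerg1 expires=1228093516", "emerg2 expires=0"):
        print(check_line(line, created))
    print(check_line("emerg3 expires=1215103116", datetime(2016, 12, 10, 10, 31)))
```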

Documentable

False

Check Content Reference

M

Target Key

3491
