STIGQter STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 25 Apr 2019: The /etc/shells file must exist on AIX systems.

DISA Rule

SV-101737r1_rule

Vulnerability Number

V-91639

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AIX7-00-003110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Run the following command to set shells attribute for stanza usw in "/etc/security/login.cfg":
# chsec -f /etc/security/login.cfg -s usw -a shells=<list of approved shells separated by comma>

Create the "/etc/shells" file and add all approved shells there, one shell per line:
# vi /etc/shells

Change the ownership and mode-bit of "/etc/shells":
# chown bin.bin /etc/shells
# chmod 644 /etc/shells

Check Contents

AIX ships the following shells that should be considered as "approved" shells:

/bin/sh
/bin/bsh
/bin/csh
/bin/ksh
/bin/tsh
/bin/ksh93
/usr/bin/sh
/usr/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/ksh93
/usr/bin/rksh
/usr/bin/rksh93
/usr/sbin/uucp/uucico
/usr/sbin/sliplogin
/usr/sbin/snappd

ISSO/SA may install other shells. Ask ISSO/SA for other approved shells other than the shells shipped by AIX.

Check if file "/etc/shells" exists by running:

# ls -la /etc/shells
rw-r--r-- 1 bin bin 111 Jun 01 2015 /etc/shells

If "/etc/shells" file does not exist, this is a finding.

Verify that "/etc/shells" only contains approved shells:

# cat /etc/shells
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/bsh

If "/etc/shells" file contains a non-approved shell, this is a finding.

Check "/etc/security/login.cfg" for the shells attribute value of "usw:" stanza:

# lssec -f /etc/security/login.cfg -s usw -a shells
usw shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd

If the shells attribute value does not exist or is empty, this is a finding.
If the returned shells attribute value contains a shell that is not defined in "/etc/shells" file, this is a finding.
If the returned shells attribute value contains a non-approved shell, this is a finding.

Vulnerability Number

V-91639

Documentable

False

Rule Version

AIX7-00-003110

Severity Override Guidance

AIX ships the following shells that should be considered as "approved" shells:

/bin/sh
/bin/bsh
/bin/csh
/bin/ksh
/bin/tsh
/bin/ksh93
/usr/bin/sh
/usr/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/ksh93
/usr/bin/rksh
/usr/bin/rksh93
/usr/sbin/uucp/uucico
/usr/sbin/sliplogin
/usr/sbin/snappd

ISSO/SA may install other shells. Ask ISSO/SA for other approved shells other than the shells shipped by AIX.

Check if file "/etc/shells" exists by running:

# ls -la /etc/shells
rw-r--r-- 1 bin bin 111 Jun 01 2015 /etc/shells

If "/etc/shells" file does not exist, this is a finding.

Verify that "/etc/shells" only contains approved shells:

# cat /etc/shells
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/bsh

If "/etc/shells" file contains a non-approved shell, this is a finding.

Check "/etc/security/login.cfg" for the shells attribute value of "usw:" stanza:

# lssec -f /etc/security/login.cfg -s usw -a shells
usw shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd

If the shells attribute value does not exist or is empty, this is a finding.
If the returned shells attribute value contains a shell that is not defined in "/etc/shells" file, this is a finding.
If the returned shells attribute value contains a non-approved shell, this is a finding.

Check Content Reference

M

Target Key

3491

Comments