STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.

DISA Rule

SV-215180r508663_rule

Vulnerability Number

V-215180

Group Title

SRG-OS-000123-GPOS-00064

Rule Version

AIX7-00-001014

Severity

CAT II

CCI(s)

• CCI-001682 - The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account.

Weight

10

Fix Recommendation

From the command prompt, run the following command to set the "expires" value to "72" hours from now:
# chuser expires=1228093516 <emergency_user>

The "expires" value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric.

Check Contents

Obtain a list of emergency accounts from the ISSO/ISSM and then run this command against each of the identified accounts:
# lsuser -a expires <emergency_user>

The above command should yield the following output:
<emergency_user> expires=0
Or
<emergency_user> expires=1215103116

The "expires" value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire.

If "expires" value is "0", or the expiration time is greater than "72" hours from the user creation time, this is a finding.

Vulnerability Number

V-215180

Documentable

False

Rule Version

AIX7-00-001014

Severity Override Guidance

Obtain a list of emergency accounts from the ISSO/ISSM and then run this command against each of the identified accounts:
# lsuser -a expires <emergency_user>

The above command should yield the following output:
<emergency_user> expires=0
Or
<emergency_user> expires=1215103116

The "expires" value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire.

If "expires" value is "0", or the expiration time is greater than "72" hours from the user creation time, this is a finding.

Check Content Reference

M

Target Key

4012

Comments