STIGQter STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The shipped /etc/security/mkuser.sys file on AIX must not be customized directly.

DISA Rule

SV-215181r508663_rule

Vulnerability Number

V-215181

Group Title

SRG-OS-000001-GPOS-00001

Rule Version

AIX7-00-001015

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the script /etc/security/mkuser.sys to contain the following:
# This file is no longer user customizable. To have a customized mkuser.sys script
# create a file /etc/security/mkuser.sys.custom and the /etc/security/mkuser.sys
# will run this script instead of the original mkuser.sys script.

export PATH=/usr/bin:/usr/sbin:$PATH

#
# Check the number of arguments first
#
if [ $# -ne 4 ]
then
exit 1
fi

#
# If a customer mkuser.sys.custom script exists
# then execute it instead and exit passing all arguments
# and returning the return code from mkuser.sys.custom
#
if [ -x /etc/security/mkuser.sys.custom ]
then
/etc/security/mkuser.sys.custom $*
exit $?
fi

#
# Create the named directory if it does not already exist
# and set the file ownership and permission
#
if [ ! -d $1 ]
then
last=$1

while [ 1 ]
do
dir=`dirname $last`

if [ -d $last ]
then
break
elif [ -d $dir ]
then
mkdir -p $1
chown -R bin:bin $last
chmod -R 755 $last
break
else
last=$dir
fi
done

chgrp "$3" $1
chown $2 $1
fi

#
# Copy the user's default .profile if it does not already
# exist and change the file ownership, etc.
#
if [ `basename $4` != "csh" ] && [ ! -f $1/.profile ]
then
cp /etc/security/.profile $1/.profile
chmod u+rwx,go-w $1/.profile
chgrp "$3" $1/.profile
chown $2 $1/.profile

else
if [ `basename $4` = "csh" ] && [ ! -f $1/.login ]
then
echo "#!/bin/csh" > "$1"/.login
echo "set path = ( /usr/bin /etc /usr/sbin /usr/ucb \$HOME/bin /usr/bin/X11 /sbin . )" >> "$1"/.login
echo "setenv MAIL \"/var/spool/mail/\$LOGNAME\"" >> "$1"/.login
echo "setenv MAILMSG \"[YOU HAVE NEW MAIL]\"" >> "$1"/.login
echo "if ( -f \"\$MAIL\" && ! -z \"\$MAIL\") then" >> "$1"/.login
echo " echo \"\$MAILMSG\"" >> "$1"/.login
echo "endif" >> "$1"/.login
chmod u+rwx,go-w $1/.login
chgrp "$3" $1/.login
chown $2 $1/.login
fi
fi

Check Contents

Use the "cat" command to show the content of "/etc/security/mkuser.sys" script:
# cat /etc/security/mkuser.sys

The cat command should display the following:
# This file is no longer user customizable. To have a customized mkuser.sys script
# create a file /etc/security/mkuser.sys.custom and the /etc/security/mkuser.sys
# will run this script instead of the original mkuser.sys script.

export PATH=/usr/bin:/usr/sbin:$PATH

#
# Check the number of arguments first
#
if [ $# -ne 4 ]
then
exit 1
fi

#
# If a customer mkuser.sys.custom script exists
# then execute it instead and exit passing all arguments
# and returning the return code from mkuser.sys.custom
#
if [ -x /etc/security/mkuser.sys.custom ]
then
/etc/security/mkuser.sys.custom $*
exit $?
fi

#
# Create the named directory if it does not already exist
# and set the file ownership and permission
#
if [ ! -d $1 ]
then
last=$1

while [ 1 ]
do
dir=`dirname $last`

if [ -d $last ]
then
break
elif [ -d $dir ]
then
mkdir -p $1
chown -R bin:bin $last
chmod -R 755 $last
break
else
last=$dir
fi
done

chgrp "$3" $1
chown $2 $1
fi

#
# Copy the user's default .profile if it does not already
# exist and change the file ownership, etc.
#
if [ `basename $4` != "csh" ] && [ ! -f $1/.profile ]
then
cp /etc/security/.profile $1/.profile
chmod u+rwx,go-w $1/.profile
chgrp "$3" $1/.profile
chown $2 $1/.profile

else
if [ `basename $4` = "csh" ] && [ ! -f $1/.login ]
then
echo "#!/bin/csh" > "$1"/.login
echo "set path = ( /usr/bin /etc /usr/sbin /usr/ucb \$HOME/bin /usr/bin/X11 /sbin . )" >> "$1"/.login
echo "setenv MAIL \"/var/spool/mail/\$LOGNAME\"" >> "$1"/.login
echo "setenv MAILMSG \"[YOU HAVE NEW MAIL]\"" >> "$1"/.login
echo "if ( -f \"\$MAIL\" && ! -z \"\$MAIL\") then" >> "$1"/.login
echo " echo \"\$MAILMSG\"" >> "$1"/.login
echo "endif" >> "$1"/.login
chmod u+rwx,go-w $1/.login
chgrp "$3" $1/.login
chown $2 $1/.login
fi
fi

If the "cat" command shows the script as different than the content listed above, this is a finding.

Vulnerability Number

V-215181

Documentable

False

Rule Version

AIX7-00-001015

Severity Override Guidance

Use the "cat" command to show the content of "/etc/security/mkuser.sys" script:
# cat /etc/security/mkuser.sys

The cat command should display the following:
# This file is no longer user customizable. To have a customized mkuser.sys script
# create a file /etc/security/mkuser.sys.custom and the /etc/security/mkuser.sys
# will run this script instead of the original mkuser.sys script.

export PATH=/usr/bin:/usr/sbin:$PATH

#
# Check the number of arguments first
#
if [ $# -ne 4 ]
then
exit 1
fi

#
# If a customer mkuser.sys.custom script exists
# then execute it instead and exit passing all arguments
# and returning the return code from mkuser.sys.custom
#
if [ -x /etc/security/mkuser.sys.custom ]
then
/etc/security/mkuser.sys.custom $*
exit $?
fi

#
# Create the named directory if it does not already exist
# and set the file ownership and permission
#
if [ ! -d $1 ]
then
last=$1

while [ 1 ]
do
dir=`dirname $last`

if [ -d $last ]
then
break
elif [ -d $dir ]
then
mkdir -p $1
chown -R bin:bin $last
chmod -R 755 $last
break
else
last=$dir
fi
done

chgrp "$3" $1
chown $2 $1
fi

#
# Copy the user's default .profile if it does not already
# exist and change the file ownership, etc.
#
if [ `basename $4` != "csh" ] && [ ! -f $1/.profile ]
then
cp /etc/security/.profile $1/.profile
chmod u+rwx,go-w $1/.profile
chgrp "$3" $1/.profile
chown $2 $1/.profile

else
if [ `basename $4` = "csh" ] && [ ! -f $1/.login ]
then
echo "#!/bin/csh" > "$1"/.login
echo "set path = ( /usr/bin /etc /usr/sbin /usr/ucb \$HOME/bin /usr/bin/X11 /sbin . )" >> "$1"/.login
echo "setenv MAIL \"/var/spool/mail/\$LOGNAME\"" >> "$1"/.login
echo "setenv MAILMSG \"[YOU HAVE NEW MAIL]\"" >> "$1"/.login
echo "if ( -f \"\$MAIL\" && ! -z \"\$MAIL\") then" >> "$1"/.login
echo " echo \"\$MAILMSG\"" >> "$1"/.login
echo "endif" >> "$1"/.login
chmod u+rwx,go-w $1/.login
chgrp "$3" $1/.login
chown $2 $1/.login
fi
fi

If the "cat" command shows the script as different than the content listed above, this is a finding.

Check Content Reference

M

Target Key

4012

Comments