STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

DISA Rule

SV-215212r508663_rule

Vulnerability Number

V-215212

Group Title

SRG-OS-000031-GPOS-00012

Rule Version

AIX7-00-001101

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the command prompt, run the following script to set the default timeout parameters "dtsession*saverTimeout:" and "dtsession*lockTimeout:" as "15" minutes:

# AIX7-00-001101_Fix.sh

Note: This script is included in the STIG package.

Check Contents

If CDE (X11) is not used on AIX, this is Not Applicable.

Ensure that the screen saver and session timeout are not disabled.

From the command prompt, run the following script:

# AIX7-00-001101_Check.sh

Note: This script is included in the STIG package.

The above script should yield the following output:

Checking config file /etc/dt/config/C/sys.resources...
Missing config file /etc/dt/config/C/sys.resources

Checking config file /etc/dt/config/POSIX/sys.resources...
dtsession*saverTimeout: 15
dtsession*lockTimeout: 30

Checking config file /etc/dt/config/en_US/sys.resources...
dtsession*saverTimeout: 15
dtsession*lockTimeout: 25

If the result of the script shows any config file missing, or any of the "dtsession*saverTimeout" or "dtsession*lockTimeout" values is greater than "15", this is a finding.
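
The finding criteria above, written out as an added shell example. This is not the AIX7-00-001101_Check.sh script from the STIG package. The function name `audit_dt_resources` and the sample files are constructed here, and treating an unset key or a value of 0 as a finding is an assumption drawn from the "not disabled" line of the check.

```shell
#!/bin/sh
# Added example; not the STIG package's AIX7-00-001101_Check.sh.
MAX_MINUTES=15   # limit stated in the check text

# audit_dt_resources FILE...: print one line per finding, return 1 if any.
audit_dt_resources() {
    findings=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "FINDING: missing config file $f"
            findings=$((findings + 1))
            continue
        fi
        for key in saverTimeout lockTimeout; do
            # Last assignment wins; '!' comment lines never match the key.
            val=$(awk -F: -v k="dtsession*$key" '
                { n = $1; gsub(/[ \t]/, "", n)
                  if (n == k) { v = $2; gsub(/[ \t]/, "", v) } }
                END { print v }' "$f")
            case "$val" in
                ''|*[!0-9]*)   # assumption: unset or non-numeric is a finding
                    echo "FINDING: $f: dtsession*$key is not set to a number"
                    findings=$((findings + 1)) ;;
                *)             # assumption: 0 means the timeout is disabled
                    if [ "$val" -eq 0 ] || [ "$val" -gt "$MAX_MINUTES" ]; then
                        echo "FINDING: $f: dtsession*$key: $val"
                        findings=$((findings + 1))
                    fi ;;
            esac
        done
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the output shown on the page (not real system files).
demo=$(mktemp -d)
mkdir -p "$demo/POSIX" "$demo/en_US"
printf 'dtsession*saverTimeout: 15\ndtsession*lockTimeout: 30\n' > "$demo/POSIX/sys.resources"
printf 'dtsession*saverTimeout: 15\ndtsession*lockTimeout: 25\n' > "$demo/en_US/sys.resources"
audit_dt_resources "$demo/C/sys.resources" "$demo/POSIX/sys.resources" \
    "$demo/en_US/sys.resources" || echo "Result: this is a finding"
rm -rf "$demo"
```

Run against files matching the sample output above, it reports three findings: the missing C file and the lockTimeout values 30 and 25.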

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments