STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

All files and directories contained in users' home directories on AIX must be group-owned by a group in which the home directory owner is a member.

DISA Rule

SV-215278r508663_rule

Vulnerability Number

V-215278

Group Title

SRG-OS-000480-GPOS-00230

Rule Version

AIX7-00-002087

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Change the group of any file that is group-owned by a group in which the home directory's owner is not a member, using the command:
# chgrp [user's primary group] [file with bad group ownership]

Check Contents

Check the contents of user home directories for files group-owned by a group of which the home directory's owner is not a member.

List the user accounts:

# cut -d : -f 1 /etc/passwd
root
daemon
bin
sys
adm
uucp
nobody
invscout
snapp
ipsec
srvproxy
esaadmin
sshd
doejohn
dirtjoe

For each user account, get a list of group names for files in the user's home directory:

# find < user's home directory > -exec ls -lLd {} \;

Obtain the list of group names associated with the user's account:

# lsuser -a groups < user name >
doejohn groups=staff

Check the group name lists:

# cat /etc/group
system:!:0:root,srvproxy,esaadmin
staff:!:1:ipsec,srvproxy,esaadmin,sshd,doejohn
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
mail:!:6:
security:!:7:root
cron:!:8:root
audit:!:10:root
ecs:!:28:
nobody:!:4294967294:nobody,lpd
usr:!:100:dirtjoe
perf:!:20:
shutdown:!:21:
invscout:!:12:invscout
snapp:!:13:snapp
ipsec:!:200:
sshd:!:201:sshd

If the file list contains any group name that is not in the user's group list, this is a finding.
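The check above is written as a manual procedure. The script below is an added example, not part of the STIG or of STIGQter, that performs the same comparison offline: it parses the output format of `find ... -exec ls -lLd {} \;` and of `lsuser -a groups`, and reports every entry whose group is not one the user belongs to. The function name `check_home_groups` and all sample data (the two users' listings and group lines) are constructed for this example; on a real AIX host the listing and group line would come from the `find` and `lsuser` commands shown in the check. It also assumes, as the page's `doejohn groups=staff` sample suggests, that `lsuser -a groups` lists every group the user belongs to, primary group included.

```shell
#!/bin/sh
# Added example, not part of the STIG or of STIGQter: an offline version of the
# AIX7-00-002087 check. On a real AIX host the two inputs come from
#   find "<home dir>" -exec ls -lLd {} \;     and     lsuser -a groups <user>
# Here both are CONSTRUCTED sample data so the script runs on any POSIX sh.
# Assumption: 'lsuser -a groups' lists every group the user belongs to,
# primary group included, as in the page's "doejohn groups=staff" sample.

# check_home_groups USER LISTING GROUPS_LINE
#   LISTING     text in the format produced by 'ls -lLd' (one entry per line)
#   GROUPS_LINE text in the format produced by 'lsuser -a groups USER'
# Prints one FINDING line per entry whose group the user is not a member of
# and returns the number of such entries (0 means no finding).
check_home_groups() {
    user=$1
    listing=$2
    groups_line=$3

    # "doejohn groups=staff,usr" -> ",staff,usr," so each name matches exactly
    allowed=",$(printf '%s\n' "$groups_line" | sed -n 's/^[^ ]* groups=//p' | tr -d ' '),"

    findings=0
    # 'ls -l' fields: mode links owner group size month day time name...
    # (the name may contain spaces, so it is rebuilt from field 9 onwards)
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        group=$(printf '%s\n' "$entry" | awk '{print $4}')
        name=$(printf '%s\n' "$entry" | awk '{s=$9; for (i=10;i<=NF;i++) s=s " " $i; print s}')
        case "$allowed" in
            *",$group,"*) ;;   # group-owned by a group the user belongs to
            *)
                printf 'FINDING: %s: %s is group-owned by %s, user groups: %s\n' \
                    "$user" "$name" "$group" "$groups_line"
                findings=$((findings + 1)) ;;
        esac
    done <<EOF
$listing
EOF
    return "$findings"
}

# --- constructed sample data (not captured from a real host) ---
DOEJOHN_GROUPS='doejohn groups=staff'
DOEJOHN_HOME='drwxr-xr-x    2 doejohn  staff           256 Apr 23 10:00 /home/doejohn
-rw-r--r--    1 doejohn  staff          1024 Apr 23 10:01 /home/doejohn/.profile
-rw-r-----    1 doejohn  usr             512 Apr 23 10:02 /home/doejohn/my notes.txt'

DIRTJOE_GROUPS='dirtjoe groups=usr'
DIRTJOE_HOME='drwxr-xr-x    2 dirtjoe  usr             256 Apr 23 10:00 /home/dirtjoe
-rw-r--r--    1 dirtjoe  usr            1024 Apr 23 10:01 /home/dirtjoe/.profile'

# Run the check over both sample users. On AIX this would be a loop over
# 'cut -d : -f 1 /etc/passwd', calling find and lsuser for each account.
check_home_groups doejohn "$DOEJOHN_HOME" "$DOEJOHN_GROUPS" || echo "doejohn: $? finding(s)"
check_home_groups dirtjoe "$DIRTJOE_HOME" "$DIRTJOE_GROUPS" && echo "dirtjoe: no finding"
```

With the sample data, `doejohn` produces one finding (`my notes.txt` is group-owned by `usr`, and doejohn is only in `staff`), while `dirtjoe` produces none. The group list is wrapped in commas before matching so that a group such as `usr` cannot be matched by a substring of a longer group name. For the remediation in the Fix Recommendation, the user's primary group on AIX can be read with `lsuser -a pgrp <user>`.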

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments