STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

AIX must automatically lock after 15 minutes of inactivity in the CDE Graphical desktop environment.

DISA Rule

SV-215318r508663_rule

Vulnerability Number

V-215318

Group Title

SRG-OS-000029-GPOS-00010

Rule Version

AIX7-00-003000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the command prompt, run the following script to set the default timeout parameters "dtsession*saverTimeout:" and "dtsession*lockTimeout:" to "15" minutes:
for file in /usr/dt/config/*/sys.resources; do
    # Map /usr/dt/config/<locale>/sys.resources to its /etc/dt/config override
    etc_file=`echo "$file" | sed -e s/usr/etc/`
    echo "\nupdating config file $etc_file..."
    if [[ ! -f "$etc_file" ]]; then
        # No override file yet: create the directory and write both settings
        dir=`dirname "$file" | sed -e s/usr/etc/`
        mkdir -p "$dir"
        echo 'dtsession*saverTimeout: 15' >> "$dir/sys.resources"
        echo 'dtsession*lockTimeout: 15' >> "$dir/sys.resources"
    else
        # Back up the file, strip existing timeout lines, then append the required values
        cp "$etc_file" "$etc_file.bak"
        cat "$etc_file" | grep -v 'dtsession\*saverTimeout:' > "$etc_file.sav"
        cat "$etc_file.sav" | grep -v 'dtsession\*lockTimeout:' > "$etc_file"
        echo 'dtsession*saverTimeout: 15' >> "$etc_file"
        echo 'dtsession*lockTimeout: 15' >> "$etc_file"
    fi
done

Check Contents

If CDE (X11) is not used on AIX, this is Not Applicable.

From the command prompt, run the following script:
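for file in /usr/dt/config/*/sys.resources; do
    # Map /usr/dt/config/<locale>/sys.resources to its /etc/dt/config override
    etc_file=`echo "$file" | sed -e s/usr/etc/`
    echo "\nChecking config file $etc_file..."
    if [[ ! -f "$etc_file" ]]; then
        echo "Missing config file $etc_file"
    else
        # Print the current timeout settings for manual comparison against 15
        cat "$etc_file" | grep 'dtsession\*saverTimeout:'
        cat "$etc_file" | grep 'dtsession\*lockTimeout:'
    fi
done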

The above script should yield the following output:
Checking config file /etc/dt/config/C/sys.resources...
Missing config file /etc/dt/config/C/sys.resources

Checking config file /etc/dt/config/POSIX/sys.resources...
dtsession*saverTimeout: 15
dtsession*lockTimeout: 30

Checking config file /etc/dt/config/en_US/sys.resources...
dtsession*saverTimeout: 15
dtsession*lockTimeout: 25

If the result of the script shows any config file missing, or any of the "dtsession*saverTimeout" or "dtsession*lockTimeout" values are greater than "15", this is a finding.
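
The finding criteria above can be evaluated automatically instead of being read off the grep output. The following script is an added example, not part of the STIG text: the function names audit_dt_timeouts and make_sample, the FINDING output format and the temporary sample tree are assumptions, and treating an absent or non-numeric setting as a finding is stricter than the criteria stated on this page.

```shell
#!/bin/sh
# Added example: flag missing override files and timeouts above 15 minutes.
MAX_MINUTES=15

# audit_dt_timeouts [usr_root] [etc_root]; roots default to the page's paths.
# Prints one FINDING line per problem; returns 0 only when there are none.
audit_dt_timeouts() {
    usr_root=${1:-/usr/dt/config}
    etc_root=${2:-/etc/dt/config}
    findings=0
    for file in "$usr_root"/*/sys.resources; do
        [ -f "$file" ] || continue      # glob matched nothing (no CDE files)
        locale=$(basename "$(dirname "$file")")
        etc_file="$etc_root/$locale/sys.resources"
        if [ ! -f "$etc_file" ]; then
            echo "FINDING $etc_file: missing config file"
            findings=$((findings + 1))
            continue
        fi
        for key in saverTimeout lockTimeout; do
            # Collect the value of every uncommented line that sets this key.
            values=$(sed -n "s/^[[:space:]]*dtsession\*$key:[[:space:]]*//p" "$etc_file")
            # Assumption: an unset key is reported, although the page only
            # names missing files and values greater than 15.
            [ -n "$values" ] || values=unset
            for value in $values; do
                case $value in
                    *[!0-9]*) bad="is not a number ($value)" ;;
                    *) [ "$value" -gt "$MAX_MINUTES" ] || continue
                       bad="is $value (> $MAX_MINUTES)" ;;
                esac
                echo "FINDING $etc_file: dtsession*$key $bad"
                findings=$((findings + 1))
            done
        done
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample tree mirroring the sample output shown on this page.
make_sample() {
    for l in C POSIX en_US; do mkdir -p "$1/usr/$l" && : > "$1/usr/$l/sys.resources"; done
    mkdir -p "$1/etc/POSIX" "$1/etc/en_US"
    printf 'dtsession*saverTimeout: 15\ndtsession*lockTimeout: 30\n' > "$1/etc/POSIX/sys.resources"
    printf 'dtsession*saverTimeout: 15\ndtsession*lockTimeout: 25\n' > "$1/etc/en_US/sys.resources"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_dt_timeouts "$tmp/usr" "$tmp/etc" || echo "RESULT: finding"
rm -rf "$tmp"
```

On a live system, call audit_dt_timeouts with no arguments and use its exit status in a compliance job.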

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments