STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts.

DISA Rule

SV-215178r508663_rule

Vulnerability Number

V-215178

Group Title

SRG-OS-000109-GPOS-00056

Rule Version

AIX7-00-001011

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Direct login to shared or application accounts can be prevented by setting "rlogin=false" in the account's stanza of the "/etc/security/user" file.

From the command prompt, run the following command to set "rlogin=false" for a shared account:

# chuser rlogin=false [shared_account]

Check Contents

Obtain a list of Shared/Application/Default/Utility accounts from the ISSO/ISSM.

Shared/Application/Default/Utility accounts can have direct login disabled by setting the "rlogin" parameter to "false" in the user’s stanza of the "/etc/security/user" file.

From the command prompt, run the following command to check whether a shared account has "rlogin=true":

# lsuser -a rlogin [shared_account]
<shared_account> rlogin=true

If a shared account is configured for "rlogin=true", this is a finding.
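
The check above, run over the whole ISSO/ISSM account list against a copy of "/etc/security/user", as an added example that is not part of the STIG or of STIGQter. The function names, the account names "appsvc" and "batch", and the sample file are constructed for illustration; the script assumes an account with no "rlogin" line inherits the "default:" stanza, and that "true" applies when neither sets it.

```shell
#!/bin/sh
# effective_rlogin FILE ACCOUNT -> prints the account's rlogin value,
# falling back to the "default:" stanza, then to "true" (assumed built-in default).
effective_rlogin() {
    awk -v want="$2" '
        /^[ \t]*\*/ { next }                    # "*" starts a comment line
        /^[^ \t].*:[ \t]*$/ {                   # stanza header, e.g. "appsvc:"
            stanza = $0; sub(/:[ \t]*$/, "", stanza); next
        }
        /^[ \t]+rlogin[ \t]*=/ {                # attribute line inside a stanza
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            val[stanza] = v
        }
        END {
            if (want in val)           print val[want]
            else if ("default" in val) print val["default"]
            else                       print "true"
        }' "$1"
}

# rlogin_findings FILE ACCOUNT... -> one line per account that is a finding.
# Only an explicit "false" passes, matching the value the fix text sets.
rlogin_findings() {
    file=$1; shift
    for acct in "$@"; do
        v=$(effective_rlogin "$file" "$acct")
        [ "$v" = "false" ] || echo "$acct rlogin=$v"
    done
}

# Constructed sample in /etc/security/user stanza format (not from a real host).
sample_user_file() {
    cat <<'EOF'
* constructed sample
default:
    rlogin = true
    login = true

appsvc:
    rlogin = false

batch:
    login = false
EOF
}
```

Here "batch" is reported even though its stanza never mentions "rlogin", because it inherits "rlogin = true" from "default:"; a grep for "rlogin = true" under the account's own stanza would miss it.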

Documentable

False

Check Content Reference

M

Target Key

4012
