STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

If LDAP authentication is required, AIX must setup LDAP client to refresh user and group caches less than a day.

DISA Rule

SV-215205r508663_rule

Vulnerability Number

V-215205

Group Title

SRG-OS-000383-GPOS-00166

Rule Version

AIX7-00-001046

Severity

CAT II

CCI(s)

• CCI-002007 - The information system prohibits the use of cached authenticators after an organization-defined time period.

Weight

10

Fix Recommendation

Edit the "/etc/security/ldap/ldap.cfg" file to set the following two keywords to have value of "900":
usercachetimeout
groupcachetimeout

Restart LDAP client using command:
# /usr/sbin/restart-secldapclntd

Check Contents

If LDAP authentication is not required, this is Not Applicable.

Verify the "/etc/security/ldap/ldap.cfg" file to see if the following two keywords have a value that is greater than "900" seconds:

# grep -i usercachetimeout /etc/security/ldap/ldap.cfg
usercachetimeout: 900

# grep -i groupcachetimeout /etc/security/ldap/ldap.cfg
groupcachetimeout: 900

If any of the above keywords does not exist, is commented out, or any value of the above keywords are greater than "900", this is a finding.

Vulnerability Number

V-215205

Documentable

False

Rule Version

AIX7-00-001046

Severity Override Guidance

If LDAP authentication is not required, this is Not Applicable.

Verify the "/etc/security/ldap/ldap.cfg" file to see if the following two keywords have a value that is greater than "900" seconds:

# grep -i usercachetimeout /etc/security/ldap/ldap.cfg
usercachetimeout: 900

# grep -i groupcachetimeout /etc/security/ldap/ldap.cfg
groupcachetimeout: 900

If any of the above keywords does not exist, is commented out, or any value of the above keywords are greater than "900", this is a finding.

Check Content Reference

M

Target Key

4012

Comments