STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

AIX must implement a way to force an identified temporary user to renew their password at next login.

DISA Rule

SV-215228r508663_rule

Vulnerability Number

V-215228

Group Title

SRG-OS-000380-GPOS-00165

Rule Version

AIX7-00-001131

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use the following command to force a temporary user (<tmp_user>) to change their password at next login:
# chsec -f /etc/security/passwd -s <tmp_user> -a "flags=ADMCHG"

Check Contents

To force a temporary user to renew their password at next login, admins can set the "flags" attribute of the user to contain the "ADMCHG" flag.

To check the "flags" attribute for a temporary user (<tmp_user>), use the following command:
# lsuser -a flags <tmp_user>

If the above command displays a "no" value for the "flags" attribute, or the value of the attribute does not contain "ADMCHG", this is a finding.
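
The check above can be applied to several temporary accounts at once. The following script is an added example, not part of the STIG text: it assumes `lsuser -a flags` prints one `name flags=VALUE` line per user with multiple flags separated by commas, the function names `has_admchg` and `audit_flags` are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: evaluate captured `lsuser -a flags <tmp_user>` output
# against the check above. Assumes one "name flags=VALUE" line per user,
# with multiple flags comma-separated (assumption about the output layout).

# has_admchg LINE -> returns 0 only if the flags value holds the ADMCHG token
has_admchg() {
    case "$1" in
        *flags=*) flags=${1#*flags=} ;;
        *) return 1 ;;                  # no flags attribute shown: finding
    esac
    flags=${flags%% *}                  # drop anything after the flags value
    old_ifs=$IFS
    IFS=,
    set -f                              # no globbing while splitting on commas
    for f in $flags; do
        if [ "$f" = "ADMCHG" ]; then
            IFS=$old_ifs; set +f
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1                            # empty value or ADMCHG absent: finding
}

# audit_flags: read lsuser output on stdin, print each user that is a finding
audit_flags() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        user=${line%% *}
        has_admchg "$line" || printf '%s\n' "$user"
    done
}

# Constructed sample output (not captured from a real system)
SAMPLE='tmpuser1 flags=ADMCHG
tmpuser2 flags=NOCHECK
tmpuser3 flags=ADMIN,ADMCHG
tmpuser4 flags='

findings=$(printf '%s\n' "$SAMPLE" | audit_flags)
printf 'Accounts that are a finding:\n%s\n' "$findings"
```

Each account the script lists needs the `chsec` command from the Fix Recommendation.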

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments