STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required.

DISA Rule

SV-215283r508663_rule

Vulnerability Number

V-215283

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AIX7-00-002096

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-002475 - The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.
• CCI-002476 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

Weight

10

Fix Recommendation

Install "clic.rte" filesets from AIX DVD Volume 1 using the following commands (assuming that the DVD device is /dev/cd0):
# installp -aXYgd /dev/cd0 -e /tmp/install.log clic.rte.lib
# installp -aXYgd /dev/cd0 -e /tmp/install.log clic.rte.kernext

Run the follow command to initialize and enable EFS on the system:
# efsenable -a

To create a new EFS-enabled JFS2 file system and mount the file system, using the following commands:
# crfs -v jfs2 -g rootvg -m /fs2 -a size=100M -a efs=yes
# mount /fs2

To enable EFS on a JFS2 file system (like, /fs3), run the following command:
chfs -a efs=yes /fs3

Check Contents

If the organization does not require to encrypt the data at rest, this is Not Applicable.

Check if "clic.rte" fileset is installed:
# lslpp -l |grep clic

The above command should yield the following output:
clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel
clic.rte.lib 4.10.0.1 COMMITTED CryptoLite for C Library
clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel

If the "clic.rte.lib", or the "clic.rte.kernext", fileset is not installed, this is a finding.

To check if a JFS2 file system (mounted as /fs2_mnt) is EFS-enabled, use the following command:
# lsfs -q /fs2_mnt

Name Nodename Mount Pt VFS Size Options Auto Accounting
/dev/fslv00 -- /fs2_mnt jfs2 262144 -- no no
(lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: no, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no)

If the above command shows "EFS: no", this is a finding.

Vulnerability Number

V-215283

Documentable

False

Rule Version

AIX7-00-002096

Severity Override Guidance

If the organization does not require to encrypt the data at rest, this is Not Applicable.

Check if "clic.rte" fileset is installed:
# lslpp -l |grep clic

The above command should yield the following output:
clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel
clic.rte.lib 4.10.0.1 COMMITTED CryptoLite for C Library
clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel

If the "clic.rte.lib", or the "clic.rte.kernext", fileset is not installed, this is a finding.

To check if a JFS2 file system (mounted as /fs2_mnt) is EFS-enabled, use the following command:
# lsfs -q /fs2_mnt

Name Nodename Mount Pt VFS Size Options Auto Accounting
/dev/fslv00 -- /fs2_mnt jfs2 262144 -- no no
(lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: no, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no)

If the above command shows "EFS: no", this is a finding.

Check Content Reference

M

Target Key

4012

Comments