STIGQter STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

All AIX shells referenced in passwd file must be listed in /etc/shells file, except any shells specified for the purpose of preventing logins.

DISA Rule

SV-215288r508663_rule

Vulnerability Number

V-215288

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AIX7-00-002103

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use the "chsh" utility or edit the "/etc/passwd" file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the "/etc/shells file".

Alternatively, use the SMIT to change the "/etc/passwd" shell entry.

Check Contents

Confirm the login shells referenced in the "/etc/passwd" file are listed in the "/etc/security/login.cfg" file's "shells =variable" in the usw stanza by running commands:

# more /etc/security/login.cfg | grep shells | grep -v '*'
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh

# more /etc/shells
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/psh
/usr/bin/tsh
/usr/bin/bsh

The "/usr/bin/false", "/bin/false", "/dev/null", "/sbin/nologin" (and equivalents), and "sdshell" will be considered valid shells for use in the "/etc/passwd" file, but will not be listed in the shells stanza.
If a shell referenced in "/etc/passwd" is not listed in the shells stanza, excluding the above mentioned shells, this is a finding.

Vulnerability Number

V-215288

Documentable

False

Rule Version

AIX7-00-002103

Severity Override Guidance

Confirm the login shells referenced in the "/etc/passwd" file are listed in the "/etc/security/login.cfg" file's "shells =variable" in the usw stanza by running commands:

# more /etc/security/login.cfg | grep shells | grep -v '*'
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh

# more /etc/shells
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/psh
/usr/bin/tsh
/usr/bin/bsh

The "/usr/bin/false", "/bin/false", "/dev/null", "/sbin/nologin" (and equivalents), and "sdshell" will be considered valid shells for use in the "/etc/passwd" file, but will not be listed in the shells stanza.
If a shell referenced in "/etc/passwd" is not listed in the shells stanza, excluding the above mentioned shells, this is a finding.

Check Content Reference

M

Target Key

4012

Comments