STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

If Bourne / ksh shell is used, AIX must display logout messages.

DISA Rule

SV-215310r508663_rule

Vulnerability Number

V-215310

Group Title

SRG-OS-000281-GPOS-00111

Rule Version

AIX7-00-002129

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Create the ".logout" file if it does not exist.

Add the following two lines to ".logout" to display a logout message and sleep for "5" seconds:
echo "You are being disconnected."
sleep 5

Create, or modify, ".profile" to include the following line:
trap '$HOME/.logout' EXIT

Check Contents

Verify users have a ".logout" file in their home directory:

# for home in `cut -d: -f6 /etc/passwd`; do ls -alL $home/.logout; done
-rwxr----- 1 root system 297 Jan 29 09:47 /root/.logout
-rwxr----- 1 doejohn staff 297 Jul 4 00:47 /home/doejohn/.logout

If an interactive user does not have their ".logout" file, this is a finding.

Verify that each ".logout" file identified above contains a logout message:

# cat <user_home_directory>/.logout
echo "You are being disconnected."
sleep 5

If the ".logout" file does not display a logout message, this is a finding.

Verify each user's ".profile" file calls "$HOME/.logout" when logging out:

# grep -F "trap '\$HOME/.logout' EXIT" <user_home_directory>/.profile
trap '$HOME/.logout' EXIT

If the ".profile" file does not call "$HOME/.logout", this is a finding.
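The Fix Recommendation and Check Contents above describe the three conditions an auditor has to confirm per account. The script below is an added example, not DISA's or STIGQter's own code: it checks each condition for one home directory and walks a passwd file (defaulting to /etc/passwd) over every account with an interactive login shell. It assumes the message text and trap line given in the Fix Recommendation.

```shell
#!/bin/sh
# Added example for AIX7-00-002129 (not part of the STIG text).

# Check one home directory. Prints a FINDING line for each failed condition
# and returns 1 if any condition failed, 0 if the account is compliant.
check_logout_config() {
    home="$1"
    rc=0
    if [ ! -f "$home/.logout" ]; then
        echo "FINDING: $home/.logout does not exist"
        rc=1
    elif ! grep -q '^[[:space:]]*echo ' "$home/.logout"; then
        echo "FINDING: $home/.logout displays no logout message"
        rc=1
    fi
    # Escaped $ so grep -F looks for the literal text $HOME in .profile;
    # the shell only expands it when the EXIT trap actually fires.
    if ! grep -Fq "trap '\$HOME/.logout' EXIT" "$home/.profile" 2>/dev/null; then
        echo "FINDING: $home/.profile does not trap EXIT to \$HOME/.logout"
        rc=1
    fi
    return $rc
}

# Walk a passwd file, skip accounts whose login shell is not interactive,
# and check every remaining home directory. Returns 0 only if all pass.
audit_interactive_users() {
    passwd_file="${1:-/etc/passwd}"
    findings=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in
            */false|*/nologin|*/true|"") continue ;;
        esac
        check_logout_config "$home" || findings=$((findings + 1))
    done < "$passwd_file"
    echo "accounts with findings: $findings"
    [ "$findings" -eq 0 ]
}
```

Run `audit_interactive_users` as root so every home directory is readable; a non-zero exit status means at least one account is a finding.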

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments