STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

All AIX users home directories must have mode 0750 or less permissive.

DISA Rule

SV-215331r508663_rule

Vulnerability Number

V-215331

Group Title

SRG-OS-000480-GPOS-00230

Rule Version

AIX7-00-003018

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Change the mode of interactive users' home directories to "0750" or less permissive using the following command:
# chmod 0750 <home directory>

Check Contents

Check the home directory mode of each interactive user in "/etc/passwd":

#cut -d : -f 6 /etc/passwd | xargs -n1 ls -ld | more
drwxr-xr-x 20 root system 4096 Jan 28 13:46 /
drwxr-xr-x 33 root system 8192 Jan 28 13:51 /etc
lrwxrwxrwx 1 bin bin 8 Jan 24 07:23 /bin -> /usr/bin
drwxrwxr-x 4 bin bin 256 Mar 23 2017 /usr/sys
drwxrwxr-x 15 root adm 4096 Jan 24 12:26 /var/adm
drwxr-xr-x 2 root sys 4096 Jan 24 08:43 /usr/lib/uucp
drwxr-xr-x 6 root system 4096 Jan 24 07:34 /var/adm/invscout
drwxr-xr-x 3 ipsec ipsec 256 Jan 24 08:43 /etc/ipsec
drwxr-xr-x 2 sshd system 256 Aug 11 2017 /home/srvproxy
drwxr-xr-x 8 esaadmin system 256 Jan 24 09:02 /var/esa
drwxr-x--- 2 doejohn staff 256 Jan 25 13:18 /home/doejohn

If an interactive user's home directory's mode is more permissive than "0750", this is a finding.

NOTE: Application directories are allowed and may need "0755" permissions (or greater) for correct operation.
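
The check above automated as an added shell example (not part of the STIG or of STIGQter): it walks a passwd-format file, skips accounts whose shell cannot log in (an assumed heuristic for "interactive"; adjust the list to site conventions), and reports home directories whose mode is more permissive than 0750. It parses ls -ld output rather than using stat, so the same function runs on AIX and on GNU systems.

```shell
#!/bin/sh
# find_permissive_homes [PASSWD_FILE]
# Prints "<user> <mode-string> <home>" for every interactive account whose
# home directory has any group-write or other read/write/execute bit set
# (i.e. is more permissive than 0750). Returns 1 if any finding was printed.
find_permissive_homes() {
    passwd_file=${1:-/etc/passwd}
    found=0
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        # Assumed heuristic: accounts with no login shell are not interactive.
        case "$shell" in
            ''|*/false|*/nologin|*/true) continue ;;
        esac
        # Skip accounts whose home directory does not exist.
        [ -d "$home" ] || continue
        # -L follows a symlinked home so the target's mode is checked, not the link's.
        # cut -c1-10 drops any trailing ACL/SELinux marker such as '+' or '.'.
        perms=$(ls -ldL "$home" | cut -c1-10)
        # Mode string positions (1-based): 6 = group write, 8-10 = other r/w/x.
        group_w=$(printf '%s' "$perms" | cut -c6)
        other=$(printf '%s' "$perms" | cut -c8-10)
        case "$group_w$other" in
            '----') ;;   # exactly 0750 or less permissive: compliant
            *) printf '%s %s %s\n' "$user" "$perms" "$home"; found=1 ;;
        esac
    done < "$passwd_file"
    return "$found"
}
```

Run it as root against /etc/passwd; directories listed in the NOTE above (application homes that legitimately need 0755) still appear and must be reviewed by hand.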

Documentable

False

Check Content Reference

M

Target Key

4012

Comments