SV-215408r508663_rule
V-215408
SRG-OS-000480-GPOS-00227
AIX7-00-003110
CAT II
10
Run the following command to set the shells attribute of the usw stanza in "/etc/security/login.cfg":
# chsec -f /etc/security/login.cfg -s usw -a shells=<list of approved shells separated by comma>
Create the "/etc/shells" file and add all approved shells there, one shell per line:
# vi /etc/shells
Change the ownership and mode bits of "/etc/shells":
# chown bin.bin /etc/shells
# chmod 644 /etc/shells
AIX ships the following shells, which should be considered "approved" shells:
/bin/sh
/bin/bsh
/bin/csh
/bin/ksh
/bin/tsh
/bin/ksh93
/usr/bin/sh
/usr/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/ksh93
/usr/bin/rksh
/usr/bin/rksh93
/usr/sbin/uucp/uucico
/usr/sbin/sliplogin
/usr/sbin/snappd
The ISSO/SA may install other shells. Ask the ISSO/SA for any approved shells beyond those shipped with AIX.
Check whether the "/etc/shells" file exists by running:
# ls -la /etc/shells
rw-r--r-- 1 bin bin 111 Jun 01 2015 /etc/shells
If "/etc/shells" file does not exist, this is a finding.
Verify that "/etc/shells" only contains approved shells:
# cat /etc/shells
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/bsh
If "/etc/shells" file contains a non-approved shell, this is a finding.
Check "/etc/security/login.cfg" for the shells attribute value of the "usw:" stanza:
# lssec -f /etc/security/login.cfg -s usw -a shells
usw shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
If the shells attribute value does not exist or is empty, this is a finding.
If the returned shells attribute value contains a shell that is not defined in "/etc/shells" file, this is a finding.
If the returned shells attribute value contains a non-approved shell, this is a finding.
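The three finding conditions above, as an added example that is not part of the STIG text: a POSIX sh function that applies them offline. It does not call lssec or read the real /etc/shells; the attribute line and the file contents are passed in as constructed strings, and the approved list is the one given in this rule.

```shell
#!/bin/sh
# Added example: evaluates the V-215408 check logic against constructed
# inputs so it runs anywhere. Callers pass the "usw shells=..." line that
# lssec would print and the contents of /etc/shells as a string.

# Shells shipped with AIX that the rule treats as approved.
APPROVED="/bin/sh /bin/bsh /bin/csh /bin/ksh /bin/tsh /bin/ksh93
/usr/bin/sh /usr/bin/bsh /usr/bin/csh /usr/bin/ksh /usr/bin/tsh /usr/bin/ksh93
/usr/bin/rksh /usr/bin/rksh93 /usr/sbin/uucp/uucico /usr/sbin/sliplogin /usr/sbin/snappd"

# in_list WORD "LIST": succeed when WORD is one of the whitespace-separated items.
in_list() {
    for _w in $2; do
        [ "$_w" = "$1" ] && return 0
    done
    return 1
}

# check_shells "usw shells=a,b,c" "<newline-separated /etc/shells content>"
# Prints one "FINDING: ..." line per problem; the return code is the finding count.
check_shells() {
    _attr=${1#*shells=}            # strip the "usw shells=" prefix lssec prints
    _n=0
    if [ -z "$_attr" ]; then
        echo "FINDING: shells attribute missing or empty"
        return 1
    fi
    # Drop blank lines so a trailing newline in the file content is harmless.
    _etc_words=$(printf '%s\n' "$2" | grep -v '^[[:space:]]*$')
    for _s in $(printf '%s\n' "$_attr" | tr ',' ' '); do
        in_list "$_s" "$_etc_words" || { echo "FINDING: $_s in login.cfg but not in /etc/shells"; _n=$((_n+1)); }
        in_list "$_s" "$APPROVED"   || { echo "FINDING: $_s in login.cfg is not approved"; _n=$((_n+1)); }
    done
    for _s in $_etc_words; do
        in_list "$_s" "$APPROVED"   || { echo "FINDING: $_s in /etc/shells is not approved"; _n=$((_n+1)); }
    done
    return $_n
}
```

Run against the sample /etc/shells shown in the check text, the function flags /bin/psh, which is not in the approved list.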
V-215408
False
AIX7-00-003110
M
4012