All shell files must not have extended ACLs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22366	GEN002230	SV-38744r1_rule	ECLP-1	Medium

Description
Shells with world/group write permissions give the ability to maliciously modify the shell to obtain unauthorized access.

STIG	Date
Draft AIX Security Technical Implementation Guide	2011-08-17

Details

Check Text ( C-37243r1_chk )
Check the permissions of each shell referenced in /etc/shells. Procedure: # cat /etc/shells For each shell listed, run aclget #aclget Check the permissions of each shell referenced in /etc/security/login.cfg. Procedure: #grep shells /etc/security/login.cfg For each shell listed, run aclget # aclget Otherwise, check any shells found on the system. # find / -name "*sh #aclget / If extended permissions are enabled on any shell, this is a finding.

Check Text ( C-37243r1_chk )

Check the permissions of each shell referenced in /etc/shells.
Procedure:
# cat /etc/shells

For each shell listed, run aclget
#aclget

Check the permissions of each shell referenced in /etc/security/login.cfg.
Procedure:
#grep shells /etc/security/login.cfg
For each shell listed, run aclget
# aclget

Otherwise, check any shells found on the system.
# find / -name "*sh

#aclget /

If extended permissions are enabled on any shell, this is a finding.

Fix Text (F-32458r1_fix)
Remove the extended ACL from the shell file(s) and disable extended permissions. #acledit /