Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-91427 | AIX7-00-001011 | SV-101525r1_rule | Medium |
Description |
---|
Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability. |
STIG | Date |
---|---|
IBM AIX 7.x Security Technical Implementation Guide | 2020-02-24 |
Check Text ( C-90581r3_chk ) |
---|
Obtain a list of Shared/Application/Default/Utility accounts from the ISSO/ISSM. Shared/Application/Default/Utility accounts can have direct login disabled by setting the "rlogin" parameter to "false" in the user’s stanza of the "/etc/security/user" file. From the command prompt, run the following command to check if shared account has "rlogin=true": # lsuser -a rlogin [shared_account] If a shared account is configured for "rlogin=true", this is a finding. |
Fix Text (F-97625r3_fix) |
---|
Direct login to shared or application accounts can be prevented by setting the "rlogin=false" in the accounts stanza of the "/etc/security/user" file. From the command prompt, run the following command to set "rlogin=false" for a shared account: # chuser rlogin=false [shared_account] |