AIX must protect the confidentiality and integrity of all information at rest.


Overview

Finding ID: V-91449
Version: AIX7-00-001048
Rule ID: SV-101547r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.
STIG: IBM AIX 7.x Security Technical Implementation Guide
Date: 2020-02-24

Details

Check Text ( C-90603r3_chk )
If the organization does not require encryption of data at rest, this is Not Applicable.

Check if the "clic.rte" fileset is installed:
# lslpp -l |grep clic

The above command should yield the following output:
clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel
clic.rte.lib 4.10.0.1 COMMITTED CryptoLite for C Library
clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel

If the "clic.rte" fileset is not installed, this is a finding.

To check if a JFS2 file system (mounted as /fs2_mnt) is EFS-enabled, use the following command:

# lsfs -q /fs2_mnt

Name Nodename Mount Pt VFS Size Options Auto Accounting
/dev/fslv00 -- /fs2_mnt jfs2 262144 -- no no
(lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: no, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no)

If the above command shows "EFS: no", this is a finding.
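
As an added example (not part of the STIG text), the shell functions below apply the two checks above to captured command output. The function names are hypothetical, the /fs2 sample entry is constructed, and requiring both clic.rte.kernext and clic.rte.lib is an assumption based on the expected output shown above.

```shell
#!/bin/sh
# Added example: evaluate captured `lslpp -l` and `lsfs -q` output for this check.

# Sample lslpp output, copied from the check text.
LSLPP_SAMPLE='clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel
clic.rte.lib 4.10.0.1 COMMITTED CryptoLite for C Library
clic.rte.kernext 4.10.0.1 COMMITTED CryptoLite for C Kernel'

# Sample lsfs -q output: /fs2_mnt is from the check text; /fs2 is constructed
# here to show what an EFS-enabled file system looks like.
LSFS_SAMPLE='Name Nodename Mount Pt VFS Size Options Auto Accounting
/dev/fslv00 -- /fs2_mnt jfs2 262144 -- no no
(lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: no, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no)
/dev/fslv01 -- /fs2 jfs2 204800 -- no no
(lv size: 204800, fs size: 204800, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: yes, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no)'

# Reads `lslpp -l` output on stdin. Succeeds only if both clic.rte.kernext and
# clic.rte.lib are listed (assumption: both parts shown in the check are required).
clic_installed() {
    awk '$1 == "clic.rte.kernext" { k = 1 }
         $1 == "clic.rte.lib"     { l = 1 }
         END { exit !(k && l) }'
}

# Reads `lsfs -q` output on stdin. Prints "<mount point> EFS=<state>" for every
# JFS2 file system whose attribute line does not report "EFS: yes".
efs_findings() {
    awk '
        $1 ~ /^\/dev\// { mnt = $3; vfs = $4; next }
        /^[ \t]*\(/ && vfs == "jfs2" {
            state = "unknown"
            if (match($0, /EFS: [a-z]+/))
                state = substr($0, RSTART + 5, RLENGTH - 5)
            if (state != "yes") print mnt, "EFS=" state
            vfs = ""
        }'
}

if printf '%s\n' "$LSLPP_SAMPLE" | clic_installed; then
    echo "clic.rte: installed"
else
    echo "clic.rte: FINDING (fileset missing)"
fi
printf '%s\n' "$LSFS_SAMPLE" | efs_findings
```

On a live AIX host, pipe the real output in place of the samples: `lslpp -l | clic_installed` and `lsfs -q | efs_findings`.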
Fix Text (F-97647r2_fix)
If the "clic.rte" fileset is not installed, install it using the following command:
# installp -aXYqg -d /dev/cd0 clic.rte

Run the following command to initialize and enable EFS on the system:
# efsenable -a

To create a new EFS-enabled JFS2 file system and mount it, use the following commands:
# crfs -v jfs2 -g rootvg -m /fs2 -a size=100M -a efs=yes
# mount /fs2

To enable EFS on an existing JFS2 file system (for example, /fs3), run the following command:
# chfs -a efs=yes /fs3