If LDAP authentication is required, AIX must set up the LDAP client to refresh user and group caches in less than a day.


Overview

Finding ID | Version | Rule ID | IA Controls | Severity
V-91547 | AIX7-00-001046 | SV-101645r1_rule | | Medium
Description
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
STIG | Date
IBM AIX 7.x Security Technical Implementation Guide | 2020-02-24

Details

Check Text ( C-90701r4_chk )
If LDAP authentication is not required, this is Not Applicable.

Check the "/etc/security/ldap/ldap.cfg" file to see whether either of the following two keywords has a value greater than "900" seconds:

# grep -i usercachetimeout /etc/security/ldap/ldap.cfg
usercachetimeout: 900

# grep -i groupcachetimeout /etc/security/ldap/ldap.cfg
groupcachetimeout: 900

If either of the above keywords does not exist, is commented out, or has a value greater than "900", this is a finding.
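
The check above can be scripted. The following is an added example, not part of the STIG: it treats a keyword as present only when it appears on an uncommented line, which a plain "grep -i" does not distinguish. The function names and the sample file contents are assumptions made for illustration, and the parser assumes "keyword: value" lines with "#" comments, as in the output shown above.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate the V-91547 check text.
MAX_TIMEOUT=900   # limit in seconds, taken from the check text

# Print the value of the last active "keyword: value" line, or nothing.
# $1 = keyword in lower case, $2 = path to ldap.cfg
ldap_cfg_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                      # commented out: ignore
        {
            pos = index($0, ":")
            if (pos == 0) next
            name = substr($0, 1, pos - 1)
            val  = substr($0, pos + 1)
            gsub(/[ \t]/, "", name)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (tolower(name) == key) found = val
        }
        END { if (found != "") print found }
    ' "$2"
}

# Return 0 when both keywords are set to 900 or less, 1 on a finding.
check_ldap_cache_timeouts() {
    cfg=$1
    status=0
    [ -r "$cfg" ] || { echo "FINDING: cannot read $cfg"; return 1; }
    for key in usercachetimeout groupcachetimeout; do
        val=$(ldap_cfg_value "$key" "$cfg")
        case $val in
            '')          echo "FINDING: $key missing or commented out"; status=1 ;;
            *[!0-9]*)    echo "FINDING: $key is not a number: '$val'"; status=1 ;;
            ??????????*) echo "FINDING: $key=$val exceeds $MAX_TIMEOUT"; status=1 ;;
            *)  if [ "$val" -gt "$MAX_TIMEOUT" ]; then
                    echo "FINDING: $key=$val exceeds $MAX_TIMEOUT"; status=1
                else
                    echo "OK: $key=$val"
                fi ;;
        esac
    done
    return $status
}

# Constructed sample input: one keyword commented out, one above the limit.
sample_cfg() {
    printf '%s\n' '#usercachetimeout: 900' 'GroupCacheTimeout: 86400'
}

# With a file argument, run the check against it; otherwise only define functions.
[ $# -eq 0 ] || check_ldap_cache_timeouts "$1"
```

Run it with the configuration path as the only argument; the exit status is non-zero when the result is a finding.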
Fix Text (F-97745r1_fix)
Edit the "/etc/security/ldap/ldap.cfg" file to set the following two keywords to a value of "900":
usercachetimeout
groupcachetimeout

Restart the LDAP client using the command:
# /usr/sbin/restart-secldapclntd