UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-91665	AIX7-00-001036	SV-101763r1_rule		Medium

Description
Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, possibly leading to the user having permissions to modify system files.

STIG	Date
IBM AIX 7.x Security Technical Implementation Guide	2020-02-24

Details

Check Text ( C-90819r3_chk )
Check the UID assignments of all accounts using: # more /etc/passwd root:!:0:0::/root:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: nobody:!:4294967294:4294967294::/: invscout::6:12::/var/adm/invscout:/usr/bin/ksh srvproxy::203:0:Service Proxy Daemon:/home/srvproxy:/usr/bin/ksh esaadmin::7:0::/var/esa:/usr/bin/ksh sshd::212:203::/var/empty:/usr/bin/ksh doej:*:704:1776::/home/doej:/usr/bin/ksh Confirm all accounts with a UID of 128 and below are used by a system account. If a UID reserved for system accounts (0-128) is used by a non-system account, this is a finding.

Check Text ( C-90819r3_chk )

Check the UID assignments of all accounts using:

# more /etc/passwd
root:!:0:0::/root:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
nobody:!:4294967294:4294967294::/:
invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
srvproxy:*:203:0:Service Proxy Daemon:/home/srvproxy:/usr/bin/ksh
esaadmin:*:7:0::/var/esa:/usr/bin/ksh
sshd:*:212:203::/var/empty:/usr/bin/ksh
doej:*:704:1776::/home/doej:/usr/bin/ksh

Confirm all accounts with a UID of 128 and below are used by a system account.

If a UID reserved for system accounts (0-128) is used by a non-system account, this is a finding.

Fix Text (F-97863r1_fix)
Using the "usermod" command, change the UID numbers for non-system accounts with reserved UIDs (those less or equal to 128): # usermod -u [user_name]