UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The /etc/shells file must exist on AIX systems.


Overview

Finding ID Version Rule ID IA Controls Severity
V-215408 AIX7-00-003110 SV-215408r508663_rule Medium
Description
The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized unsecure shell.
STIG Date
IBM AIX 7.x Security Technical Implementation Guide 2020-09-11

Details

Check Text ( C-16606r294675_chk )
AIX ships the following shells that should be considered as "approved" shells:

/bin/sh
/bin/bsh
/bin/csh
/bin/ksh
/bin/tsh
/bin/ksh93
/usr/bin/sh
/usr/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/ksh93
/usr/bin/rksh
/usr/bin/rksh93
/usr/sbin/uucp/uucico
/usr/sbin/sliplogin
/usr/sbin/snappd

ISSO/SA may install other shells. Ask ISSO/SA for other approved shells other than the shells shipped by AIX.

Check if file "/etc/shells" exists by running:

# ls -la /etc/shells
rw-r--r-- 1 bin bin 111 Jun 01 2015 /etc/shells

If "/etc/shells" file does not exist, this is a finding.

Verify that "/etc/shells" only contains approved shells:

# cat /etc/shells
/bin/csh
/bin/ksh
/bin/psh
/bin/tsh
/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/bsh

If "/etc/shells" file contains a non-approved shell, this is a finding.

Check "/etc/security/login.cfg" for the shells attribute value of "usw:" stanza:

# lssec -f /etc/security/login.cfg -s usw -a shells
usw shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd

If the shells attribute value does not exist or is empty, this is a finding.
If the returned shells attribute value contains a shell that is not defined in "/etc/shells" file, this is a finding.
If the returned shells attribute value contains a non-approved shell, this is a finding.
Fix Text (F-16604r294676_fix)
Run the following command to set shells attribute for stanza usw in "/etc/security/login.cfg":
# chsec -f /etc/security/login.cfg -s usw -a shells=

Create the "/etc/shells" file and add all approved shells there, one shell per line:
# vi /etc/shells

Change the ownership and mode-bit of "/etc/shells":
# chown bin.bin /etc/shells
# chmod 644 /etc/shells