
Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts.


Overview

Finding ID: V-215178
Version: AIX7-00-001011
Rule ID: SV-215178r508663_rule
IA Controls:
Severity: Medium
Description
Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability.
STIG: IBM AIX 7.x Security Technical Implementation Guide
Date: 2022-06-06

Details

Check Text (C-16376r293985_chk)
Obtain a list of Shared/Application/Default/Utility accounts from the ISSO/ISSM.

Shared/Application/Default/Utility accounts can have direct login disabled by setting the "rlogin" parameter to "false" in the user’s stanza of the "/etc/security/user" file.

From the command prompt, run the following command to check whether a shared account has "rlogin=true":

# lsuser -a rlogin [shared_account]
rlogin=true

If a shared account is configured for "rlogin=true", this is a finding.
Fix Text (F-16374r293986_fix)
Direct login to shared or application accounts can be prevented by setting "rlogin=false" in the account's stanza of the "/etc/security/user" file.

From the command prompt, run the following command to set "rlogin=false" for a shared account:

# chuser rlogin=false [shared_account]
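The following audit helper is an added example, not part of the STIG text or of AIX: it runs the lsuser check above over the ISSO-supplied account list, flags every account whose rlogin value is not "false", and optionally applies the chuser fix when FIX=1. It assumes the list arrives on stdin one account per line and that lsuser prints "<user> rlogin=<value>" as in the output shown above; the function names are ours.

```shell
#!/bin/sh
# Added audit helper for STIG V-215178 (not part of the STIG or AIX).
# Usage on an AIX host:  audit_accounts < shared_accounts.txt
#                        FIX=1 audit_accounts < shared_accounts.txt
# Assumption: lsuser prints "<user> rlogin=<value>" (or just "rlogin=<value>").

# classify_rlogin LINE -> prints PASS, FAIL or UNKNOWN for one lsuser line.
classify_rlogin() {
  value=$(printf '%s\n' "$1" | sed -n 's/.*rlogin=\([^ ]*\).*/\1/p')
  case "$value" in
    false) echo PASS ;;     # direct login disabled: compliant
    true)  echo FAIL ;;     # direct login allowed: this is a finding
    *)     echo UNKNOWN ;;  # attribute missing or output not understood
  esac
}

# audit_accounts < LIST -> one "STATUS account" line per account.
# Returns 1 if any account is a finding, 0 otherwise. Blank lines and
# lines starting with '#' in the list are skipped.
audit_accounts() {
  rc=0
  while IFS= read -r acct; do
    [ -z "$acct" ] && continue
    case "$acct" in \#*) continue ;; esac
    if out=$(lsuser -a rlogin "$acct" 2>/dev/null); then
      status=$(classify_rlogin "$out")
    else
      status=UNKNOWN        # lsuser failed, e.g. the account does not exist
    fi
    if [ "$status" = FAIL ]; then
      rc=1
      # Optional remediation: the STIG fix text, applied only when FIX=1.
      if [ "${FIX:-0}" = 1 ]; then chuser rlogin=false "$acct"; fi
    fi
    printf '%s %s\n' "$status" "$acct"
  done
  return $rc
}
```

Treat every UNKNOWN line as something to resolve by hand (typo in the list, deleted account, or output in an unexpected shape) rather than as a pass.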