UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

All files and directories contained in users home directories on AIX must be group-owned by a group in which the home directory owner is a member.


Overview

Finding ID Version Rule ID IA Controls Severity
V-215278 AIX7-00-002087 SV-215278r508663_rule Medium
Description
If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.
STIG Date
IBM AIX 7.x Security Technical Implementation Guide 2023-05-17

Details

Check Text ( C-16476r294285_chk )
Check the contents of user home directories for files group-owned by a group of which the home directory's owner is not a member.

List the user accounts:

# cut -d : -f 1 /etc/passwd
root
daemon
bin
sys
adm
uucp
nobody
invscout
snapp
ipsec
srvproxy
esaadmin
sshd
doejohn
dirtjoe

For each user account, get a list of group names for files in the user's home directory:

# find < users home directory > -exec ls -lLd {} \;

Obtain the list of group names associated with the user's account:

# lsuser -a groups < user name >
doejohn groups=staff

Check the group name lists:

# cat /etc/group
system:!:0:root,srvproxy,esaadmin
staff:!:1:ipsec,srvproxy,esaadmin,sshd,doejohn
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
mail:!:6:
security:!:7:root
cron:!:8:root
audit:!:10:root
ecs:!:28:
nobody:!:4294967294:nobody,lpd
usr:!:100:dirtjoe
perf:!:20:
shutdown:!:21:
invscout:!:12:invscout
snapp:!:13:snapp
ipsec:!:200:
sshd:!:201:sshd

If there are group names in the file list not present in the user list, this is a finding.
Fix Text (F-16474r294286_fix)
Change the group of a file not group-owned by a group where the home directory's owner is a member using command:
# chgrp [user's primary group] [file with bad group ownership]