Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
All files and directories contained in users home directories on AIX must be group-owned by a group in which the home directory owner is a member.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-215278 | AIX7-00-002087 | SV-215278r508663_rule | Medium |
| Description |
|---|
| If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files. |
| STIG | Date |
|---|---|
| IBM AIX 7.x Security Technical Implementation Guide | 2023-08-23 |
Details
| Check Text ( C-16476r294285_chk ) |
|---|
| Check the contents of user home directories for files group-owned by a group of which the home directory's owner is not a member. List the user accounts: # cut -d : -f 1 /etc/passwd root daemon bin sys adm uucp nobody invscout snapp ipsec srvproxy esaadmin sshd doejohn dirtjoe For each user account, get a list of group names for files in the user's home directory: # find < users home directory > -exec ls -lLd {} \; Obtain the list of group names associated with the user's account: # lsuser -a groups < user name > doejohn groups=staff Check the group name lists: # cat /etc/group system:!:0:root,srvproxy,esaadmin staff:!:1:ipsec,srvproxy,esaadmin,sshd,doejohn bin:!:2:root,bin sys:!:3:root,bin,sys adm:!:4:bin,adm mail:!:6: security:!:7:root cron:!:8:root audit:!:10:root ecs:!:28: nobody:!:4294967294:nobody,lpd usr:!:100:dirtjoe perf:!:20: shutdown:!:21: invscout:!:12:invscout snapp:!:13:snapp ipsec:!:200: sshd:!:201:sshd If there are group names in the file list not present in the user list, this is a finding. |
| Fix Text (F-16474r294286_fix) |
|---|
| Change the group of a file not group-owned by a group where the home directory's owner is a member using command: # chgrp [user's primary group] [file with bad group ownership] |