Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-215178 | AIX7-00-001011 | SV-215178r1009531_rule | CCI-004045 | medium |

Description

Shared accounts (accounts where two or more people log in with the same user identification) do not provide individual identification and authentication, so there is no way to provide non-repudiation or individual accountability.

| STIG | Date |
|---|---|
| IBM AIX 7.x Security Technical Implementation Guide | 2024-08-16 |
Details
Check Text (C-215178r1009531_chk)
Obtain a list of Shared/Application/Default/Utility accounts from the ISSO/ISSM.
Shared/Application/Default/Utility accounts can have direct login disabled by setting the "rlogin" parameter to "false" in the user's stanza of the "/etc/security/user" file.
From the command prompt, run the following command to check whether a shared account has "rlogin=true":
# lsuser -a rlogin [shared_account]
<shared_account> rlogin=true
If a shared account is configured for "rlogin=true", this is a finding.
Fix Text (F-16374r293986_fix)
Direct login to shared or application accounts can be prevented by setting "rlogin=false" in the account's stanza of the "/etc/security/user" file.
From the command prompt, run the following command to set "rlogin=false" for a shared account:
# chuser rlogin=false [shared_account]
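The check above is run once per account; an added example (not part of the STIG) that audits the whole ISSO/ISSM-supplied list in one pass. The parsing is separated from the AIX command so the parser can be exercised on constructed `lsuser -a rlogin` output; the accounts file name and the one-account-per-line layout are assumptions.

```shell
#!/bin/sh
# audit_rlogin: reads "lsuser -a rlogin <user>..." output on stdin, one
# "<user> rlogin=<value>" line per account (the format shown in the check text).
# Prints a FINDING line for every account still allowing direct login and
# returns non-zero if at least one finding exists, so it can gate a job.
audit_rlogin() {
    findings=0
    while read -r user attr; do
        case "$attr" in
            rlogin=true)
                printf 'FINDING: %s allows direct login; remediate with: chuser rlogin=false %s\n' "$user" "$user"
                findings=$((findings + 1)) ;;
            rlogin=false)
                printf 'ok: %s rlogin=false\n' "$user" ;;
            *)
                # Unknown user or unexpected attribute text: flag it rather than treat it as compliant
                printf 'WARN: unexpected output for %s: %s\n' "$user" "$attr" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# check_shared_accounts: wrapper for an AIX host. Takes the path of the
# ISSO/ISSM account list (assumed: one account name per line) and passes all
# accounts to a single lsuser invocation. Only the real lsuser command is used.
check_shared_accounts() {
    accounts_file="$1"
    xargs lsuser -a rlogin < "$accounts_file" | audit_rlogin
}
```

Example: `check_shared_accounts /etc/security/shared_accounts.txt` (assumed path) exits non-zero and lists the offending accounts when any of them still reports `rlogin=true`.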