All files and directories contained in users home directories on AIX must be group-owned by a group in which the home directory owner is a member.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-215278 | AIX7-00-002087 | SV-215278r991592_rule | CCI-000366 | medium |
| Description | ||||
| If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files. | ||||
| STIG | Date | |||
| IBM AIX 7.x Security Technical Implementation Guide | 2024-08-16 | |||
Details
Check Text (C-215278r991592_chk)
Check the contents of user home directories for files group-owned by a group of which the home directory's owner is not a member.
List the user accounts:
# cut -d : -f 1 /etc/passwd
root
daemon
bin
sys
adm
uucp
nobody
invscout
snapp
ipsec
srvproxy
esaadmin
sshd
doejohn
dirtjoe
For each user account, get a list of group names for files in the user's home directory:
# find < users home directory > -exec ls -lLd {} \;
Obtain the list of group names associated with the user's account:
# lsuser -a groups < user name >
doejohn groups=staff
Check the group name lists:
# cat /etc/group
system:!:0:root,srvproxy,esaadmin
staff:!:1:ipsec,srvproxy,esaadmin,sshd,doejohn
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
mail:!:6:
security:!:7:root
cron:!:8:root
audit:!:10:root
ecs:!:28:
nobody:!:4294967294:nobody,lpd
usr:!:100:dirtjoe
perf:!:20:
shutdown:!:21:
invscout:!:12:invscout
snapp:!:13:snapp
ipsec:!:200:
sshd:!:201:sshd
If there are group names in the file list not present in the user list, this is a finding.
Fix Text (F-16474r294286_fix)
Change the group of a file not group-owned by a group where the home directory's owner is a member using command:
# chgrp [user's primary group] [file with bad group ownership]