OpenControls Logo

STIG Viewer

The AIX operating system must be configured to use Multi Factor Authentication for remote connections.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-215438AIX7-00-003202SV-215438r991589_ruleCCI-000366medium
Description
To assure accountability and prevent unauthenticated access, privileged and non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1. Something you know (e.g., password/PIN); 2. Something you have (e.g., cryptographic identification device, token); and 3. Something you are (e.g., biometric). The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
STIGDate
IBM AIX 7.x Security Technical Implementation Guide2024-08-16

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
CM-6
1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
  • DISA · 3 · disa_xccdf · related

Details

Check Text (C-215438r991589_chk)

Verify SSH is configured to use multi factor authentication: # grep ^sshd /etc/pam.conf | head -3 sshd auth required pam_ckfile sshd auth required pam_permission file=/etc/security/access.conf found=allow sshd auth required pam_pmfa /etc/security/pmfa/pam_pmfa.conf If the output does not match the above lines, any lines are missing, or commented out, this is a finding.

Fix Text (F-16634r294766_fix)

Add or update the following lines in the /etc/pam.conf file: sshd auth required pam_ckfile sshd auth required pam_permission file=/etc/security/access.conffound=allow sshd auth required pam_pmfa /etc/security/pmfa/pam_pmfa.conf