Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-215178 | SRG-OS-000109-GPOS-00056 | AIX7-00-001011 | SV-215178r1009531_rule | 2026-02-06 | 3 |
Description
Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability.
Check
Obtain a list of Shared/Application/Default/Utility accounts from the ISSO/ISSM.
Shared/Application/Default/Utility accounts can have direct login disabled by setting the "rlogin" parameter to "false" in the user’s stanza of the "/etc/security/user" file.
From the command prompt, run the following command to check whether a shared account has "rlogin=true":
# lsuser -a rlogin [shared_account]
<shared_account> rlogin=true
If a shared account is configured for "rlogin=true", this is a finding.
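The same check can be run offline against a collected copy of "/etc/security/user" when reviewing many accounts at once. The script below is an added example, not part of the STIG text: it resolves the effective "rlogin" value for each listed account, falling back to the "default" stanza when the account's own stanza does not set it. The account names and file contents are constructed, and treating an entirely unset attribute as "true" is an assumption.

```shell
#!/bin/sh
# Added example: offline rlogin audit of a copy of /etc/security/user.
# Account names and file contents below are constructed.

# effective_rlogin FILE ACCOUNT -> value from the account's stanza, else the
# "default" stanza, else "true" (assumed built-in default when unset).
effective_rlogin() {
    awk -v acct="$2" '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }               # comment or blank
        /^[^ \t=]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "rlogin") seen[stanza] = val
        }
        END {
            if (acct in seen) print seen[acct]
            else if ("default" in seen) print seen["default"]
            else print "true"
        }' "$1"
}

# rlogin_findings FILE ACCOUNT... -> prints one line per finding, returns 1 if any.
rlogin_findings() {
    file=$1; shift; rc=0
    for a in "$@"; do
        if [ "$(effective_rlogin "$file" "$a")" = "true" ]; then
            echo "$a rlogin=true"; rc=1
        fi
    done
    return $rc
}

write_sample() {   # constructed stanza file for the demo
    cat > "$1" <<'EOF'
* constructed sample
default:
    rlogin = true
appsvc:
    rlogin = false
oraapp:
    login = false
backup:
    rlogin = true
EOF
}

sample=$(mktemp); write_sample "$sample"
rlogin_findings "$sample" appsvc oraapp backup || echo "finding(s) listed above"
rm -f "$sample"
```

In the sample, "oraapp" is reported even though its stanza never mentions "rlogin", because it inherits "rlogin = true" from the "default" stanza.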
Fix
Direct login to shared or application accounts can be prevented by setting "rlogin=false" in the account's stanza of the "/etc/security/user" file.
From the command prompt, run the following command to set "rlogin=false" for a shared account:
# chuser rlogin=false [shared_account]