UIDs reserved for system accounts must not be assigned to non-system accounts on AIX systems.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-215195	SRG-OS-000480-GPOS-00227	AIX7-00-001036	SV-215195r991589_rule	2024-08-16	3

Description
Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, possibly leading to the user having permissions to modify system files.

ℹ️ Check
Check the UID assignments of all accounts using: # more /etc/passwd root:!:0:0::/root:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: nobody:!:4294967294:4294967294::/: invscout::6:12::/var/adm/invscout:/usr/bin/ksh srvproxy::203:0:Service Proxy Daemon:/home/srvproxy:/usr/bin/ksh esaadmin::7:0::/var/esa:/usr/bin/ksh sshd::212:203::/var/empty:/usr/bin/ksh doej:*:704:1776::/home/doej:/usr/bin/ksh Confirm all accounts with a UID of 128 and below are used by a system account. If a UID reserved for system accounts (0-128) is used by a non-system account, this is a finding.

ℹ️ Check

Check the UID assignments of all accounts using: # more /etc/passwd root:!:0:0::/root:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: nobody:!:4294967294:4294967294::/: invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh srvproxy:*:203:0:Service Proxy Daemon:/home/srvproxy:/usr/bin/ksh esaadmin:*:7:0::/var/esa:/usr/bin/ksh sshd:*:212:203::/var/empty:/usr/bin/ksh doej:*:704:1776::/home/doej:/usr/bin/ksh Confirm all accounts with a UID of 128 and below are used by a system account. If a UID reserved for system accounts (0-128) is used by a non-system account, this is a finding.

✔️ Fix
Using the "usermod" command, change the UID numbers for non-system accounts with reserved UIDs (those less or equal to 128): # usermod -u <uid> [user_name]