All files and directories contained in users home directories on AIX must be group-owned by a group in which the home directory owner is a member.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-215278 | SRG-OS-000480-GPOS-00230 | AIX7-00-002087 | SV-215278r991592_rule | 2024-08-16 | 3 |
Description

If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.
ℹ️ Check

Check the contents of user home directories for files group-owned by a group of which the home directory's owner is not a member.

List the user accounts:

```
# cut -d : -f 1 /etc/passwd
root
daemon
bin
sys
adm
uucp
nobody
invscout
snapp
ipsec
srvproxy
esaadmin
sshd
doejohn
dirtjoe
```

For each user account, get a list of group names for files in the user's home directory:

```
# find < users home directory > -exec ls -lLd {} \;
```

Obtain the list of group names associated with the user's account:

```
# lsuser -a groups < user name >
doejohn groups=staff
```

Check the group name lists:

```
# cat /etc/group
system:!:0:root,srvproxy,esaadmin
staff:!:1:ipsec,srvproxy,esaadmin,sshd,doejohn
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
mail:!:6:
security:!:7:root
cron:!:8:root
audit:!:10:root
ecs:!:28:
nobody:!:4294967294:nobody,lpd
usr:!:100:dirtjoe
perf:!:20:
shutdown:!:21:
invscout:!:12:invscout
snapp:!:13:snapp
ipsec:!:200:
sshd:!:201:sshd
```

If there are group names in the file list not present in the user list, this is a finding.
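The comparison the check describes, carried out by a script over constructed sample output rather than by eye. This is an added example, not part of the STIG text; the function names `lsuser_groups`, `bad_group_files` and `sample_finding_count` and the sample `lsuser` and `ls -lLd` strings are assumptions, and on a real AIX host the sample strings would be replaced by the live output of `lsuser -a groups` and `find <home> -exec ls -lLd {} \;`.

```shell
#!/bin/sh
# Added example: automates the AIX7-00-002087 check against constructed data
# so it runs offline. Replace the SAMPLE_* strings with real command output.

# Constructed: the group list for one user, in the format lsuser prints it
# (on AIX the "groups" attribute includes the user's primary group).
SAMPLE_LSUSER='doejohn groups=staff'

# Constructed: 'find /home/doejohn -exec ls -lLd {} \;' output. The fourth
# field is the group owner; 'usr' and 'system' are not in doejohn's groups.
SAMPLE_LS='drwxr-xr-x 2 doejohn staff 256 Aug 16 10:00 /home/doejohn
-rw-r--r-- 1 doejohn staff 1024 Aug 16 10:01 /home/doejohn/.profile
-rw-r--r-- 1 doejohn usr 512 Aug 16 10:02 /home/doejohn/report.txt
-rw-r--r-- 1 doejohn system 64 Aug 16 10:03 /home/doejohn/notes'

# Print the comma-separated group list from an "<user> groups=a,b" line.
lsuser_groups() {
    printf '%s\n' "$1" | sed -n 's/^[^ ]* groups=//p'
}

# Read ls -lLd lines on stdin and print "group path" for every entry whose
# group owner is not one of the user's groups ($1 = lsuser line).
# Any line printed is a finding. Paths containing spaces would need a
# field-count-aware parser; the sample data has none.
bad_group_files() {
    allowed_list=$(lsuser_groups "$1")
    awk -v allowed="$allowed_list" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 9 && !($4 in ok) { print $4, $NF }
    '
}

# Number of findings in the sample; 0 means the home directory is compliant.
sample_finding_count() {
    printf '%s\n' "$SAMPLE_LS" | bad_group_files "$SAMPLE_LSUSER" | wc -l | tr -d ' '
}
```

Each line `bad_group_files` prints names a file to fix with `chgrp` as described in the Fix section; an empty result for every user means the rule is satisfied.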
✔️ Fix

Change the group of any file not group-owned by a group of which the home directory's owner is a member, using the command:

```
# chgrp [user's primary group] [file with bad group ownership]
```