AIX must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-215431	SRG-OS-000480-GPOS-00228	AIX7-00-003137	SV-215431r991590_rule	2024-08-16	3

Description
Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.

ℹ️ Check
Check if "/etc/security/.profile" contains the proper "umask" setting by running the following command: # grep "umask 077" /etc/security/.profile umask 077 If the above command does not output the "umask 077", this is a finding. From the command prompt, run the following command to check if "umask=077" for the default stanza in "/etc/security/user": # lssec -f /etc/security/user -s default -a umask default umask=077 If the "umask" for the default stanza is not "077", or the "umask" is not set, this is a finding.

ℹ️ Check

Check if "/etc/security/.profile" contains the proper "umask" setting by running the following command: # grep "umask 077" /etc/security/.profile umask 077 If the above command does not output the "umask 077", this is a finding. From the command prompt, run the following command to check if "umask=077" for the default stanza in "/etc/security/user": # lssec -f /etc/security/user -s default -a umask default umask=077 If the "umask" for the default stanza is not "077", or the "umask" is not set, this is a finding.

✔️ Fix
Add the following line to "/etc/security/.profile": umask 077 Run the following command to set "umask=077" for the default stanza in "/etc/security/user": # chsec -f /etc/security/user -s default -a umask=077