← Back to IBM AIX 7.x Security Technical Implementation Guide

V-215277

CAT II (Medium)

All AIX interactive users home directories must be group-owned by the home directory owner primary group.

Rule ID

SV-215277r991592_rule

STIG

IBM AIX 7.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

If the Group Identifier (GID) of the home directory is not the same as the GID of the user, this would allow unauthorized access to files.

Check Content

Check the group ownership for each user in the "/etc/passwd" file using command: 

# cut -d: -f6 /etc/passwd | xargs ls -lLd

drwxr-xr-x   21 root     system         4096 Jan 29 09:58 /

drwxr-xr-x    4 bin      bin           45056 Jan 24 12:31 /bin

drwxr-xr-x    2 doejohn  staff           256 Jan 25 13:18 /home/doejohn

drwxr-xr-x    2 sshd     system          256 Aug 11 2017  /home/srvproxy

drwx------    2 root     system          256 Jan 30 12:54 /root

drwxrwxr-x    4 bin      bin             256 Mar 23 2017  /usr/sys

drwxrwxr-x   15 root     adm            4096 Jan 24 12:26 /var/adm

drwxr-xr-x    6 root     system         4096 Jan 24 07:34 /var/adm/invscout

drwxr-xr-x    8 esaadmin system          256 Jan 24 09:02 /var/esa

If any user's home directory is not group-owned by the assigned user's primary group, this is a finding. 

Home directories for application accounts requiring different group ownership must be documented using site-defined procedures.

Fix Text

Change the group owner for users home directories to the primary group of the assigned user: 
# chgrp <groupname> <directoryname> 

(Replace examples with appropriate group and home directory.) 

Document all changes.