STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 1 hour ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to IBM AIX 7.x Security Technical Implementation Guide

V-215194

CAT II (Medium)

The Group Identifiers (GIDs) reserved for AIX system accounts must not be assigned to non-system accounts as their primary group GID.

Rule ID

SV-215194r991589_rule

STIG

IBM AIX 7.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

Reserved GIDs are typically used by system software packages. If non-system groups have GIDs in this range, they may conflict with system software, possibly leading to the group having permissions to modify system files.

Check Content

From the command prompt, run the following command:

# more /etc/passwd 
root:!:0:0::/root:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
nobody:!:4294967294:4294967294::/:
invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
srvproxy:*:203:0:Service Proxy Daemon:/home/srvproxy:/usr/bin/ksh
esaadmin:*:7:0::/var/esa:/usr/bin/ksh
sshd:*:212:203::/var/empty:/usr/bin/ksh
doejohn:*:704:1776::/home/doej:/usr/bin/ksh

Confirm all accounts with a primary GID of 99 and below are used by a system account. 

If a GID reserved for system accounts, 0 - 99, is used by a non-system account, this is a finding.

Fix Text

Change the primary GID for non-system accounts that have reserved GIDs as their primary GIDs using the following command:
# chuser pgrp=<non_reserved_group_name> <non_system_user_name>