Information
Restricts access to root via su to members of a specific group. Direct login via console and/or remote login via telnet is blocked.
Rationale:
For accountability, no direct access to root is allowed.
The attributes here control access to root for programs other than OpenSSH.
Setting the sugroups attribute to SUADMIN ensures that only members of the this group are able to su root. This makes it more difficult for an attacker to use a stolen root password as the attacker first has to get access to a system user ID.
Access via a console (e.g., /dev/vty0 or /dev/tty0) is only permitted when there are external controls managing accountability of access to the console. For example, HMC access must not be via the account hscroot; a physical console is accessible only after a hard-copy log has been entered and verified before physical access is granted to the (data center) console terminal.
The group system is not recommended as it is not uncommon for other accounts to be included in this OS-provided group (gid==0).
Impact:
In this recommendation we specify the group SAADMIN. This is same group name applied during installation of the security profile known as BAS - Base AIX Security.
When scoring - the attribute login may be true as long as access to the HMC is not via the account name hscroot.
In any case, sugroups should not equal ALL.
Solution
In /etc/security/user, set the root stanza sugroups attribute to SUADMIN and ensure the login and rlogin attributes are set to false:
lsgroup SUADMIN >/dev/null || mkgroup -a SUADMIN
chuser login=false rlogin=false sugroups=SUADMIN
NOTE: For the remediation the setting of su is irrelevant.
Default Value:
root login=true rlogin=true sugroups=ALL su=true
Item Details
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION
References: 800-53|AC-6(2), 800-53|AC-6(5), 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|IA-5, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|4.1, CSCv7|5.1
Control ID: f0944112e413caafc58c508eee4e739ad03b59691f18423367b5811e65a98f73