AIX defines Administrator accounts with the attribute admin. When true, the account is Administrator, and when false, the account is considered User.

Rationale: An inventory of accounts with the attribute 'admin=true' allows verification that all accounts considered administrative are so labeled by the system.

Impact: The impact of 'admin=true' is two-fold:
a) a label for identifying accounts considered related to system administration
b) providing additional controls for account management.
On AIX, an account with the attribute 'admin=true' requires a security role of Senior Security Admin to make modifications to the account attributes.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
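A printable report can be prepared using the following example:

# Run under ksh (the AIX default shell): ksh runs the last pipeline stage
# in the current shell, so cnt keeps its value after the loop.
cnt=0
printf '%4s%68s\n' 'AIX' 'Administrator Accounts'
lsuser -R files -a admin ALL | while read usr adm; do
    if [[ ${adm} = 'admin=true' ]]; then
        printf '%12s' "${usr}"
        let cnt=cnt+1
        # Break the line after every sixth account name
        [[ $(expr ${cnt} % 6) == 0 ]] && print
    fi
done
# Finish the last, partially filled row
[[ $(expr ${cnt} % 6) != 0 ]] && print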
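The verification described in the rationale can be automated by comparing the 'admin' attribute of each account with a list of accounts the site considers administrative. The script below is an added example, not part of the benchmark: the approved list, the sample account names and the function names are assumptions, and the sample input is constructed in place of real 'lsuser -R files -a admin ALL' output.

```shell
#!/bin/sh
# Added example: reconcile the admin attribute with an approved list.
# On AIX, feed the function from:  lsuser -R files -a admin ALL

# Constructed sample of lsuser output (not taken from a real system).
sample_lsuser() {
cat <<'EOF'
root admin=true
daemon admin=true
bin admin=true
jsmith admin=false
dbadmin admin=false
svcbackup admin=true
EOF
}

# Hypothetical site list of accounts expected to be administrative.
APPROVED_ADMINS="root daemon bin dbadmin"

# audit_admin_flags "<approved names>"  < lsuser-output
# Prints one finding per line:
#   UNEXPECTED <user>  admin=true but not on the approved list
#   UNLABELED  <user>  on the approved list but admin=false
#   MISSING    <user>  on the approved list but absent from the input
audit_admin_flags() {
    awk -v approved="$1" '
        BEGIN {
            n = split(approved, a, " ")
            for (i = 1; i <= n; i++) want[a[i]] = 1
        }
        # Accept only well-formed "<user> admin=<value>" lines.
        NF == 2 && $2 ~ /^admin=/ {
            seen[$1] = 1
            is_admin = ($2 == "admin=true")
            if (is_admin && !($1 in want)) print "UNEXPECTED", $1
            if (!is_admin && ($1 in want)) print "UNLABELED", $1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(a[i] in seen)) print "MISSING", a[i]
        }
    '
}

findings=$(sample_lsuser | audit_admin_flags "$APPROVED_ADMINS")
printf '%s\n' "$findings"
```

An empty result means every approved account carries 'admin=true' and no other account does.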