Information
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Solution
To remove the clear-text password for 'bindpwd', do the following two steps:
Edit '/etc/security/ldap/ldap.cfg' to remove the 'bindpwd' line and save the change;
Reconfigure the LDAP client using the 'mksecldap' command:
# mksecldap -c -h <LDAP_HOST:LDAP_PORT> -A <auth_type> -D <Default_Entry> -d <BASE_DN> -a <BIND_USER> -p <BIND_PASSWORD> -k <KDB_FILE> -w <KDB_PASSWORD>
Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: 'gsk8capicmd' (used below), 'gsk8capicmd_64' and 'gsk7cmd'.
To use a stashed password for the SSL key database (KDB), do the following two steps:
Edit '/etc/security/ldap/ldap.cfg' to remove the 'ldapsslkeypwd' line and save the change;
Run 'gsk8capicmd' to create a stashed password file for the SSL KDB:
# gsk8capicmd -keydb -stashpw -db <KDB_FILE> -pw <KDB_PASSWORD>
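To confirm both changes took effect, the following added example (not part of the original guidance or any vendor tool) lists uncommented 'bindpwd' and 'ldapsslkeypwd' lines that still hold a clear-text value. It assumes that an encrypted value written by 'mksecldap' begins with a brace-delimited tag such as '{DESv2}'; the function names and the sample content are constructed for illustration.

```shell
#!/bin/sh
# Added example: report clear-text LDAP client passwords in an ldap.cfg-style file.
# Assumption: values stored encrypted start with a "{TAG}" prefix (e.g. {DESv2});
# any other non-empty value after "bindpwd:" or "ldapsslkeypwd:" counts as clear text.

# Prints "<line number>:<key>" per finding. The password value is never printed.
# Reads the file named in $1, or standard input when no file is given.
find_cleartext_pw() {
    awk '
        /^[ \t]*#/ { next }                          # commented-out settings
        /^[ \t]*(bindpwd|ldapsslkeypwd)[ \t]*:/ {
            key = $0
            sub(/^[ \t]*/, "", key)                  # drop leading blanks
            sub(/[ \t]*:.*/, "", key)                # keep only the key name
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)            # keep only the value
            if (val != "" && val !~ /^[{][A-Za-z0-9]+[}]/)
                print NR ":" key
        }
    ' "$@"
}

# Constructed sample content, not a real configuration.
sample_cfg() {
    cat <<'EOF'
# constructed sample
ldapservers:ldap.example.com
binddn:cn=proxy,dc=example,dc=com
bindpwd:{DESv2}0123456789ABCDEF
#bindpwd:oldsecret
ldapsslkeypwd: ExamplePass1
EOF
}

# Demo on the sample: only the clear-text ldapsslkeypwd line is reported.
sample_cfg | find_cleartext_pw
```

On a live system, run 'find_cleartext_pw /etc/security/ldap/ldap.cfg'; empty output means neither setting holds a clear-text value.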