Detections
Analytics
AIX7-00-002096 - AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required.
Information
The AIX Encrypted File System (EFS) is a J2 filesystem-level encryption through individual key stores. This allows for file encryption in order to protect confidential data from attackers with physical access to the computer. User authentication and access control lists can protect files from unauthorized access (even from root user) while the operating system is running.Operating systems handling data requiring 'data at rest' protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000405-GPOS-00184, SRG-OS-000404-GPOS-00183
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Install 'clic.rte' filesets from AIX DVD Volume 1 using the following commands (assuming that the DVD device is /dev/cd0):# installp -aXYgd /dev/cd0 -e /tmp/install.log clic.rte.lib
# installp -aXYgd /dev/cd0 -e /tmp/install.log clic.rte.kernext
Run the follow command to initialize and enable EFS on the system:
# efsenable -a
To create a new EFS-enabled JFS2 file system and mount the file system, using the following commands:
# crfs -v jfs2 -g rootvg -m /fs2 -a size=100M -a efs=yes
# mount /fs2
To enable EFS on a JFS2 file system (like, /fs3), run the following command:
chfs -a efs=yes /fs3
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_AIX_7-x_V3R1_STIG.zip
Item Details
Audit Name: DISA STIG AIX 7.x v3r1
Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|CM-6b., 800-53|SC-28(1), CAT|II, CCI|CCI-000366, CCI|CCI-002475, CCI|CCI-002476, Rule-ID|SV-215283r991589_rule, STIG-ID|AIX7-00-002096, STIG-Legacy|SV-101821, STIG-Legacy|V-91723, Vuln-ID|V-215283
Plugin: Unix
Control ID: 16bb376d77cb40e462b5bc30c1da36edacb573d175e96b4204c5e5a7be5feb41