Title

AIX must turn off TCP forwarding for the SSH daemon. (Cat II impact)

Discussion

SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.

Check Content

If TCP forwarding is approved for use by the ISSO, this is not applicable. Check the SSH daemon configuration for the "AllowTcpForwarding" directive using command: # grep -i AllowTcpForwarding /etc/ssh/sshd_config | grep -v '^#' AllowTcpForwarding no If the setting is not present or the setting is "yes", this is a finding.

Fix Text

Edit the "/etc/sshd/sshd_config" file to add the following line and save the change: AllowTcpForwarding no Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd

Additional Identifiers

Rule ID: SV-215301r508663_rule

Vulnerability ID: V-215301

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.