Check: AIX7-00-002124
IBM AIX 7.x STIG:
AIX7-00-002124
(in versions v3 r1 through v1 r1)
Title
If AIX SSH daemon is required, the SSH daemon must only listen on the approved listening IP addresses. (Cat II impact)
Discussion
The SSH daemon should only listen on the approved listening IP addresses. Otherwise the SSH service could be subject to unauthorized access.
Check Content
From the command prompt, run the following command to check if "ListenAddress" is defined in SSH config file: # grep -i ListenAddress /etc/ssh/sshd_config | grep -v '^#' ListenAddress 10.17.76.74 If no configuration is returned, or if a returned listen configuration contains addresses not permitted, this is a finding.
Fix Text
Edit the SSH daemon config file and add/modify the "ListenAddress" network addresses: # vi /etc/ssh/sshd_config Restart SSH daemon: # stopsrc -s sshd # startsrc -s sshd
Additional Identifiers
Rule ID: SV-215306r991593_rule
Vulnerability ID: V-215306
Group Title: SRG-OS-000480-GPOS-00232
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |