Check: AIX7-00-003078
IBM AIX 7.x STIG:
AIX7-00-003078
(in versions v3 r1 through v1 r1)
Title
The klogin daemon must be disabled on AIX. (Cat II impact)
Discussion
The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the network. However, it is still not as secure as SSH, which encrypts all traffic. If using klogin to log in to a system, the password is not sent in clear text; however, if using "su" to another user, that password exchange is open to detection from network-sniffing programs. The recommendation is to use SSH wherever possible instead of klogin. If the klogin service is used, use the latest Kerberos version available and make sure that all the latest patches are installed.
Check Content
From the command prompt, execute the following command: # grep "^klogin[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.
Fix Text
In "/etc/inetd.conf", comment out the "klogin" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'klogin' -p 'tcp' Restart inetd: # refresh -s inetd
Additional Identifiers
Rule ID: SV-215383r958478_rule
Vulnerability ID: V-215383
Group Title: SRG-OS-000095-GPOS-00049
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
Configure the system to provide only organization-defined mission essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |