Check: AIX7-00-002114
IBM AIX 7.x STIG: AIX7-00-002114 (in versions v2 r9 through v1 r1)
Title
AIX must turn on SSH daemon privilege separation. (Cat II impact)
Discussion
SSH daemon privilege separation causes the SSH process to drop root privileges when they are not needed, which decreases the impact of software vulnerabilities in the unprivileged section.
Check Content
Check the SSH daemon configuration for the "UsePrivilegeSeparation" setting using command:

    # grep -i UsePrivilegeSeparation /etc/ssh/sshd_config | grep -v '^#'
    UsePrivilegeSeparation yes

If the setting is not present or the setting is "no", this is a finding.
Fix Text
Edit the "/etc/sshd/sshd_config" file and add the following line:

    UsePrivilegeSeparation yes

Restart the SSH daemon:

    # stopsrc -s sshd
    # startsrc -s sshd
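The check above as a scripted test, added here as an illustration and not part of the STIG text. It also covers two cases the grep pipeline leaves to the reviewer: indented comment lines, and repeated keywords, where sshd uses the first value it obtains. The function names are hypothetical and the sample configurations are constructed.

```sh
#!/bin/sh
# Added example, not STIG text. Function names are hypothetical.

# Print the effective UsePrivilegeSeparation value (lowercased), or nothing.
# sshd uses the first value it obtains for a keyword, so stop at the first hit.
effective_privsep() {
    awk '
        NF == 0                 { next }   # blank line
        substr($1, 1, 1) == "#" { next }   # comment, including indented ones
        tolower($1) == "useprivilegeseparation" { print tolower($2); exit }
    ' "$1"
}

# Exit status: 0 = not a finding, 1 = finding (absent or "no"), 2 = unreadable.
check_privsep() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
    value=$(effective_privsep "$1")
    case "$value" in
        ""|no) echo "FINDING: $1: UsePrivilegeSeparation is '${value:-not set}'"
               return 1 ;;
        *)     echo "OK: $1: UsePrivilegeSeparation is '$value'"
               return 0 ;;
    esac
}

# Constructed sample configurations (not taken from a real host).
demo_dir=$(mktemp -d)
printf 'Port 22\nUsePrivilegeSeparation yes\n' > "$demo_dir/good"
printf 'Port 22\n  #UsePrivilegeSeparation yes\n' > "$demo_dir/commented"
printf 'useprivilegeseparation NO\nUsePrivilegeSeparation yes\n' > "$demo_dir/shadowed"

for f in good commented shadowed; do
    check_privsep "$demo_dir/$f" || true
done
```

On a host, call `check_privsep /etc/ssh/sshd_config` and treat a non-zero exit status as the finding condition.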
Additional Identifiers
Rule ID: SV-215297r508663_rule
Vulnerability ID: V-215297
Group Title: SRG-OS-000480-GPOS-00227
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |