Title

The kshell daemon must be disabled on AIX. (Cat II impact)

Discussion

The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted communications. The recommendation is to use SSH wherever possible instead of kshell. If the kshell service is used, you should use the latest Kerberos version available and must make sure that all the latest patches are installed.

Check Content

From the command prompt, execute the following command: # grep "^kshell[[:blank:]]" /etc/inetd.conf If there is any output from the command, this is a finding.

Fix Text

In "/etc/inetd.conf", comment out the "kshell" entry by running command: # chsubserver -r inetd -C /etc/inetd.conf -d -v 'kshell' -p 'tcp' Restart inetd: # refresh -s inetd

Additional Identifiers

Rule ID: SV-215384r508663_rule

Vulnerability ID: V-215384

Group Title: SRG-OS-000095-GPOS-00049

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.