Check: AIX7-00-002110
IBM AIX 7.x STIG:
AIX7-00-002110
(in versions v3 r1 through v1 r1)
Title
AIX must setup SSH daemon to disable revoked public keys. (Cat II impact)
Discussion
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
Check Content
If public keys are not used for SSH authentication, this is Not Applicable. Run the following command: # grep "^RevokedKeys" /etc/ssh/sshd_config RevokedKeys /etc/ssh/RevokedKeys.txt If the command does not find the "RevokedKeys" setting, or the value for "RevokedKeys" is set to "none", this is a finding.
Fix Text
Obtain the file that contains all the public keys that need to be revoked from ISSO/SA and save the file in /etc/ssh/ directory. Edit the "/etc/ssh/sshd_config" file to allow "RevokedKeys" to point to the revoked key file obtained above. Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd
Additional Identifiers
Rule ID: SV-215293r1009549_rule
Vulnerability ID: V-215293
Group Title: SRG-OS-000384-GPOS-00167
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001991 |
The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
CCI-004068 |
For public key-based authentication, implement a local cache of revocation data to support path discovery and validation. |
Controls
Number | Title |
---|---|
IA-5(2) |
Pki-based Authentication |