Check: AIX7-00-002110
IBM AIX 7.x STIG:
AIX7-00-002110
(in versions v2 r9 through v1 r1)
Title
AIX must setup SSH daemon to disable revoked public keys. (Cat II impact)
Discussion
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
Check Content
If public keys are not used for SSH authentication, this is Not Applicable.

Run the following command:

# grep "^RevokedKeys" /etc/ssh/sshd_config
RevokedKeys /etc/ssh/RevokedKeys.txt

If the command does not find the "RevokedKeys" setting, or the value for "RevokedKeys" is set to "none", this is a finding.
Fix Text
Obtain the file that contains all the public keys that need to be revoked from the ISSO/SA and save it in the /etc/ssh/ directory.

Edit the "/etc/ssh/sshd_config" file so that "RevokedKeys" points to the revoked key file obtained above.

Restart the SSH daemon:

# stopsrc -s sshd
# startsrc -s sshd
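The check and fix above, written as POSIX sh/awk functions that take the sshd_config path as a parameter so they can be dry-run on a copy before /etc/ssh/sshd_config is touched. This is an added example, not text from the STIG or from IBM; the function names, the extra readability check, and the sample config in the comments are this example's own. It assumes what sshd_config(5) documents: sshd honours the first RevokedKeys directive it reads, keywords are case-insensitive, and a keyword may be followed by whitespace or "=". Match blocks are not modelled.

```shell
#!/bin/sh
# Added example, not part of the STIG text: the AIX7-00-002110 check and fix
# as POSIX sh/awk functions operating on the sshd_config path given as $1.
# Assumptions (from sshd_config(5)): first RevokedKeys directive wins,
# keywords are case-insensitive, "=" or whitespace may follow the keyword.
# Match blocks are not modelled.

# Print the value of the first effective RevokedKeys directive, or nothing.
revokedkeys_value() {
    awk '{
        line = $0
        sub(/#.*/, "", line)          # drop comments ("#RevokedKeys none" is inert)
        sub(/^[ \t]+/, "", line)      # sshd tolerates leading whitespace
        n = split(line, f, "[ \t=]+")
        if (n >= 2 && tolower(f[1]) == "revokedkeys") { print f[2]; exit }
    }' "$1"
}

# STIG check: 0 = compliant, 1 = finding (directive absent or set to "none").
stig_002110_check() {
    val=$(revokedkeys_value "$1")
    [ -z "$val" ] && return 1
    [ "$val" = "none" ] && return 1
    return 0
}

# Beyond the STIG check: sshd_config(5) states that an unreadable RevokedKeys
# file makes sshd refuse public-key authentication for every user, so a
# compliant directive pointing at a missing file is an outage, not a fix.
stig_002110_file_ok() {
    val=$(revokedkeys_value "$1")
    [ -n "$val" ] && [ "$val" != "none" ] && [ -r "$val" ]
}

# STIG fix: make RevokedKeys point at $2. The first existing directive is
# rewritten in place, later duplicates are commented out, and the directive is
# appended if none exists. Output goes through a temp file and is cat'ed back
# into the original so ownership and mode survive (AIX sed has no -i).
stig_002110_fix() {
    cfg="$1"; keyfile="$2"
    [ -r "$keyfile" ] || { echo "refusing: $keyfile is not readable" >&2; return 1; }
    tmp="$cfg.tmp.$$"
    awk -v kf="$keyfile" '
        {
            line = $0; sub(/^[ \t]+/, "", line); split(line, f, "[ \t=]+")
            if (tolower(f[1]) == "revokedkeys") {
                if (!done) { print "RevokedKeys " kf; done = 1 }
                else       { print "# " $0 }
                next
            }
            print
        }
        END { if (!done) print "RevokedKeys " kf }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Live use on AIX (not run here):
#   stig_002110_fix /etc/ssh/sshd_config /etc/ssh/RevokedKeys.txt
#   sshd -t -f /etc/ssh/sshd_config && stopsrc -s sshd && startsrc -s sshd
```

Before restarting the daemon, `sshd -t -f /etc/ssh/sshd_config` validates the edited file and exits non-zero on a bad directive, which avoids a restart that leaves the host without SSH. The file named by RevokedKeys may be either a plain list of public keys, one per line in the authorized_keys format, or a binary key revocation list built with `ssh-keygen -k`; whichever the ISSO/SA supplies, keep it readable by the sshd process, because per sshd_config(5) an unreadable file refuses public-key authentication for all users rather than failing open.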
Additional Identifiers
Rule ID: SV-215293r853475_rule
Vulnerability ID: V-215293
Group Title: SRG-OS-000384-GPOS-00167
Expert Comments
CCIs
Number | Definition
---|---
CCI-001991 | The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
Controls
Number | Title
---|---
IA-5 (2) | PKI-Based Authentication