Check: ZSSH0010
zOS ACF2 STIG:
ZSSH0010
(in versions v6 r43 through v6 r30)
Title
The SSH daemon must be configured to only use the SSHv2 protocol. (Cat I impact)
Discussion
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
Check Content
Locate the SSH daemon configuration file. May be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active there is no finding. Examine SSH daemon configuration file. If the variables 'Protocol 2,1’ or ‘Protocol 1’ are defined on a line without a leading comment, this is a finding.
Fix Text
Edit the sshd_config file and set the "Protocol" setting to "2".
Additional Identifiers
Rule ID: SV-83851r1_rule
Vulnerability ID: V-69229
Group Title: ZSSH0010
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |