STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

AIX must config the SSH idle timeout interval.

DISA Rule

SV-215290r648727_rule

Vulnerability Number

V-215290

Group Title

SRG-OS-000279-GPOS-00109

Rule Version

AIX7-00-002105

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Add or update the following lines in "/etc/ssh/sshd_config":
ClientAliveInterval 600
ClientAliveCountMax 0

Restart sshd:
# stopsrc -s sshd
# startsrc -s sshd

Check Contents

Run the following command to check if "ClientAliveInterval" and "ClientAliveCountMax" are set for SSH server:

# grep -E "^ClientAliveInterval|^ClientAliveCountMax" /etc/ssh/sshd_config
ClientAliveInterval 600
ClientAliveCountMax 0

If "ClientAliveCountMax" is not set or its value is not "0", this is a finding.

If "ClientAliveInterval" is not set, or its value is not "600" (10 minutes) or less, this is a finding.
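
The check above, scripted as an added example (not part of the STIG text or of STIGQter; the function name check_ssh_idle_timeout is hypothetical). It goes beyond the grep shown: keywords are matched case-insensitively and with leading whitespace, only the first occurrence of each keyword counts because sshd uses the first value it reads, and settings after a Match line are ignored as conditional. Treating an interval of 0 (which disables the client-alive messages) or a non-numeric value as a finding is an assumption about how to apply the rule.

```shell
#!/bin/sh
# Added example, not part of the STIG text: audit the two sshd_config settings.
# Prints PASS or FINDING lines; returns 0 only when both settings comply.
check_ssh_idle_timeout() {
    cfg="${1:-/etc/ssh/sshd_config}"
    [ -r "$cfg" ] || { echo "FINDING: cannot read $cfg"; return 2; }
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            key = tolower($1); val = $2    # keywords are case-insensitive
            if (key == "match") exit       # Match blocks are conditional, not global
            # sshd uses the first value it reads for each keyword
            if (key == "clientaliveinterval" && interval == "") interval = val
            if (key == "clientalivecountmax" && countmax == "") countmax = val
        }
        END {
            bad = 0
            if (countmax == "") {
                print "FINDING: ClientAliveCountMax is not set"; bad = 1
            } else if (countmax != "0") {
                print "FINDING: ClientAliveCountMax is " countmax ", expected 0"; bad = 1
            }
            if (interval == "") {
                print "FINDING: ClientAliveInterval is not set"; bad = 1
            } else if (interval !~ /^[0-9]+$/) {
                # Assumption: anything but plain seconds needs manual review
                print "FINDING: ClientAliveInterval " interval " is not plain seconds"; bad = 1
            } else if (interval + 0 == 0) {
                print "FINDING: ClientAliveInterval is 0 (messages disabled)"; bad = 1
            } else if (interval + 0 > 600) {
                print "FINDING: ClientAliveInterval is " interval ", expected 600 or less"; bad = 1
            }
            if (!bad) print "PASS: ClientAliveInterval " interval ", ClientAliveCountMax 0"
            exit bad
        }
    ' "$cfg"
}

# Constructed sample: the first ClientAliveInterval (900) wins, so this is a finding
# even though a line-oriented grep would also show the compliant 600.
sample=$(mktemp)
printf 'ClientAliveInterval 900\nClientAliveInterval 600\nClientAliveCountMax 0\n' > "$sample"
check_ssh_idle_timeout "$sample" || true
rm -f "$sample"
```

Run it against the live file with `check_ssh_idle_timeout /etc/ssh/sshd_config` and confirm the result after restarting sshd as described in the fix.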

Documentable

False

Check Content Reference

M

Target Key

4012

Comments