STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX must setup SSH daemon to disable revoked public keys.

DISA Rule

SV-215293r508663_rule

Vulnerability Number

V-215293

Group Title

SRG-OS-000384-GPOS-00167

Rule Version

AIX7-00-002110

Severity

CAT II

CCI(s)

• CCI-001991 - The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

Weight

10

Fix Recommendation

Obtain the file that contains all the public keys that need to be revoked from ISSO/SA and save the file in /etc/ssh/ directory.

Edit the "/etc/ssh/sshd_config" file to allow "RevokedKeys" to point to the revoked key file obtained above.

Restart the SSH daemon:
# stopsrc -s sshd
# startsrc -s sshd

Check Contents

If public keys are not used for SSH authentication, this is Not Applicable.

Run the following command:

# grep "^RevokedKeys" /etc/ssh/sshd_config
RevokedKeys /etc/ssh/RevokedKeys.txt

If the command does not find the "RevokedKeys" setting, or the value for "RevokedKeys" is set to "none", this is a finding.

Vulnerability Number

V-215293

Documentable

False

Rule Version

AIX7-00-002110

Severity Override Guidance

If public keys are not used for SSH authentication, this is Not Applicable.

Run the following command:

# grep "^RevokedKeys" /etc/ssh/sshd_config
RevokedKeys /etc/ssh/RevokedKeys.txt

If the command does not find the "RevokedKeys" setting, or the value for "RevokedKeys" is set to "none", this is a finding.

Check Content Reference

M

Target Key

4012

Comments