STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The AIX SSH daemon must be configured for IP filtering.

DISA Rule

SV-215295r508663_rule

Vulnerability Number

V-215295

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AIX7-00-002112

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Add appropriate IP restrictions for SSH to the "/etc/hosts.deny" and/or "/etc/hosts.allow" files.

TCP Wrappers can be installed from the AIX Expansion Pack by installing fileset "netsec.options.tcpwrappers" using the following command (assume AIX Expansion Pack is mounted on /dev/cd0):
# installp -aXYgd /dev/cd0 -e /tmp/install.log netsec.options.tcpwrappers

Check Contents

Check the TCP wrappers configuration files to determine if SSHD is configured to use TCP wrappers using commands:

# grep sshd /etc/hosts.deny
sshd : ALL

# grep sshd /etc/hosts.allow
sshd : 10.10.20.*

If no entries are returned, the TCP wrappers are not configured for SSHD, this is a finding.

Vulnerability Number

V-215295

Documentable

False

Rule Version

AIX7-00-002112

Severity Override Guidance

Check the TCP wrappers configuration files to determine if SSHD is configured to use TCP wrappers using commands:

# grep sshd /etc/hosts.deny
sshd : ALL

# grep sshd /etc/hosts.allow
sshd : 10.10.20.*

If no entries are returned, the TCP wrappers are not configured for SSHD, this is a finding.

Check Content Reference

M

Target Key

4012

Comments