STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX SSH private host key files must have mode 0600 or less permissive.

DISA Rule

SV-215321r508663_rule

Vulnerability Number

V-215321

Group Title

SRG-OS-000067-GPOS-00035

Rule Version

AIX7-00-003004

Severity

CAT II

CCI(s)

• CCI-000186 - The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.

Weight

10

Fix Recommendation

Change the permissions for the SSH private host key files:
# chmod 0600 /etc/ssh/*key

Check Contents

Check the permissions for SSH private host key files:
# ls -lL /etc/ssh/*key

The above command should yield the following output:
-rw------- 1 root system 668 Jan 18 2017 /etc/ssh/ssh_host_dsa_key
-rw------- 1 root system 227 Jan 18 2017 /etc/ssh/ssh_host_ecdsa_key
-rw------- 1 root system 965 Jan 18 2017 /etc/ssh/ssh_host_key
-rw------- 1 root system 1675 Jan 18 2017 /etc/ssh/ssh_host_rsa_key

If any file has a mode more permissive than "0600", this is a finding.

Vulnerability Number

V-215321

Documentable

False

Rule Version

AIX7-00-003004

Severity Override Guidance

Check the permissions for SSH private host key files:
# ls -lL /etc/ssh/*key

The above command should yield the following output:
-rw------- 1 root system 668 Jan 18 2017 /etc/ssh/ssh_host_dsa_key
-rw------- 1 root system 227 Jan 18 2017 /etc/ssh/ssh_host_ecdsa_key
-rw------- 1 root system 965 Jan 18 2017 /etc/ssh/ssh_host_key
-rw------- 1 root system 1675 Jan 18 2017 /etc/ssh/ssh_host_rsa_key

If any file has a mode more permissive than "0600", this is a finding.

Check Content Reference

M

Target Key

4012

Comments