STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers.

DISA Rule

SV-215402r508663_rule

Vulnerability Number

V-215402

Group Title

SRG-OS-000033-GPOS-00014

Rule Version

AIX7-00-003100

Severity

CAT II

CCI(s)

• CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.

Weight

10

Fix Recommendation

Edit the "/etc/ssh/sshd_config" file and add or edit a "Ciphers" line like this:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

Restart the SSH daemon:
# stopsrc -s sshd
# startsrc -s sshd

Check Contents

Check the SSH daemon configuration for allowed ciphers by running the following command:
# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'

The above command should yield the following output:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

If any of the following conditions are true, this is a finding.
1. No line is returned (default ciphers);
2. The returned ciphers list contains any cipher not starting with aes;
3. The returned ciphers list contains any cipher ending with cbc.

Vulnerability Number

V-215402

Documentable

False

Rule Version

AIX7-00-003100

Severity Override Guidance

Check the SSH daemon configuration for allowed ciphers by running the following command:
# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'

The above command should yield the following output:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

If any of the following conditions are true, this is a finding.
1. No line is returned (default ciphers);
2. The returned ciphers list contains any cipher not starting with aes;
3. The returned ciphers list contains any cipher ending with cbc.

Check Content Reference

M

Target Key

4012

Comments