STIGQter STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 25 Apr 2019: The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers.

DISA Rule

SV-101343r1_rule

Vulnerability Number

V-91243

Group Title

SRG-OS-000033-GPOS-00014

Rule Version

AIX7-00-003100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the "/etc/ssh/sshd_config" file and add or edit a "Ciphers" line like this:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

Restart the SSH daemon:
# stopsrc -s sshd
# startsrc -s sshd

Check Contents

Check the SSH daemon configuration for allowed ciphers by running the following command:
# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'

The above command should yield the following output:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

If any of the following conditions are true, this is a finding.
1. No line is returned (default ciphers);
2. The returned ciphers list contains any cipher not starting with aes;
3. The returned ciphers list contains any cipher ending with cbc.

Vulnerability Number

V-91243

Documentable

False

Rule Version

AIX7-00-003100

Severity Override Guidance

Check the SSH daemon configuration for allowed ciphers by running the following command:
# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'

The above command should yield the following output:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

If any of the following conditions are true, this is a finding.
1. No line is returned (default ciphers);
2. The returned ciphers list contains any cipher not starting with aes;
3. The returned ciphers list contains any cipher ending with cbc.

Check Content Reference

M

Target Key

3491

Comments