STIGQter STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

DISA Rule

SV-215294r508663_rule

Vulnerability Number

V-215294

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AIX7-00-002111

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the "/etc/ssh/sshd_config" file and add/edit the following line to contain FIPS 140-2 approved ciphers:
MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96

Restart SSH daemon:
# stopsrc -s sshd
# startsrc -s sshd

Note: If the "MACs" configuration contains any ciphers that are not FIPS 140-2 approved, they should be removed from the configuration file.

Check Contents

Check the SSH daemon configuration for allowed MACs by running the following command:
# grep -i macs /etc/ssh/sshd_config | grep -v '^#'
MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96

If no lines are returned, or the returned MAC list contains any MAC that is not FIPS 140-2 approved, this is a finding.

Vulnerability Number

V-215294

Documentable

False

Rule Version

AIX7-00-002111

Severity Override Guidance

Check the SSH daemon configuration for allowed MACs by running the following command:
# grep -i macs /etc/ssh/sshd_config | grep -v '^#'
MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96

If no lines are returned, or the returned MAC list contains any MAC that is not FIPS 140-2 approved, this is a finding.

Check Content Reference

M

Target Key

4012

Comments