AIX must turn off TCP forwarding for the SSH daemon.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-215301 | SRG-OS-000480-GPOS-00227 | AIX7-00-002118 | SV-215301r991589_rule | 2024-08-16 | 3 |
| Description |
|---|
| SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. |
| ℹ️ Check |
|---|
| If TCP forwarding is approved for use by the ISSO, this is not applicable. Check the SSH daemon configuration for the "AllowTcpForwarding" directive using command: # grep -i AllowTcpForwarding /etc/ssh/sshd_config | grep -v '^#' AllowTcpForwarding no If the setting is not present or the setting is "yes", this is a finding. |
| ✔️ Fix |
|---|
| Edit the "/etc/sshd/sshd_config" file to add the following line and save the change: AllowTcpForwarding no Restart the SSH daemon: # stopsrc -s sshd # startsrc -s sshd |