AIX must turn off TCP forwarding for the SSH daemon.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-215301 | SRG-OS-000480-GPOS-00227 | AIX7-00-002118 | SV-215301r991589_rule | 2026-02-06 | 3 |
Description
SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.
ℹ️ Check
If TCP forwarding is approved for use by the ISSO, this is not applicable.
Check the SSH daemon configuration for the "AllowTcpForwarding" directive using command:
# grep -i AllowTcpForwarding /etc/ssh/sshd_config | grep -v '^#'
AllowTcpForwarding no
If the setting is not present or the setting is "yes", this is a finding.
✔️ Fix
Edit the "/etc/sshd/sshd_config" file to add the following line and save the change:
AllowTcpForwarding no
Restart the SSH daemon:
# stopsrc -s sshd
# startsrc -s sshd