The kshell daemon must be disabled on AIX.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-215384 | AIX7-00-003079 | SV-215384r958478_rule | CCI-000381 | medium |
| Description | ||||
| The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted communications. The recommendation is to use SSH wherever possible instead of kshell. If the kshell service is used, you should use the latest Kerberos version available and must make sure that all the latest patches are installed. | ||||
| STIG | Date | |||
| IBM AIX 7.x Security Technical Implementation Guide | 2024-08-16 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-7
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.4.6
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000381
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-215384r958478_chk)
From the command prompt, execute the following command:
# grep "^kshell[[:blank:]]" /etc/inetd.conf
If there is any output from the command, this is a finding.
Fix Text (F-16580r294604_fix)
In "/etc/inetd.conf", comment out the "kshell" entry by running command:
# chsubserver -r inetd -C /etc/inetd.conf -d -v 'kshell' -p 'tcp'
Restart inetd:
# refresh -s inetd