From 04b21cdceefbe30424f1844cb72f6818b6d4bf19 Mon Sep 17 00:00:00 2001
From: Eric Berry
Date: Fri, 13 Dec 2024 15:35:05 -0800
Subject: [PATCH] Ubuntu 24.04 5.1.8 Ensure sshd DisableForwarding is enabled
---
.../sshd_disable_forwarding/rule.yml | 34 +++----------------
1 file changed, 4 insertions(+), 30 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml
index 8cfc4104ccc..2b38acabeb2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml
@@ -3,44 +3,18 @@ documentation_complete: true
 title: 'Disable SSH Forwarding'
 description: |-
- The DisableForwarding parameter disables all forwarding features, including X11,
- ssh-agent(1), TCP and StreamLocal. This option overrides all other forwarding-related
- options and may simplify restricted configurations.
-
- X11Forwarding provides the ability to tunnel X11 traffic through the connection to
- enable remote graphic connections.
-
- ssh-agent is a program to hold private keys used for public key authentication.
- Through use of environment variables the agent can be located and
- automatically used for authentication when logging in to other machines using
- ssh.
-
- SSH port forwarding is a mechanism in SSH for tunneling application ports from
- the client to the server, or servers to clients. It can be used for adding encryption
- to legacy applications, going through firewalls, and some system administrators
- and IT professionals use it for opening backdoors into the internal network from
- their home machines.
+ The DisableForwarding parameter disables all forwarding features,
 rationale: |-
- Disable X11 forwarding unless there is an operational requirement to use X11
- applications directly. There is a small risk that the remote X11 servers of users who are
- logged in via SSH with X11 forwarding could be compromised by other users on the
- X11 server. Note that even if X11 forwarding is disabled, users can always install their
- own forwarders.
-
- Anyone with root privilege on the the intermediate server can make free use of ssh-
- agent to authenticate them to other servers
-
- Leaving port forwarding enabled can expose the organization to security risks and
- backdoors. SSH connections are protected with strong encryption. This makes their
- contents invisible to most deployed network monitoring and traffic filtering solutions.
- This invisibility carries considerable risk potential if it is used for malicious purposes
- such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their
- unauthorized communications, or to exfiltrate stolen data from the target network.
+ Disable ssh forwarding unless there is an operational requirement to use it.
+ Leaving port forwarding enabled can expose the organization to security risks.
 severity: medium
 ocil_clause: "The DisableForwarding option exists and is yes"
 ocil: |-
- {{{ ocil_sshd_option(default="yes", option="DisableForwarding", value="yeso") }}}
+ {{{ ocil_sshd_option(default="yes", option="DisableForwarding", value="yes") }}}
 template:
 name: sshd_lineinfile
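Review bot: The rewritten description in the first added line of this hunk is left as a sentence fragment ending in a comma, `The DisableForwarding parameter disables all forwarding features,`, so the description text rendered for this rule stops mid-sentence. Restoring the deleted tail keeps it complete and tells an auditor that this single option supersedes the per-type settings: `The DisableForwarding parameter disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal forwarding. This option overrides all other forwarding-related options.` The new rationale names only port forwarding, although the option and the ocil check cover every forwarding type; `Leaving any form of SSH forwarding enabled can expose the organization to security risks.` would match the scope of the check. The template stanza that starts at the end of the hunk continues outside it.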