Ubuntu 24.04 5.1.8 Ensure sshd DisableForwarding is enabled
ericeberry committed Dec 13, 2024
1 parent c13b3fd commit 5add21d
Showing 3 changed files with 54 additions and 2 deletions.
1 change: 1 addition & 0 deletions components/openssh.yml
Expand Up @@ -38,6 +38,7 @@ rules:
- sshd_allow_only_protocol2
- sshd_disable_compression
- sshd_disable_empty_passwords
- sshd_disable_forwarding
- sshd_disable_gssapi_auth
- sshd_disable_kerb_auth
- sshd_disable_pubkey_auth
5 changes: 3 additions & 2 deletions controls/cis_ubuntu2404.yml
Expand Up @@ -1120,8 +1120,9 @@ controls:
levels:
- l1_server
- l2_workstation
status: planned
notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
rules:
- sshd_disable_forwarding
status: automated

- id: 3.2.1
title: Ensure dccp kernel module is not available (Automated)
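Review bot: the removed TODO note said this control mapped to no rule in the ubuntu2204 profile either; now that `sshd_disable_forwarding` exists, the matching control entry in the Ubuntu 22.04 CIS control file (if that benchmark carries the same DisableForwarding requirement) can be switched from `planned` to `automated` in the same way, otherwise the two profiles drift. Also confirm that placing `rules:` before `status: automated` matches the key order used by the neighbouring entries in controls/cis_ubuntu2404.yml, since the file is easier to scan when every control follows one layout.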
@@ -0,0 +1,50 @@
documentation_complete: true

title: 'Disable SSH Forwarding'

description: |-
The DisableForwarding parameter disables all forwarding features, including X11,
ssh-agent(1), TCP and StreamLocal. This option overrides all other forwarding-related
options and may simplify restricted configurations.
- X11Forwarding provides the ability to tunnel X11 traffic through the connection to
enable remote graphic connections.
- ssh-agent is a program to hold private keys used for public key authentication.
Through use of environment variables the agent can be located and
automatically used for authentication when logging in to other machines using
ssh.
- SSH port forwarding is a mechanism in SSH for tunneling application ports from
the client to the server, or servers to clients. It can be used for adding encryption
to legacy applications, going through firewalls, and some system administrators
and IT professionals use it for opening backdoors into the internal network from
their home machines.
rationale: |-
Disable X11 forwarding unless there is an operational requirement to use X11
applications directly. There is a small risk that the remote X11 servers of users who are
logged in via SSH with X11 forwarding could be compromised by other users on the
X11 server. Note that even if X11 forwarding is disabled, users can always install their
own forwarders.
Anyone with root privilege on the the intermediate server can make free use of ssh-
agent to authenticate them to other servers
Leaving port forwarding enabled can expose the organization to security risks and
backdoors. SSH connections are protected with strong encryption. This makes their
contents invisible to most deployed network monitoring and traffic filtering solutions.
This invisibility carries considerable risk potential if it is used for malicious purposes
such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their
unauthorized communications, or to exfiltrate stolen data from the target network.
severity: medium

ocil_clause: "The DisableForwarding option exists and is yes"

ocil: |-
{{{ ocil_sshd_option(default="yes", option="DisableForwarding", value="yeso") }}}
template:
name: sshd_lineinfile
vars:
parameter: DisableForwarding
value: 'yes'
datatype: string
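Review bot: the OCIL line `{{{ ocil_sshd_option(default="yes", option="DisableForwarding", value="yeso") }}}` passes `value="yeso"`, a typo for `yes`; as written the generated manual check text tells the auditor to look for a setting sshd never accepts, so it should read `value="yes"`. In the same call, check what the macro does with `default="yes"`: if that argument means "the unset default already satisfies the requirement", it is wrong here, because sshd_config(5) documents DisableForwarding as defaulting to `no`, and an absent line must fail the check rather than pass it. The new rule.yml also has no `references:` block tying it to CIS Ubuntu 24.04 control 5.1.8, which the commit title names, so the mapping will not appear in the generated reference tables; adding the `cis@ubuntu2404` reference would fix that. Minor: the rationale has a doubled word in "the the intermediate server" and is missing a full stop after "authenticate them to other servers".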
