Ubuntu 24.04 5.1.8 Ensure sshd DisableForwarding is enabled
1 parent c13b3fd; commit 5add21d
Showing 3 changed files with 54 additions and 2 deletions.
linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml (50 changes: 50 additions & 0 deletions)
@@ -0,0 +1,50 @@ | ||
documentation_complete: true | ||
|
||
title: 'Disable SSH Forwarding' | ||
|
||
description: |- | ||
The DisableForwarding parameter disables all forwarding features, including X11, | ||
ssh-agent(1), TCP and StreamLocal. This option overrides all other forwarding-related | ||
options and may simplify restricted configurations. | ||
- X11Forwarding provides the ability to tunnel X11 traffic through the connection to | ||
enable remote graphic connections. | ||
- ssh-agent is a program to hold private keys used for public key authentication. | ||
Through use of environment variables the agent can be located and | ||
automatically used for authentication when logging in to other machines using | ||
ssh. | ||
- SSH port forwarding is a mechanism in SSH for tunneling application ports from | ||
the client to the server, or servers to clients. It can be used for adding encryption | ||
to legacy applications, going through firewalls, and some system administrators | ||
and IT professionals use it for opening backdoors into the internal network from | ||
their home machines. | ||
rationale: |- | ||
Disable X11 forwarding unless there is an operational requirement to use X11 | ||
applications directly. There is a small risk that the remote X11 servers of users who are | ||
logged in via SSH with X11 forwarding could be compromised by other users on the | ||
X11 server. Note that even if X11 forwarding is disabled, users can always install their | ||
own forwarders. | ||
Anyone with root privilege on the the intermediate server can make free use of ssh- | ||
agent to authenticate them to other servers | ||
Leaving port forwarding enabled can expose the organization to security risks and | ||
backdoors. SSH connections are protected with strong encryption. This makes their | ||
contents invisible to most deployed network monitoring and traffic filtering solutions. | ||
This invisibility carries considerable risk potential if it is used for malicious purposes | ||
such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their | ||
unauthorized communications, or to exfiltrate stolen data from the target network. | ||
severity: medium | ||
|
||
ocil_clause: "The DisableForwarding option exists and is yes" | ||
|
||
ocil: |- | ||
{{{ ocil_sshd_option(default="yes", option="DisableForwarding", value="yeso") }}} | ||
template: | ||
name: sshd_lineinfile | ||
vars: | ||
parameter: DisableForwarding | ||
value: 'yes' | ||
datatype: string |
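Review bot: the `ocil` line passes `value="yeso"` instead of `value="yes"`, so the generated manual check would instruct an assessor to look for a value sshd never accepts and would disagree with both `ocil_clause` ("exists and is yes") and the template's `value: 'yes'`; change it to `{{{ ocil_sshd_option(default="yes", option="DisableForwarding", value="yes") }}}`. Two smaller points in the same hunk: the rationale has a doubled word ("on the the intermediate server") and the sentence ending "to authenticate them to other servers" has no terminating period, and since the commit message ties this rule to Ubuntu 24.04 benchmark item 5.1.8, the rule would benefit from a `references:` block carrying that identifier so the rule is traceable from the profile.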