From 5add21d1cfa5b6451ef6a1f0c68f2eabc856c4eb Mon Sep 17 00:00:00 2001
From: Eric Berry
Date: Thu, 12 Dec 2024 16:30:38 -0800
Subject: [PATCH 1/2] Ubuntu 24.04 5.1.8 Ensure sshd DisableForwarding is enabled

---
 components/openssh.yml | 1 +
 controls/cis_ubuntu2404.yml | 5 +-
 .../sshd_disable_forwarding/rule.yml | 50 +++++++++++++++++++
 3 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml

diff --git a/components/openssh.yml b/components/openssh.yml
index f257c7e6f37..3298afea093 100644
--- a/components/openssh.yml
+++ b/components/openssh.yml
@@ -38,6 +38,7 @@ rules:
 - sshd_allow_only_protocol2
 - sshd_disable_compression
 - sshd_disable_empty_passwords
+- sshd_disable_forwarding
 - sshd_disable_gssapi_auth
 - sshd_disable_kerb_auth
 - sshd_disable_pubkey_auth
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index c72af22cb84..5412e738bd4 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1120,8 +1120,9 @@ controls:
 levels:
 - l1_server
 - l2_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - sshd_disable_forwarding
+ status: automated
 - id: 3.2.1
 title: Ensure dccp kernel module is not available (Automated)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml
new file mode 100644
index 00000000000..8cfc4104ccc
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml
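Review bot: The `levels:` block that this control now automates still lists `- l1_server` / `- l2_workstation`, which is the reverse of how I recall the CIS benchmark publishing 5.1.8 "Ensure sshd DisableForwarding is enabled" (Level 2 Server, Level 1 Workstation, because disabling every forwarding type on a server breaks jump hosts and tunnelled admin workflows); please verify the profile applicability against the 24.04 benchmark before the control carries `status: automated`. The removed `notes:` line was also the only record that no ubuntu2204 rule mapped here; if the new rule is intended to be shared with the 22.04 control file, a one-line `notes: sshd_disable_forwarding was added for this control; ubuntu2204 still lacks it` would help whoever next audits parity between the two profiles.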
@@ -0,0 +1,50 @@
+documentation_complete: true
+
+title: 'Disable SSH Forwarding'
+
+description: |-
+ The DisableForwarding parameter disables all forwarding features, including X11,
+ ssh-agent(1), TCP and StreamLocal. This option overrides all other forwarding-related
+ options and may simplify restricted configurations.
+ - X11Forwarding provides the ability to tunnel X11 traffic through the connection to
+ enable remote graphic connections.
+ - ssh-agent is a program to hold private keys used for public key authentication.
+ Through use of environment variables the agent can be located and
+ automatically used for authentication when logging in to other machines using
+ ssh.
+ - SSH port forwarding is a mechanism in SSH for tunneling application ports from
+ the client to the server, or servers to clients. It can be used for adding encryption
+ to legacy applications, going through firewalls, and some system administrators
+ and IT professionals use it for opening backdoors into the internal network from
+ their home machines.
+
+rationale: |-
+ Disable X11 forwarding unless there is an operational requirement to use X11
+ applications directly. There is a small risk that the remote X11 servers of users who are
+ logged in via SSH with X11 forwarding could be compromised by other users on the
+ X11 server. Note that even if X11 forwarding is disabled, users can always install their
+ own forwarders.
+
+ Anyone with root privilege on the the intermediate server can make free use of ssh-
+ agent to authenticate them to other servers
+
+ Leaving port forwarding enabled can expose the organization to security risks and
+ backdoors. SSH connections are protected with strong encryption. This makes their
+ contents invisible to most deployed network monitoring and traffic filtering solutions.
+ This invisibility carries considerable risk potential if it is used for malicious purposes
+ such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their
+ unauthorized communications, or to exfiltrate stolen data from the target network.
+
+severity: medium
+
+ocil_clause: "The DisableForwarding option exists and is yes"
+
+ocil: |-
+ {{{ ocil_sshd_option(default="yes", option="DisableForwarding", value="yeso") }}}
+
+template:
+ name: sshd_lineinfile
+ vars:
+ parameter: DisableForwarding
+ value: 'yes'
+ datatype: string

From 04b21cdceefbe30424f1844cb72f6818b6d4bf19 Mon Sep 17 00:00:00 2001
From: Eric Berry
Date: Fri, 13 Dec 2024 15:35:05 -0800
Subject: [PATCH 2/2] Ubuntu 24.04 5.1.8 Ensure sshd DisableForwarding is enabled

---
 .../sshd_disable_forwarding/rule.yml | 34 +++----------------
 1 file changed, 4 insertions(+), 30 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml
index 8cfc4104ccc..2b38acabeb2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml
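Review bot: The `ocil:` line passes `default="yes"` to `ocil_sshd_option`, but OpenSSH's own default for `DisableForwarding` is `no` (sshd_config(5)), so if that argument means what it does in the sibling sshd rules — an absent or commented-out line counts as compliant — the manual check will tell an auditor that an untouched sshd_config passes while the automated `sshd_lineinfile` check (which, with no `missing_parameter_pass` set in the template vars here, appears to require the line to be present) fails it; it should read `{{{ ocil_sshd_option(default="no", option="DisableForwarding", value="yes") }}}`. In the same file, `ocil_clause: "The DisableForwarding option exists and is yes"` describes the compliant state, whereas the clause is rendered as the condition for a finding elsewhere in this tree, so it should be inverted to `ocil_clause: "DisableForwarding is not set to yes"`. The `value: 'yes'` quoting under `template.vars` is correct and must stay quoted, since an unquoted `yes` would be loaded as a boolean rather than the string sshd expects.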
@@ -3,44 +3,18 @@ documentation_complete: true
 title: 'Disable SSH Forwarding'
 description: |-
- The DisableForwarding parameter disables all forwarding features, including X11,
- ssh-agent(1), TCP and StreamLocal. This option overrides all other forwarding-related
- options and may simplify restricted configurations.
- - X11Forwarding provides the ability to tunnel X11 traffic through the connection to
- enable remote graphic connections.
- - ssh-agent is a program to hold private keys used for public key authentication.
- Through use of environment variables the agent can be located and
- automatically used for authentication when logging in to other machines using
- ssh.
- - SSH port forwarding is a mechanism in SSH for tunneling application ports from
- the client to the server, or servers to clients. It can be used for adding encryption
- to legacy applications, going through firewalls, and some system administrators
- and IT professionals use it for opening backdoors into the internal network from
- their home machines.
+ The DisableForwarding parameter disables all forwarding features,
 rationale: |-
- Disable X11 forwarding unless there is an operational requirement to use X11
- applications directly. There is a small risk that the remote X11 servers of users who are
- logged in via SSH with X11 forwarding could be compromised by other users on the
- X11 server. Note that even if X11 forwarding is disabled, users can always install their
- own forwarders.
-
- Anyone with root privilege on the the intermediate server can make free use of ssh-
- agent to authenticate them to other servers
-
- Leaving port forwarding enabled can expose the organization to security risks and
- backdoors. SSH connections are protected with strong encryption. This makes their
- contents invisible to most deployed network monitoring and traffic filtering solutions.
- This invisibility carries considerable risk potential if it is used for malicious purposes
- such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their
- unauthorized communications, or to exfiltrate stolen data from the target network.
+ Disable ssh forwarding unless there is an operational requirement to use it.
+ Leaving port forwarding enabled can expose the organization to security risks.
 severity: medium
 ocil_clause: "The DisableForwarding option exists and is yes"
 ocil: |-
- {{{ ocil_sshd_option(default="yes", option="DisableForwarding", value="yeso") }}}
+ {{{ ocil_sshd_option(default="yes", option="DisableForwarding", value="yes") }}}
 template:
 name: sshd_lineinfile
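Review bot: The rewritten `description:` is now a sentence fragment — `The DisableForwarding parameter disables all forwarding features,` ends on a comma with nothing after it, so the rendered guide will show an unfinished sentence. Suggest `The DisableForwarding parameter disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal forwarding. It overrides all other forwarding-related options.`, which keeps the factual part of the text this patch removed and matches sshd_config(5). The trimmed `rationale:` now speaks only of port forwarding, although the option also disables X11 and agent forwarding; one sentence noting that agent forwarding lets anyone with root on the intermediate host authenticate onward with the user's keys would keep the rationale aligned with what the rule actually enforces. The `default="yes"` argument on the corrected `ocil:` line is untouched here and still contradicts OpenSSH's default of `no` for this option, so the manual check will disagree with the automated one on an unconfigured host. The `template:` mapping continues past the end of the hunk.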