From ff69d42fd57e64112af50b15ed03526a205b0f98 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 13:29:17 -0400
Subject: [PATCH 01/12] Initial commit of rule for issue 5524
---
.../sshd_disable_x11_forwarding/rule.yml | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
new file mode 100644
index 0000000000..c0c01728e9
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -0,0 +1,46 @@
+documentation_complete: true
+
+title: 'Disable X11 Forwarding'
+
+description: |-
+ The X11Forwarding parameter provides the ability to tunnel X11 traffic
+ through the connection to enable remote graphic connections.
+ SSH has the capability to encrypt remote X11 connections when SSH's
+ <tt>X11Forwarding</tt> option is enabled.
+
+ To disable X11 Forwarding, add or correct the
+ following line in <tt>/etc/ssh/sshd_config</tt>:
+ X11Forwarding no
+
+rationale: |-
+ Disable X11 forwarding unless there is an operational requirement to use X11
+ applications directly. There is a small risk that the remote X11 servers of
+ users who are logged in via SSH with X11 forwarding could be compromised by
+ other users on the X11 server. Note that even if X11 forwarding is disabled,
+ users can always install their own forwarders.
+
+severity: low
+
+references:
+ cui: 3.1.13
+ disa: "366"
+ nist: CM-6(a),AC-17(a),AC-17(2)
+ nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: "040710"
+ stigid@sle12: "030260"
+ isa-62443-2013: 'SR 7.6'
+ isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
+ cobit5: BAI03.08,BAI07.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS03.01
+ iso27001-2013: A.12.1.1,A.12.1.2,A.12.1.4,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.14.2.2,A.14.2.3,A.14.2.4
+ cis-csc: 1,11,12,13,15,16,18,20,3,4,6,9
+
+{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}}
+
+template:
+ name: sshd_lineinfile
+ vars:
+ missing_parameter_pass: 'false'
+ parameter: X11Forwarding
+ rule_id: sshd_disable_x11_forwarding
+ value: 'no'
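Review bot: The template's `missing_parameter_pass: 'false'` at the end of this hunk contradicts the OCIL macro call a few lines above it, which declares `default="no"` for X11Forwarding: the manual check tells an assessor that an absent directive is compliant, while the automated check fails on it. OpenSSH's built-in default for X11Forwarding is `no`, so an absent directive is the secure state and the two should agree; `missing_parameter_pass: 'true'` resolves it, which a later patch in this series does. The `description` also places the literal config line inside prose; if this project's convention is to wrap such lines, `<pre>X11Forwarding no</pre>` would render it as configuration rather than running text.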
From f1bc29396cf2953fb4cb9cb17d6b8537f7be22f1 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 13:34:02 -0400
Subject: [PATCH 02/12] Haven't found references except for Solaris 11. Remove
reference section
---
.../sshd_disable_x11_forwarding/rule.yml | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index c0c01728e9..66872d01ab 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -21,20 +21,6 @@ rationale: |-
severity: low
-references:
- cui: 3.1.13
- disa: "366"
- nist: CM-6(a),AC-17(a),AC-17(2)
- nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
- srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: "040710"
- stigid@sle12: "030260"
- isa-62443-2013: 'SR 7.6'
- isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
- cobit5: BAI03.08,BAI07.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS03.01
- iso27001-2013: A.12.1.1,A.12.1.2,A.12.1.4,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.14.2.2,A.14.2.3,A.14.2.4
- cis-csc: 1,11,12,13,15,16,18,20,3,4,6,9
-
{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}}
template:
From fb105b63c1ae36f309ede1831b8bae7a8d3ca4c7 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 13:56:05 -0400
Subject: [PATCH 03/12] Added CIS Reference
---
.../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 66872d01ab..88ed64c681 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -23,6 +23,9 @@ severity: low
{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}}
+references:
+ cis@rhel8: 5.2.6
+
template:
name: sshd_lineinfile
vars:
From 93f1dd883c3bef0e0df0a0eab87a8eaa75134637 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 13:58:34 -0400
Subject: [PATCH 04/12] CIS RHEL 7 Benchmark Reference
---
.../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 88ed64c681..c56d498972 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -24,8 +24,9 @@ severity: low
{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}}
references:
+ cis@rhel7: 5.2.5
cis@rhel8: 5.2.6
-
+
template:
name: sshd_lineinfile
vars:
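Review bot: The added `cis@rhel7: 5.2.5` disagrees with the RHEL 7 CIS profile edited later in this series, where the rule is selected under the heading `### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)` and `5.2.5` is the MaxAuthTries item (patch 08/12, rhel7/profiles/cis.profile). One of the two is off by one; if the profile headings track the benchmark edition this reference is meant for, the line should read `cis@rhel7: 5.2.4`. Worth confirming against the benchmark edition the project targets before the reference is published, since downstream reports key off these identifiers.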
From 96a51e5a2496c40aa28d9aace336ee75c26afdeb Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 14:09:25 -0400
Subject: [PATCH 05/12] MOre CIS References
---
.../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index c56d498972..92cdbc2151 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -26,6 +26,8 @@ severity: low
references:
cis@rhel7: 5.2.5
cis@rhel8: 5.2.6
+ cis@sle12: 5.2.4
+ cis@sle15: 5.2.6
template:
name: sshd_lineinfile
From da6fb541c8085d3f6a29f2569615201f3c88bda4 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 15:39:53 -0400
Subject: [PATCH 06/12] Modified per pull request comments.
---
.../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 92cdbc2151..bea57e74aa 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -21,7 +21,9 @@ rationale: |-
severity: low
-{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}}
+ocil_clause: "that the X11Forwarding option exists and is enabled"
+
+ocil: '{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}'
references:
cis@rhel7: 5.2.5
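Review bot: The new `ocil_clause` starts with the word "that", and if the build renders clauses as "Is it the case that …?" as the clause style of other rules in this project suggests, the assessor will read "Is it the case that that the X11Forwarding option exists and is enabled?". Dropping the leading word gives `ocil_clause: 'the X11Forwarding option exists and is enabled'`, which also matches the failing condition the check now reports (an explicit `X11Forwarding yes`). Patch 09/12 is titled "Fixed OCIL Clause" but only inserts a blank line, so this wording survives to the end of the series.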
@@ -32,7 +34,7 @@ references:
template:
name: sshd_lineinfile
vars:
- missing_parameter_pass: 'false'
+ missing_parameter_pass: 'true'
parameter: X11Forwarding
rule_id: sshd_disable_x11_forwarding
value: 'no'
From b0b3524c550d3007b33a2d3bdda7d8925dd2fe00 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 16:17:05 -0400
Subject: [PATCH 07/12] Modified per comment
---
.../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index bea57e74aa..14771fcc9a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -23,7 +23,8 @@ severity: low
ocil_clause: "that the X11Forwarding option exists and is enabled"
-ocil: '{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}'
+ocil: |-
+ {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
references:
cis@rhel7: 5.2.5
From 84f97ae10eaf3c4118f8efa00d7d887ec44db150 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 16:24:28 -0400
Subject: [PATCH 08/12] Added check to RHEL7,8 CIS Profile per request
---
rhel7/profiles/cis.profile | 3 ++-
2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 739ed27200..ba413cb1d8 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -578,7 +578,8 @@ selections:
- sshd_set_loglevel_info
### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
-
+ - sshd_disable_x11_forwarding
+
### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
- sshd_set_max_auth_tries
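Review bot: The diffstat for this patch reports `2 files changed, 11 insertions(+), 10 deletions(-)` and the subject announces RHEL 7 and 8, yet only `rhel7/profiles/cis.profile` with a two-line change appears here; the rhel8 profile hunk is either absent from the patch or truncated on this page, so the RHEL 8 selection of `sshd_disable_x11_forwarding` should be verified separately rather than assumed from the subject. The rhel7 selection itself is placed under the `5.2.4` heading, which is the benchmark item the rule implements, so that part reads correctly.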
From 1618a15fb61c447770fd54e131c15445f765eabc Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 20:16:53 -0400
Subject: [PATCH 09/12] Fixed OCIL Clause
---
.../services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 14771fcc9a..09dd808e99 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -26,6 +26,7 @@ ocil_clause: "that the X11Forwarding option exists and is enabled"
ocil: |-
{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
+
references:
cis@rhel7: 5.2.5
cis@rhel8: 5.2.6
From e593461ca7cc38b5125f4413c445c4f9e9261c4e Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Fri, 3 Apr 2020 10:49:57 -0400
Subject: [PATCH 10/12] Added OVAL and tests
---
.../sshd_disable_x11_forwarding/oval/shared.xml | 1 +
.../sshd_disable_x11_forwarding/tests/comment.pass.sh | 9 +++++++++
.../tests/correct_value.pass.sh | 9 +++++++++
.../tests/line_not_there.pass.sh | 5 +++++
.../tests/wrong_value.fail.sh | 9 +++++++++
5 files changed, 33 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
new file mode 100644
index 0000000000..88b4e756f5
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_sshd_config(parameter="X11Forwarding", value="no", missing_parameter_pass=true) }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh
new file mode 100644
index 0000000000..2b2e7869af
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then
+ sed -i "s/^X11Forwarding.*/# X11Forwarding no/" /etc/ssh/sshd_config
+else
+ echo "# X11Forwarding no" >> /etc/ssh/sshd_config
+fi
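Review bot: Every test scenario in this patch declares `# profiles = xccdf_org.ssgproject.content_profile_ospp`, but the only profile this series selects `sshd_disable_x11_forwarding` in is the RHEL 7 CIS profile (patch 08/12); if the rule is not selected in ospp, the test suite has no profile under which to evaluate these scenarios and they will be skipped instead of exercising the check. Either point the header at a profile that selects the rule, e.g. `# profiles = xccdf_org.ssgproject.content_profile_cis`, or add the rule to ospp as well. The same header appears in correct_value.pass.sh, line_not_there.pass.sh and wrong_value.fail.sh in this patch.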
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..f8b1ed4685
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then
+ sed -i "s/^X11Forwarding.*/X11Forwarding no/" /etc/ssh/sshd_config
+else
+ echo "X11Forwarding no" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh
new file mode 100644
index 0000000000..53a3d754b8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+sed -i "/^X11Forwarding.*/d" /etc/ssh/sshd_config
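Review bot: This scenario's pass expectation rests on two facts the script does not state: sshd's built-in default for X11Forwarding is `no`, and rule.yml now sets `missing_parameter_pass: 'true'`, so a configuration with no directive at all is compliant. A comment above the sed such as `# No X11Forwarding directive is compliant: sshd defaults it to "no" and the rule sets missing_parameter_pass: 'true'` records that dependency, so a later change to the template variable is recognised as also flipping this test's expected result. The `sed` pattern shares the column-0, exact-case anchoring of the other scenarios in this patch, so an indented or differently cased directive would survive the deletion.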
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..bbb09f62d0
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then
+ sed -i "s/^X11Forwarding.*/X11Forwarding yes/" /etc/ssh/sshd_config
+else
+ echo "X11Forwarding yes" >> /etc/ssh/sshd_config
+fi
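Review bot: The `grep` and `sed` in this scenario only match a directive at column 0 with this exact capitalisation, whereas sshd treats keywords case-insensitively and accepts leading whitespace, so a pre-existing `x11forwarding no` or an indented directive survives and the file ends up with two conflicting X11Forwarding lines; sshd honours the first occurrence, so the `X11Forwarding yes` this fail scenario intends to be effective may not be the one that applies. Case-insensitive, whitespace-tolerant patterns make the setup deterministic: `if grep -qi "^[[:space:]]*X11Forwarding" /etc/ssh/sshd_config; then` and `sed -i "s/^[[:space:]]*X11Forwarding.*/X11Forwarding yes/I" /etc/ssh/sshd_config`. comment.pass.sh and correct_value.pass.sh in this patch use the same anchored patterns and would benefit from the same change.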
From 192c1ee531a838c91db37108f49124295cc5cec3 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Fri, 3 Apr 2020 13:10:49 -0400
Subject: [PATCH 11/12] Removed OVAL in favor of template
---
.../ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
deleted file mode 100644
index 88b4e756f5..0000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
+++ /dev/null
@@ -1 +0,0 @@
-{{{ oval_sshd_config(parameter="X11Forwarding", value="no", missing_parameter_pass=true) }}}