From 389d25be2b69e4e5c828d9b0b72573e0962cabb4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jan 2021 17:07:48 +0100
Subject: [PATCH 1/4] add rule
---
.../sshd_x11_use_localhost/rule.yml | 43 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 3 --
2 files changed, 43 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
new file mode 100644
index 0000000000..67131e509c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -0,0 +1,43 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,rhel7
+
+title: 'Prevent remote hosts from connecting to the proxy display'
+
+description: |-
+ The SSH daemon should prevent remote hosts from connecting to the proxy
+ display. Make sure that the option <tt>X11UseLocalhost</tt> is set to
+ <tt>yes</tt> within the SSH server configuration file.
+
+
+rationale: |-
+ When X11 forwarding is enabled, there may be additional exposure to the
+ server and client displays if the sshd proxy display is configured to listen
+ on the wildcard address. By default, sshd binds the forwarding server to the
+ loopback address and sets the hostname part of the <tt>DISPLAY</tt>
+ environment variable to localhost. This prevents remote hosts from
+ connecting to the proxy display.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83404-4
+
+references:
+ srg: SRG-OS-000480-GPOS-00227
+ stig@rhel7: RHEL-07-040711
+ disa: CCI-000366
+ nist: CM-6(b)
+
+ocil_clause: "the display proxy is listening on wildcard address"
+
+ocil: |-
+ {{{ ocil_sshd_option(default="yes", option="X11UseLocalhost", value="yes") }}}
+
+template:
+ name: sshd_lineinfile
+ vars:
+ missing_parameter_pass: 'false'
+ parameter: X11UseLocalhost
+ rule_id: sshd_x11_use_localhost
+ value: 'yes'
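Review bot: The template's `missing_parameter_pass: 'false'` at the end of the hunk disagrees with the rationale, which states that sshd binds the forwarding server to the loopback address by default, and with the OCIL call's `default="yes"`: a configuration that never mentions X11UseLocalhost would be reported as failing although it is compliant. PATCH 4/4 in this series flips the value to 'true', so what remains is the prose, which should tell an auditor that an absent option is acceptable, e.g. appending to the description `If the option is not present, the sshd default of <tt>yes</tt> applies and the rule is satisfied.` Keeping rationale, OCIL default and template in step is what makes the automated and the manual check agree on a default installation.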
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4dbec8255c..fb59a52ca7 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,8 +1,5 @@
-CCE-83392-1
-CCE-83397-0
CCE-83398-8
CCE-83399-6
-CCE-83404-4
CCE-83405-1
CCE-83406-9
CCE-83407-7
From a40b9e68305afb52c2c674848b71cbcaee25fe32 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jan 2021 17:08:08 +0100
Subject: [PATCH 2/4] add rule to the stig profile
---
rhel7/profiles/stig.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 88b50d5ef4..817e0982e5 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -286,6 +286,7 @@ selections:
- package_vsftpd_removed
- package_tftp-server_removed
- sshd_enable_x11_forwarding
+ - sshd_x11_use_localhost
- tftpd_uses_secure_mode
- package_xorg-x11-server-common_removed
- xwindows_runlevel_target
From 588912842af0164d79c4aa4c076bfa6cb3ac8f8b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 14 Jan 2021 09:34:14 +0100
Subject: [PATCH 3/4] return erroneously removed cces
---
shared/references/cce-redhat-avail.txt | 2 ++
1 file changed, 2 insertions(+)
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index fb59a52ca7..d6ccab5dbf 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,3 +1,5 @@
+CCE-83392-1
+CCE-83397-0
CCE-83398-8
CCE-83399-6
CCE-83405-1
From be2f96b80fbfb74708381e15a2a6e76c3952bbb5 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Fri, 15 Jan 2021 07:46:09 +0100
Subject: [PATCH 4/4] Update
linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
---
.../services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index 67131e509c..7267d2443a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -37,7 +37,7 @@ ocil: |-
template:
name: sshd_lineinfile
vars:
- missing_parameter_pass: 'false'
+ missing_parameter_pass: 'true'
parameter: X11UseLocalhost
rule_id: sshd_x11_use_localhost
value: 'yes'
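Review bot: Nothing in the changed line records why `missing_parameter_pass` became 'true'; a maintainer who later tightens the template would have to rediscover that sshd treats an absent X11UseLocalhost as yes, which is the only reason the relaxed check is sound. If the build tolerates YAML comments in rule files, a one-line comment above the changed line, `# sshd defaults X11UseLocalhost to yes, so an absent line is compliant; only an explicit 'no' fails`, keeps that reasoning next to the value. With this change the check presumably only flags an explicit non-yes setting, so the rationale and description earlier in the file (outside this hunk) should say so as well; the `template:` block itself is complete within the hunk.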