From ff69d42fd57e64112af50b15ed03526a205b0f98 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 13:29:17 -0400
Subject: [PATCH 01/12] Initial commit of rule for issue 5524

---
 .../sshd_disable_x11_forwarding/rule.yml      | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
new file mode 100644
index 0000000000..c0c01728e9
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -0,0 +1,46 @@
+documentation_complete: true
+
+title: 'Disable X11 Forwarding'
+
+description: |-
+    The X11Forwarding parameter provides the ability to tunnel X11 traffic
+    through the connection to enable remote graphic connections.
+    SSH has the capability to encrypt remote X11 connections when SSH's
+    <tt>X11Forwarding</tt> option is enabled.
+    <br /><br />
+    To disable X11 Forwarding, add or correct the
+    following line in <tt>/etc/ssh/sshd_config</tt>:
+    <pre>X11Forwarding no</pre>
+
+rationale: |-
+    Disable X11 forwarding unless there is an operational requirement to use X11
+    applications directly. There is a small risk that the remote X11 servers of
+    users who are logged in via SSH with X11 forwarding could be compromised by
+    other users on the X11 server. Note that even if X11 forwarding is disabled,
+    users can always install their own forwarders.
+
+severity: low
+
+references:
+    cui: 3.1.13
+    disa: "366"
+    nist: CM-6(a),AC-17(a),AC-17(2)
+    nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
+    srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel7: "040710"
+    stigid@sle12: "030260"
+    isa-62443-2013: 'SR 7.6'
+    isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
+    cobit5: BAI03.08,BAI07.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS03.01
+    iso27001-2013: A.12.1.1,A.12.1.2,A.12.1.4,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.14.2.2,A.14.2.3,A.14.2.4
+    cis-csc: 1,11,12,13,15,16,18,20,3,4,6,9
+
+{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}}
+
+template:
+    name: sshd_lineinfile
+    vars:
+        missing_parameter_pass: 'false'
+        parameter: X11Forwarding
+        rule_id: sshd_disable_x11_forwarding
+        value: 'no'
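Review bot: `missing_parameter_pass: 'false'` in the template vars disagrees with the `default="no"` handed to `complete_ocil_entry_sshd_option` a few lines above it: the OCIL text tells the auditor that an absent X11Forwarding line means the default of no, while the generated check would fail a host that has no X11Forwarding line at all. sshd's compiled-in default for X11Forwarding is no, so unless the project deliberately wants an explicit line, the var should read `missing_parameter_pass: 'true'` so the check and the OCIL describe the same condition. The quoted `'no'` and `"366"` values are right as written; both would be retyped by a YAML 1.1 loader if left bare.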

From f1bc29396cf2953fb4cb9cb17d6b8537f7be22f1 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 13:34:02 -0400
Subject: [PATCH 02/12] Haven't found references except for Solaris 11.  Remove
 reference section

---
 .../sshd_disable_x11_forwarding/rule.yml           | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index c0c01728e9..66872d01ab 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -21,20 +21,6 @@ rationale: |-
 
 severity: low
 
-references:
-    cui: 3.1.13
-    disa: "366"
-    nist: CM-6(a),AC-17(a),AC-17(2)
-    nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
-    srg: SRG-OS-000480-GPOS-00227
-    stigid@rhel7: "040710"
-    stigid@sle12: "030260"
-    isa-62443-2013: 'SR 7.6'
-    isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
-    cobit5: BAI03.08,BAI07.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS03.01
-    iso27001-2013: A.12.1.1,A.12.1.2,A.12.1.4,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.14.2.2,A.14.2.3,A.14.2.4
-    cis-csc: 1,11,12,13,15,16,18,20,3,4,6,9
-
 {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}}
 
 template:

From fb105b63c1ae36f309ede1831b8bae7a8d3ca4c7 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 13:56:05 -0400
Subject: [PATCH 03/12] Added CIS Reference

---
 .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml        | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 66872d01ab..88ed64c681 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -23,6 +23,9 @@ severity: low
 
 {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}}
 
+references:
+  cis@rhel8: 5.2.6
+  
 template:
     name: sshd_lineinfile
     vars:
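Review bot: The new `references:` mapping is nested at two spaces while the rest of the file (the `template:` vars visible below it) nests at four, and the separator line added after `cis@rhel8` is whitespace-only (`+  `). Both parse, but yamllint reports trailing spaces and inconsistent indentation; write `    cis@rhel8: 5.2.6` and a genuinely empty line. `5.2.6` is safe unquoted only because its two dots keep it a string — a one-dot section id such as `5.2` would silently become a float — so quoting section ids (`'5.2.6'`) is the safer habit for reference values.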

From 93f1dd883c3bef0e0df0a0eab87a8eaa75134637 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 13:58:34 -0400
Subject: [PATCH 04/12] CIS RHEL 7 Benchmark Reference

---
 .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml        | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 88ed64c681..c56d498972 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -24,8 +24,9 @@ severity: low
 {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}}
 
 references:
+  cis@rhel7: 5.2.5
   cis@rhel8: 5.2.6
-  
+
 template:
     name: sshd_lineinfile
     vars:
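Review bot: `cis@rhel7: 5.2.5` does not agree with the `rhel7/profiles/cis.profile` hunk later in this series, which adds the rule under the heading `### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)`. One of the two is wrong for the benchmark version the profile tracks; whichever is correct, the reference here and the profile heading should cite the same section, since the reference is what ends up in the generated benchmark and in reports. The same mismatch applies to the profile hunk, so fixing it means touching both files.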

From 96a51e5a2496c40aa28d9aace336ee75c26afdeb Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 14:09:25 -0400
Subject: [PATCH 05/12] MOre CIS References

---
 .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml         | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index c56d498972..92cdbc2151 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -26,6 +26,8 @@ severity: low
 references:
   cis@rhel7: 5.2.5
   cis@rhel8: 5.2.6
+  cis@sle12: 5.2.4
+  cis@sle15: 5.2.6
 
 template:
     name: sshd_lineinfile

From da6fb541c8085d3f6a29f2569615201f3c88bda4 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 15:39:53 -0400
Subject: [PATCH 06/12] Modified per pull request comments.

---
 .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml     | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 92cdbc2151..bea57e74aa 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -21,7 +21,9 @@ rationale: |-
 
 severity: low
 
-{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}}
+ocil_clause: "that the X11Forwarding option exists and is enabled"
+
+ocil: '{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}'
 
 references:
   cis@rhel7: 5.2.5
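Review bot: The `ocil:` line wraps the `ocil_sshd_option` macro call in single quotes; the bare top-level `complete_ocil_entry_sshd_option` line this hunk removes only ever worked because the Jinja macros are expanded before the YAML is parsed, so the macro's rendered text ends up inside a single-quoted scalar, where an apostrophe breaks the parse and any newlines are folded into one line. A block scalar avoids both: `ocil: |-` followed by the macro call indented on its own line. The `ocil_clause` above reads as the failing condition for the "Is it the case that …" form, which is consistent with `value: 'no'` being the compliant state.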
@@ -32,7 +34,7 @@ references:
 template:
     name: sshd_lineinfile
     vars:
-        missing_parameter_pass: 'false'
+        missing_parameter_pass: 'true'
         parameter: X11Forwarding
         rule_id: sshd_disable_x11_forwarding
         value: 'no'

From b0b3524c550d3007b33a2d3bdda7d8925dd2fe00 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 16:17:05 -0400
Subject: [PATCH 07/12] Modified per comment

---
 .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml        | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index bea57e74aa..14771fcc9a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -23,7 +23,8 @@ severity: low
 
 ocil_clause: "that the X11Forwarding option exists and is enabled"
 
-ocil: '{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}'
+ocil: |-
+    {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
 
 references:
   cis@rhel7: 5.2.5

From 84f97ae10eaf3c4118f8efa00d7d887ec44db150 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 16:24:28 -0400
Subject: [PATCH 08/12] Added check to RHEL7,8 CIS Profile per request

---
 rhel7/profiles/cis.profile |  3 ++-
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 739ed27200..ba413cb1d8 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -578,7 +578,8 @@ selections:
     - sshd_set_loglevel_info
 
     ### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
-
+    - sshd_disable_x11_forwarding
+    
     ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
     - sshd_set_max_auth_tries
 
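Review bot: The separator line added after `- sshd_disable_x11_forwarding` is whitespace-only (`+    `), which yamllint reports as trailing spaces; make it empty. The heading above the new selection says 5.2.4 while the rule's own `cis@rhel7` reference earlier in this series says 5.2.5 — the two should cite the same section. The diffstat for this commit says two files changed, but only `rhel7/profiles/cis.profile` appears in the patch, so the RHEL 8 profile change the subject line promises is either missing from this page or was never committed; worth checking before merge.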

From 1618a15fb61c447770fd54e131c15445f765eabc Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Thu, 2 Apr 2020 20:16:53 -0400
Subject: [PATCH 09/12] Fixed OCIL Clause

---
 .../services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 14771fcc9a..09dd808e99 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -26,6 +26,7 @@ ocil_clause: "that the X11Forwarding option exists and is enabled"
 ocil: |-
     {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
 
+
 references:
   cis@rhel7: 5.2.5
   cis@rhel8: 5.2.6

From e593461ca7cc38b5125f4413c445c4f9e9261c4e Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Fri, 3 Apr 2020 10:49:57 -0400
Subject: [PATCH 10/12] Added OVAL and tests

---
 .../sshd_disable_x11_forwarding/oval/shared.xml          | 1 +
 .../sshd_disable_x11_forwarding/tests/comment.pass.sh    | 9 +++++++++
 .../tests/correct_value.pass.sh                          | 9 +++++++++
 .../tests/line_not_there.pass.sh                         | 5 +++++
 .../tests/wrong_value.fail.sh                            | 9 +++++++++
 5 files changed, 33 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
new file mode 100644
index 0000000000..88b4e756f5
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_sshd_config(parameter="X11Forwarding", value="no", missing_parameter_pass=true) }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh
new file mode 100644
index 0000000000..2b2e7869af
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then
+	sed -i "s/^X11Forwarding.*/# X11Forwarding no/" /etc/ssh/sshd_config
+else
+	echo "# X11Forwarding no" >> /etc/ssh/sshd_config
+fi
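Review bot: The header `# profiles = xccdf_org.ssgproject.content_profile_ospp` names the profile the scenario is evaluated under, but nothing in this series adds `sshd_disable_x11_forwarding` to an OSPP profile — the only selection shown is in `rhel7/profiles/cis.profile`. As far as I recall the test suite skips a scenario whose rule is not in the declared profile, so this script and the sibling `correct_value.pass.sh`, `line_not_there.pass.sh` and `wrong_value.fail.sh` would not exercise the rule at all. The header should name a profile that actually selects the rule, presumably `xccdf_org.ssgproject.content_profile_cis`; confirm the id against the repository's profile naming.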
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..f8b1ed4685
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then
+	sed -i "s/^X11Forwarding.*/X11Forwarding no/" /etc/ssh/sshd_config
+else
+	echo "X11Forwarding no" >> /etc/ssh/sshd_config
+fi
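Review bot: The `else` branch appends `X11Forwarding no` at the very end of `sshd_config`; in sshd, keywords that follow a `Match` block belong to that block, so on a base config that ends with a `Match` stanza the appended line would not set the global option even though the `sshd_lineinfile` check would see it and pass. The same append is used in `comment.pass.sh` and `wrong_value.fail.sh`. Whether this bites depends on the test image's stock config, which this page does not show; inserting the line before the first `Match` (or at the top of the file) keeps the fixture's effective configuration aligned with what the check asserts either way.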
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh
new file mode 100644
index 0000000000..53a3d754b8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+sed -i "/^X11Forwarding.*/d" /etc/ssh/sshd_config
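Review bot: `sed -i "/^X11Forwarding.*/d"` only removes lines where the keyword starts in column 0 and is written in that exact case; sshd accepts leading whitespace and matches keywords case-insensitively, so an indented or differently-cased `X11Forwarding yes` left in the base image would survive the setup and the "line not there" scenario would not be what its name claims. The same anchored pattern drives the `grep -q "^X11Forwarding"` guards in the other three scripts. With GNU sed, `sed -i -E "/^[[:space:]]*X11Forwarding/Id" /etc/ssh/sshd_config` covers both variants; it is also worth confirming that the `sshd_lineinfile` template's regex is equally tolerant, since the check and the fixture should agree on what counts as a match.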
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..bbb09f62d0
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then
+	sed -i "s/^X11Forwarding.*/X11Forwarding yes/" /etc/ssh/sshd_config
+else
+	echo "X11Forwarding yes" >> /etc/ssh/sshd_config
+fi

From 192c1ee531a838c91db37108f49124295cc5cec3 Mon Sep 17 00:00:00 2001
From: eradot4027 <jrtonmac@gmail.com>
Date: Fri, 3 Apr 2020 13:10:49 -0400
Subject: [PATCH 11/12] Removed OVAL in favor of template

---
 .../ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml   | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
deleted file mode 100644
index 88b4e756f5..0000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
+++ /dev/null
@@ -1 +0,0 @@
-{{{ oval_sshd_config(parameter="X11Forwarding", value="no", missing_parameter_pass=true) }}}