From 35eb6ba272c4ca0b7bae1c10af182e59e3e52c6a Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Fri, 15 Jan 2021 16:28:07 +0100
Subject: [PATCH] RHEL-07-040710 now configures X11Forwarding to disable.
---
 .../sshd_disable_x11_forwarding/rule.yml | 19 ++++++++++---------
 .../sshd_enable_x11_forwarding/rule.yml | 1 -
 rhel7/profiles/stig.profile | 2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 1779129f87..7da2e067a6 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -19,22 +19,23 @@ rationale: |-
 other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
-severity: low
+severity: medium
-ocil_clause: "that the X11Forwarding option exists and is enabled"
-
-ocil: |-
- {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
+{{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}}
 identifiers:
 cce@rhel7: CCE-83359-0
 cce@rhel8: CCE-83360-8
 references:
- cis@rhel7: 5.2.4
- cis@rhel8: 5.2.6
- cis@sle12: 5.2.4
- cis@sle15: 5.2.6
+ cis@rhel7: 5.2.4
+ cis@rhel8: 5.2.6
+ cis@sle12: 5.2.4
+ cis@sle15: 5.2.6
+ stigid@rhel7: RHEL-07-040710
+ srg: SRG-OS-000480-GPOS-00227
+ disa: CCI-000366
+ nist: CM-6(b)
 template:
 name: sshd_lineinfile
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 803e581a0f..87c3cb7f5a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
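Review bot: In sshd_disable_x11_forwarding/rule.yml the OCIL macro's `default` argument goes from "no" to "yes" with no stated reason, and that changes what a manual auditor is told to accept. If `default="yes"` means a missing or commented-out `X11Forwarding` line counts as compliant, it has to agree with how the `sshd_lineinfile` template treats an absent directive. The `template:` block continues past the end of this hunk, so the two cannot be compared from here. A comment above the macro line would record the assumption, for example `# default="yes": sshd's built-in X11Forwarding default is "no", so an absent line passes`.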
@@ -29,7 +29,6 @@ references:
 nist: CM-6(a),AC-17(a),AC-17(2)
 nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
 srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: RHEL-07-040710
 stigid@sle12: SLES-12-030260
 isa-62443-2013: 'SR 7.6'
 isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 817e0982e5..6c06a8ede6 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -285,7 +285,7 @@ selections:
 - postfix_prevent_unrestricted_relay
 - package_vsftpd_removed
 - package_tftp-server_removed
- - sshd_enable_x11_forwarding
+ - sshd_disable_x11_forwarding
 - sshd_x11_use_localhost
 - tftpd_uses_secure_mode
 - package_xorg-x11-server-common_removed
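Review bot: In rhel7/profiles/stig.profile the selection now enforces `X11Forwarding no`, but `sshd_enable_x11_forwarding` remains a live rule, since the hunk before this one only drops its rhel7 STIG id. Any profile that extends this one and still lists that rule would end up selecting two rules whose remediations write opposite values to the same sshd_config directive. No other profiles are visible in this patch, so it is worth searching the rhel7 profiles for remaining selections of `sshd_enable_x11_forwarding`. Where a derived profile needs it excluded explicitly, add `- '!sshd_enable_x11_forwarding'`.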