From 35eb6ba272c4ca0b7bae1c10af182e59e3e52c6a Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 15 Jan 2021 16:28:07 +0100
Subject: [PATCH] RHEL-07-040710 now configures X11Forwarding to disable.
---
.../sshd_disable_x11_forwarding/rule.yml | 19 ++++++++++---------
.../sshd_enable_x11_forwarding/rule.yml | 1 -
rhel7/profiles/stig.profile | 2 +-
3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 1779129f87..7da2e067a6 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -19,22 +19,23 @@ rationale: |-
other users on the X11 server. Note that even if X11 forwarding is disabled,
users can always install their own forwarders.
-severity: low
+severity: medium
-ocil_clause: "that the X11Forwarding option exists and is enabled"
-
-ocil: |-
- {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
+{{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}}
identifiers:
cce@rhel7: CCE-83359-0
cce@rhel8: CCE-83360-8
references:
- cis@rhel7: 5.2.4
- cis@rhel8: 5.2.6
- cis@sle12: 5.2.4
- cis@sle15: 5.2.6
+ cis@rhel7: 5.2.4
+ cis@rhel8: 5.2.6
+ cis@sle12: 5.2.4
+ cis@sle15: 5.2.6
+ stigid@rhel7: RHEL-07-040710
+ srg: SRG-OS-000480-GPOS-00227
+ disa: CCI-000366
+ nist: CM-6(b)
template:
name: sshd_lineinfile
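Review bot: The OCIL macro call at `+{{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}}` flips the `default` argument from the removed line's `"no"` to `"yes"`, and nothing in the hunk says why. If that argument describes what sshd does when the directive is absent, the OpenSSH built-in default for X11Forwarding is `no` per sshd_config(5), so the generated check text would misstate the fallback; if it is meant to reflect the `X11Forwarding yes` that I believe the vendor sshd_config ships explicitly, that reasoning should be recorded. A YAML comment above the macro line such as `# default="yes": the shipped sshd_config sets X11Forwarding yes explicitly; the OpenSSH built-in default is no` would stop the next reader from reverting it. The severity bump to medium is consistent with the `stigid@rhel7: RHEL-07-040710` reference added below it. The `template:` section continues outside the hunk.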
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 803e581a0f..87c3cb7f5a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -29,7 +29,6 @@ references:
nist: CM-6(a),AC-17(a),AC-17(2)
nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: RHEL-07-040710
stigid@sle12: SLES-12-030260
isa-62443-2013: 'SR 7.6'
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 817e0982e5..6c06a8ede6 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -285,7 +285,7 @@ selections:
- postfix_prevent_unrestricted_relay
- package_vsftpd_removed
- package_tftp-server_removed
- - sshd_enable_x11_forwarding
+ - sshd_disable_x11_forwarding
- sshd_x11_use_localhost
- tftpd_uses_secure_mode
- package_xorg-x11-server-common_removed