UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

OL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-248900 OL08-00-040340 SV-248900r951585_rule Medium
Description
The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A System Administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the "ForwardX11Trusted" option is also enabled. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.
STIG Date
Oracle Linux 8 Security Technical Implementation Guide 2024-02-19

Details

Check Text ( C-52334r951584_chk )
Verify "X11Forwarding" is disabled with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11forwarding'

X11Forwarding no

If the "X11Forwarding" keyword is set to "yes" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.

If conflicting results are returned, this is a finding.
Fix Text (F-52288r780265_fix)
Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):

X11Forwarding no

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd