SLEM 5 SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-261333	SLEM-05-255040	SV-261333r996464_rule		Medium

Description
The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.

Description

The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.

STIG	Date
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide	2024-06-04

Details

Check Text ( C-65062r996463_chk )
Verify SLEM 5 SSH daemon remote X forwarded connections for interactive users are disabled with the following command: > sudo /usr/sbin/sshd -dd 2>&1 \| awk '/filename/ {print $4}' \| tr -d '\r' \| tr '\n' ' ' \| xargs sudo grep -iH '^\s*x11forwarding' /etc/ssh/sshd_config:X11Forwarding no If the "X11Forwarding" keyword is set to "yes" and is not documented with the information system security officer (ISSO) as an operational requirement, is commented out, or the line is missing, this is a finding.

Check Text ( C-65062r996463_chk )

Verify SLEM 5 SSH daemon remote X forwarded connections for interactive users are disabled with the following command:

> sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11forwarding'
/etc/ssh/sshd_config:X11Forwarding no

If the "X11Forwarding" keyword is set to "yes" and is not documented with the information system security officer (ISSO) as an operational requirement, is commented out, or the line is missing, this is a finding.

Fix Text (F-64970r995865_fix)
Configure SLEM 5 SSH daemon to disable forwarded X connections for interactive users. Add or modify the following line in the "/etc/ssh/sshd_config" file: X11Forwarding no