The SSH daemon must be configured to not allow X11 forwarding.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-39265 | GEN005519-ESXI5-000102 | SV-51081r1_rule | Medium |
| Description |
|---|
| X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed. |
| STIG | Date |
|---|---|
| VMware ESXi Server 5.0 Security Technical Implementation Guide | 2017-01-06 |
Details
| Check Text ( C-46529r1_chk ) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Check the SSH daemon configuration for the X11 forwarding setting. # grep -i "^X11Forwarding" /etc/ssh/sshd_config If "X11Forwarding" is set to "yes", this is a finding. Re-enable lock down mode. |
| Fix Text (F-44244r1_fix) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Edit the SSH daemon configuration and add/modify the "X11Forwarding" configuration, setting it to "no". # vi /etc/ssh/sshd_config Re-enable lock down mode. |