The SSH daemon must be configured to not allow X11 forwarding.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| GEN005519-ESXI5-000102 | GEN005519-ESXI5-000102 | GEN005519-ESXI5-000102_rule | Low |
| Description |
|---|
| X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed. |
| STIG | Date |
|---|---|
| VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Details
| Check Text ( C-GEN005519-ESXI5-000102_chk ) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Check the SSH daemon configuration for the X11 forwarding setting. # grep -i "^X11Forwarding" /etc/ssh/sshd_config If "X11Forwarding" is set to "yes", this is a finding. Re-enable lock down mode. |
| Fix Text (F-GEN005519-ESXI5-000102_fix) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Edit the SSH daemon configuration and add/modify the "X11Forwarding" configuration, setting it to "no". # vi /etc/ssh/sshd_config Re-enable lock down mode. |