AlmaLinux OS 9 SSH daemon must disable remote X connections for interactive users.

STIG ID: ALMA-09-021470  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269270

Vulnerability Discussion

When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.

Check

Verify the SSH daemon does not allow X11Forwarding with the following command:

$ sshd -T | grep x11forwarding

x11forwarding no

If the value is returned as "yes" and X11 forwarding is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix

Configure the SSH daemon to not allow X11 forwarding.

Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":

X11forwarding no

Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

$ echo 'X11forwarding no' > /etc/ssh/sshd_config.d/40-x11forwarding.conf

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.