{"description": "The X11Forwarding parameter provides the ability to tunnel X11 traffic\nthrough the connection to enable remote graphic connections.\nSSH has the capability to encrypt remote X11 connections when SSH's\nX11Forwarding option is enabled.\n
\nThe default SSH configuration disables X11Forwarding. The appropriate\nconfiguration is used if no value is set for X11Forwarding.\n
\nTo explicitly disable X11 Forwarding, add or correct the following line in\n\n\n/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:\n\n
X11Forwarding no
", "rationale": "Disable X11 forwarding unless there is an operational requirement to use X11\napplications directly. There is a small risk that the remote X11 servers of\nusers who are logged in via SSH with X11 forwarding could be compromised by\nother users on the X11 server. Note that even if X11 forwarding is disabled,\nusers can always install their own forwarders.", "severity": "medium", "references": {"nist": ["CM-6(b)"], "srg": ["SRG-OS-000480-GPOS-00227"], "ism": ["0484"], "pcidss4": ["2.2.6", "2.2"], "stigid": ["UBTU-22-255040"], "stigref": ["SV-260529r991589_rule"]}, "control_references": {"ism": ["0484"], "pcidss4": ["2.2.6", "2.2"], "stigid": ["UBTU-22-255040"]}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To determine how the SSH daemon's X11Forwarding option is set, run the following command:\n\n
$ sudo grep -i X11Forwarding /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
\n
$ sudo grep -i X11Forwarding /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
\n\nIf a line indicating no is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "To configure the system add or modify the following line in \"/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf\".\nX11Forwarding no\nRestart the SSH daemon for the settings to take effect:\n$ sudo systemctl restart sshd.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 SSH daemon must disable remote X connections for interactive users.", "vuldiscussion": "When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.", "checktext": "Verify the SSH daemon does not allow X11Forwarding with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*x11forwarding'\n\nX11forwarding no\n\nIf the value is returned as \"yes\", the returned line is commented out, or no output is returned, and X11 forwarding is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.", "fixtext": "Configure the SSH daemon to not allow X11 forwarding.\n\nAdd the following line to \"/etc/ssh/sshd_config\" or to a file in \"/etc/ssh/sshd_config.d\", or uncomment the line and set the value to \"no\":\n\nX11forwarding no\n\nThe SSH service must be restarted for changes to take effect:\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable X11 Forwarding", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "X11Forwarding", "value": "no", "datatype": "string", "is_default_value": "true"}, "backends": {}}}