{"description": "By default, remote X11 connections are not encrypted when initiated\nby users. SSH has the capability to encrypt remote X11 connections when SSH's\n<tt>X11Forwarding</tt> option is enabled.\n<br /><br />\nTo enable X11 Forwarding, add or correct the following line in\n\n\n<tt>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</tt>:\n\n<pre>X11Forwarding yes</pre>", "rationale": "Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands\nremotely.", "severity": "high", "references": {"cis-csc": ["1", "11", "12", "13", "15", "16", "18", "20", "3", "4", "6", "9"], "cobit5": ["BAI03.08", "BAI07.04", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS03.01"], "cui": ["3.1.13"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3", "4.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.1", "A.12.1.2", "A.12.1.4", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.1.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nerc-cip": ["CIP-007-3 R7.1"], "nist": ["CM-6(a)", "AC-17(a)", "AC-17(2)"], "nist-csf": ["DE.AE-1", "PR.DS-7", "PR.IP-1"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To determine how the SSH daemon's <tt>X11Forwarding</tt> option is set, run the following command:\n\n<pre>$ sudo grep -i X11Forwarding /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</pre>\n\n\nIf a line indicating <tt>yes</tt> is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable Encrypted X11 Forwarding", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "X11Forwarding", "value": "yes", "datatype": "string"}, "backends": {}}}