Rule ID
SV-275622r1147916_rule
Version
V1R1
CCIs
The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. For example, a system administrator needs to protect clients from exposing themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. X11 forwarding must be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker could then perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.
Verify X11 forwarding is disabled by using the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'x11forwarding'
/etc/ssh/sshd_config:X11Forwarding no
If "X11Forwarding" is set to "yes" and is not documented with the information system security officer as an operational requirement, is commented out, is missing, or conflicting results are returned, this is a finding.Configure the SSH server to disable X11 forwarding.
Add or modify the following line in the "/etc/ssh/sshd_config" file:
X11Forwarding no
Restart the SSH daemon for the changes to take effect:
$ sudo systemctl restart sshd.service