Check: RHEL-09-255175
RHEL 9 STIG:
RHEL-09-255175
(in version v1 r3)
Title
RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. (Cat II impact)
Discussion
When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the "DISPLAY" environment variable to localhost. This prevents remote hosts from connecting to the proxy display.
Check Content
Verify the SSH daemon prevents remote hosts from connecting to the proxy display with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11uselocalhost' X11UseLocalhost yes If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding.
Fix Text
Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": X11UseLocalhost yes The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service
Additional Identifiers
Rule ID: SV-258011r952218_rule
Vulnerability ID: V-258011
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |