Navigate

Check: GEN005515

VMware ESX 3 Server: GEN005515 (in version v1 r2)

Title

The SSH daemon must be configured to not allow TCP connection forwarding. (Cat III impact)

Discussion

SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. If this function is necessary to support a valid mission requirement, its use must be authorized and approved in the system accreditation package.

Check Content

Check the SSH daemon configuration for the TCP connection forwarding setting. # grep -i AllowTCPForwarding /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned setting has a value evaluating to yes, this is a finding.

Fix Text

Edit the SSH daemon configuration and change or add the AllowTCPForwarding setting to no.

Additional Identifiers

Rule ID: SV-26757r1_rule

Vulnerability ID: V-22464

Group Title: GEN005515

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000032	The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-4 (8)	Security Policy Filters