Navigate

Check: GEN005516

VMware ESX 3 Server: GEN005516 (in version v1 r2)

Title

The SSH client must be configured to not allow TCP forwarding. (Cat III impact)

Discussion

SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. If this function is necessary to support a valid mission requirement, its use must be authorized and approved in the system accreditation package.

Check Content

Check the SSH client configuration for the TCP forwarding setting. # egrep -i "LocalForward|RemoteForward" /etc/ssh/ssh_config | grep -v '^#' If any uncommented lines are returned, this is a finding.

Fix Text

Edit the SSH client configuration and change or add the AllowTCPForwarding setting to no.

Additional Identifiers

Rule ID: SV-26758r1_rule

Vulnerability ID: V-22465

Group Title: GEN005516

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000032	The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-4 (8)	Security Policy Filters