Navigate

Check: GEN005531

VMware ESX 3 Server: GEN005531 (in version v1 r2)

Title

The SSH daemon must not permit tunnels. (Cat II impact)

Discussion

OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.

Check Content

Check the SSH daemon configuration for the PermitTunnel setting. # grep -i PermitTunnel /etc/ssh/sshd_config | grep -v '^#' If the setting is not present, or set to yes, this is a finding.

Fix Text

Edit the SSH daemon configuration and add or edit the PermitTunnel setting value to no.

Additional Identifiers

Rule ID: SV-26774r1_rule

Vulnerability ID: V-22480

Group Title: GEN005531

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000221	The information system enforces security policies regarding information on interconnected systems.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
No controls are assigned to this check