Enable Encrypted X11 Forwarding
An XCCDF Rule
Description
By default, remote X11 connections are not encrypted when initiated
by users. SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding
option is enabled.
To enable X11 Forwarding, add or correct the following line in
/etc/ssh/sshd_config
:
X11Forwarding yes
Rationale
Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands remotely.
- ID
- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
- Severity
- High
- References
- Updated
Remediation - Ansible
- name: Enable Encrypted X11 Forwarding
block:
- name: Check for duplicate values
lineinfile:
path: /etc/ssh/sshd_config
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"