Skip to content

Enable Encrypted X11 Forwarding

An XCCDF Rule

Description

By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.

To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:

X11Forwarding yes

Rationale

Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands remotely.

ID
xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
Severity
High
References
Updated



Remediation - Ansible

- name: Enable Encrypted X11 Forwarding
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"