Ensure SSH X11 forwarding is disabled task only fixes first occurence #380
Comments
Hi @fgierlinger, thank you for this issue. I can see you are referring to the older benchmark version 2.0.0. I hope this helps. Many thanks, uk-bolly

@uk-bolly The CIS v3.0 was released a while ago, but there has been no release of the RHEL8-CIS for CIS v3.0. The last release is the tag 2.6.0 (commit bc4cdf8). Is there a chance to release a 2.0.1 / 2.1.0 for the changes on the benchmark_v2.0.0 branch? But the issue persists in the devel branch. RHEL8-CIS/tasks/section_4/cis_4.2.x.yml, lines 208 to 212 in 069fc40

Hi @fgierlinger, thank you for the feedback. Our process is a devel to main normally after a couple of weeks to confirm no issues. I am already working on the next push to devel for these fixes before we release to main for the v3.0.0 release, which is likely to be either the end of this week or next week. I hope that makes sense? Many thanks again for your feedback and time. uk-bolly

Hi @fgierlinger, thank you again for your time regarding this issue. You should find that this fix was merged into devel and is now in the main branch. I will close this issue; please feel free to reopen if this is not resolved as expected. Many thanks, uk-bolly
Describe the Issue
The hardening guide requires disabling X11 forwarding unless there is an operational requirement. The task 5.2.12 accomplishes this with the lineinfile module. lineinfile only replaces the first occurrence of X11Forwarding. But X11Forwarding can appear multiple times in the ssh config: once as a general option and once as a user option.
Expected Behavior
All occurrences of X11Forwarding should be disabled by the playbook.
Actual Behavior
Only the first occurrence of X11Forwarding is disabled by the playbook.
Control(s) Affected
v8 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
v7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Environment (please complete the following information):
Additional Notes
MVE of sshd_config
Possible Solution
Use replace instead of lineinfile module. As there is a disabled match user block in the default sshd_config, a regex match on lines starting with `#` cannot be used as it would enable the indented line in the block. This could cause a config error. Therefore, only lines that are already enabled are checked. The default value for `X11Forwarding` on RHEL8 is `no`.
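The difference between the two Ansible modules, as an added example that is not part of the issue or of the RHEL8-CIS project: a small Python stand-in that mimics lineinfile (first active match only) versus replace (every active match) over a constructed sshd_config containing a top-level X11Forwarding, an enabled Match block that sets it again, and a commented-out Match block that must stay untouched. The sample config, the regex and the function names are assumptions for illustration.

```python
import re
from typing import List

# Constructed sample sshd_config (not a real RHEL8 file), modelled on the
# issue: one general directive, one indented directive inside an active
# Match block, and a commented-out Match block that must not be touched.
SAMPLE_SSHD_CONFIG = """\
# X11Forwarding no
X11Forwarding yes
AllowTcpForwarding no
Match User alice
    X11Forwarding yes
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
"""

# Matches only active (uncommented) X11Forwarding lines. The leading
# indentation is captured so a directive inside a Match block keeps its
# place; commented lines start with '#' and therefore never match.
X11_ACTIVE_RE = re.compile(r"^([ \t]*)X11Forwarding[ \t]+\S+[ \t]*$", re.MULTILINE)


def disable_x11_lineinfile_style(config: str) -> str:
    """Mimic lineinfile: only the first active X11Forwarding line is rewritten."""
    return X11_ACTIVE_RE.sub(r"\1X11Forwarding no", config, count=1)


def disable_x11_replace_style(config: str) -> str:
    """Mimic replace: every active X11Forwarding line is rewritten."""
    return X11_ACTIVE_RE.sub(r"\1X11Forwarding no", config)


def active_x11_values(config: str) -> List[str]:
    """Values of every active X11Forwarding directive, in file order (audit helper)."""
    return re.findall(r"^[ \t]*X11Forwarding[ \t]+(\S+)", config, re.MULTILINE)


def commented_lines_unchanged(before: str, after: str) -> bool:
    """True if no '#'-prefixed line was altered, i.e. the disabled block is intact."""
    commented = lambda text: [l for l in text.splitlines() if l.lstrip().startswith("#")]
    return commented(before) == commented(after)


if __name__ == "__main__":
    print("before     :", active_x11_values(SAMPLE_SSHD_CONFIG))
    print("lineinfile :", active_x11_values(disable_x11_lineinfile_style(SAMPLE_SSHD_CONFIG)))
    print("replace    :", active_x11_values(disable_x11_replace_style(SAMPLE_SSHD_CONFIG)))
```

The same pattern carries over to the Ansible replace module as its `regexp`, with `replace: '\1X11Forwarding no'` preserving the captured indentation; the `active_x11_values` helper is the kind of check an audit step would run afterwards, and it should return no `yes` values once the task has applied.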