Merge pull request #12714 from ericeberry/u2404_518

Ubuntu 24.04 5.1.8 Ensure sshd DisableForwarding is enabled
ComplianceAsCode · Dec 16, 2024 · 6e3ab9d · 6e3ab9d
2 parents 5cadc4c + 04b21cd
commit 6e3ab9d
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/components/openssh.yml b/components/openssh.yml
@@ -38,6 +38,7 @@ rules:
 - sshd_allow_only_protocol2
 - sshd_disable_compression
 - sshd_disable_empty_passwords
+- sshd_disable_forwarding
 - sshd_disable_gssapi_auth
 - sshd_disable_kerb_auth
 - sshd_disable_pubkey_auth

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
@@ -1120,8 +1120,9 @@ controls:
     levels:
       - l1_server
       - l2_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - sshd_disable_forwarding
+    status: automated
 
   - id: 3.2.1
     title: Ensure dccp kernel module is not available (Automated)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Disable SSH Forwarding'
+
+description: |-
+    The DisableForwarding parameter disables all forwarding features, 
+
+rationale: |-
+    Disable ssh forwarding unless there is an operational requirement to use it. 
+    Leaving port forwarding enabled can expose the organization to security risks.
+
+severity: medium
+
+ocil_clause: "The DisableForwarding option exists and is yes"
+
+ocil: |-
+    {{{ ocil_sshd_option(default="yes", option="DisableForwarding", value="yes") }}}
+
+template:
+    name: sshd_lineinfile
+    vars:
+        parameter: DisableForwarding
+        value: 'yes'
+        datatype: string