ssh-baseline

'sshd-39' - the value for AllowTcpForwarding parameter should be limited to either 'no' or 'local'

Open MikhailAseev opened this issue 1 year ago • 0 comments

Description

The title for the rule 'sshd-39' is 'Server: Disable TCP forwarding'. The description is 'If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls'. I suggest that the value for the AllowTcpForwarding SSH server parameter in this particular rule (with such title and description) should be limited to the following:

  • 'no' as it prevents all TCP forwarding;
  • 'local' as it allows local forwarding only.

This will suit the title and the description more than it does now.

Solution

I suggest removing the input for the AllowTcpForwarding SSH server parameter:

    sshd_tcpforwarding = input('sshd_tcpforwarding', value: 'no')

And replace the line:

    its('AllowTcpForwarding') { should eq(sshd_tcpforwarding) }

with:

    its('AllowTcpForwarding') { should match(/^(no|local)$/) }

MikhailAseev, Aug 21 '24 21:08
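The check proposed in this issue, as an added plain-Ruby example (not code from the issue or from the ssh-baseline project): it reads a constructed sshd_config, takes the first AllowTcpForwarding value per scope, treats a missing keyword as the default 'yes', and accepts only 'no' or 'local'. The function names and sample configs are assumptions made for illustration; Match blocks are reported separately because they can override the global value.

```ruby
# Added example: plain Ruby, no InSpec needed. All sample configs are constructed.
# Grouped alternation: both anchors apply to "no" and to "local".
# Ungrouped, /^no|local$/ parses as (^no)|(local$) and also accepts e.g. "nonsense".
ALLOWED = /\A(?:no|local)\z/

# Collects AllowTcpForwarding from the global section and from each Match block.
# sshd uses the first value it reads for a keyword and defaults to "yes".
def tcp_forwarding_settings(config_text)
  settings = { global: nil, match: {} }
  block = nil
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/[\s=]+/, 2)
    value = value.to_s.strip.delete('"')
    case keyword.downcase
    when 'match'
      block = value
    when 'allowtcpforwarding'
      if block
        settings[:match][block] ||= value
      else
        settings[:global] ||= value
      end
    end
  end
  settings[:global] ||= 'yes'
  settings
end

# Returns one finding per scope whose value is not "no" or "local".
def tcp_forwarding_findings(config_text)
  s = tcp_forwarding_settings(config_text)
  findings = []
  findings << "global: #{s[:global]}" unless s[:global].match?(ALLOWED)
  s[:match].each do |criteria, value|
    findings << "Match #{criteria}: #{value}" unless value.match?(ALLOWED)
  end
  findings
end

FIRST_WINS = "Port 22\nAllowTcpForwarding local\nAllowTcpForwarding yes\n"
MATCH_OVERRIDE = "AllowTcpForwarding no\nMatch User tunnel\n  AllowTcpForwarding remote\n"
KEYWORD_ABSENT = "Port 22\n"

[FIRST_WINS, MATCH_OVERRIDE, KEYWORD_ABSENT].each do |conf|
  puts tcp_forwarding_findings(conf).inspect
end
```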