'sshd-39' - the value for AllowTcpForwarding parameter should be limited to either 'no' or 'local' #216

MikhailAseev · 2024-08-21T21:08:30Z

Description

The title for the rule 'sshd-39' is 'Server: Disable TCP forwarding'.
The description is 'If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls'.
I suggest that the value for AllowTcpForwarding SSH server parameter in this particular rule (with such title and description) should be limited to the following:

'no' as it prevents all TCP forwarding;
'local' as it allows local forwarding only.

This will suite the title and the description more than it is now.

Solution

I suggest removing input for AllowTcpForwarding SSH server parameter:

sshd_tcpforwarding = input('sshd_tcpforwarding', value: 'no')

And replace the line:

    its('AllowTcpForwarding') { should eq(sshd_tcpforwarding) }

with:

    its('AllowTcpForwarding') { should match(/^no|local$/) }

The text was updated successfully, but these errors were encountered:

MikhailAseev added the enhancement label Aug 21, 2024

MikhailAseev linked a pull request Aug 21, 2024 that will close this issue

Limit SSH server AllowTcpForwarding #217

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

'sshd-39' - the value for AllowTcpForwarding parameter should be limited to either 'no' or 'local' #216

'sshd-39' - the value for AllowTcpForwarding parameter should be limited to either 'no' or 'local' #216

MikhailAseev commented Aug 21, 2024 •

edited

Loading

'sshd-39' - the value for AllowTcpForwarding parameter should be limited to either 'no' or 'local' #216

'sshd-39' - the value for AllowTcpForwarding parameter should be limited to either 'no' or 'local' #216

Comments

MikhailAseev commented Aug 21, 2024 • edited Loading

Description

Solution

MikhailAseev commented Aug 21, 2024 •

edited

Loading