GEN005531-ESXI5-000108 - The SSH daemon must not permit tunnels.

Information

OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s):
# vi /etc/ssh/sshd_config

Add/modify the attribute line entry to the following (quotes for emphasis only):
'PermitTunnel no'

Re-enable lock down mode.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-39268, Rule-ID|SV-250600r798799_rule, STIG-ID|GEN005531-ESXI5-000108, STIG-Legacy|SV-51084, STIG-Legacy|V-39268, Vuln-ID|V-250600

Plugin: VMware

Control ID: b3af4f4c1dd03b2ae32d1d8a3e2ad93a64b4e54f2754823202fbeec5287c7b65