Changes to SSH Forwarding Compliance Rules in Compliance Scanner for VMware Tanzu v1.3.29

Article ID: 437319

Products

VMware Tanzu Platform - Cloud Foundry

Issue/Introduction

When upgrading the Compliance Scanner for VMware Tanzu from version 1.3.6 to 1.3.29 and running the "CIS Ubuntu Linux 22.04 LTS - Level 2" benchmark, administrators may notice that several SSH forwarding compliance checks are no longer evaluated.

Specifically, the following four rules present in version 1.3.6 are missing in version 1.3.29:

  • Ensure SSH X11 forwarding is disabled (sshd_config)
  • Ensure SSH X11 forwarding is disabled (sshd -T)
  • Ensure SSH AllowTcpForwarding is disabled (sshd_config)
  • Ensure SSH AllowTcpForwarding is disabled (sshd -T)

Simultaneously, a new rule may appear and report as a failure (red) under the Access, Authentication and Authorization category:

  • Ensure sshd DisableForwarding is enabled

Environment

Compliance Scanner for VMware Tanzu v1.3.6

Compliance Scanner for VMware Tanzu v1.3.29

Ubuntu 22.04 LTS (Jammy) Stemcells

Cause

This change is expected behavior and is the result of upstream updates to the underlying CIS (Center for Internet Security) Benchmark data streams.

In newer CIS benchmark versions utilized by scanner v1.3.29, granular checks for X11 and TCP forwarding have been consolidated to eliminate redundancy. In OpenSSH, the DisableForwarding directive acts as a master override switch; setting it to yes automatically disables X11, TCP, Agent, and Tun device forwarding. Therefore, the four legacy rules were deprecated in favor of the single, comprehensive Ensure sshd DisableForwarding is enabled rule.

If this new rule is failing, it is because the target BOSH VM does not explicitly have DisableForwarding yes defined in its SSH daemon configuration (/etc/ssh/sshd_config or /etc/ssh/sshd_config.d/), causing OpenSSH to default to allowing forwarding.
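The following shell example, added here and not part of the KB article or the Compliance Scanner product, shows how the consolidated DisableForwarding rule relates to the four legacy checks when evaluated against "sshd -T" output. The two sample outputs are constructed; on a real VM the same functions would be fed the output of sudo sshd -T.

```shell
#!/bin/sh
# Evaluate effective sshd forwarding settings from "sshd -T" style output
# (one "keyword value" pair per line, keywords in lowercase).

# Constructed sample: DisableForwarding left at the OpenSSH default ("no").
# The legacy X11 check passes, but the consolidated rule and the legacy
# AllowTcpForwarding check both fail.
SAMPLE_DEFAULT='port 22
x11forwarding no
allowtcpforwarding yes
allowagentforwarding yes
permittunnel no
disableforwarding no'

# Constructed sample: DisableForwarding yes set explicitly. Per the sshd_config
# man page it overrides X11, agent, TCP and tun forwarding, so every check
# passes even though x11forwarding is still reported as "yes".
SAMPLE_HARDENED='port 22
x11forwarding yes
allowtcpforwarding yes
disableforwarding yes'

# Print the effective value of one keyword from sshd -T output read on stdin.
sshd_value() {
  awk -v key="$1" 'tolower($1) == key { print tolower($2); exit }'
}

# Consolidated rule "Ensure sshd DisableForwarding is enabled".
check_disableforwarding() {
  v=$(printf '%s\n' "$1" | sshd_value disableforwarding)
  if [ "$v" = "yes" ]; then echo PASS; else echo FAIL; fi
}

# Legacy per-feature rule: $2 is the keyword, $3 the value that passes.
# DisableForwarding yes satisfies every legacy rule regardless of $2.
check_legacy() {
  all=$(printf '%s\n' "$1" | sshd_value disableforwarding)
  v=$(printf '%s\n' "$1" | sshd_value "$2")
  if [ "$all" = "yes" ] || [ "$v" = "$3" ]; then echo PASS; else echo FAIL; fi
}

report() {
  printf 'DisableForwarding:  %s\n' "$(check_disableforwarding "$1")"
  printf 'X11Forwarding:      %s\n' "$(check_legacy "$1" x11forwarding no)"
  printf 'AllowTcpForwarding: %s\n' "$(check_legacy "$1" allowtcpforwarding no)"
}

echo "== default config =="; report "$SAMPLE_DEFAULT"
echo "== hardened config =="; report "$SAMPLE_HARDENED"
```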

Resolution

The removal of these four rules is not a defect: they are consolidated into the single "Ensure sshd DisableForwarding is enabled" rule within the new "CIS Ubuntu Linux 22.04 LTS - Level 2" benchmark in Compliance Scanner for VMware Tanzu v1.3.29.

However, the "Ensure sshd DisableForwarding is enabled" rule will fail on BOSH-managed VMs, for the following reasons:

  • Operational Requirement: SSH forwarding (specifically TCP forwarding) is a required feature for standard BOSH operations. BOSH relies heavily on this functionality to establish secure tunnels and execute port forwarding for platform management and troubleshooting tasks (such as using the bosh ssh command).
  • Impact of Enforcement: Enforcing this rule by setting DisableForwarding yes in the SSH configuration will actively disrupt platform management capabilities and block administrators from accessing the VMs.
  • Next Steps: Because BOSH explicitly requires this functionality to operate correctly, this compliance failure is expected behavior. It should be documented within your organization's compliance tracking system as a known and accepted operational risk exception. Alternatively, if clean reports are required, the rule can be ignored by uploading an XCCDF Tailoring File to the Compliance Scanner tile.