STIGQter STIGQter: STIG Summary: Solaris 11 SPARC Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

X displays must not be exported to the world.

DISA Rule

SV-216311r603267_rule

Vulnerability Number

V-216311

Group Title

SRG-OS-000480

Rule Version

SOL-11.1-020530

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

If using an xhost-type authentication the xhost - command can be used to remove current trusted hosts and then selectively allow only trusted hosts to connect with xhost + commands. A cryptographically secure authentication, such as provided by the xauth program, is always preferred. Refer to your X11 server's documentation for further security information.

Check Contents

If X Windows is not used on the system, this is not applicable.

Check the output of the xhost command from an X terminal.

Procedure:
$ xhost
If the output reports access control is enabled (and possibly lists the hosts that can receive X Window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding.

NOTE: It may be necessary to define the display if the command reports it cannot open the display.

Procedure:
$ DISPLAY=MachineName:0.0; export DISPLAY
MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.

Vulnerability Number

V-216311

Documentable

False

Rule Version

SOL-11.1-020530

Severity Override Guidance

If X Windows is not used on the system, this is not applicable.

Check the output of the xhost command from an X terminal.

Procedure:
$ xhost
If the output reports access control is enabled (and possibly lists the hosts that can receive X Window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding.

NOTE: It may be necessary to define the display if the command reports it cannot open the display.

Procedure:
$ DISPLAY=MachineName:0.0; export DISPLAY
MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.

Check Content Reference

M

Target Key

4022

Comments