STIGQter: STIG Summary: Oracle Linux 5 Security Technical Implementation Guide, Version: 1, Release: 13, Benchmark Date: 26 Oct 2018

An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.

DISA Rule

SV-62815r1_rule

Vulnerability Number

V-1022

Group Title

GEN000000-LNX00380

Rule Version

GEN000000-LNX00380

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Disable the unwanted options:
Procedure:
For gdm:
Remove the -ac, -core and -nolock options by creating a "command" entry in the /etc/gdm/custom.conf file with the options removed.

For Xwindows started by xinit:
Create or modify the .xserverrc script in the user's home directory to remove the -ac, -core and -nolock options from the exec /usr/bin/X command.

Check Contents

If the "xorg-x11-server-Xorg" package is not installed, this is not applicable.

Verify the options of the running Xwindows server are correct.

Procedure:

Get the running xserver information

# ps -ef |grep X

If the response contains /usr/bin/Xorg:0

/usr/bin/Xorg:0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7

this is indicative of Xorg starting through gdm. This is the default window manager on this version of the operating system.

If the "-ac" option is found, this is a finding.
If the "-core" option is found, this is a finding.
If the "-nolock" option is found, this is a finding.


If the response to the grep contains X:0

/usr/bin/X:0

Examine the X:0 line:

If the "-ac" option is found, this is a finding.
If the "-core" option is found, this is a finding.
If the "-nolock" option is found, this is a finding.
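
The check above as a script, added here as an example and not part of the STIG text. The function names and the sample command lines are constructed for illustration. It compares whole arguments, so -audit and -auth are not mistaken for -ac, and it accepts both the "/usr/bin/Xorg:0" form shown above and "/usr/bin/Xorg :0".

```shell
#!/bin/sh
# Added example: flag X server command lines carrying -ac, -core or -nolock.
# Reads one command line per line on stdin (for example from: ps -eo args=).

x_server_findings() {
    awk '
    {
        # argv[0]: drop the directory and any display suffix such as ":0",
        # so both "/usr/bin/Xorg :0" and the "/usr/bin/Xorg:0" form match.
        prog = $1
        sub(/.*\//, "", prog)
        sub(/:[0-9.]+$/, "", prog)
        if (prog != "X" && prog != "Xorg") next

        # Compare whole arguments only, so -audit and -auth never match -ac.
        for (i = 2; i <= NF; i++)
            if ($i == "-ac" || $i == "-core" || $i == "-nolock")
                printf "FINDING %s: %s\n", $i, $0
    }'
}

# Constructed sample command lines (not captured from a real host).
sample_cmdlines() {
    cat <<'EOF'
/usr/bin/Xorg:0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
/usr/bin/X :0 -ac -nolisten tcp
/usr/bin/Xorg :1 -core -nolock vt8
grep X
/usr/libexec/gdm-binary -nolock
EOF
}

# Demonstration on the constructed samples.
sample_cmdlines | x_server_findings
# On a live system: ps -eo args= | x_server_findings
```

Any output line is a finding for this rule; no output means no running X server carries the three options.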

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

System Administrator

Target Key

2207

Comments