STIGQter: STIG Summary: Oracle Linux 5 Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 26 Oct 2018: X displays must not be exported to the world.

DISA Rule

SV-63295r1_rule

Vulnerability Number

V-4697

Group Title

GEN005200

Rule Version

GEN005200

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

If using xhost-type authentication, the "xhost -" command can be used to remove the current trusted hosts and then selectively allow only trusted hosts to connect with "xhost +" commands. A cryptographically secure authentication, such as that provided by the xauth program, is always preferred.

Refer to your X11 server's documentation for further security information.

Check Contents

If Xwindows is not used on the system, this is not applicable.

Check the output of the "xhost" command from an X terminal.

Procedure:
# xhost
If the output reports access control is enabled (and possibly lists the hosts able to receive X window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding.

Note: It may be necessary to define the display if the command reports it cannot open the display.

Procedure:
$ DISPLAY=MachineName:0.0; export DISPLAY
MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.
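
Added example (not part of the STIG or of STIGQter): a POSIX shell helper that applies the decision rule above to the text printed by "xhost", so the check can be scripted across several displays. The sample outputs are constructed strings modelled on the messages the X.Org xhost client prints, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not STIG or STIGQter code: classify xhost output per GEN005200.

# Constructed sample outputs, modelled on what the X.Org xhost client prints.
SAMPLE_ENABLED='access control enabled, only authorized clients can connect
INET:trusted.example.org'
SAMPLE_DISABLED='access control disabled, clients can connect from any host'
SAMPLE_NODISPLAY='xhost:  unable to open display ""'

# classify_xhost OUTPUT
# Prints one of: not-a-finding, finding, no-display, unknown
#   "access control enabled"  -> not-a-finding (hosts listed after it are the allowed set)
#   "access control disabled" -> finding (any host may connect to the display)
#   "unable to open display"  -> no-display (set DISPLAY and repeat the check)
classify_xhost() {
    _out=$1
    case "$_out" in
        *"access control enabled"*)  echo not-a-finding ;;
        *"access control disabled"*) echo finding ;;
        *"unable to open display"*)  echo no-display ;;
        *)                           echo unknown ;;
    esac
}

# check_display [DISPLAY]
# Runs xhost against the given display (default: the current $DISPLAY),
# as the check procedure describes, and classifies the result.
check_display() {
    _disp=${1:-$DISPLAY}
    if [ -z "$_disp" ]; then
        echo no-display
        return 0
    fi
    if ! command -v xhost >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    _out=$(DISPLAY="$_disp" xhost 2>&1)
    classify_xhost "$_out"
}
```

Run "check_display MachineName:0.0" for each display in scope; only "not-a-finding" satisfies the check, and "no-display" means the DISPLAY step above still has to be done.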

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

System Administrator

Target Key

2207

Comments