Check: GEN005200
HP-UX 11.31 STIG:
GEN005200
(in versions v1 r19 through v1 r13)
Title
X displays must not be exported to the world. (Cat I impact)
Discussion
Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to xhost +, permitting access to the X Server by anyone, from anywhere.
Check Content
If X Windows is not used on the system, this is not applicable.

Check the output of the "xhost" command from an X terminal. First, verify the DISPLAY variable is correctly set:

$ echo $DISPLAY

NOTE: It may be necessary to define the display if the command reports it cannot open the display. MachineName may be replaced with an Internet Protocol address. Repeat the check procedure after setting the display.

$ DISPLAY=MachineName:0.0; export DISPLAY
$ xhost

If the output reports access control is enabled (and possibly lists the hosts that can receive X window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding.
Fix Text
If using xhost-type authentication, the "xhost -" command can be used to remove current trusted hosts and then selectively allow only trusted hosts to connect with "xhost +" commands. A cryptographically secure authentication, such as that provided by the xauth program, is always preferred.
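The following POSIX sh script is an added example, not part of the STIG text: it classifies xhost output the way the Check Content describes (access control enabled is not a finding, disabled is a finding) and applies the xhost-based procedure from the Fix Text. The two sample xhost outputs are constructed for illustration, the function names are the example's own, and any hostnames passed to remediate_xhost are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the STIG: automate the GEN005200 check and the
# xhost-based fix. Assumes a POSIX sh; the live check also assumes an X session.

# Constructed sample outputs of `xhost` (the real command prints a first line
# in one of these two forms, followed by the access list when enabled).
XHOST_ENABLED_SAMPLE='access control enabled, only authorized clients can connect
INET:localhost
SI:localuser:root'
XHOST_DISABLED_SAMPLE='access control disabled, clients can connect from any host'

# classify_xhost_output OUTPUT
# Prints the verdict. Returns 0 (not a finding), 1 (finding), 2 (unrecognised).
classify_xhost_output() {
    first_line=$(printf '%s\n' "$1" | head -n 1)
    case "$first_line" in
        "access control disabled"*)
            echo "FINDING: access control is disabled (xhost +)"
            return 1 ;;
        "access control enabled"*)
            echo "NOT_A_FINDING: access control is enabled"
            return 0 ;;
        *)
            echo "UNKNOWN: unrecognised xhost output: $first_line"
            return 2 ;;
    esac
}

# check_live_display
# Runs the check against the real X server. If xhost cannot open the display,
# set it as the STIG says (DISPLAY=MachineName:0.0; export DISPLAY) and retry.
check_live_display() {
    if ! command -v xhost >/dev/null 2>&1; then
        echo "NOT_APPLICABLE: xhost not found (X Windows not in use)"
        return 0
    fi
    if [ -z "$DISPLAY" ]; then
        echo "UNKNOWN: DISPLAY is not set; export DISPLAY=MachineName:0.0 and retry"
        return 2
    fi
    out=$(xhost 2>&1) || { echo "UNKNOWN: xhost failed: $out"; return 2; }
    classify_xhost_output "$out"
}

# remediate_xhost HOST...
# Fix Text procedure: run `xhost -` first, then `xhost +HOST` for each trusted
# host given as an argument (placeholders supplied by the caller), then print
# the resulting access list so the change can be verified.
remediate_xhost() {
    xhost - >/dev/null || return 1
    for h in "$@"; do
        xhost +"$h" >/dev/null || return 1
    done
    xhost
}

# Demonstration on the constructed samples, then the live check where possible.
classify_xhost_output "$XHOST_ENABLED_SAMPLE"  || true
classify_xhost_output "$XHOST_DISABLED_SAMPLE" || true
check_live_display || true
```

Run the script from an X terminal to audit the current display; call `remediate_xhost host1 host2` only after deciding which hosts are trusted, and prefer moving to xauth-based authentication as the Fix Text recommends.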
Additional Identifiers
Rule ID: SV-35168r1_rule
Vulnerability ID: V-4697
Group Title: GEN005200
CCIs
Number | Definition
---|---
CCI-000225 | The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Controls
Number | Title
---|---
AC-6 | Least Privilege