Check: GEN005200
Solaris 10 X86 STIG:
GEN005200
(in versions v2 r4 through v1 r17)
Title
X displays must not be exported to the world. (Cat I impact)
Discussion
Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to xhost +, permitting access to the X Server by anyone, from anywhere.
Check Content
If X Windows is not used on the system, this is not applicable. Check the output of the xhost command from an X terminal. Procedure: $ xhost If the output reports access control is enabled (and possibly lists the hosts that can receive X Window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding. NOTE: It may be necessary to define the display if the command reports it cannot open the display. Procedure: $ DISPLAY=MachineName:0.0; export DISPLAY MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.
Fix Text
If using an xhost-type authentication the xhost - command can be used to remove current trusted hosts and then selectively allow only trusted hosts to connect with xhost + commands. A cryptographically secure authentication, such as provided by the xauth program, is always preferred. Refer to your X11 server's documentation for further security information.
Additional Identifiers
Rule ID: SV-227871r603266_rule
Vulnerability ID: V-227871
Group Title: SRG-OS-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |