Title

The graphical login service provides the capability of logging into the system using an X-Windows type interface from the console. If graphical login access for the console is required, the service must be in local-only mode. (Cat II impact)

Discussion

Externally accessible graphical desktop software may open the system to remote attacks.

Check Content

Determine if the X11 server system is providing remote services on the network. # svcprop -p options/tcp_listen svc:/application/x11/x11-server If the output of the command is "true" and network access to graphical user login is not required, this is a finding.

Fix Text

The System Administrator profile is required: Configure the X11 server for local system only graphics access. # pfexec svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen=false

Additional Identifiers

Rule ID: SV-216315r959010_rule

Vulnerability ID: V-216315

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.