
X displays must not be exported to the world.


Overview

Finding ID:  V-4697
Version:     GEN005200
Rule ID:     SV-35168r1_rule
IA Controls: ECSC-1
Severity:    High
Description
An X server that accepts connections from arbitrary hosts lets an attacker read the keyboard (keystrokes, including passwords typed into any window), grab screen contents, inject synthetic input, and thereby run commands as the logged-in user. Many users have their X server set to "xhost +", which disables access control entirely and permits any client, from any host, to connect.
STIG: HP-UX 11.23 Security Technical Implementation Guide
Date: 2015-12-02

Details

Check Text ( C-36601r1_chk )
If X Windows is not used on the system, this is not applicable.

Check the output of the "xhost" command from an X terminal. First, verify that the DISPLAY variable is set to the display being audited:
$ echo $DISPLAY

NOTE: If xhost reports that it cannot open the display, define DISPLAY explicitly and repeat the check. MachineName may be replaced with an IP address; for a display served on the local machine, ":0.0" is sufficient.
$ DISPLAY=MachineName:0.0; export DISPLAY
$ xhost

If the first line of output reads "access control enabled, only authorized clients can connect" (possibly followed by the list of hosts whose clients may connect), this is not a finding. If it reads "access control disabled, clients can connect from any host", this is a finding. Note that every host remaining on the list grants access to all users of that host, so review the list as well as the status line.
Fix Text (F-31968r1_fix)
If xhost-style (host-based) authentication is in use, run "xhost -" to re-enable access control, remove each currently trusted host with "xhost -MachineName", and then selectively allow only trusted hosts with "xhost +MachineName". Never run a bare "xhost +". Per-user authentication, as provided by the xauth program (MIT-MAGIC-COOKIE-1 cookies stored in ~/.Xauthority), is always preferred over host trust, since host trust admits every user on an allowed machine. The xauth cookie itself travels unencrypted over a direct TCP 6000 connection, so where remote X clients are needed, carrying the display over SSH X11 forwarding is the stronger option.
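The following shell script is an added example, not part of the STIG text or any vendor tool: it automates the check in C-36601r1_chk by classifying xhost output exactly as the check text describes, and wraps the remediation in F-31968r1_fix. The hostnames, the sample xhost output and the function names are constructed for illustration; the two status strings are the ones xhost itself prints.

```sh
#!/bin/sh
# Added example: audit and remediate X display access control (V-4697 / GEN005200).
# Only audit_display and lock_down_xhost touch a real X server; the classifier
# functions are pure so they can be exercised against constructed sample output.

# Classify one run of "xhost" from its output on stdin.
# xhost prints one of these status lines first, then any authorized entries:
#   access control enabled, only authorized clients can connect
#   access control disabled, clients can connect from any host
# Prints FINDING, NOT_A_FINDING or UNKNOWN (e.g. "unable to open display").
classify_xhost() {
    status=
    IFS= read -r status || :
    case "$status" in
        *"access control disabled"*) printf '%s\n' FINDING ;;
        *"access control enabled"*)  printf '%s\n' NOT_A_FINDING ;;
        *)                           printf '%s\n' UNKNOWN ;;
    esac
}

# Print the entries xhost reports as trusted (every line after the status line),
# e.g. "INET:host" or "SI:localuser:root". With access control enabled these are
# the only clients admitted without an xauth cookie, so the list should be empty
# or contain only hosts and users that are deliberately trusted.
trusted_hosts() {
    IFS= read -r _status || return 0
    cat
}

# Run the check as the STIG describes: ensure DISPLAY is set, then inspect xhost.
# Usage: audit_display [MachineName:0.0]   (display argument is hypothetical)
# Returns 0 when not a finding, 1 on a finding, 2 if the display is unreachable.
audit_display() {
    if [ -z "$DISPLAY" ]; then
        if [ -z "$1" ]; then
            echo "DISPLAY not set; pass a display such as MachineName:0.0" >&2
            return 2
        fi
        DISPLAY=$1; export DISPLAY
    fi
    out=$(xhost 2>&1) || { echo "xhost failed: $out" >&2; return 2; }
    result=$(printf '%s\n' "$out" | classify_xhost)
    echo "DISPLAY=$DISPLAY: $result"
    if [ "$result" = FINDING ]; then
        return 1
    fi
    return 0
}

# Remediation per the fix text: "xhost -" turns access control back on, each
# listed entry is removed with "xhost -entry", then only the hosts given as
# arguments are re-added with "xhost +host". Prefer xauth cookies over host trust.
# Usage: lock_down_xhost [host ...]
lock_down_xhost() {
    xhost - >/dev/null
    for entry in $(xhost | trusted_hosts); do
        xhost "-$entry" >/dev/null
    done
    for h in "$@"; do
        xhost "+$h" >/dev/null
    done
    xhost
}

# Constructed sample outputs so the classifier runs without an X server present.
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_RESTRICTED='access control enabled, only authorized clients can connect
INET:mgmt01.example.test
SI:localuser:root'
```

Run "audit_display" from an X terminal on the audited host (or "audit_display MachineName:0.0" when DISPLAY is unset); a non-zero exit marks the finding. "lock_down_xhost" with no arguments leaves access control enabled and the host list empty, which is the state to aim for when xauth is in use.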