Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4697 | GEN005200 | SV-35168r1_rule | ECSC-1 | High |
Description |
---|
Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to xhost +, permitting access to the X Server by anyone, from anywhere. |
STIG | Date |
---|---|
HP-UX 11.31 Security Technical Implementation Guide | 2016-12-20 |
Check Text ( C-36601r1_chk ) |
---|
If X Windows is not used on the system, this is not applicable.

Check the output of the "xhost" command from an X terminal. First, verify the DISPLAY variable is correctly set:

$ echo $DISPLAY

NOTE: It may be necessary to define the display if the command reports it cannot open the display. MachineName may be replaced with an Internet Protocol address. Repeat the check procedure after setting the display:

$ DISPLAY=MachineName:0.0; export DISPLAY
$ xhost

If the output reports access control is enabled (and possibly lists the hosts that can receive X window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding. |
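The check above, automated as an added example (not part of the STIG text): a POSIX shell function classifies xhost output into finding / not a finding / undetermined, and a wrapper runs it against the live display. It assumes the X.Org wording of the "access control" line (HP-UX may phrase it slightly differently); the sample outputs and host names are constructed.

```shell
#!/bin/sh
# Added example, not STIG text. Automates GEN005200: classify the output of
# xhost. Matching assumes the X.Org wording "access control enabled/disabled".

# classify_xhost_output: reads xhost output on stdin, prints a verdict, returns
#   0 = not a finding (access control enabled)
#   1 = finding (access control disabled, i.e. the effect of a bare "xhost +")
#   2 = undetermined (no access-control line, e.g. display could not be opened)
classify_xhost_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'access control disabled'; then
        echo "FINDING: X access control is disabled (any host may connect)"
        return 1
    elif printf '%s\n' "$out" | grep -qi 'access control enabled'; then
        # Remaining non-empty lines are the authorized clients (INET:, SI:, ...)
        hosts=$(printf '%s\n' "$out" | grep -vi 'access control' \
                | grep -v '^[[:space:]]*$' || true)
        if [ -n "$hosts" ]; then
            echo "NOT A FINDING: access control enabled; authorized clients:"
            printf '%s\n' "$hosts"
        else
            echo "NOT A FINDING: access control enabled; no extra authorized clients"
        fi
        return 0
    else
        echo "UNDETERMINED: no access-control line (is DISPLAY set and reachable?)"
        return 2
    fi
}

# run_check: the live STIG procedure; verify DISPLAY first, then run xhost.
run_check() {
    if [ -z "$DISPLAY" ]; then
        echo "DISPLAY is not set; e.g. DISPLAY=MachineName:0.0; export DISPLAY" >&2
        return 2
    fi
    xhost 2>&1 | classify_xhost_output
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_DISABLED='access control disabled, clients can connect from any host'
SAMPLE_ENABLED='access control enabled, only authorized clients can connect
INET:workstation1.example.mil
SI:localuser:root'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ENABLED" | classify_xhost_output
    printf '%s\n' "$SAMPLE_DISABLED" | classify_xhost_output
fi
```

Run with `--demo` to see both verdicts on the constructed samples, or call `run_check` from an X terminal on the audited host.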
Fix Text (F-31968r1_fix) |
---|
If using xhost-type authentication, the "xhost -" command can be used to remove the current trusted hosts, after which only trusted hosts are selectively allowed to connect with "xhost +hostname" commands (a named host each time, never a bare "xhost +", which disables access control entirely). A cryptographically secure authentication, such as that provided by the xauth program, is always preferred. |