
X displays must not be exported to the world.


Overview

Finding ID: V-4697
Version: GEN005200
Rule ID: SV-63295r1_rule
IA Controls: ECSC-1
Severity: High
Description
Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to "xhost +", permitting access to the X Server by anyone, from anywhere.
STIG: Oracle Linux 5 Security Technical Implementation Guide
Date: 2015-03-26

Details

Check Text (C-51997r1_chk)
If X Windows is not used on the system, this is not applicable.

Check the output of the "xhost" command from an X terminal.

Procedure:
# xhost
If the output reports access control is enabled (and possibly lists the hosts able to receive X window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding.

Note: It may be necessary to define the display if the command reports it cannot open the display.

Procedure:
$ DISPLAY=MachineName:0.0; export DISPLAY
MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.
Fix Text (F-53885r1_fix)
If using xhost-type authentication, the "xhost -" command can be used to remove all currently trusted hosts, after which only trusted hosts are selectively re-added with "xhost +" commands. Cryptographically secure authentication, such as that provided by the xauth program, is always preferred.

Refer to your X11 server's documentation for further security information.
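The following script is an added example, not part of the STIG text, that automates the check above (classify the first line of "xhost" output, list the access-list entries, and handle the "cannot open display" case) and emits the "xhost -" then "xhost +host" sequence from the Fix Text for a given list of trusted hosts. The sample xhost outputs are constructed; the function names and the RUN_AUDIT variable are this example's own.

```shell
#!/bin/sh
# Added example (not part of the STIG text): automate the GEN005200 / V-4697
# check by classifying the output of `xhost`, and emit the "xhost -" then
# "xhost +host" sequence from the Fix Text for a given list of trusted hosts.
# The sample outputs below are constructed; their first line matches the
# status line the real xhost binary prints.

# Constructed sample outputs.
SAMPLE_ENABLED='access control enabled, only authorized clients can connect
SI:localuser:oracle
INET:dbadmin.example.internal'
SAMPLE_DISABLED='access control disabled, clients can connect from any host'
SAMPLE_NODISPLAY='xhost:  unable to open display ""'

# xhost_verdict OUTPUT
#   0 = access control enabled  -> not a finding
#   1 = access control disabled -> FINDING (display exported to the world)
#   2 = display could not be opened -> set DISPLAY and repeat the check
#   3 = unrecognised output
xhost_verdict() {
    case $1 in
        "access control enabled"*)   return 0 ;;
        "access control disabled"*)  return 1 ;;
        *"unable to open display"*)  return 2 ;;
        *)                           return 3 ;;
    esac
}

# xhost_allowed OUTPUT: print the access-list entries (everything after the
# status line), one per line, so a reviewer can confirm each entry is a
# specific trusted host rather than a blanket grant.
xhost_allowed() {
    printf '%s\n' "$1" | sed '1d'
}

# xhost_restrict_plan HOST...: print the Fix Text sequence as shell commands:
# drop every current entry with "xhost -", then re-add only the named hosts.
# Review the plan, then pipe it into sh from an X terminal session to apply.
xhost_restrict_plan() {
    echo 'xhost -'
    for h in "$@"; do
        echo "xhost +$h"
    done
}

# audit_x_display: run the live check on this host and report the verdict.
audit_x_display() {
    if ! command -v xhost >/dev/null 2>&1; then
        echo "NOT APPLICABLE: xhost not present, X Windows not in use"
        return 0
    fi
    out=$(xhost 2>&1)
    xhost_verdict "$out"
    rc=$?
    case $rc in
        0) echo "NOT A FINDING: access control enabled"
           echo "Allowed entries:"; xhost_allowed "$out" ;;
        1) echo "FINDING: access control disabled (equivalent to xhost +)" ;;
        2) echo "Cannot open display; set DISPLAY=MachineName:0.0 and re-run" ;;
        *) echo "Unrecognised xhost output:"; echo "$out" ;;
    esac
    return $rc
}

# Run the live check only when asked, so sourcing this file has no side effects.
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    audit_x_display
fi
```

Run it as RUN_AUDIT=1 sh audit_xhost.sh from an X terminal on the target; the exit status follows the verdict codes above, so it can feed a larger compliance run.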