Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1021 | GEN000000-LNX00360 | SV-62805r1_rule | ECSC-1 | Medium |
Description |
---|
Without the correct options enabled, the Xwindows system would be less secure and there would be no screen timeout. |
STIG | Date |
---|---|
Oracle Linux 5 Security Technical Implementation Guide | 2015-06-05 |
Check Text ( C-51657r1_chk ) |
---|
Verify the options of the running Xwindows server are correct. Procedure: Get the running xserver information # ps -ef |grep X If the response contains /usr/bin/Xorg:0 /usr/bin/Xorg:0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7 this is indicative of Xorg starting through gdm. This is the default on this version of the operating system. Examine the Xorg line: If the "-auth" option is missing this would be a finding. If the "-audit" option is missing or not set to 4, this is a finding. If the "-s" option is missing or greater than 15, this is a finding. If the response to the grep contains X:0 /usr/bin/X:0 this indicates the X server was started with the xinit command with no associated .xserverrc in the home directory of the user. No options are selected by default. This is a finding. Otherwise if there are options on the X:0 line: If the "-auth" option is missing this is a finding If the "-audit" option is missing or not set to 4, this is a finding. If the "-s" option is missing or greater than 15, this is a finding. |
Fix Text (F-53373r5_fix) |
---|
Enable the following options: -audit (at level 4), -auth and -s with 15 minutes as the timeout value. Procedure for gdm: Edit /etc/gdm/custom.conf and add the following: [server-Standard] name=Standard server command=/usr/bin/Xorg -br -audit 4 -s 15 chooser=false handled=true flexible=true priority=0 Procedure for xinit: Edit or create a .xserverrc file in the user's home directory containing the startup script for xinit. This script must have an exec line with at least these options: exec /usr/bin/X -audit 4 -s 15 -auth The |