
An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.


Overview

Finding ID: V-1022
Version: GEN000000-LNX00380
Rule ID: SV-62815r1_rule
IA Controls:
Severity: Medium
Description
These options will detract from the security of the Xwindows system.
STIG: Oracle Linux 5 Security Technical Implementation Guide
Date: 2020-02-25

Details

Check Text ( C-51687r1_chk )
If the "xorg-x11-server-Xorg" package is not installed, this is not applicable.

Verify the options of the running Xwindows server are correct.

Procedure:

Get the running xserver information

# ps -ef |grep X

If the response contains /usr/bin/Xorg:0

/usr/bin/Xorg:0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7

this is indicative of Xorg starting through gdm. This is the default window manager on this version of the operating system.

If the "-ac" option is found, this is a finding.
If the "-core" option is found, this is a finding.
If the "-nolock" option is found, this is a finding.


If the response to the grep contains X:0

/usr/bin/X:0

Examine the X:0 line:

If the "-ac" option is found, this is a finding.
If the "-core" option is found, this is a finding.
If the "-nolock" option is found, this is a finding.
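
The check above can be scripted as follows. This is an added example, not part of the STIG text: the function names (check_x_args, check_running_x, sample_ps) and the sample process lines are constructed for illustration, and "ps -eo args" is used instead of "ps -ef | grep X" so that only the command line is parsed.

```sh
#!/bin/sh
# Added example; function names and sample lines are constructed, not from the STIG.

# Read process command lines (one per line) on stdin. For every X or Xorg
# process, print "FINDING <option>: <command line>" for each prohibited option.
# Options are compared as whole arguments, so "-accessx" or "-auth" never
# match "-ac". Returns 1 if anything was reported, 0 otherwise.
check_x_args() {
    awk '
    {
        n = split($1, path, "/")      # basename of the executable
        exe = path[n]
        sub(/:[0-9.]*$/, "", exe)     # tolerate "Xorg:0" as printed in the check text
        if (exe != "X" && exe != "Xorg") next   # skips "grep X" and unrelated matches
        for (i = 2; i <= NF; i++)
            if ($i == "-ac" || $i == "-core" || $i == "-nolock") {
                printf "FINDING %s: %s\n", $i, $0
                bad = 1
            }
    }
    END { exit (bad ? 1 : 0) }'
}

# Live check: not applicable when the Xorg server package is absent.
check_running_x() {
    if ! rpm -q xorg-x11-server-Xorg >/dev/null 2>&1; then
        echo "NOT APPLICABLE: xorg-x11-server-Xorg is not installed"
        return 0
    fi
    ps -eo args | check_x_args
}

# Constructed sample input (not captured from a real host).
sample_ps() {
    cat <<'EOF'
/usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
/usr/bin/X :1 -ac -nolisten tcp
/usr/bin/Xorg :2 -accessx -auth /tmp/.Xauth -nolock
grep X
EOF
}

sample_ps | check_x_args || echo "Result: finding (prohibited X server option present)"
```

The script reports -core like the other two options; whether a given use falls under the debugging exception is left to the reviewer.
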
Fix Text (F-53401r1_fix)
Disable the unwanted options:
Procedure:
For gdm:
Remove the -ac, -core and -nolock options by creating a "command" entry in the /etc/gdm/custom.conf file with the options removed.

For Xwindows started by xinit:
Create or modify the .xserverrc script in the user's home directory to remove the -ac, -core and -nolock options from the exec /usr/bin/X command.