The X server must have the correct options enabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-1021	GEN000000-LNX00360	SV-37207r1_rule	ECSC-1	Medium

Description
Without the correct options enabled, the Xwindows system would be less secure and there would be no screen timeout.

STIG	Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide	2014-01-09

Details

Check Text ( C-35896r1_chk )
Verify the options of the running Xwindows server are correct. Procedure: Get the running xserver information # ps -ef \|grep X If the response contains /usr/bin/Xorg:0 /usr/bin/Xorg:0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7 this is indicative of Xorg starting through gdm. This is the default on RHEL. Examine the Xorg line: If the "-auth" option is missing this would be a finding. If the "-audit" option is missing or not set to 4, this is a finding. If the "-s" option is missing or greater than 15, this is a finding. If the response to the grep contains X:0 /usr/bin/X:0 this indicates the X server was started with the xinit command with no associated .xserverrc in the home directory of the user. No options are selected by default. This is a finding. Otherwise if there are options on the X:0 line: If the "-auth" option is missing this is a finding If the "-audit" option is missing or not set to 4, this is a finding. If the "-s" option is missing or greater than 15, this is a finding.

Check Text ( C-35896r1_chk )

Verify the options of the running Xwindows server are correct.

Procedure:
Get the running xserver information

# ps -ef |grep X

If the response contains /usr/bin/Xorg:0

/usr/bin/Xorg:0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7

this is indicative of Xorg starting through gdm. This is the default on RHEL.

Examine the Xorg line:

If the "-auth" option is missing this would be a finding.
If the "-audit" option is missing or not set to 4, this is a finding.
If the "-s" option is missing or greater than 15, this is a finding.

If the response to the grep contains X:0

/usr/bin/X:0

this indicates the X server was started with the xinit command with no associated .xserverrc in the home directory of the user. No options are selected by default. This is a finding.

Otherwise if there are options on the X:0 line:
If the "-auth" option is missing this is a finding
If the "-audit" option is missing or not set to 4, this is a finding.
If the "-s" option is missing or greater than 15, this is a finding.

Fix Text (F-31154r1_fix)
Enable the following options: -audit (at level 4), -auth and -s with 15 minutes as the timeout value. Procedure for gdm: Edit /etc/gdm/custom.conf and add the following: [server-Standard] name=Standard server command=/usr/bin/Xorg -br -audit 4 -s 15 chooser=false handled=true flexible=true priority=0 Procedure for xinit: Edit or create a .xserverrc file in the users home directory containing the startup script for xinit. This script must have an exec line with at least these options: exec /usr/bin/X -audit 4 -s 15 -auth & The is created using the "xauth" command and is customarily located in the users home directory with the name ".Xauthority".

Fix Text (F-31154r1_fix)

Enable the following options: -audit (at level 4), -auth and -s with 15 minutes as the timeout value.

Procedure for gdm:
Edit /etc/gdm/custom.conf and add the following:
[server-Standard]
name=Standard server
command=/usr/bin/Xorg -br -audit 4 -s 15
chooser=false
handled=true
flexible=true
priority=0

Procedure for xinit:
Edit or create a .xserverrc file in the users home directory containing the startup script for xinit.
This script must have an exec line with at least these options:

exec /usr/bin/X -audit 4 -s 15 -auth &

The is created using the "xauth" command and is customarily located in the users home directory with the name ".Xauthority".