UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The X server must have the correct options enabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-1021 GEN000000-LNX00360 SV-37207r1_rule ECSC-1 Medium
Description
Without the correct options enabled, the Xwindows system would be less secure and there would be no screen timeout.
STIG Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide 2014-01-09

Details

Check Text ( C-35896r1_chk )
Verify the options of the running Xwindows server are correct.

Procedure:
Get the running xserver information

# ps -ef |grep X

If the response contains /usr/bin/Xorg:0

/usr/bin/Xorg:0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7

this is indicative of Xorg starting through gdm. This is the default on RHEL.

Examine the Xorg line:

If the "-auth" option is missing this would be a finding.
If the "-audit" option is missing or not set to 4, this is a finding.
If the "-s" option is missing or greater than 15, this is a finding.


If the response to the grep contains X:0

/usr/bin/X:0

this indicates the X server was started with the xinit command with no associated .xserverrc in the home directory of the user. No options are selected by default. This is a finding.

Otherwise if there are options on the X:0 line:
If the "-auth" option is missing this is a finding
If the "-audit" option is missing or not set to 4, this is a finding.
If the "-s" option is missing or greater than 15, this is a finding.
Fix Text (F-31154r1_fix)
Enable the following options: -audit (at level 4), -auth and -s with 15 minutes as the timeout value.

Procedure for gdm:
Edit /etc/gdm/custom.conf and add the following:
[server-Standard]
name=Standard server
command=/usr/bin/Xorg -br -audit 4 -s 15
chooser=false
handled=true
flexible=true
priority=0

Procedure for xinit:
Edit or create a .xserverrc file in the users home directory containing the startup script for xinit.
This script must have an exec line with at least these options:

exec /usr/bin/X -audit 4 -s 15 -auth &

The is created using the "xauth" command and is customarily located in the users home directory with the name ".Xauthority".