Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
X displays must not be exported to the world.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-4697 | GEN005200 | SV-45920r1_rule | High |
| Description |
|---|
| Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to “xhost +”, permitting access to the X Server by anyone, from anywhere. |
| STIG | Date |
|---|---|
| SUSE Linux Enterprise Server v11 for System z | 2016-12-20 |
Details
| Check Text ( C-43228r1_chk ) |
|---|
| If Xwindows is not used on the system, this is not applicable. Check the output of the "xhost" command from an X terminal. Procedure: # xhost If the output reports access control is enabled (and possibly lists the hosts able to receive X window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding. Note: It may be necessary to define the display if the command reports it cannot open the display. Procedure: $ DISPLAY=MachineName:0.0; export DISPLAY MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display. |
| Fix Text (F-39298r1_fix) |
|---|
| If using an xhost-type authentication the "xhost -" command can be used to remove current trusted hosts and then selectively allow only trusted hosts to connect with "xhost +" commands. A cryptographically secure authentication, such as provided by the xauth program, is always preferred. Refer to your X11 server's documentation for further security information. |