X displays must not be exported to the world.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-216076 | SOL-11.1-020530 | SV-216076r959010_rule | CCI-000225 | high |
| Description | ||||
| Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to xhost +, permitting access to the X Server by anyone, from anywhere. | ||||
| STIG | Date | |||
| Solaris 11 X86 Security Technical Implementation Guide | 2025-05-05 | |||
Details
Check Text (C-216076r959010_chk)
If X Windows is not used on the system, this is not applicable.
Check the output of the xhost command from an X terminal.
Procedure:
$ xhost
If the output reports access control is enabled (and possibly lists the hosts that can receive X Window logins), this is not a finding. If the xhost command returns a line indicating access control is disabled, this is a finding.
NOTE: It may be necessary to define the display if the command reports it cannot open the display.
Procedure:
$ DISPLAY=MachineName:0.0; export DISPLAY
MachineName may be replaced with an Internet Protocol Address. Repeat the check procedure after setting the display.
Fix Text (F-17312r372611_fix)
If using an xhost-type authentication the xhost - command can be used to remove current trusted hosts and then selectively allow only trusted hosts to connect with xhost + commands. A cryptographically secure authentication, such as provided by the xauth program, is always preferred. Refer to your X11 server's documentation for further security information.