The sshd server must bind the X11 forwarding server to the loopback address.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-233301 | SOL-11.1-040331 | SV-233301r959010_rule | CCI-000366 | medium |
| Description | ||||
| As enabling X11 Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the user's needs. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to “localhost”. This prevents remote hosts from connecting to the proxy display. | ||||
| STIG | Date | |||
| Solaris 11 X86 Security Technical Implementation Guide | 2025-05-05 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-233301r959010_chk)
Determine if the X11 forwarding server is bound to the loopback address.
# grep "^X11UseLocalhost" /etc/ssh/sshd_config
If the output of this command is not:
X11UseLocalhost yes
this is a finding.
Fix Text (F-36460r622216_fix)
The root role is required.
Modify the sshd_config file.
# vi /etc/ssh/sshd_config
Locate the line containing:
X11UseLocalhost
Change it to:
X11UseLocalhost yes
Restart the SSH service.
# svcadm restart svc:/network/ssh