X displays must not be exported to the world.
An XCCDF Rule
Description
Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to xhost +, permitting access to the X Server by anyone, from anywhere.
- ID
- SV-216076r959010_rule
- Version
- SOL-11.1-020530
- Severity
- High
- References
- Updated
Remediation Templates
A Manual Procedure
If using an xhost-type authentication the xhost - command can be used to remove current trusted hosts and then selectively allow only trusted hosts to connect with xhost + commands. A cryptographically secure authentication, such as provided by the xauth program, is always preferred. Refer to your X11 server's documentation for further security information.