Skip to content

Remove the X Windows Package Group

An XCCDF Rule

Description

By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:

$ sudo yum groupremove base-x
$ sudo yum remove xorg-x11-server-common

warning alert: Functionality Warning

The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target which might bring your system to an inconsistent state requiring additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before continuing installation.

Rationale

Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

ID
xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed
Severity
Medium
References
Updated



Remediation - Anaconda Pre-Install Instructions


package --remove=xorg-x11-server-common

Remediation - Ansible

- name: Ensure xorg-x11-server-common is removed
  package:
    name: xorg-x11-server-common
    state: absent
  tags:
  - NIST-800-53-CM-6(a)

Remediation - Puppet

include remove_xorg-x11-server-common

class remove_xorg-x11-server-common {
  package { 'xorg-x11-server-common':
    ensure => 'purged',
  }

Remediation - Shell Script


# CAUTION: This remediation script will remove xorg-x11-server-common
#	   from the system, and may remove any packages
#	   that depend on xorg-x11-server-common. Execute this
#	   remediation AFTER testing on a non-production
#	   system!