
Remove the X Windows Package Group

An XCCDF Rule

Description

By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed, the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into graphical.target. To remove the package, run the following commands:

$ sudo apt-get groupremove "X Window System"
$ sudo apt-get remove xorg-x11-server-common

Functionality Warning

The installation and use of a Graphical User Interface (GUI) increases your attack surface and decreases your overall security posture. Removing the xorg-x11-server-common package will remove the graphical target, which might bring your system to an inconsistent state requiring additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile that removes this rule should be used before continuing installation.

Rationale

Unnecessary service packages must not be installed, in order to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

ID
xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed
Severity
Medium
References
Updated



Remediation - Ansible

- name: Ensure xserver-xorg is removed
  package:
    name: xserver-xorg
    state: absent
  tags:
  - NIST-800-53-CM-6(a)

Remediation - Puppet

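include remove_xserver_xorg

# Puppet class names may not contain hyphens, so the class uses underscores;
# the package resource title keeps the real package name.
class remove_xserver_xorg {
  package { 'xserver-xorg':
    ensure => 'purged',
  }
}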

Remediation - Shell Script


# CAUTION: This remediation script will remove xserver-xorg
#	   from the system, and may remove any packages
#	   that depend on xserver-xorg. Execute this
#	   remediation AFTER testing on a non-production
#	   system!
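
To verify the outcome of any of the remediations above, the following audit check is an added example, not part of the rule's own content. It treats both the Ansible result (state: absent, which can leave dpkg in the config-files state) and the Puppet result (purged) as compliant; the function names and the extra check that the default systemd target is no longer graphical.target are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit check for this rule on a dpkg-based system.
# PKG is the package name used by the remediation sections on this page.
PKG="xserver-xorg"

# Classify a dpkg-query '${Status}' string ("want flag status").
# Returns 0 when the package's program files are not on the system.
pkg_removed() {
    case "$1" in
        "")                 return 0 ;;  # unknown to dpkg: never installed
        *" not-installed")  return 0 ;;  # purged (Puppet ensure => 'purged')
        *" config-files")   return 0 ;;  # removed, config kept (Ansible state: absent)
        *)                  return 1 ;;  # installed, unpacked, half-*, triggers-*
    esac
}

# Assumption of this example: a graphical default target left behind
# after removal is reported, since the system could not reach it.
target_ok() {
    [ "$1" != "graphical.target" ]
}

# $1 = dpkg status string, $2 = default systemd target.
# Prints one verdict line and returns 0 only when both checks pass.
evaluate() {
    if ! pkg_removed "$1"; then
        echo "FAIL: $PKG present (dpkg status: $1)"; return 1
    fi
    if ! target_ok "$2"; then
        echo "FAIL: default target is still $2"; return 1
    fi
    echo "PASS: $PKG absent, default target ${2:-unknown}"
}

# Live audit: read the real package state and default target.
audit_live() {
    status=$(dpkg-query -W -f='${Status}' "$PKG" 2>/dev/null) || status=""
    target=$(systemctl get-default 2>/dev/null) || target=""
    evaluate "$status" "$target"
}

# Constructed sample states, so the logic can be exercised offline.
evaluate "install ok installed" "graphical.target" || true
evaluate "deinstall ok config-files" "multi-user.target" || true
```

Call audit_live on the target host to evaluate its actual state; the exit status can be consumed by a cron job or CI step.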