Remove the X Windows Package Group
An XCCDF Rule
Description
By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To remove the package, run the following commands:
$ sudo yum groupremove "X Window System"
$ sudo yum remove xorg-x11-server-common
Functionality Warning
The installation and use of a Graphical User Interface (GUI) increases your attack surface and decreases your
overall security posture. Removing the xorg-x11-server-common package will remove the graphical target,
which might leave your system in an inconsistent state requiring additional configuration to access the system
again. If a GUI is an operational requirement, a tailored profile that removes this rule should be used before
continuing installation.
Rationale
To decrease the attack surface of the system, unnecessary service packages must not be installed. X Windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
- ID: xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed
- Severity: Medium
- References
- Updated
Remediation Templates
A Puppet Snippet
# Puppet class names may contain only lowercase letters, digits and underscores.
include remove_xorg_x11_server_common
class remove_xorg_x11_server_common {
  package { 'xorg-x11-server-common':
    ensure => 'purged',
  }
}
An Ansible Snippet
- name: Ensure xorg-x11-server-common is removed
  package:
    name: xorg-x11-server-common
    state: absent
  tags:
    - NIST-800-53-CM-6(a)
A Shell Script
# CAUTION: This remediation script will remove xorg-x11-server-common
# from the system, and may remove any packages
# that depend on xorg-x11-server-common. Execute this
# remediation AFTER testing on a non-production
# system!
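
The rule's pass condition and the inconsistent state described in the Functionality Warning can be audited together. The script below is an added example, not part of the SSG content or its own check; it assumes an RPM-based host with systemd, and the `RPM_CMD` and `SYSTEMCTL_CMD` override hooks and the return codes are this example's own conventions.

```sh
#!/bin/sh
# Added example, not SSG project code: audit a host against this rule.
# RPM_CMD and SYSTEMCTL_CMD are hypothetical override hooks (assumptions of
# this example) so the logic can be driven by stubs where rpm/systemd are absent.
PKG="xorg-x11-server-common"

# Exit status 0 when the named package is installed.
pkg_installed() {
    "${RPM_CMD:-rpm}" -q "$1" >/dev/null 2>&1
}

# Prints the systemd default boot target, or "unknown" if it cannot be read.
default_target() {
    "${SYSTEMCTL_CMD:-systemctl}" get-default 2>/dev/null || echo unknown
}

# Prints one verdict line. Return codes (this example's own convention):
#   0 = package absent, 1 = package installed (rule fails),
#   2 = package absent but the host still defaults to graphical.target,
#       taken here as the inconsistent state the warning describes.
audit_x11_removed() {
    target=$(default_target)
    if pkg_installed "$PKG"; then
        echo "FAIL: $PKG is installed (default target: $target)"
        return 1
    fi
    if [ "$target" = "graphical.target" ]; then
        echo "WARN: $PKG is absent but the default target is graphical.target"
        return 2
    fi
    echo "PASS: $PKG is not installed (default target: $target)"
    return 0
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_x11_removed
fi
```

Run it with `--audit` before and after remediation; a return code of 2 means the default target should be reviewed before the next reboot.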