{"description": "By removing the xorg-x11-server-common package, the system no longer has X Windows\ninstalled. If X Windows is not installed then the system cannot boot into graphical user mode.\nThis prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt>\nmode. To do so, run the following command:\n<pre>$ sudo apt_get groupremove \"X Window System\"</pre>\n<pre>$ sudo apt_get remove xorg-x11-server-common</pre>", "rationale": "Unnecessary service packages must not be installed to decrease the attack surface of the system. X Windows has a long history of security\nvulnerabilities and should not be installed unless approved and documented.", "severity": "medium", "references": {"cis-csc": ["12", "15", "8"], "cobit5": ["APO13.01", "DSS01.04", "DSS05.02", "DSS05.03"], "isa-62443-2009": ["4.3.3.6.6"], "isa-62443-2013": ["SR 1.13", "SR 2.6", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.6.2.1", "A.6.2.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.AC-3", "PR.PT-4"], "srg": ["SRG-OS-000480-GPOS-00227"], "cis": ["2.1.20"]}, "control_references": {"cis": ["2.1.20"]}, "components": [], "identifiers": {}, "ocil_clause": "the X Windows package group or xorg-x11-server-common has not been removed", "ocil": "To ensure the X Windows package group is removed, run the following command:\n<pre>$ rpm -qi xorg-x11-server-common</pre>\nThe output should be:\n<pre>package xorg-x11-server-common is not installed</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"functionality": "The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your\noverall security posture. 
Removing the xorg-x11-server-common package will remove the graphical target\nwhich might bring your system to an inconsistent state requiring additional configuration to access the system\nagain. If a GUI is an operational requirement, a tailored profile that removes this rule should be used before\ncontinuing installation."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "A graphical display manager must not be installed on Ubuntu 22.04 unless approved.", "vuldiscussion": "Unnecessary service packages must not be installed to decrease the attack surface of the system.\nGraphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.", "checktext": "Verify that a graphical user interface is not installed with the following command:\n\n$ sudo dnf list --installed \"xorg*common\"\n\nError: No matching Packages to list\n\nIf the \"x11-server-common\" package is installed and the use of a graphical user interface has not been documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.", "fixtext": "Document the requirement for a graphical user interface with the ISSO or remove all xorg packages with the following command:\n\nWarning: If you are accessing the system through the graphical user interface, change to the multi-user.target with the following command:\n\n$ sudo systemctl isolate multi-user.target\n\nWarning: Removal of the graphical user interface will immediately render it useless. 
The following commands should not be run from a virtual terminal emulator in the graphical interface.\n\n$ sudo dnf remove \"xorg*\"\n$ sudo systemctl set-default multi-user.target"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Remove the X Windows Package Group", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml", "template": {"name": "package_removed", "vars": {"pkgname": "xserver-common"}, "backends": {}}}