Hi Team,
We have be imformed of a non compliance for a CIS scan on out XI servers for the following X11 packages.
xorg-x11-fonts-ISO8859-1-100dpi-7.5-19.el8.noarch
xorg-x11-server-utils-7.7-27.el8.x86_64
xorg-x11-font-utils-7.5-41.el8.x86_64
Nagios XI 5.8.5
OS RHEL 8.5
We need to understand some things :
1 - What are they used for ?
2 - Can they and their dependencies be removed ?
Thanks
Oskar
X11 packages in XI, what are they used for.
-
oskargaboda
- Posts: 14
- Joined: Mon Aug 27, 2018 5:45 am
Re: X11 packages in XI, what are they used for.
Hello @oskargaboda
Thanks for reaching out, just jumped on over to my test VM and we see that there are associated dependencies.
As we know, xorg is only used in a graphical typically on runlevel 5, most servers are on runlevel 3, a shell frontend.
verify xorg processes?
As long as xorg/x11 associated services are not running, appears that there are forums suggesting ways to disable.
Thanks,
Perry
Thanks for reaching out, just jumped on over to my test VM and we see that there are associated dependencies.
As we know, xorg is only used in a graphical typically on runlevel 5, most servers are on runlevel 3, a shell frontend.
Code: Select all
runlevelCode: Select all
ps -aux | grep -Ei 'x11|xserver'Code: Select all
ss -tlp | grep -Ei x11'Thanks,
Perry
-
oskargaboda
- Posts: 14
- Joined: Mon Aug 27, 2018 5:45 am
Re: X11 packages in XI, what are they used for.
Hi Perry,
Thanks for your reply, i've checked and no X11 processes are running, however when checking what dependencies exist on removal we find that graphviz-gd relies on these suggesting we'd be breaking some visualisations by removing them.
It says
Removing dependent packages:
graphviz-gd x86_64 2.40.1-43.el8 @codeready-builder 48 k
urw-base35-bookman-fonts noarch 20170801-10.el8 @appstream 1.4 M
urw-base35-c059-fonts noarch 20170801-10.el8 @appstream 1.4 M
urw-base35-d050000l-fonts noarch 20170801-10.el8 @appstream 85 k
urw-base35-gothic-fonts noarch 20170801-10.el8 @appstream 1.2 M
urw-base35-nimbus-mono-ps-fonts noarch 20170801-10.el8 @appstream 1.0 M
urw-base35-nimbus-roman-fonts noarch 20170801-10.el8 @appstream 1.4 M
urw-base35-nimbus-sans-fonts noarch 20170801-10.el8 @appstream 2.4 M
urw-base35-p052-fonts noarch 20170801-10.el8 @appstream 1.5 M
urw-base35-z003-fonts
plus a whole bunch of “unused dependencies” including libraries and adobe stuff
Regards
Oskar
Thanks for your reply, i've checked and no X11 processes are running, however when checking what dependencies exist on removal we find that graphviz-gd relies on these suggesting we'd be breaking some visualisations by removing them.
It says
Removing dependent packages:
graphviz-gd x86_64 2.40.1-43.el8 @codeready-builder 48 k
urw-base35-bookman-fonts noarch 20170801-10.el8 @appstream 1.4 M
urw-base35-c059-fonts noarch 20170801-10.el8 @appstream 1.4 M
urw-base35-d050000l-fonts noarch 20170801-10.el8 @appstream 85 k
urw-base35-gothic-fonts noarch 20170801-10.el8 @appstream 1.2 M
urw-base35-nimbus-mono-ps-fonts noarch 20170801-10.el8 @appstream 1.0 M
urw-base35-nimbus-roman-fonts noarch 20170801-10.el8 @appstream 1.4 M
urw-base35-nimbus-sans-fonts noarch 20170801-10.el8 @appstream 2.4 M
urw-base35-p052-fonts noarch 20170801-10.el8 @appstream 1.5 M
urw-base35-z003-fonts
plus a whole bunch of “unused dependencies” including libraries and adobe stuff
Regards
Oskar
Re: X11 packages in XI, what are they used for.
Hello @oskargaboda
What are your ultimate intention and final endgame objective going forward? Typically we don't suggest removing packages unless there are conflicts with dependencies and/or other distro-related concerns.
Thanks,
Perry
What are your ultimate intention and final endgame objective going forward? Typically we don't suggest removing packages unless there are conflicts with dependencies and/or other distro-related concerns.
Thanks,
Perry
-
oskargaboda
- Posts: 14
- Joined: Mon Aug 27, 2018 5:45 am
Re: X11 packages in XI, what are they used for.
Hi Perry,
We have two options provided to pass a CIS scan :
a) We provide sufficient information on the requirement of the packages , what they do within the tool , the need for the feature and if the tool will continue to operate without them. Then build a justification to our infosec team for a exemption.
b) Remove the packages
Regards
Oskar
We have two options provided to pass a CIS scan :
a) We provide sufficient information on the requirement of the packages , what they do within the tool , the need for the feature and if the tool will continue to operate without them. Then build a justification to our infosec team for a exemption.
b) Remove the packages
Regards
Oskar
Re: X11 packages in XI, what are they used for.
Hello @oskargaboda
Please send us the full details of the CIS scan with any CVEs/endpoints/etc so I can run it by development.
The packages were installed as sub-dependencies of a dependency that the Nagios XI application uses.
If you try to remove the packages and their dependencies it will likely really break your system by uninstalling a lot of things (I labbed it up and it that's why I say that)
Given that the XI application installs a dependency that requires them we cannot recommend that you removing them as we're unsure of the impact and they are installed on a fresh install of XI (I labbed it up and looked).
Is your XI server an offline install/RPM install?
Thanks,
Perry
Please send us the full details of the CIS scan with any CVEs/endpoints/etc so I can run it by development.
The packages were installed as sub-dependencies of a dependency that the Nagios XI application uses.
If you try to remove the packages and their dependencies it will likely really break your system by uninstalling a lot of things (I labbed it up and it that's why I say that)
Given that the XI application installs a dependency that requires them we cannot recommend that you removing them as we're unsure of the impact and they are installed on a fresh install of XI (I labbed it up and looked).
Is your XI server an offline install/RPM install?
Code: Select all
rpm -qa | grep nagiosxiPerry