Puppet Class: cis_security_hardening::rules::x11_installed

Defined in:
manifests/rules/x11_installed.pp

Summary

Ensure X Window System is not installed

Overview

The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. The X Window System is typically used on workstations where users log in, but not on servers where users typically do not log in.

Rationale: Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface.

Examples:

class { 'cis_security_hardening::rules::x11_installed':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule



# File 'manifests/rules/x11_installed.pp', line 21

class cis_security_hardening::rules::x11_installed (
  Boolean $enforce = false,
) {
  $x11_installed = fact('cis_security_hardening.x11.installed')
  $x11_packages = fact('cis_security_hardening.x11.packages')

  if $enforce and $x11_installed != undef and $x11_installed {
    $x11_packages.each |$pkg| {
      # do not uninstall these packages because other software on the system depends on them
      if $pkg !~ /^xorg-x11-font/ and $pkg !~ /^xorg-x11-server-utils/ {
        $ensure = $facts['os']['family'].downcase() ? {
          'suse'  => 'absent',
          default => 'purged',
        }
        ensure_packages([$pkg], {
            ensure => $ensure,
        })
      }
    }
  }
}
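
A dry-run preview of what the class above would act on with `enforce => true`, written as an added shell example (not part of the module): it applies the same two name exclusions and the same SUSE/default `ensure` choice to a list of package names. The function names and the sample package list are constructed for illustration; on a managed node the list comes from the `cis_security_hardening.x11.packages` fact.

```shell
#!/bin/sh
# Dry-run preview of the removal set (added example, not module code).
# Reads package names on stdin, one per line, and prints "<ensure> <package>"
# for each package the class would act on with enforce => true.

# Map an os.family value to the ensure value the class selects.
x11_ensure_for() {
  family=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$family" in
    suse) echo absent ;;
    *)    echo purged ;;
  esac
}

# $1 = os family (e.g. RedHat, Debian, Suse); stdin = package names
x11_removal_preview() {
  ensure=$(x11_ensure_for "$1")
  while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    case "$pkg" in
      # Same exclusions as the class: /^xorg-x11-font/ and /^xorg-x11-server-utils/
      xorg-x11-font*|xorg-x11-server-utils*) continue ;;
    esac
    printf '%s %s\n' "$ensure" "$pkg"
  done
}

# Constructed sample input standing in for the x11.packages fact.
sample_packages() {
  cat <<'EOF'
xorg-x11-server-Xorg
xorg-x11-fonts-Type1
xorg-x11-font-utils
xorg-x11-server-utils
xorg-x11-xauth
EOF
}

# On a real RPM host, feed installed names instead (assumption: the fact
# lists package names of this form), e.g.
#   rpm -qa --qf '%{NAME}\n' 'xorg-x11*' | x11_removal_preview RedHat
sample_packages | x11_removal_preview RedHat
```

Because the exclusion patterns are anchored only at the start of the name, `xorg-x11-fonts-Type1` is skipped along with `xorg-x11-font-utils`.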