Nagios Support Forum

Hi Team,

We have be imformed of a non compliance for a CIS scan on out xi servers for the following X11 packages.

xorg-x11-fonts-ISO8859-1-100dpi-7.5-19.el8.noarch
xorg-x11-server-utils-7.7-27.el8.x86_64
xorg-x11-font-utils-7.5-41.el8.x86_64

Nagios xi 5.8.5
OS RHEL 8.5

We need to understand some things :

1 - What are they used for ?
2 - Can they and their dependencies be removed ?

Thanks
Oskar

Hello @oskargaboda

Thanks for reaching out, just jumped on over to my test VM and we see that there are associated dependencies.

As we know, xorg is only used in a graphical typically on runlevel 5, most servers are on runlevel 3, a shell frontend.
verify xorg processes? As long as xorg/x11 associated services are not running, appears that there are forums suggesting ways to disable.

Thanks,
Perry

Hi Perry,

Thanks for your reply, i've checked and no X11 processes are running, however when checking what dependencies exist on removal we find that graphviz-gd relies on these suggesting we'd be breaking some visualisations by removing them.

It says
Removing dependent packages:
graphviz-gd x86_64 2.40.1-43.el8 @codeready-builder 48 k
urw-base35-bookman-fonts noarch 20170801-10.el8 @appstream 1.4 M
urw-base35-c059-fonts noarch 20170801-10.el8 @appstream 1.4 M
urw-base35-d050000l-fonts noarch 20170801-10.el8 @appstream 85 k
urw-base35-gothic-fonts noarch 20170801-10.el8 @appstream 1.2 M
urw-base35-nimbus-mono-ps-fonts noarch 20170801-10.el8 @appstream 1.0 M
urw-base35-nimbus-roman-fonts noarch 20170801-10.el8 @appstream 1.4 M
urw-base35-nimbus-sans-fonts noarch 20170801-10.el8 @appstream 2.4 M
urw-base35-p052-fonts noarch 20170801-10.el8 @appstream 1.5 M
urw-base35-z003-fonts

plus a whole bunch of “unused dependencies” including libraries and adobe stuff

Regards
Oskar

Hello @oskargaboda

What are your ultimate intention and final endgame objective going forward? Typically we don't suggest removing packages unless there are conflicts with dependencies and/or other distro-related concerns.

Thanks,
Perry

Hi Perry,

We have two options provided to pass a CIS scan :

a) We provide sufficient information on the requirement of the packages , what they do within the tool , the need for the feature and if the tool will continue to operate without them. Then build a justification to our infosec team for a exemption.

b) Remove the packages

Regards
Oskar

Hello @oskargaboda

Please send us the full details of the CIS scan with any CVEs/endpoints/etc so I can run it by development.

The packages were installed as sub-dependencies of a dependency that the Nagios xi application uses.

If you try to remove the packages and their dependencies it will likely really break your system by uninstalling a lot of things (I labbed it up and it that's why I say that)

Given that the xi application installs a dependency that requires them we cannot recommend that you removing them as we're unsure of the impact and they are installed on a fresh install of xi (I labbed it up and looked).

Is your xi server an offline install/RPM install?
Thanks,
Perry