Remote access to your servers is something you want to have total control over. X Windows represents one type of remote access that isn’t often used for Linux servers in the cloud, but it is worth watching out for. Unless you’re providing a remote desktop for users, X Windows is most likely something you *don’t* want your users to run.
Here we talk about how to receive alerts when users run or use X Windows. Because starting X Windows creates logs, the simple way to monitor X Windows usage is by looking at the current log file for any changes. The log file is located here: /var/log/XFree86.0.log. This log file may be written to for several different X Windows events besides just X Windows starting up, so you can receive alerts about any X Windows activities.
Create a FIM policy to keep track of activity in the X Windows logs. Make sure you mark it as “Flag Critical” and “Send Alert”. Now every time there is X Windows activity, such as a user starting up X Windows, an alert will be generated and sent to you.