Disable graphical user interface

An XCCDF Rule

Description

By removing the following packages, the system no longer has X Windows installed. xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:

sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland

warning alert: Functionality Warning

The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target which might bring your system to an inconsistent state requiring additional configuration to access the system again. The rule xwindows_runlevel_target can be used to configure the system to boot into the multi-user.target. If a GUI is an operational requirement, a tailored profile that removes this rule should be used before continuing installation.

warning alert: Warning

This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. X11 graphic libraries are dependency of OpenStack Cinderlib storage provider.

Rationale

Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

ID: xccdf_org.ssgproject.content_rule_xwindows_remove_packages
Severity: Medium
References: CCI-000366

CM-6(b)

SRG-OS-000480-GPOS-00227

SV-230553r809324_rule
Updated: about 1 year ago


package --remove=xorg-x11-server-Xorg --remove=xorg-x11-server-common --remove=xorg-x11-server-utils --remove=xorg-x11-server-Xwayland

- name: Ensure xorg packages are removed
  package:
    name:
    - xorg-x11-server-Xorg
    - xorg-x11-server-common
    - xorg-x11-server-utils    - xorg-x11-server-Xwayland
    state: absent
  tags:
  - DISA-STIG-RHEL-08-040320
  - NIST-800-53-CM-6(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - xwindows_remove_packages



# remove packages
if rpm -q --quiet "xorg-x11-server-Xorg" ; then

    yum remove -y "xorg-x11-server-Xorg"
fi
if rpm -q --quiet "xorg-x11-server-utils" ; then

    yum remove -y "xorg-x11-server-utils"

fi
if rpm -q --quiet "xorg-x11-server-common" ; then

    yum remove -y "xorg-x11-server-common"

fi

if rpm -q --quiet "xorg-x11-server-Xwayland" ; then

    yum remove -y "xorg-x11-server-Xwayland"

fi

Disable graphical user interface

Description

Rationale

Remediation - Anaconda Pre-Install Instructions

Remediation - Ansible

Remediation - Shell Script