Disable X Windows Startup By Setting Default Target
An XCCDF Rule
Description
Systems that do not require a graphical user interface should only boot by default into multi-user.target mode. This prevents accidental booting of the system into a graphical.target mode. Setting the system's default target to multi-user.target will prevent automatic startup of the X server. To do so, run:
$ systemctl set-default multi-user.target
You should see the following output:
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
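One way to confirm the result without a running systemd, for example on a mounted image where systemctl get-default is not available. This is an added example, not part of the rule's own content; the function names and the ROOT argument are assumptions made for illustration, and the demo symlinks are constructed.

```shell
#!/bin/sh
# Added example: offline audit of the default systemd target.
# ROOT (hypothetical argument): "" for the live system, or the path of a mounted image.

# Print the unit name default.target points to, honouring unit-path
# precedence for the three main directories: /etc, then /run, then /usr/lib.
default_target() {
    local root="${1%/}"
    local dir link
    for dir in /etc/systemd/system /run/systemd/system /usr/lib/systemd/system; do
        link="${root}${dir}/default.target"
        if [ -L "$link" ]; then
            basename "$(readlink "$link")"
            return 0
        fi
    done
    return 1
}

# Return 0 if the system boots to multi-user.target, 1 if it boots to
# anything else, 2 if no default.target symlink exists at all.
audit_default_target() {
    local target
    if ! target="$(default_target "$1")"; then
        echo "FAIL: no default.target symlink found"
        return 2
    fi
    # Legacy runlevel aliases shipped by systemd resolve to these targets.
    case "$target" in
        runlevel[234].target) target="multi-user.target" ;;
        runlevel5.target)     target="graphical.target" ;;
    esac
    if [ "$target" = "multi-user.target" ]; then
        echo "PASS: default target is $target"
        return 0
    fi
    echo "FAIL: default target is $target"
    return 1
}

# Constructed demo: a fake root holding only the symlinks the rule describes.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/etc/systemd/system" "$demo_root/usr/lib/systemd/system"
ln -s /usr/lib/systemd/system/graphical.target "$demo_root/usr/lib/systemd/system/default.target"
audit_default_target "$demo_root" || true   # vendor default only
ln -s /usr/lib/systemd/system/multi-user.target "$demo_root/etc/systemd/system/default.target"
audit_default_target "$demo_root"           # /etc override wins
rm -rf "$demo_root"
```

A symlink in /etc/systemd/system takes precedence over the vendor default in /usr/lib/systemd/system, which is why the remediation writes the link there.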
Rationale
Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be used unless approved and documented.
- ID: xccdf_org.ssgproject.content_rule_xwindows_runlevel_target
- Severity: Medium
- References
- Updated
Remediation - Ansible
- name: Switch to multi-user runlevel
  file:
    src: /usr/lib/systemd/system/multi-user.target
    dest: /etc/systemd/system/default.target
    state: link
    force: true
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    systemctl set-default multi-user.target
else