{"description": "Edit the file <tt>/etc/gdm/custom.conf</tt> and add or modify the following line in the\n<tt>[daemon]</tt> block:\n<pre>\n[daemon]\nWaylandEnable=false\n</pre>\n<p>\nThis will disable XWayland support in GDM.\n</p>", "rationale": "XWayland is a compatibility layer for running X11 applications on Wayland.\nIt is not secure and should be disabled. Wayland's security benefits from not relying on X11's network listener: without X11\nthere is no network listener, which makes it harder for malicious actors to exploit vulnerabilities\nin X11. However, enabling XWayland (running X11 applications on Wayland) introduces\nX11's security concerns.\nAll X vulnerabilities apply to XWayland, including keylogging, but they only affect X\nwindows and interactions with them.\nMalware can potentially exploit XWayland vulnerabilities to log keystrokes or intercept other\ninput events.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "The WaylandEnable parameter is not set to false in the [daemon] section of the /etc/gdm/custom.conf file.", "ocil": "To verify that XWayland is disabled, run the following command:\n<pre>sed -n '/\\[daemon\\]/,/\\[/p' /etc/gdm/custom.conf | grep -Psi '^\\h*waylandenable\\b'</pre>\nThe command should return the following:\n<pre>\n[daemon]\nWaylandEnable=false\n</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Disable XWayland", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/xwayland_disabled/rule.yml", "template": null}