{"description": "By removing the following packages, the system no longer has X Windows installed.\n <tt>xorg-x11-server-Xorg</tt>\n <tt>xorg-x11-server-common</tt>\n <tt>xorg-x11-server-utils</tt>\n <tt>xorg-x11-server-Xwayland</tt>\n\nIf X Windows is not installed then the system cannot boot into graphical user mode.\nThis prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt>\nmode. To remove these packages, run the following command:\n<pre>sudo apt-get remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland</pre>", "rationale": "Unnecessary service packages must not be installed to decrease the attack surface of the system.\nX Windows has a long history of security vulnerabilities and should not be installed unless approved and documented.", "severity": "medium", "references": {"nist": ["CM-6(b)"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "xorg related packages are not removed and run level is not correctly configured", "ocil": "To ensure the X Windows package group is removed, run the following commands:\n<pre>$ rpm -qi xorg-x11-server-Xorg</pre>\n<pre>$ rpm -qi xorg-x11-server-common</pre>\n<pre>$ rpm -qi xorg-x11-server-utils</pre>\n<pre>$ rpm -qi xorg-x11-server-Xwayland</pre>\nFor each <tt>package</tt> mentioned above you should receive the following line:\n<pre>package &lt;package&gt; is not installed</pre>", "oval_external_content": null, "fixtext": "To ensure the X Windows package group is removed, run the following commands:\n$ apt-get remove xorg-x11-server-Xorg\n$ apt-get remove xorg-x11-server-common\n$ apt-get remove xorg-x11-server-utils\n$ apt-get remove xorg-x11-server-Xwayland", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 Must Be Configured In Accordance With The Security Configuration Settings Based On Dod Security Configuration Or Implementation Guidance, Including Stigs, Nsa 
Configuration Guides, Ctos, And Dtms.", "warnings": [{"functionality": "The installation and use of a Graphical User Interface (GUI) increases your attack surface and decreases your\noverall security posture. Removing the xorg-x11-server-common package will remove the graphical target,\nwhich might bring your system to an inconsistent state requiring additional configuration to access the system\nagain.\nThe rule <tt>xwindows_runlevel_target</tt> can be used to configure the system to boot into the multi-user.target.\nIf a GUI is an operational requirement, a tailored profile that removes this rule should be used before\ncontinuing installation."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "A graphical display manager must not be installed on Ubuntu 22.04 unless approved.", "vuldiscussion": "Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.", "checktext": "Verify that a graphical user interface is not installed with the following command:\n\n$ dnf list --installed \"xorg-x11-server-common\"\nError: No matching Packages to list\n\nIf the \"xorg-x11-server-common\" package is installed, and the use of a graphical user interface has not been documented with the information system security officer (ISSO) as an operational requirement, this is a finding.", "fixtext": "Document the requirement for a graphical user interface with the ISSO or remove all xorg packages with the following command:\n\nWarning: If you are accessing the system through the graphical user interface, change to the multi-user.target with the following command:\n\n$ sudo systemctl isolate multi-user.target\n\nWarning: Removal of the graphical user interface will immediately render it useless. 
The following commands must not be run from a virtual terminal emulator in the graphical interface.\n\n$ sudo dnf remove \"xorg*\"\n$ sudo systemctl set-default multi-user.target"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable graphical user interface", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml", "template": null}