documentation_complete: true

title: 'Disable graphical user interface'

description: |-
    By removing the following packages, the system no longer has X Windows installed.
    {{%- for xwindows_package in xwindows_packages %}}
     <tt>{{{ xwindows_package }}}</tt>
    {{%- endfor %}}

    If X Windows is not installed then the system cannot boot into graphical user mode.
    This prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt>
    mode. To do so, run the following command:
    <pre>sudo {{{ pkg_manager }}} remove {{{ xwindows_packages | join(' ') }}}</pre>

rationale: |-
    Unnecessary service packages must not be installed to decrease the attack surface of the system.
    X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

severity: medium

identifiers:
    cce@rhel8: CCE-83411-9
    cce@rhel9: CCE-84106-4
    cce@rhel10: CCE-88391-8
    cce@sle12: CCE-92242-7
    cce@sle15: CCE-91362-4

references:
    cis@sle12: 2.2.2
    cis@sle15: 2.2.2
    nist: CM-6(b)
    srg: SRG-OS-000480-GPOS-00227
    stigid@ol7: OL07-00-040730
    stigid@ol8: OL08-00-040320

ocil_clause: 'xorg related packages are not removed and run level is not correctly configured'

ocil: |-
    To ensure the X Windows package group is removed, run the following command:
    {{%- for xwindows_package in xwindows_packages %}}
    <pre>$ rpm -qi {{{ xwindows_package }}}</pre>
    {{%- endfor %}}
    For each <tt>package</tt> mentioned above you should receive following line:
    <pre>package &lt;package&gt; is not installed</pre>

fixtext: |-
    To ensure the X Windows package group is removed, run the following command:
    {{%- for xwindows_package in xwindows_packages -%}}
    {{{ package_remove(xwindows_package) }}}
    {{%- endfor %}}

srg_requirement: '{{{ full_name }}} Must Be Configured In Accordance With The Security Configuration Settings Based On Dod Security Configuration Or Implementation Guidance, Including Stigs, Nsa Configuration Guides, Ctos, And Dtms.'

platforms:
{{{ rule_notapplicable_when_ovirt_installed() | indent(4)}}}

warnings:
    - functionality: |-
        The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
        overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
        which might bring your system to an inconsistent state requiring additional configuration to access the system
        again.
        The rule <tt>xwindows_runlevel_target</tt> can be used to configure the system to boot into the multi-user.target.
        If a GUI is an operational requirement, a tailored profile that removes this rule should be used before
        continuing installation.
{{{ warning_ovirt_rule_notapplicable("X11 graphic libraries are dependency of OpenStack Cinderlib storage provider") | indent(4) }}}