Disable graphical user interface

Docs > Plateforme de sécurité Datadog > OOTB Rules > Disable graphical user interface

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

By removing the following packages, the system no longer has X Windows installed.

xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils

If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:

sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils

Rationale

Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# remove packages
if rpm -q --quiet "xorg-x11-server-Xorg" ; then

    yum remove -y "xorg-x11-server-Xorg"

fi
if rpm -q --quiet "xorg-x11-server-utils" ; then

    yum remove -y "xorg-x11-server-utils"

fi
if rpm -q --quiet "xorg-x11-server-common" ; then

    yum remove -y "xorg-x11-server-common"

fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure xorg packages are removed
  package:
    name:
    - xorg-x11-server-Xorg
    - xorg-x11-server-common
    - xorg-x11-server-utils
    state: absent
  tags:
  - CCE-83410-1
  - DISA-STIG-RHEL-07-040730
  - NIST-800-53-CM-6(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - xwindows_remove_packages

Warning

The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target which might bring your system to an inconsistent state requiring additional configuration to access the system again. The rule xwindows_runlevel_target can be used to configure the system to boot into the multi-user.target. If a GUI is an operational requirement, a tailored profile that removes this rule should be used before continuing installation.