Disable graphical user interface

문서 > Datadog 보안 > OOTB Rules > Disable graphical user interface

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

By removing the following packages, the system no longer has X Windows installed.

xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils

If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:

sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils

Rationale

Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# remove packages
if rpm -q --quiet "xorg-x11-server-Xorg" ; then

    yum remove -y "xorg-x11-server-Xorg"

fi
if rpm -q --quiet "xorg-x11-server-utils" ; then

    yum remove -y "xorg-x11-server-utils"

fi
if rpm -q --quiet "xorg-x11-server-common" ; then

    yum remove -y "xorg-x11-server-common"

fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure xorg packages are removed
  package:
    name:
    - xorg-x11-server-Xorg
    - xorg-x11-server-common
    - xorg-x11-server-utils
    state: absent
  tags:
  - CCE-83410-1
  - DISA-STIG-RHEL-07-040730
  - NIST-800-53-CM-6(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
  - xwindows_remove_packages

Warning

The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target which might bring your system to an inconsistent state requiring additional configuration to access the system again. The rule xwindows_runlevel_target can be used to configure the system to boot into the multi-user.target. If a GUI is an operational requirement, a tailored profile that removes this rule should be used before continuing installation.