Check: RHEL-07-040730
Red Hat Enterprise Linux 7 STIG:
RHEL-07-040730
(in versions v3 r14 through v3 r3)
Title
The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved. (Cat II impact)
Discussion
Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.
Check Content
Verify the system is configured to boot to the command line:

$ systemctl get-default
multi-user.target

If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.

Verify a graphical user interface is not installed:

$ rpm -qa | grep xorg | grep server

Ask the System Administrator if use of a graphical user interface is an operational requirement.

If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.
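The check above as a script, as an added example that is not part of the STIG text: it applies the same `grep xorg | grep server` filter to a package list and combines the result with the default target. The function names, the `yes`/`no` documentation flag (the ISSO's answer cannot be read from the host) and the sample package list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not STIG text): evaluate RHEL-07-040730 from captured command output.
# Function names and the documentation flag are assumptions of this sketch.

# Print installed X server packages using the check's own filter.
xorg_server_pkgs() {
    printf '%s\n' "$1" | grep xorg | grep server || true
}

# stig_040730 DEFAULT_TARGET PACKAGE_LIST GUI_DOCUMENTED(yes|no)
# Prints one line per finding or "NOT A FINDING"; returns 1 if any finding exists.
stig_040730() {
    target=$1 pkgs=$2 documented=$3 findings=0
    if [ "$documented" = "yes" ]; then
        echo "NOT A FINDING: GUI requirement documented with the ISSO"
        return 0
    fi
    if [ "$target" != "multi-user.target" ]; then
        echo "FINDING: default target is '$target', expected multi-user.target"
        findings=1
    fi
    installed=$(xorg_server_pkgs "$pkgs")
    if [ -n "$installed" ]; then
        echo "FINDING: X server packages installed: $(printf '%s' "$installed" | tr '\n' ' ')"
        findings=1
    fi
    if [ "$findings" -eq 0 ]; then
        echo "NOT A FINDING"
    fi
    return "$findings"
}

# Constructed sample input (not from a real host). Note the two near misses:
# a package matching only "xorg" and one matching only "server".
SAMPLE_PKGS='bash-4.2.46-35.el7_9.x86_64
xorg-x11-server-Xorg-1.20.4-10.el7.x86_64
xorg-x11-server-common-1.20.4-10.el7.x86_64
xorg-x11-fonts-Type1-7.5-9.el7.noarch
openssh-server-7.4p1-21.el7.x86_64'
stig_040730 graphical.target "$SAMPLE_PKGS" no || true
# Live use on a host:
#   stig_040730 "$(systemctl get-default)" "$(rpm -qa)" no
```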
Fix Text
Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure:

Open an SSH session and enter the following commands:

$ sudo systemctl set-default multi-user.target

$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils

A reboot is required for the changes to take effect.
Additional Identifiers
Rule ID: SV-204624r646847_rule
Vulnerability ID: V-204624
Group Title: SRG-OS-000480-GPOS-00227
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |