- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
By removing the following packages, the system no longer has X Windows installed.
xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils
If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a graphical.target
mode. To do so, run the following command:
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils
Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
The following script can be run on the host to remediate the issue.
#!/bin/bash
# remove packages
if rpm -q --quiet "xorg-x11-server-Xorg" ; then
yum remove -y "xorg-x11-server-Xorg"
fi
if rpm -q --quiet "xorg-x11-server-utils" ; then
yum remove -y "xorg-x11-server-utils"
fi
if rpm -q --quiet "xorg-x11-server-common" ; then
yum remove -y "xorg-x11-server-common"
fi
The following playbook can be run with Ansible to remediate the issue.
- name: Ensure xorg packages are removed
package:
name:
- xorg-x11-server-Xorg
- xorg-x11-server-common
- xorg-x11-server-utils
state: absent
tags:
- CCE-83410-1
- DISA-STIG-RHEL-07-040730
- NIST-800-53-CM-6(b)
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- xwindows_remove_packages
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
which might bring your system to an inconsistent state requiring additional configuration to access the system
again.
The rule xwindows_runlevel_target
can be used to configure the system to boot into the multi-user.target.
If a GUI is an operational requirement, a tailored profile that removes this rule should be used before
continuing installation.