OL 9 must not have a graphical display manager installed unless approved.

STIG ID: OL09-00-000145  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000382 |  Vulnerability Id: V-271465

Vulnerability Discussion

Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.

Check

Verify that OL 9 does not have a graphical user interface installed with the following command:

$ dnf list --installed "xorg*common"
Error: No matching Packages to list

If the "x11-server-common" package is installed, and the use of a graphical user interface has not been documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix

Remove all xorg packages with the following command:

Warning: If accessing the system through the graphical user interface, change to the multi-user.target with the following command:

$ sudo systemctl isolate multi-user.target

Warning: Removal of the graphical user interface will immediately render it useless. The following commands must not be run from a virtual terminal emulator in the graphical interface.

$ sudo dnf remove "xorg*"
$ sudo systemctl set-default multi-user.target

If there is an operational requirement for a graphical user interface it must be documented with the ISSO.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.