Disable X Windows

Disable the X Window System on Linux servers and boot to multi-user.target to shrink server attack surface

Worklet Details

What the X Window System disabler does

This Automox Worklet™ disables the X Window System (X11) on Linux server endpoints so they boot into multi-user text mode instead of a graphical session. The Worklet inspects the host to decide which init path is in use, then writes the correct change to that path. On systemd hosts it runs systemctl set-default multi-user.target and rewrites GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub to text. On older SysV hosts it edits /etc/inittab to flip the default runlevel from id:5:initdefault: to id:3:initdefault:.

The remediation script is conservative by default. It changes the boot target and GRUB flags, then exits without rebooting. Two optional hooks let you go further when the change window allows it. Set performReboot=1 in the script to issue shutdown -r NOW after a successful edit. Uncomment the yum groupremove "X Window System" line to delete X server packages outright on RPM endpoints, or replace the commented apt-get line with a valid xserver-xorg package list before uncommenting it on Debian or Ubuntu endpoints.

Because the change touches boot configuration, the Worklet is safe to pilot on a single server first. Each path also handles its own failure mode. If /etc/inittab does not contain id:5:initdefault:, the script logs "initlevel 5 not found" and exits non-zero. If /etc/default/grub is missing the GRUB_CMDLINE_LINUX_DEFAULT key, it logs "Boot option not found in grub config" and exits non-zero. Both messages surface in Automox activity logs so you can triage hosts that need a manual look.

Why disable X11 on Linux servers

A graphical desktop on a server is attack surface that no production workload needs. The X Window System ships with display managers (gdm, lightdm, sddm), font servers, and a large stack of graphical libraries, each of which carries its own CVE history. CIS Linux Benchmarks (RHEL 1.8 Remove GUI, Ubuntu 1.7 Disable GUI, SUSE 1.7) call out the X server explicitly because the same logic applies on every distro. Running headless cuts patch load, removes a class of local privilege escalation paths, and shortens the asset-management footprint a vulnerability scanner has to track.

On grub-based hosts the Worklet runs systemctl set-default multi-user.target and rewrites GRUB_CMDLINE_LINUX_DEFAULT to "text" so the next boot lands at a text console rather than a graphical greeter. A forgotten staging box cannot leave a graphical login running on a production subnet for months, because the next evaluation flags any host that has drifted back to a graphical default and re-asserts the multi-user target.

How X Window System disabling works

  1. Evaluation phase: The evaluation script exits 1 unconditionally, which flags every targeted endpoint as non-compliant and hands control to remediation. This design keeps the runtime simple on a mixed inittab + GRUB fleet: remediation itself reads the host state, decides whether a change is needed, and reports back through its own exit code. Endpoints that already boot to multi-user.target pass through remediation as a no-op.

  2. Remediation phase: The script checks for /etc/inittab first. If present and id:5:initdefault: is set, sed -i 's/^id:5:initdefault:/id:3:initdefault:/' /etc/inittab flips the runlevel. Otherwise it falls back to /etc/default/grub, runs systemctl set-default multi-user.target, and rewrites GRUB_CMDLINE_LINUX_DEFAULT to "text" with sed. update-grub regenerates the boot menu so the change survives reboot. If performReboot=1, shutdown -r NOW applies the change immediately; otherwise the new default takes effect on the next reboot.

X Window System hardening requirements

  • Linux server endpoint with either /etc/inittab (SysV init) or /etc/default/grub (GRUB2 plus systemd) present

  • Root privileges on the Automox agent, which the default agent context already provides

  • Confirmation that the host is genuinely headless: no local users rely on the graphical login, and remote management runs over SSH, a web console, or out-of-band tooling such as iLO, iDRAC, or IPMI

  • A maintenance window if you set performReboot=1; the change does not take effect until the next reboot otherwise

  • For full package removal, uncomment the matching line in remediation.sh. The script ships with yum groupremove "X Window System" for RHEL or CentOS and a placeholder apt-get line for Debian or Ubuntu that you should replace with a valid package set such as xserver-xorg before enabling it

  • Targeting groups split by server vs workstation so the policy never reaches a developer laptop that still needs a desktop session

Expected boot state after X11 removal

After remediation completes and the host reboots, the endpoint comes up in multi-user.target with a text login on tty1 instead of a graphical greeter. systemctl get-default returns multi-user.target. systemctl is-active graphical.target returns inactive. On GRUB hosts, grep GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub shows the value "text", and the regenerated /boot/grub/grub.cfg no longer carries the splash or quiet graphical flags. On SysV hosts, runlevel returns N 3 and grep ^id: /etc/inittab shows id:3:initdefault:.
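
The checks above can be folded into one read-only verdict per host. The following is an added example, not the Worklet's own evaluation or remediation code; the function names, the ROOT argument and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Automox's code: read-only check of the expected boot
# state. Function names, ROOT and the return codes are hypothetical.

# Print the SysV default runlevel from an inittab file, or nothing.
inittab_runlevel() {
    sed -n 's/^id:\([0-9]\):initdefault:.*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Print the unquoted GRUB_CMDLINE_LINUX_DEFAULT value; return 1 if the key
# (or the file) is absent.
grub_cmdline_default() {
    line=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "${line#*=}" | tr -d "\"'"
}

# check_boot_state ROOT TARGET
#   ROOT    filesystem root to inspect ("/" on a live host)
#   TARGET  output of `systemctl get-default` ("" on SysV hosts)
# Prints a verdict; returns 0 compliant, 1 graphical boot, 2 manual review.
check_boot_state() {
    root=${1%/}; target=$2
    level=$(inittab_runlevel "$root/etc/inittab")
    if [ -n "$level" ]; then            # SysV path: inittab decides
        [ "$level" = 3 ] && { echo "compliant: runlevel 3"; return 0; }
        [ "$level" = 5 ] && { echo "noncompliant: runlevel 5"; return 1; }
        echo "review: runlevel $level"; return 2
    fi
    # A missing or comment-only inittab (no id: line) falls through to GRUB.
    if ! cmdline=$(grub_cmdline_default "$root/etc/default/grub"); then
        echo "review: GRUB_CMDLINE_LINUX_DEFAULT not found"; return 2
    fi
    if [ "$target" != "multi-user.target" ]; then
        echo "noncompliant: default target is ${target:-unset}"; return 1
    fi
    case " $cmdline " in
        *" text "*) echo "compliant: multi-user.target, cmdline '$cmdline'"
                    return 0 ;;
        *)          echo "noncompliant: cmdline '$cmdline' lacks text"
                    return 1 ;;
    esac
}
```

On a live host, call it as check_boot_state / "$(systemctl get-default 2>/dev/null)" and keep the printed verdict with the audit evidence.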

If you also enabled the package removal line, rpm -qa | grep -i xorg or dpkg -l | grep xserver-xorg returns nothing. The xorg-x11-server-common or xserver-xorg-core packages are gone, and a future yum update or apt upgrade no longer pulls X11 dependencies down with kernel patches. To revert, run systemctl set-default graphical.target on the host. Reinstall the X group with yum groupinstall "X Window System" or apt-get install xserver-xorg, and reboot. Capture the output of systemctl get-default and uname -r alongside the Automox activity log if you need audit evidence for a CIS or PCI control.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
