ComplianceAsCode · jan-cerny · Dec 2, 2025 · Dec 3, 2025 · Dec 4, 2025 · Dec 4, 2025
diff --git a/components/gnome.yml b/components/gnome.yml
@@ -47,6 +47,7 @@ rules:
 - gnome_gdm_disable_guest_login
 - gnome_gdm_disable_unattended_automatic_login
 - gnome_gdm_disable_xdmcp
+- group_server_with_gui_removed
 - gui_login_dod_acknowledgement
 - package_gdm_removed
 - xwayland_disabled
@@ -968,6 +968,7 @@ controls:
       status: automated
       rules:
           - package_gdm_removed
+          - group_server_with_gui_removed
 
     - id: 2.1.20
       title: Ensure X window server services are not in use (Automated)

diff --git a/...ide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/ansible/shared.yml b/...ide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/ansible/shared.yml
@@ -0,0 +1,22 @@
+# platform = multi_platform_rhel
+# strategy = configure
+# complexity = low
+# disruption = low
+# reboot = false
+
+# Note: This is important to update dependencies to allow the removal of the Server
+# with GUI group with minimal impact to the system functionality.
+- name: "{{{ rule_title }}} - Install Minimal Install group"
+  ansible.builtin.command:
+    cmd: dnf groupinstall -y 'Minimal Install'
+  when: not ansible_check_mode
+
+- name: "{{{ rule_title }}} - Remove Server with GUI group"
+  ansible.builtin.command:
+    cmd: dnf groupremove -y 'Server with GUI'
+  when: not ansible_check_mode
+
+- name: "{{{ rule_title }}} - Install Server group"
+  ansible.builtin.command:
+    cmd: dnf groupinstall -y 'Server'
+  when: not ansible_check_mode
diff --git a/...s/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/bash/shared.sh b/...s/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel
+
+# Note: This is important to update dependencies to allow the removal of the Server
+# with GUI group with minimal impact to the system functionality.
+dnf groupinstall -y "Minimal Install"
+
+# Remove the Server with GUI group
+dnf groupremove -y "Server with GUI"
+dnf groupinstall -y "Server"
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+title: 'Remove the Server with GUI Package Group'
+
+description: |-
+    By removing the <tt>Server with GUI</tt> package group, the system no longer has a graphical user interface (GUI) installed.
+    If a GUI is not installed then the system cannot boot into graphical user mode.
+    This prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt> mode.
+    To do so, run the following command:
+    <pre>dnf groupremove -y "Server with GUI"</pre>
+
+rationale: |-
+    Unnecessary service packages must not be installed to decrease the attack surface of the system.
+    If a Graphical User Interface (GUI) is not required, it should be removed to reduce the
+    attack surface of the system.
+
+severity: medium
+
+identifiers:
+    cce@rhel10: CCE-87443-8
+
+ocil_clause: The Server with GUI package group has not been removed
+
+ocil: |-
+    Run the following command to verify the Installed Environment Group is not
+    Server with GUI:
+    # dnf grouplist | sed -n '/Installed Environment Groups:/,/Installed Groups:/p'
+    The output should not contain the Server with GUI group.
+
+fixtext: |-
+    Run the following commands to remove the Server with GUI package group:
+    # dnf groupinstall -y "Minimal Install"
+    Note: This is important to update dependencies to allow the removal of the Server
+    with GUI group with minimal impact to the system functionality.
+    # dnf groupremove -y "Server with GUI"
+    # dnf groupinstall -y "Server"
+    # reboot
+
+warnings:
+    - general: |-
+        This rule doesn't come with an OVAL check, as it is not possible to check if the Server with GUI group is installed using the OVAL rpm objects. Therefore, this rule contains only an SCE check.
diff --git a/...os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/sce/shared.sh b/...os/guide/services/xwindows/disabling_xwindows/group_server_with_gui_removed/sce/shared.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# platform = multi_platform_rhel
+# check-import = stdout
+
+if dnf grouplist | sed -n '/Installed Environment Groups:/,/Installed Groups:/p' | grep -q "Server with GUI"; then
+    echo "Server with GUI group is installed"
+    exit $XCCDF_RESULT_FAIL
+fi
+
+exit $XCCDF_RESULT_PASS
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+dnf groupinstall -y "Server with GUI"
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Note: This is important to update dependencies to allow the removal of the Server
+# with GUI group with minimal impact to the system functionality.
+dnf groupinstall -y "Minimal Install"
+
+# Remove the Server with GUI group
+dnf groupremove -y "Server with GUI"
+dnf groupinstall -y "Server"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -431,7 +431,6 @@ CCE-87438-8
 CCE-87440-4
 CCE-87441-2
 CCE-87442-0
-CCE-87443-8
 CCE-87446-1
 CCE-87450-3
 CCE-87453-7

@@ -256,6 +256,7 @@ file_permissions_user_cfg
 file_permissions_var_log_audit
 firewalld_loopback_traffic_trusted
 gid_passwd_group_same
+group_server_with_gui_removed
 group_unique_id
 group_unique_name
 groups_no_zero_gid_except_root
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		#!/bin/bash

		dnf groupinstall -y "Server with GUI"