1.8.2 Ensure GDM disable-user-list is configured

Information

GNOME Display Manager (GDM) handles graphical login for GNOME based systems.

The disable-user-list option controls whether a list of users is displayed on the login screen.

By using the lockdown mode in dconf, you can prevent users from changing specific settings.

Displaying the user list eliminates half of the user ID/password equation that an unauthorized person would need to log on.

Without locking down the system settings, user settings take precedence over the system settings.

Solution

1. Create or edit the file /etc/dconf/profile/user and add the following lines if they do not exist:

user-db:user
system-db:local

Example:

#!/usr/bin/env bash

{
l_dir="/etc/dconf/profile/"
# Create the profile directory if it is missing
[ ! -d "$l_dir" ] && mkdir /etc/dconf/profile/
# Append user-db:user unless it is already present
! grep -Psq '^\h*user-db:user\b' "$l_dir/user" && \
printf '%s\n' "" "user-db:user" >> "$l_dir/user"
# Insert system-db:local directly after user-db:user unless it is already present
! grep -Psq '^\h*system-db:local\b' "$l_dir/user" && \
sed -ri '/^\s*user-db:user/a system-db:local' "$l_dir/user"
}

2. Run the following command to create the /etc/dconf/db/local.d/ and /etc/dconf/db/local.d/locks/ directories if either does not exist:

# [ ! -d "/etc/dconf/db/local.d/locks/" ] && mkdir -p /etc/dconf/db/local.d/locks/

3. Create or edit a file in /etc/dconf/db/local.d/locks/ and add the following lines:

/org/gnome/login-screen/disable-user-list

Example:

# printf '%s\n' "" "/org/gnome/login-screen/disable-user-list" >> /etc/dconf/db/local.d/locks/60-login-screen

4. Run the following script to comment out any incorrect settings in a local system-wide database keyfile:

#!/usr/bin/env bash

{
l_parameter="disable-user-list=" l_value="false"
# Walk every keyfile one level below /etc/dconf/db (e.g. /etc/dconf/db/local.d/*)
while IFS= read -r -d $'\0' l_file; do
# If the file sets disable-user-list=false, comment out that parameter in it
grep -Psiq -- "^\h*$l_parameter$l_value(\b|\h*$)" "$l_file" && \
sed -ri '/^\s*'"$l_parameter"'/s/^/# /g' "$l_file"
done < <(find /etc/dconf/db -mindepth 2 -maxdepth 2 -type f -print0)
}

5. Create or edit a local keyfile for machine-wide settings in /etc/dconf/db/local.d/ with the following lines:

[org/gnome/login-screen]
disable-user-list=true

Example script:

#!/usr/bin/env bash

{
l_file="/etc/dconf/db/local.d/60-login-screen"
a_keyfile=("[org/gnome/login-screen]" "disable-user-list=true")
if grep -Psq -- '^\h*\[org\/gnome\/login-screen\]' "$l_file"; then
# Group exists: add the key after the group header if it is missing
! grep -Psiq -- '^\h*disable-user-list=true\b' "$l_file" && \
sed -ri '/^\s*\[org\/gnome\/login-screen\]/a disable-user-list=true' "$l_file"
# Group exists: flip an explicit false to true
grep -Psiq -- '^\h*disable-user-list=false\b' "$l_file" && \
sed -ri 's/^\s*(disable-user-list=)(false).*$/\1true/' "$l_file"
else
# Group missing: append the header and the key
printf '%s\n' "" "${a_keyfile[@]}" >> "$l_file"
fi
}

6. Run the following command to update the dconf databases:

# dconf update

Note: Users must log out and back in again before the system-wide settings take effect.
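The six steps above change three places (the dconf profile, a local.d keyfile and a lock), and a remediation is only complete when all three agree. The following audit helper is an added example, not part of the benchmark or its remediation scripts: it checks each of those places under a given root directory and returns non-zero if any check fails, so it can be run against a live host ("/") or against a staged copy of /etc. The function name, its ROOT argument and the PASS/FAIL output format are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added audit helper (not part of the benchmark text). Verifies that the
# disable-user-list remediation is fully in place under ROOT:
#   1. ROOT/etc/dconf/profile/user chains user-db:user and system-db:local
#   2. a keyfile in ROOT/etc/dconf/db/local.d sets disable-user-list=true
#      inside the [org/gnome/login-screen] group
#   3. no uncommented disable-user-list=false competes with it
#   4. ROOT/etc/dconf/db/local.d/locks locks the key so the per-user
#      database cannot override it
# Returns 0 only when every check passes. ROOT defaults to "" (i.e. "/").

gdm_user_list_audit() {
    root="${1:-}"
    profile="$root/etc/dconf/profile/user"
    dbdir="$root/etc/dconf/db/local.d"
    rc=0

    # 1. Profile must name both databases; system-db:local is what makes
    #    the local.d keyfiles and locks apply at all.
    if grep -Psq '^\h*user-db:user\b' "$profile" 2>/dev/null &&
       grep -Psq '^\h*system-db:local\b' "$profile" 2>/dev/null; then
        echo "PASS: $profile lists user-db:user and system-db:local"
    else
        echo "FAIL: $profile is missing user-db:user and/or system-db:local"; rc=1
    fi

    # 2. Look for disable-user-list=true, but only inside the
    #    [org/gnome/login-screen] group of each keyfile (sed prints the
    #    lines from that header up to the next group header).
    keyfile_ok=0
    for f in "$dbdir"/*; do
        [ -f "$f" ] || continue
        if sed -n '/^\s*\[org\/gnome\/login-screen\]/,/^\s*\[/p' "$f" |
           grep -Psiq '^\h*disable-user-list=true\b'; then
            keyfile_ok=1; echo "PASS: $f sets disable-user-list=true"; break
        fi
    done
    [ "$keyfile_ok" -eq 1 ] || { echo "FAIL: no keyfile in $dbdir sets disable-user-list=true"; rc=1; }

    # 3. An uncommented disable-user-list=false in any system database
    #    keyfile is exactly what remediation step 4 comments out.
    bad_files=$(find "$root/etc/dconf/db" -mindepth 2 -maxdepth 2 -type f \
                -exec grep -Psil -- '^\h*disable-user-list=false(\b|\h*$)' {} + 2>/dev/null || true)
    if [ -n "$bad_files" ]; then
        echo "FAIL: disable-user-list=false still active in: $bad_files"; rc=1
    else
        echo "PASS: no active disable-user-list=false under $root/etc/dconf/db"
    fi

    # 4. Without the lock, a user-level dconf setting takes precedence.
    if grep -Psq '^\h*/org/gnome/login-screen/disable-user-list\b' "$dbdir"/locks/* 2>/dev/null; then
        echo "PASS: key is locked in $dbdir/locks"
    else
        echo "FAIL: no lock for /org/gnome/login-screen/disable-user-list in $dbdir/locks"; rc=1
    fi

    return "$rc"
}

# Usage: bash gdm_audit.sh /        (audit the live system)
#        bash gdm_audit.sh /tmp/staged-root   (audit a staged copy)
if [ "$#" -gt 0 ]; then
    gdm_user_list_audit "$1"
fi
```

Run it once before `dconf update` and once after a fresh login: the first run shows which of the three places still need work, and an unexpected FAIL on check 3 usually means a second keyfile (for example one installed by a distribution package) still carries the old value.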

See Also

https://workbench.cisecurity.org/benchmarks/23597

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 3d51bfbc904f31979f47dde5d956f8816d5b6b8c4a5da9e8568beb44ab2afe53