6.11 Remove Autologin Capabilities from the GNOME desktop - pam.d/gdm-autologin

Information

The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. By default, GNOME automatic login is defined in pam.conf(4) to allow users to access the system without a password.

As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabled in pam.conf(4).

Solution

Comment out or remove all gdm-autologin lines from /etc/pam.conf:
#gdm-autologin auth required pam_unix_cred.so.1
#gdm-autologin auth sufficient pam_allow.so.1
#gdm-autologin account sufficient pam_allow.so.1

Comment out or remove all lines from /etc/pam.d/gdm-autologin:
#auth required pam_unix_cred.so.1
#auth sufficient pam_allow.so.1
#account sufficient pam_allow.so.1

See Also

https://workbench.cisecurity.org/files/612

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-14a.

Plugin: Unix

Control ID: 199a60e0f06601c666e70f7345f98a3bb942702b777636ccae9ac6e0d6c06cfa