1.8.3 Ensure last logged in user display is disabled - disable user list

Information

GDM is the GNOME Display Manager which handles graphical login for GNOME based systems.

Rationale:

Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on.

Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place.

Notes:

If a graphical login is not required, it should be removed to reduce the attack surface of the system.

If a different GUI login service is in use and required on the system, consult your documentation to disable displaying the last logged on user.

Solution

Edit or create the file /etc/dconf/profile/gdm and add the following:

user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults

Edit or create a file in the /etc/dconf/db/gdm.d/ directory (typically /etc/dconf/db/gdm.d/00-login-screen) and add the following:

[org/gnome/login-screen]
# Do not show the user list
disable-user-list=true

Run the following command to update the system databases:

# dconf update
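
An audit check covering the three steps above, added here as an example; it is not part of the benchmark or the plugin. The function name and the optional ROOT prefix argument are assumptions for illustration, and /etc/dconf/db/gdm is the compiled database that dconf update writes for the gdm keyfile directory.

```shell
# Added example: audit the GDM user-list settings from the steps above.
# check_gdm_user_list [ROOT]  (ROOT is a hypothetical path prefix for testing
# against a staged tree; omit it to audit the live system.)
check_gdm_user_list() {
    root="${1:-}"
    profile="$root/etc/dconf/profile/gdm"
    dbdir="$root/etc/dconf/db/gdm.d"
    db="$root/etc/dconf/db/gdm"      # compiled database written by dconf update
    rc=0; seen_true=0

    # 1. Every profile line must be present as a whole line.
    for line in "user-db:user" "system-db:gdm" \
                "file-db:/usr/share/gdm/greeter-dconf-defaults"; do
        grep -qxF -- "$line" "$profile" 2>/dev/null ||
            { echo "FAIL: '$line' not in $profile"; rc=1; }
    done

    # 2. The key must be true inside [org/gnome/login-screen]. Any keyfile
    #    setting it to false is flagged rather than reasoning about precedence.
    for f in "$dbdir"/*; do
        [ -f "$f" ] || continue
        state=$(awk '
            { gsub(/[ \t]/, "") }
            /^\[/ { sec = ($0 == "[org/gnome/login-screen]"); next }
            sec && $0 == "disable-user-list=true"  { t = 1 }
            sec && $0 == "disable-user-list=false" { f = 1 }
            END { print (f ? "false" : (t ? "true" : "unset")) }' "$f")
        case "$state" in
            true)  seen_true=1 ;;
            false) echo "FAIL: $f sets disable-user-list=false"; rc=1 ;;
        esac
    done
    [ "$seen_true" -eq 1 ] ||
        { echo "FAIL: disable-user-list=true not set under $dbdir"; rc=1; }

    # 3. dconf update must have run after the last keyfile change.
    if [ ! -f "$db" ]; then
        echo "FAIL: $db missing; run dconf update"; rc=1
    elif [ -n "$(find "$dbdir" -type f -newer "$db" 2>/dev/null)" ]; then
        echo "FAIL: keyfile newer than $db; run dconf update"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "PASS"
    return "$rc"
}
```

Run check_gdm_user_list as root with no argument to audit the live system; a non-zero return means at least one FAIL line was printed.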

See Also

https://workbench.cisecurity.org/files/3148

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: 79c92dd67969da611be3e5f022cc4e23fc6af63a505f2e1fc68f825bfe5f87a9