1.10 Ensure GDM is removed or login is configured

Information

The GNOME Display Manager (GDM) handles graphical login for GNOME based systems.

Configuration of the GNOME desktop is managed with dconf. It is a hierarchically structured database or registry that allows users to modify their personal settings, and system administrators to set default or mandatory values for all users.

Global dconf configuration parameters can be set in the /etc/dconf/db/ directory. This includes the configuration for GDM or locking certain configuration options for users.

If a graphical login is not required, it should be removed to reduce the attack surface of the system.

If a graphical login is required, the display of the last logged-in user (the user list on the login screen) should be disabled, and a warning banner should be configured.

Displaying the last logged-in user hands an unauthorized person half of the username/password pair needed to log on, leaving only the password to guess.

Warning messages inform users who are attempting to log in to the system of their legal status regarding the system. They must include the name of the organization that owns the system and any monitoring policies that are in place.

Notes:

- This recommendation is based on the gdm profile. If a different profile name is used on the system, replace gdm and gdm.d with <profile_name> and <profile_name>.d in the paths below.

- Additional options and sections may appear in the /etc/dconf/db/gdm.d/01-banner-message and/or /etc/dconf/db/gdm.d/00-login-screen file.

- If a different GUI login service is in use and required on the system, consult its documentation to disable displaying the last logged-on user and apply an equivalent banner.

Solution

Run the following command to remove GDM

# zypper remove gdm

OR

If GDM is required:

Edit or create the gdm profile (typically /etc/dconf/profile/gdm) so that it contains the following lines:

user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults

To display a login banner, edit or create a gdm keyfile for machine-wide settings (typically /etc/dconf/db/gdm.d/01-banner-message) containing the following:

Note: the directory /etc/dconf/db/gdm.d/ may need to be created first.

[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='<banner message>'

Example Banner Text:

'Authorized uses only. All activity may be monitored and reported.'

To disable the user list, edit or create a gdm keyfile for machine-wide settings in the directory /etc/dconf/db/gdm.d/ (typically /etc/dconf/db/gdm.d/00-login-screen) and add the following:

[org/gnome/login-screen]
# Do not show the user list
disable-user-list=true

Run the following command to compile the keyfiles into the system database (the new settings are not applied until this has been done):

# dconf update
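The settings above can be audited from the keyfiles without logging in at a console. The following script is an added example written for this page; it is not part of the CIS benchmark, of dconf or of GDM. It reads the gdm profile and the keyfiles under /etc/dconf/db/gdm.d/ and reports whether the three settings from the Solution are present. The root-directory argument, the function names and the pass/fail output format are this example's own choices; because dconf compiles every file in gdm.d/, the script takes the last value it finds for a key. It also builds a small constructed sample tree in a temporary directory to show one passing and one failing audit.

```shell
#!/bin/sh
# Added audit helper for this recommendation (example code, not part of the
# CIS benchmark, dconf or GDM). It checks a filesystem tree for the gdm dconf
# profile and keyfile settings from the Solution. ROOT defaults to the live
# system ("/"); pass another path to audit a mounted image.

# Print the last value assigned to KEY under [org/gnome/login-screen] across
# all keyfiles in ROOT/etc/dconf/db/gdm.d (dconf compiles every file in that
# directory, so a later file can override an earlier one). Returns 1 if the
# key is not set anywhere in that section.
login_screen_value() {
    root="$1"; key="$2"
    dir="$root/etc/dconf/db/gdm.d"
    [ -d "$dir" ] || return 1
    cat "$dir"/* 2>/dev/null | awk -v key="$key" '
        /^[ \t]*\[/ {                  # section header: track whether we are in login-screen
            in_sec = ($0 ~ /^[ \t]*\[org\/gnome\/login-screen\][ \t]*$/); next
        }
        in_sec && $0 !~ /^[ \t]*(#|$)/ && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { value = v; found = 1 }
        }
        END { if (found) { print value; exit 0 } exit 1 }'
}

# Audit the profile and the two login-screen keys. Prints one line per check
# and returns 0 only if every check passes.
audit_gdm_login() {
    root="${1:-}"
    rc=0
    if grep -qx 'system-db:gdm' "$root/etc/dconf/profile/gdm" 2>/dev/null; then
        echo "PASS: $root/etc/dconf/profile/gdm selects system-db:gdm"
    else
        echo "FAIL: $root/etc/dconf/profile/gdm missing or lacks system-db:gdm"; rc=1
    fi
    for key in banner-message-enable disable-user-list; do
        if [ "$(login_screen_value "$root" "$key")" = "true" ]; then
            echo "PASS: $key=true"
        else
            echo "FAIL: $key is not true under [org/gnome/login-screen] in $root/etc/dconf/db/gdm.d/"; rc=1
        fi
    done
    text=$(login_screen_value "$root" banner-message-text) || text=""
    case "$text" in
        ""|"''") echo "FAIL: banner-message-text is empty"; rc=1 ;;
        *)       echo "PASS: banner-message-text=$text" ;;
    esac
    return $rc
}

# Build a constructed sample tree under DIR that mirrors the Solution section
# (used only for the demonstration below; the real files live under /etc).
write_compliant_tree() {
    dir="$1"
    mkdir -p "$dir/etc/dconf/profile" "$dir/etc/dconf/db/gdm.d"
    printf '%s\n' 'user-db:user' 'system-db:gdm' \
        'file-db:/usr/share/gdm/greeter-dconf-defaults' > "$dir/etc/dconf/profile/gdm"
    printf '%s\n' '[org/gnome/login-screen]' '# Do not show the user list' \
        'disable-user-list=true' > "$dir/etc/dconf/db/gdm.d/00-login-screen"
    printf '%s\n' '[org/gnome/login-screen]' 'banner-message-enable=true' \
        "banner-message-text='Authorized uses only. All activity may be monitored and reported.'" \
        > "$dir/etc/dconf/db/gdm.d/01-banner-message"
}

# Demonstration: a compliant tree passes; the same tree without the banner
# keyfile fails. Both trees are constructed in temporary directories.
good=$(mktemp -d); bad=$(mktemp -d)
write_compliant_tree "$good"
write_compliant_tree "$bad"; rm "$bad/etc/dconf/db/gdm.d/01-banner-message"
echo "== compliant sample tree =="; audit_gdm_login "$good"
echo "== sample tree without the banner keyfile =="
audit_gdm_login "$bad" || echo "(audit exit status $?)"
rm -rf "$good" "$bad"
```

Run `rpm -q gdm` first: if the package is absent the first half of the recommendation is already met and the file audit does not apply. To audit the live system, call audit_gdm_login with no argument as root. The script inspects the source keyfiles, not the compiled database, so after any correction run dconf update and re-check; a key placed under a different section, or overridden to false by a later file in gdm.d/, is reported as a failure.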

See Also

https://workbench.cisecurity.org/benchmarks/8498