1.8.3 Ensure GDM disable-user-list option is enabled

Information

GDM is the GNOME Display Manager, which handles graphical login for GNOME-based systems.

The disable-user-list option controls whether a list of users is displayed on the login screen.

Displaying the user list eliminates half of the Userid/Password equation that an unauthorized person would need to log on.

Solution

Run the following script to enable the disable-user-list option:

Note: the l_gdmprofile variable in the script can be changed if a different profile name is desired in accordance with local site policy.

#!/usr/bin/env bash

{
   l_gdmprofile="gdm"
   # Create the dconf profile for GDM if it does not exist yet
   if [ ! -f "/etc/dconf/profile/$l_gdmprofile" ]; then
      echo "Creating profile \"$l_gdmprofile\""
      echo -e "user-db:user\nsystem-db:$l_gdmprofile\nfile-db:/usr/share/$l_gdmprofile/greeter-dconf-defaults" > "/etc/dconf/profile/$l_gdmprofile"
   fi
   # Create the keyfile directory that "dconf update" compiles into the database
   if [ ! -d "/etc/dconf/db/$l_gdmprofile.d/" ]; then
      echo "Creating dconf database directory \"/etc/dconf/db/$l_gdmprofile.d/\""
      mkdir "/etc/dconf/db/$l_gdmprofile.d/"
   fi
   # Only write the setting if no keyfile already sets disable-user-list=true
   if ! grep -Piq '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db/$l_gdmprofile.d/*; then
      echo "creating gdm keyfile for machine-wide settings"
      if ! grep -Piq -- '^\h*\[org\/gnome\/login-screen\]' /etc/dconf/db/$l_gdmprofile.d/*; then
         # No keyfile has the section yet: append section and key to 00-login-screen
         echo -e "\n[org/gnome/login-screen]\n# Do not show the user list\ndisable-user-list=true" >> "/etc/dconf/db/$l_gdmprofile.d/00-login-screen"
      else
         # The section exists: add the key directly below its header
         sed -ri '/^\s*\[org\/gnome\/login-screen\]/ a\# Do not show the user list\ndisable-user-list=true' $(grep -Pil -- '^\h*\[org\/gnome\/login-screen\]' /etc/dconf/db/$l_gdmprofile.d/*)
      fi
   fi
   # Rebuild the binary dconf database from the keyfiles
   dconf update
}

Note: When the user profile is created or changed, the user will need to log out and log in again before the changes will be applied.

OR

Run the following command to remove the GNOME package:

# apt purge gdm3
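
The following is an added example, not part of the benchmark or its remediation script: a read-only check that the keyfiles written by the script above set disable-user-list=true under the [org/gnome/login-screen] section and that the profile references the system database. The function names and the decision to report a conflicting "false" entry as a failure are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not part of the benchmark text): read-only audit of the
# keyfiles the remediation writes. It inspects keyfiles only, so the compiled
# database matches only after "dconf update" has been run.

# Print true, false, conflict or unset for disable-user-list in directory $1.
gdm_user_list_state() {
    local state
    state=$(find "$1" -maxdepth 1 -type f -exec awk '
        FNR == 1 { sec = "" }               # a section never spans two files
        /^[ \t]*\[/ {                       # section header: remember it
            sec = $0; gsub(/^[ \t]+|[ \t]+$/, "", sec); next
        }
        /^[ \t]*#/ { next }                 # commented-out settings do not count
        sec == "[org/gnome/login-screen]" && /^[ \t]*disable-user-list[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (val == "true") yes = 1; else no = 1
        }
        END {
            if (yes && no) print "conflict"
            else if (yes)  print "true"
            else if (no)   print "false"
            else           print "unset"
        }' {} + 2>/dev/null) || true
    echo "${state:-unset}"                  # empty or missing directory: unset
}

# Return 0 only when profile $2 references system-db:$3 and the keyfiles in
# directory $1 yield an unambiguous "true".
gdm_user_list_hidden() {
    local dir="$1" profile="$2" db="$3" state
    if ! grep -Eq "^[[:space:]]*system-db:${db}[[:space:]]*\$" "$profile" 2>/dev/null; then
        echo "FAIL: $profile has no system-db:$db line"; return 1
    fi
    state=$(gdm_user_list_state "$dir")
    if [ "$state" != "true" ]; then
        echo "FAIL: disable-user-list is $state in $dir"; return 1
    fi
    echo "PASS: disable-user-list=true under [org/gnome/login-screen]"
}

# Call on a GDM host with the default profile name used by the script:
#   gdm_user_list_hidden /etc/dconf/db/gdm.d /etc/dconf/profile/gdm gdm
```

A key placed under any other section header is reported as unset, which is the case a plain grep for disable-user-list=true would miss.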

See Also

https://workbench.cisecurity.org/benchmarks/13775

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10

Plugin: Unix

Control ID: 201d89e9b989d0cc201de2ace8a61d8c201c589ef7be958c1802bab85932df60