1.7.3 Ensure GDM disable-user-list option is enabled

Information

GDM is the GNOME Display Manager, which handles graphical login for GNOME-based systems.

The disable-user-list option controls whether a list of users is displayed on the login screen.

Displaying the user list eliminates half of the Userid/Password equation that an unauthorized person would need to log on.

Solution

- IF - GDM is installed:

Run the following script to enable the disable-user-list option:

Note: the l_gdmprofile variable in the script can be changed if a different profile name is desired in accordance with local site policy.

#!/usr/bin/env bash

{
   l_gdmprofile="gdm"
   # Create the dconf profile if it does not exist yet
   if [ ! -f "/etc/dconf/profile/$l_gdmprofile" ]; then
      echo "Creating profile \"$l_gdmprofile\""
      echo -e "user-db:user\nsystem-db:$l_gdmprofile\nfile-db:/usr/share/$l_gdmprofile/greeter-dconf-defaults" > "/etc/dconf/profile/$l_gdmprofile"
   fi
   # Create the keyfile directory for the profile's system database
   if [ ! -d "/etc/dconf/db/$l_gdmprofile.d/" ]; then
      echo "Creating dconf database directory \"/etc/dconf/db/$l_gdmprofile.d/\""
      mkdir "/etc/dconf/db/$l_gdmprofile.d/"
   fi
   # Add disable-user-list=true unless a keyfile already sets it
   if ! grep -Piq '^\h*disable-user-list\h*=\h*true\b' "/etc/dconf/db/$l_gdmprofile.d/"*; then
      echo "creating gdm keyfile for machine-wide settings"
      if ! grep -Piq -- '^\h*\[org\/gnome\/login-screen\]' "/etc/dconf/db/$l_gdmprofile.d/"*; then
         # No [org/gnome/login-screen] section yet: append one with the setting
         echo -e "\n[org/gnome/login-screen]\n# Do not show the user list\ndisable-user-list=true" >> "/etc/dconf/db/$l_gdmprofile.d/00-login-screen"
      else
         # Section exists: insert the setting directly below its header
         sed -ri '/^\s*\[org\/gnome\/login-screen\]/ a\# Do not show the user list\ndisable-user-list=true' $(grep -Pil -- '^\h*\[org\/gnome\/login-screen\]' "/etc/dconf/db/$l_gdmprofile.d/"*)
      fi
   fi
   # Rebuild the binary dconf databases from the keyfiles
   dconf update
}

Note: When the user profile is created or changed, the user will need to log out and log in again before the changes will be applied.
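
An added audit check for the remediation above (example code, not part of the benchmark): it confirms that the profile references the system database and that disable-user-list=true sits under the [org/gnome/login-screen] section header, which the grep in the script does not verify. The function names and the root-prefix argument are assumptions made so the check can run against a constructed directory tree.

```shell
#!/usr/bin/env bash
# Added audit example. Usage on a live system: audit_gdm_user_list "" gdm
# The first argument (a root prefix) is an assumption for offline testing.

# Print each disable-user-list value found under [org/gnome/login-screen]
# in one keyfile; the same key in any other section is ignored.
login_screen_value() {
  awk '
    /^[[:space:]]*\[/ {
      in_sec = ($0 ~ /^[[:space:]]*\[org\/gnome\/login-screen\][[:space:]]*$/)
    }
    in_sec && /^[[:space:]]*disable-user-list[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print
    }' "$1"
}

audit_gdm_user_list() (
  root="${1:-}"; profile="${2:-gdm}"; found=1
  pfile="$root/etc/dconf/profile/$profile"
  dbdir="$root/etc/dconf/db/$profile.d"

  # The profile must point at the system database the keyfiles feed.
  if ! grep -Eq "^[[:space:]]*system-db:${profile}[[:space:]]*\$" "$pfile" 2>/dev/null; then
    echo "FAIL: $pfile missing or lacks system-db:$profile"; return 1
  fi

  # Require at least one keyfile with the setting in the right section and
  # treat any keyfile giving it another value as a finding (conservative).
  for f in "$dbdir"/*; do
    [ -f "$f" ] || continue
    for v in $(login_screen_value "$f"); do
      case "$v" in
        true) found=0 ;;
        *) echo "FAIL: $f sets disable-user-list=$v"; return 1 ;;
      esac
    done
  done

  if [ "$found" -ne 0 ]; then
    echo "FAIL: no disable-user-list=true under [org/gnome/login-screen] in $dbdir"
    return 1
  fi
  echo "PASS: user list disabled in profile \"$profile\""
)
```

The check reads the keyfiles only; the binary database GDM actually uses is rebuilt from them by dconf update.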

See Also

https://workbench.cisecurity.org/benchmarks/17074