The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces.

An XCCDF Rule

Description

Leaving the user list enabled is a security risk as it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.

ID: SV-256969r902690_rule
Version: RHEL-07-010063
Severity: Medium
References: CCI-000366
Updated: 15 days ago

Remediation Templates

Configure the operating system to disable the login screen user list for graphical user interfaces.

Create or edit the gdm profile in "/etc/dconf/profile/" to contain the following lines:

     $ sudo vi /etc/dconf/profile/gdm
	      user-db:user
     system-db:gdm
     file-db:/usr/share/gdm/greeter-dconf-defaults
	 
Create or edit the gdm database for machine-wide settings in "/etc/dconf/db/gdm.d/" with the following lines:

     $ sudo vi /etc/dconf/db/gdm.d/00-login-screen
	 
     [org/gnome/login-screen]
     disable-user-list=true
	 
Update the system databases by updating the dconf utility:

     $ sudo dconf update
	 
If the login screen user list persists after updating the system databases, you can restart the GNOME Desktop without rebooting the system:

     $ sudo systemctl restart gdm

The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces.

Description

Remediation Templates

A Manual Procedure