Require Credential Prompting for Remote Access in GNOME3
An XCCDF Rule
Description
By default, GNOME does not require credentials when using Vino for remote access. To configure the system to require remote credentials, add or set authentication-methods to ['vnc'] in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
authentication-methods=['vnc']
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update.
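An audit-side check for the setting and lock described above, added here as an example and not taken from the SCAP Security Guide content. The function names are hypothetical, and treating any conflicting value in another keyfile as a failure is a conservative assumption rather than dconf's documented precedence.

```shell
#!/bin/sh
# Added audit example, not SSG code. Function names are hypothetical.

# Succeeds only if a keyfile in DIR sets authentication-methods=['vnc'] under
# [org/gnome/Vino] and no keyfile sets that key to anything else.
vino_setting_ok() {
    dir=$1; found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        rc=0
        awk -v want="['vnc']" '
            /^[ \t]*\[/ { in_vino = ($0 ~ /^[ \t]*\[org\/gnome\/Vino\][ \t]*$/); next }
            in_vino && /^[ \t]*authentication-methods[ \t]*=/ {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                if (v == want) ok = 1; else bad = 1
            }
            END { exit (bad ? 2 : (ok ? 0 : 1)) }
        ' "$f" || rc=$?
        case $rc in
            0) found=0 ;;
            2) return 1 ;;   # conflicting value: fail rather than guess precedence
        esac
    done
    return "$found"
}

# Succeeds if a file in DIR locks the key against per-user overrides.
vino_lock_ok() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -qxF '/org/gnome/Vino/authentication-methods' "$f" && return 0
    done
    return 1
}

# DB defaults to the directory named in the rule; the argument lets the check
# run against a test tree.
audit_vino_prompt() {
    db=${1:-/etc/dconf/db/local.d}
    vino_setting_ok "$db" && vino_lock_ok "$db/locks"
}
```

Calling audit_vino_prompt with no argument checks /etc/dconf/db/local.d and returns 0 only when both the setting and the lock are present. It reads the keyfiles only, so dconf update must still have been run for the compiled database to reflect them.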
Rationale
Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely.
- ID: xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
- Severity: Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.12
  - dconf_gnome_remote_access_credential_prompt
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :