Disable GDM Guest Login
An XCCDF Rule
Description
The GNOME Display Manager (GDM) can allow users to login without credentials
which can be useful for public kiosk scenarios. Allowing users to login without credentials
or "guest" account access has inherent security risks and should be disabled. To do disable
timed logins or guest account access, set the TimedLoginEnable
to false
in
the [daemon]
section in /etc/gdm/custom.conf
. For example:
[daemon] TimedLoginEnable=false
Rationale
Failure to restrict system access to authenticated users negatively impacts operating system security.
- ID
- xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login
- Severity
- High
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
if rpm --quiet -q gdm
then
if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80824-6
- NIST-800-171-3.1.1