
Disable GDM Guest Login

An XCCDF Rule

Description

The GNOME Display Manager (GDM) can allow users to log in without credentials, which can be useful for public kiosk scenarios. Allowing users to log in without credentials, or allowing "guest" account access, has inherent security risks and should be disabled. To disable timed logins or guest account access, set TimedLoginEnable to false in the [daemon] section of /etc/gdm/custom.conf. For example:

[daemon]
TimedLoginEnable=false
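
The following is an added example, not the rule's own remediation code: a section-aware audit and fix that only treats TimedLoginEnable as set when it appears under [daemon]. The function names are hypothetical, and the sample file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SSG project). Function names are hypothetical.
# Both functions default to the path named in the rule; pass another file to test safely.

# Print the state of TimedLoginEnable inside [daemon]: disabled | enabled | unset.
# Only the exact value the rule prescribes ("false") counts as disabled.
gdm_timed_login_state() {
    awk '
        /^[ \t]*\[/ { in_daemon = ($0 ~ /^[ \t]*\[daemon\][ \t]*$/); next }
        in_daemon && /^[ \t]*TimedLoginEnable[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            state = (val == "false") ? "disabled" : "enabled"   # last assignment wins
        }
        END { print (state == "" ? "unset" : state) }
    ' "${1:-/etc/gdm/custom.conf}"
}

# Write TimedLoginEnable=false directly under [daemon], drop any other
# assignment of the key in that section, and create the section if it is missing.
gdm_disable_timed_login() {
    conf="${1:-/etc/gdm/custom.conf}"
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*\[/ {
            in_daemon = ($0 ~ /^[ \t]*\[daemon\][ \t]*$/)
            print
            if (in_daemon && !done) { print "TimedLoginEnable=false"; done = 1 }
            next
        }
        in_daemon && /^[ \t]*TimedLoginEnable[ \t]*=/ { next }   # old or duplicate value
        { print }
        END { if (!done) { print "[daemon]"; print "TimedLoginEnable=false" } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file owner, mode and label
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: the key is "false" under the wrong section, "true" under [daemon].
sample=$(mktemp)
printf '%s\n' '[security]' 'TimedLoginEnable=false' '[daemon]' 'TimedLoginEnable=true' > "$sample"
echo "before: $(gdm_timed_login_state "$sample")"
gdm_disable_timed_login "$sample"
echo "after:  $(gdm_timed_login_state "$sample")"
rm -f "$sample"
```

A check that only greps for the key anywhere in the file would accept the constructed sample's [security] entry; the state function reports it correctly because it tracks the current section.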

Rationale

Failure to restrict system access to authenticated users negatively impacts operating system security.

ID
xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login
Severity
High



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

if rpm --quiet -q gdm
then
	if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80824-6
  - NIST-800-171-3.1.1