Disable XDMCP in GDM
An XCCDF Rule
Description
XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g.
XDMCP Gnome docs.
To disable XDMCP support in Gnome, set Enable to false under the [xdmcp] configuration section in /etc/gdm/custom.conf. For example:
[xdmcp] Enable=false
Rationale
XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using XDMCP, the privileged user password could be compromised due to typed XEvents and keystrokes will traversing over the network in clear text.
- ID
- xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp
- Severity
- High
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then
# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set
# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there
if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- gnome_gdm_disable_xdmcp
- high_severity