Skip to content

Require Encryption for Remote Access in GNOME3

An XCCDF Rule

Description

By default, GNOME requires encryption when using Vino for remote access. To prevent remote access encryption from being disabled, add or set require-encryption to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/Vino]
require-encryption=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update.

Rationale

Open X displays allow an attacker to capture keystrokes and to execute commands remotely.

ID
xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-53-AC-17(2)

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :