Disable GDM Unattended or Automatic Login

An XCCDF Rule

Description

The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials or unattended login. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the DISPLAYMANAGER_AUTOLOGIN="" or DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" in the /etc/sysconfig/displaymanager. For example:

DISPLAYMANAGER_AUTOLOGIN=""
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"

Rationale

Failure to restrict system access to authenticated users negatively impacts operating system security.

ID: xccdf_org.ssgproject.content_rule_gnome_gdm_disable_unattended_automatic_login
Severity: High
References: CCI-000366

CM-6(b) CM-6.1(iv)

SRG-OS-000480-GPOS-00229

SLES-12-010380

CCE-83245-1

8.3 8.3.1

SV-217139r991591_rule
Updated: 3 months ago

Remediation Templates

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
if ! (sed -n '/^DISPLAYMANAGER_AUTOLOGIN=\"\"/p' /etc/sysconfig/displaymanager)
then
  sed -i "s/^DISPLAYMANAGER_AUTOLOGIN=.*/DISPLAYMANAGER_AUTOLOGIN=\"\"/g" /etc/sysconfig/displaymanager
fi
if ! (sed -n '/^DISPLAYMANAGER_PASSWORD_LESS_LOGIN=\"no\"/p' /etc/sysconfig/displaymanager)
then
  sed -i "s/^DISPLAYMANAGER_PASSWORD_LESS_LOGIN=.*/DISPLAYMANAGER_PASSWORD_LESS_LOGIN=\"no\"/g" /etc/sysconfig/displaymanager
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83245-1
  - DISA-STIG-SLES-12-010380  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - PCI-DSSv4-8.3
  - PCI-DSSv4-8.3.1
  - gnome_gdm_disable_unattended_automatic_login
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy
- name: Disable GDM Automatic Login
  ini_file:
    dest: /etc/sysconfig/displaymanager
    section: null
    option: DISPLAYMANAGER_AUTOLOGIN
    value: '""'
    no_extra_spaces: true
    create: false
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83245-1
  - DISA-STIG-SLES-12-010380
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - PCI-DSSv4-8.3
  - PCI-DSSv4-8.3.1
  - gnome_gdm_disable_unattended_automatic_login
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Disable password less Login
  ini_file:
    dest: /etc/sysconfig/displaymanager
    section: null
    option: DISPLAYMANAGER_PASSWORD_LESS_LOGIN
    value: '"no"'
    no_extra_spaces: true
    create: false
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83245-1
  - DISA-STIG-SLES-12-010380
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - PCI-DSSv4-8.3
  - PCI-DSSv4-8.3.1
  - gnome_gdm_disable_unattended_automatic_login
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

Disable GDM Unattended or Automatic Login

Description

Rationale

Remediation Templates

A Shell Script

An Ansible Snippet