Require Encryption for Remote Access in GNOME3
An XCCDF Rule
Description
By default, GNOME
requires encryption when using Vino
for remote access.
To prevent remote access encryption from being disabled, add or set
require-encryption
to true
in
/etc/dconf/db/local.d/00-security-settings
. For example:
[org/gnome/Vino] require-encryption=trueOnce the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock
to prevent user modification.
For example:
/org/gnome/Vino/require-encryptionAfter the settings have been set, run
dconf update
.
Rationale
Open X displays allow an attacker to capture keystrokes and to execute commands remotely.
- ID
- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-88756-2
- NIST-800-171-3.1.13
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :