Skip to content

Disable Full User Name on Splash Shield

An XCCDF Rule

Description

By default when the screen is locked, the splash shield will show the user's full name. This should be disabled to prevent casual observers from seeing who has access to the system. This can be disabled by adding or setting show-full-name-in-top-bar to false in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
show-full-name-in-top-bar=false
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/show-full-name-in-top-bar
After the settings have been set, run dconf update.

Rationale

Setting the splash screen to not reveal the logged in user's name conceals who has access to the system from passersby.

ID
xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-87468-5
  - dconf_gnome_screensaver_user_info