Disable the GNOME3 Login Restart and Shutdown Buttons
An XCCDF Rule
Description
In the default graphical environment, users logging directly into the
system are greeted with a login screen that allows any user, known or
unknown, the ability to shut down or restart the system. This
functionality should be disabled by setting disable-restart-buttons to true.
To disable, add or edit disable-restart-buttons in
/etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
disable-restart-buttons=true

Once the setting has been added, add a lock to
/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent
user modification. For example:

/org/gnome/login-screen/disable-restart-buttons

After the settings have been set, run dconf update.
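The setting and lock described above can be audited with a short script. This is an added example, not part of the SSG content or its own checks; the function names check_gdm_restart_buttons and demo_tree, the return codes and the sample tree are assumptions made for illustration. It treats any keyfile that sets the key to a value other than true as a failure instead of resolving precedence between files.

```bash
#!/usr/bin/env bash
# Added audit example, not SSG project code. Checks the keyfile setting and the
# lock entry described above. Function names and exit codes are assumptions.
# Returns 0 = set to true and locked, 1 = setting missing/wrong, 2 = lock missing.
check_gdm_restart_buttons() {
    local dbdir="${1:-/etc/dconf/db/gdm.d}"
    local section="org/gnome/login-screen" key="disable-restart-buttons" state

    # Parse every keyfile directly under DBDIR. The key only counts inside its
    # own [section]; a non-true value in any file is reported as a conflict.
    state=$(find "$dbdir" -maxdepth 1 -type f -exec awk -v sec="[$section]" -v key="$key" '
        FNR == 1 { insec = 0 }                       # new file: no section yet
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }            # trim whitespace and CR
        /^\[.*\]$/ { insec = ($0 == sec); next }     # section header line
        insec && /^[^#]/ && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == key) { if (v == "true") ok = 1; else bad = 1 }
        }
        END { if (bad) print "conflict"; else if (ok) print "true" }' {} + 2>/dev/null)

    case "$state" in
        true) ;;
        conflict) echo "FAIL: $key is set to a non-true value in $dbdir" >&2; return 1 ;;
        *) echo "FAIL: $key=true not found under [$section] in $dbdir" >&2; return 1 ;;
    esac

    # The lock file is a plain list of full key paths, one per line.
    if ! grep -qsxF "/$section/$key" "$dbdir"/locks/*; then
        echo "FAIL: /$section/$key is not locked under $dbdir/locks" >&2
        return 2
    fi
    echo "OK: $key=true and locked in $dbdir"
}

# Constructed sample tree mirroring the two files from the description.
demo_tree() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/locks"
    printf '[org/gnome/login-screen]\ndisable-restart-buttons=true\n' > "$d/00-security-settings"
    printf '/org/gnome/login-screen/disable-restart-buttons\n' > "$d/locks/00-security-settings-lock"
    echo "$d"
}
```

The script reads only the text keyfiles and lock files; it does not verify that dconf update has been run since they were last changed.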
Rationale
A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.
- ID: xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown
- Severity: High
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - NIST-800-171-3.1.2
    - NIST-800-53-AC-6(1)
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :