Set the GNOME3 Login Number of Failures
An XCCDF Rule
Description
In the default graphical environment, the GNOME3 login
screen and be configured to restart the authentication process after
a configured number of attempts. This can be configured by setting
allowed-failures
to 3
or less.
To enable, add or edit allowed-failures
to
/etc/dconf/db/gdm.d/00-security-settings
. For example:
[org/gnome/login-screen] allowed-failures=3Once the setting has been added, add a lock to
/etc/dconf/db/gdm.d/locks/00-security-settings-lock
to prevent user modification.
For example:
/org/gnome/login-screen/allowed-failuresAfter the settings have been set, run
dconf update
.
Rationale
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks.
- ID
- xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-171-3.1.8
- dconf_gnome_login_retries