Skip to content

Set the GNOME3 Login Number of Failures

An XCCDF Rule

Description

In the default graphical environment, the GNOME3 login screen and be configured to restart the authentication process after a configured number of attempts. This can be configured by setting allowed-failures to 3 or less.

To enable, add or edit allowed-failures to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
allowed-failures=3
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/allowed-failures
After the settings have been set, run dconf update.

Rationale

Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks.

ID
xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.8
  - dconf_gnome_login_retries

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :