Disable GDM Guest Login

An XCCDF Rule

Description

The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to login without credentials or "guest" account access has inherent security risks and should be disabled. To do disable timed logins or guest account access, set the TimedLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example:

[daemon]
TimedLoginEnable=false

Rationale

Failure to restrict system access to authenticated users negatively impacts operating system security.

ID: xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login
Severity: High
References: 11 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05

3.1.1

CCI-000366

4.3.4.3.2 4.3.4.3.3

SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4

CM-6(a) CM-7(a) CM-7(b) IA-2

PR.IP-1

FIA_UAU.1

SRG-OS-000480-GPOS-00229

SV-204433r877377_rule

8.3.1
Updated: over 1 year ago

Remediation Templates

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
if rpm --quiet -q gdm
then
	if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
	then		sed -i "/^\[daemon\]/a \
		TimedLoginEnable=false" /etc/gdm/custom.conf
	else
		sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=false/g" /etc/gdm/custom.conf
	fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-07-010450
  - NIST-800-171-3.1.1  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-2
  - PCI-DSSv4-8.3.1
  - gnome_gdm_disable_guest_login
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy
- name: Disable GDM Guest Login
  ini_file:
    dest: /etc/gdm/custom.conf
    section: daemon
    option: TimedLoginEnable
    value: 'false'
    no_extra_spaces: true
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-07-010450
  - NIST-800-171-3.1.1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-2
  - PCI-DSSv4-8.3.1
  - gnome_gdm_disable_guest_login
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

Disable GDM Guest Login

Description

Rationale

Remediation Templates

A Shell Script

An Ansible Snippet