Disable the GNOME3 Login User List

Docs > Datadog Security > OOTB Rules > Disable the GNOME3 Login User List

Classification:

compliance

Framework:

Control:

Description

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true.

To disable, add or edit disable-user-list to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
disable-user-list=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/disable-user-list

After the settings have been set, run dconf update.

Rationale

Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
 | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
 if grep -q "^\\s\*disable-user-list\\s\*=" "${SETTINGSFILES[@]}"
 then
 
 sed -Ei "s/(^\s\*)disable-user-list(\s\*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
 fi
fi


[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
then
 printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
fi

escaped\_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
if grep -q "^\\s\*disable-user-list\\s\*=" "${DCONFFILE}"
then
 sed -i "s/\\s\*disable-user-list\\s\*=\\s\*.\*/disable-user-list=${escaped\_value}/g" "${DCONFFILE}"
 else
 sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped\_value}" "${DCONFFILE}"
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \
 | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"

mkdir -p "${LOCKSFOLDER}"

# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
 sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}"
fi

if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/
then
 echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi

dconf update

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi