
1.7.3 Ensure GDM disable-user-list option is enabled

Audit

Run the following command to verify that the disable-user-list option is enabled:

# gsettings get org.gnome.login-screen disable-user-list
true

Remediation

- IF - A user profile exists, run the following command to enable the disable-user-list option:

# gsettings set org.gnome.login-screen disable-user-list true

Note:

  • gsettings commands in this section MUST be done from a command window on a graphical desktop or an error will be returned.
  • The system must be restarted after all gsettings configurations have been set in order for CIS-CAT Assessor to appropriately assess.
  • If the dconf database is not updating correctly due to the umask requirements contained in the benchmark, then use (umask 0022 && gsettings set) with the commands from above to temporarily set the umask, ensuring that any files or directories created by gsettings will have the required permissions.

- OR/IF - A user profile does not exist:

  1. Create or edit the gdm profile in /etc/dconf/profile/gdm with the following lines:
    user-db:user
    system-db:gdm
    file-db:/usr/share/gdm/greeter-dconf-defaults
    

Note: gdm is the name of a dconf database.

  2. Create a gdm keyfile for machine-wide settings in /etc/dconf/db/gdm.d/00-login-screen:

    [org/gnome/login-screen]
    # Do not show the user list
    disable-user-list=true
    

  3. Update the system databases:

    # dconf update
    
    Note: When the user profile is created or changed, the user will need to log out and log in again before the changes will be applied.
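
Because the gsettings audit must be run from a graphical desktop, the following added example (not part of the benchmark text) checks the same setting from the files the remediation writes, so it can run over SSH or against a mounted image. The function names and the optional root-directory argument are assumptions, and treating a keyfile newer than /etc/dconf/db/gdm as a missed dconf update is a heuristic.

```shell
#!/bin/sh
# Added example: file-based audit of the gdm dconf settings described above.
# Usage: check_gdm_user_list [ROOT]   (ROOT is a hypothetical prefix, default "")

# Print every value assigned to disable-user-list under [org/gnome/login-screen].
user_list_values() {
    for f in "$1"/etc/dconf/db/gdm.d/*; do
        [ -f "$f" ] || continue          # skip subdirectories such as locks/
        awk '
            /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }
            sect == "[org/gnome/login-screen]" && /^[ \t]*disable-user-list[ \t]*=/ {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v
            }' "$f"
    done
}

# Return 0 only when profile, keyfiles and compiled database match the benchmark.
check_gdm_user_list() {
    root=${1:-}
    profile="$root/etc/dconf/profile/gdm"
    db="$root/etc/dconf/db/gdm"
    for line in user-db:user system-db:gdm \
                file-db:/usr/share/gdm/greeter-dconf-defaults; do
        if ! grep -qxF "$line" "$profile" 2>/dev/null; then
            echo "FAIL: $profile lacks '$line'"; return 1
        fi
    done
    values=$(user_list_values "$root")
    if [ -z "$values" ]; then
        echo "FAIL: disable-user-list not set in gdm.d keyfiles"; return 1
    fi
    # Any keyfile assigning a value other than true is reported as a conflict.
    if printf '%s\n' "$values" | grep -qvx true; then
        echo "FAIL: a keyfile sets disable-user-list to a value other than true"; return 1
    fi
    if [ ! -f "$db" ]; then
        echo "FAIL: $db missing, run dconf update"; return 1
    fi
    for f in "$root"/etc/dconf/db/gdm.d/*; do
        if [ -f "$f" ] && [ "$f" -nt "$db" ]; then
            echo "FAIL: $f is newer than $db, run dconf update"; return 1
        fi
    done
    echo "PASS"
}
```

Call check_gdm_user_list with no argument to audit the running system; a PASS covers the system database only and does not replace the gsettings check for an existing user profile.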

Default Value:
false