{"description": "By default, <tt>GNOME</tt> will allow all users to have some administration\ncapability. This should be disabled so that non-administrative users are not making\nconfiguration changes. To configure the system to disable user administration\ncapability in the Graphical User Interface (GUI), add or set\n<tt>user-administration-disabled</tt> to <tt>true</tt> in\n<tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example:\n<pre>[org/gnome/desktop/lockdown]\nuser-administration-disabled=true\n</pre>\nOnce the settings have been added, add a lock to\n<tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.\nFor example:\n<pre>/org/gnome/desktop/lockdown/user-administration-disabled</pre>\nAfter the settings have been set, run <tt>dconf update</tt>.", "rationale": "Allowing all users to have some administrative capabilities to the system through\nthe Graphical User Interface (GUI) when they would not have them otherwise could allow\nunintended configuration changes as well as give a nefarious user the capability to make system\nchanges such as adding new accounts, etc.", "severity": "high", "references": {"cui": ["3.1.5"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "user administration is not configured or disabled", "ocil": "To ensure the GUI does not allow user administration capabilities to all users,\nrun the following command:\n<pre>$ gsettings get org.gnome.desktop.lockdown user-administration-disabled</pre>\nIf properly configured, the output should be <tt>true</tt>.\nTo ensure that users cannot enable user administration, run the following:\n<pre>$ grep user-administration /etc/dconf/db/local.d/locks/*</pre>\nIf properly configured, the output should be\n<tt>/org/gnome/desktop/lockdown/user-administration-disabled</tt>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": 
[], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Disable User Administration in GNOME3", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml", "template": {"name": "dconf_ini_file", "vars": {"parameter": "user-administration-disabled", "value": "true", "section": "org/gnome/desktop/lockdown", "path": "/etc/dconf/db/local.d/"}, "backends": {}}}