{"description": "By default, <tt>GNOME</tt> requires encryption when using <tt>Vino</tt> for remote access.\nTo prevent remote access encryption from being disabled, add or set\n<tt>require-encryption</tt> to <tt>true</tt> in\n<tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example:\n<pre>[org/gnome/Vino]\nrequire-encryption=true\n</pre>\nOnce the settings have been added, add a lock to\n<tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.\nFor example:\n<pre>/org/gnome/Vino/require-encryption</pre>\nAfter the settings have been set, run <tt>dconf update</tt>.", "rationale": "Open X displays allow an attacker to capture keystrokes and to execute commands\nremotely.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "15", "16", "18", "20", "3", "4", "6", "9"], "cobit5": ["BAI03.08", "BAI07.04", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS03.01"], "cui": ["3.1.13"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3", "4.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.1", "A.12.1.2", "A.12.1.4", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.1.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["CM-6(a)", "AC-17(a)", "AC-17(2)"], "nist-csf": ["DE.AE-1", "PR.DS-7", "PR.IP-1"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "remote access connections are not encrypted", "ocil": "To ensure that remote access connections are encrypted, run the following command:\n<pre>$ gsettings get org.gnome.Vino require-encrpytion</pre>\nIf properly configured, the output should be <tt>true</tt>.\nTo ensure that users cannot disable encrypted remote connections, run the following:\n<pre>$ grep require-encryption /etc/dconf/db/local.d/locks/*</pre>\nIf properly configured, the output should be\n<tt>/org/gnome/Vino/require-encryption</tt>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Require Encryption for Remote Access in GNOME3", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml", "template": null}