{"description": "The GNOME Display Manager (GDM) can allow users to login without credentials\nwhich can be useful for public kiosk scenarios. Allowing users to login without credentials\nor \"guest\" account access has inherent security risks and should be disabled. To do disable\ntimed logins or guest account access, set the TimedLoginEnable to false in\nthe [daemon] section in /etc/gdm/custom.conf. For example:\n[daemon]\nTimedLoginEnable=false
", "rationale": "Failure to restrict system access to authenticated users negatively impacts operating\nsystem security.", "severity": "high", "references": {"cis-csc": ["11", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05"], "cui": ["3.1.1"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "IA-2"], "nist-csf": ["PR.IP-1"], "srg": ["SRG-OS-000480-GPOS-00229"], "pcidss4": ["8.3.1", "8.3"]}, "control_references": {"pcidss4": ["8.3.1", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "GDM allows a guest to login without credentials", "ocil": "To verify that timed logins are disabled, run the following command:\n$ grep -Pzoi \"^\\[daemon]\\\\ntimedlogin.*\" /etc/gdm/custom.conf
\nThe output should show the following:\n[daemon]\nTimedLoginEnable=false
", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Disable GDM Guest Login", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/rule.yml", "template": null}