{"description": "In the default graphical environment, users logging directly into the\nsystem are greeted with a login screen that allows any user, known or\nunknown, the ability to shut down or restart the system. This\nfunctionality should be disabled by setting\n<tt>disable-restart-buttons</tt> to <tt>true</tt>.\n<br /><br />\nTo disable, add or edit <tt>disable-restart-buttons</tt> to\n<tt>/etc/dconf/db/gdm.d/00-security-settings</tt>. For example:\n<pre>[org/gnome/login-screen]\ndisable-restart-buttons=true</pre>\nOnce the setting has been added, add a lock to\n<tt>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</tt> to prevent\nuser modification. For example:\n<pre>/org/gnome/login-screen/disable-restart-buttons</pre>\nAfter the settings have been set, run <tt>dconf update</tt>.", "rationale": "A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons\nare pressed at the login screen, this can create the risk of short-term loss of availability of systems\ndue to reboot.", "severity": "high", "references": {"cis-csc": ["12", "13", "14", "15", "16", "18", "3", "5"], "cobit5": ["APO01.06", "DSS05.04", "DSS05.07", "DSS06.02"], "cui": ["3.1.2"], "isa-62443-2009": ["4.3.3.7.3"], "isa-62443-2013": ["SR 2.1", "SR 5.2"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nist": ["CM-6(a)", "AC-6(1)", "CM-7(b)"], "nist-csf": ["PR.AC-4", "PR.DS-5"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "disable-restart-buttons has not been configured or is not disabled", "ocil": "To ensure that the shutdown and restart buttons on the login screen are disabled, run the following command:\n<pre>$ grep disable-restart-buttons /etc/dconf/db/gdm.d/*</pre>\nThe output should be <tt>true</tt>.\nTo ensure that users cannot enable the shutdown and restart buttons on the login screen, run the following:\n<pre>$ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/*</pre>\nIf properly configured, the output should be <tt>/org/gnome/login-screen/disable-restart-buttons</tt>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.", "vuldiscussion": "A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.", "checktext": "Note: This requirement assumes the use of the Ubuntu 22.04 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nVerify Ubuntu 22.04 prevents a user from overriding the disable-restart-buttons setting for graphical user interfaces.\n\n$ gsettings writable org.gnome.login-screen disable-restart-buttons\n\nfalse\n\nIf \"disable-restart-buttons\" is writable and the result is \"true\", this is a finding.", "fixtext": "Configure Ubuntu 22.04 to prevent a user from overriding the disable-restart-buttons setting for graphical user interfaces.\n\nCreate a database to contain the systemwide graphical user logon settings (if it does not already exist) with the following command:\n\n$ sudo touch /etc/dconf/db/local.d/locks/session\n\nAdd the following line to prevent nonprivileged users from modifying it:\n\n/org/gnome/login-screen/disable-restart-buttons\n\nRun the following command to update the database:\n\n$ sudo dconf update"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Disable the GNOME3 Login Restart and Shutdown Buttons", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml", "template": null}