{"description": "In the default graphical environment, users logging directly into the\nsystem are greeted with a login screen that displays all known users.\nThis functionality should be disabled by setting <tt>disable-user-list</tt>\nto <tt>true</tt>.\n<br /><br />\nTo disable, add or edit <tt>disable-user-list</tt> to\n<tt>/etc/dconf/db/gdm.d/00-security-settings</tt>. For example:\n<pre>[org/gnome/login-screen]\ndisable-user-list=true</pre>\nOnce the setting has been added, add a lock to\n<tt>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</tt> to prevent\nuser modification. For example:\n<pre>/org/gnome/login-screen/disable-user-list</pre>\nAfter the settings have been set, run <tt>dconf update</tt>.", "rationale": "Leaving the user list enabled is a security risk since it allows anyone\nwith physical access to the system to quickly enumerate known user accounts\nwithout logging in.", "severity": "medium", "references": {"nist": ["CM-6(a)", "AC-23"], "srg": ["SRG-OS-000480-GPOS-00227"], "cis": ["1.7.3"]}, "control_references": {"cis": ["1.7.3"]}, "components": [], "identifiers": {}, "ocil_clause": "disable-user-list has not been configured or is not disabled", "ocil": "To ensure the user list is disabled, run the following command:\n<pre>$ grep disable-user-list /etc/dconf/db/gdm.d/*</pre>\nThe output should be <tt>true</tt>.\nTo ensure that users cannot enable displaying the user list, run the following:\n<pre>$ grep disable-user-list /etc/dconf/db/gdm.d/locks/*</pre>\nIf properly configured, the output should be <tt>/org/gnome/login-screen/disable-user-list</tt>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must disable the user list at logon for graphical user interfaces.", "vuldiscussion": "Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.", "checktext": "Note: This requirement assumes the use of the Ubuntu 22.04 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nVerify that Ubuntu 22.04 disables the user logon list for graphical user interfaces with the following command:\n\n$ gsettings get org.gnome.login-screen disable-user-list\n\ntrue\n\nIf the setting is \"false\", this is a finding.", "fixtext": "Configure Ubuntu 22.04 to disable the user list at logon for graphical user interfaces.\n\nCreate a database to contain the systemwide screensaver settings (if it does not already exist) with the following command:\nNote: The example below is using the database \"local\" for the system. If the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/02-login-screen\n\n[org/gnome/login-screen]\ndisable-user-list=true\n\nUpdate the system databases:\n\n$ sudo dconf update"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Disable the GNOME3 Login User List", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml", "template": null}