AlmaLinux OS 9 must disable the ability of a user to restart the system from the login screen.

STIG ID: ALMA-09-022460  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269279

Vulnerability Discussion

A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.

Check

Note: This requirement assumes the use of the AlmaLinux OS 9 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify AlmaLinux OS 9 disables a user's ability to restart the system with the following command:

$ grep -R disable-restart-buttons /etc/dconf/db/*

/etc/dconf/db/distro.d/20-authselect:disable-restart-buttons='true'

If the "disable-restart-button" setting is not set to "true", is missing or commented out from the dconf database files, this is a finding.

Fix

Configure AlmaLinux OS 9 to disable a user's ability to restart the system.

Add or update the [org/gnome/settings-daemon/] section of the /etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines:

[org/gnome/login-screen]
disable-restart-buttons=true

Then update the dconf system databases:

$ dconf update
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.