OL 9 must disable the user list at logon for graphical user interfaces.

STIG ID: OL09-00-002102  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-271672

Vulnerability Discussion

Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.

Check

This requirement assumes the use of the OL 9 default graphical user interface—the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify that OL 9 disables the user logon list for graphical user interfaces with the following command:

$ gsettings get org.gnome.login-screen disable-user-list
true

If the setting is "false", this is a finding.

Fix

Configure OL 9 to disable the user list at logon for graphical user interfaces.

Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command:

Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.

$ sudo touch /etc/dconf/db/local.d/02-login-screen

[org/gnome/login-screen]
disable-user-list=true

Update the system databases:

$ sudo dconf update
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.