The login user list must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-209070 | OL6-00-000527 | SV-209070r793791_rule | Medium |
| Description |
|---|
| Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in. |
| STIG | Date |
|---|---|
| Oracle Linux 6 Security Technical Implementation Guide | 2021-12-03 |
Details
| Check Text ( C-9323r357995_chk ) |
|---|
| If the GConf2 package is not installed, this is not applicable. To ensure the user list is disabled, run the following command: $ gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --get /apps/gdm/simple-greeter/disable_user_list The output should be "true". If it is not, this is a finding. |
| Fix Text (F-9323r357996_fix) |
|---|
| In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled. Run the following command to disable the user list: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool --set /apps/gdm/simple-greeter/disable_user_list true |