Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-209070 | OL6-00-000527 | SV-209070r793791_rule | Medium |
Description |
---|
Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in. |
STIG | Date |
---|---|
Oracle Linux 6 Security Technical Implementation Guide | 2021-12-03 |
Check Text ( C-9323r357995_chk ) |
---|
If the GConf2 package is not installed, this is not applicable. To ensure the user list is disabled, run the following command: $ gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --get /apps/gdm/simple-greeter/disable_user_list The output should be "true". If it is not, this is a finding. |
Fix Text (F-9323r357996_fix) |
---|
In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled. Run the following command to disable the user list: $ sudo gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool --set /apps/gdm/simple-greeter/disable_user_list true |