Recommendations
1.8 GNOME Display Manager
138 | P a g e
139 | P a g e
1.8.1 Ensure GNOME Display Manager is removed (Manual)
Profile Applicability:
Level 2 - Server
Description:
The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins.
Rationale:
If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system.
Impact:
Removing the GNOME Display manager will remove the GUI from the system.
Audit:
Run the following command and verify the output:
# rpm -q gdm
package gdm is not installed
Remediation:
Run the following command to remove the gdm package
# yum remove gdm
References:
1. https://wiki.gnome.org/Projects/GDM
140 | P a g e CIS Controls:
Controls
Version Control IG 1 IG 2 IG 3
v8
4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
● ●
v7 2.6 Address unapproved software
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner
● ● ●
141 | P a g e
1.8.2 Ensure GDM login banner is configured (Automated)
Profile Applicability:
Level 1 - Server
Level 1 - Workstation
Description:
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems.
Rationale:
Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place.
Note: If a graphical login is not required, it should be removed to reduce the attack surface of the system.
Audit:
Verify that /etc/dconf/profile/gdm exists and includes the following:
user-db:user system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
Verify that a file exists in /etc/dconf/db/gdm.d/ and includes the following: (This is typically /etc/dconf/db/gdm.d/01-banner-message)
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='<banner message>'
142 | P a g e Remediation:
Edit or create the file /etc/dconf/profile/gdm and add the following:
user-db:user system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically
/etc/dconf/db/gdm.d/01-banner-message)
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='<banner message>'
Example Banner Text: 'Authorized users only. All activity may be monitored and reported.' Run the following command to update the system databases:
# dconf update
Additional Information:
Additional options and sections may appear in the /etc/dconf/db/gdm.d/01-banner- message file.
If a different GUI login service is in use and required on the system, consult your documentation to disable displaying the last logged on user and apply an equivalent banner.
CIS Controls:
Controls
Version Control IG 1 IG 2 IG 3
v8
4.1 Establish and Maintain a Secure Configuration Process
Establish and maintain a secure configuration process for enterprise assets (end- user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
● ● ●
v7 5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
● ● ●
143 | P a g e
1.8.3 Ensure last logged in user display is disabled (Automated)
Profile Applicability:
Level 1 - Server
Level 1 - Workstation
Description:
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems.
Rationale:
Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on.
Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place.
Notes:
If a graphical login is not required, it should be removed to reduce the attack surface of the system.
If a different GUI login service is in use and required on the system, consult your documentation to disable displaying the last logged on user
Audit:
Verify that /etc/dconf/profile/gdm exists and includes the following:
user-db:user system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
Verify that a file exists in /etc/dconf/db/gdm.d/ and includes the following: (This is typically /etc/dconf/db/gdm.d/00-login-screen)
[org/gnome/login-screen]
disable-user-list=true
144 | P a g e Remediation:
Edit or create the file /etc/dconf/profile/gdm and add the following:
user-db:user system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically
/etc/dconf/db/gdm.d/00-login-screen)
[org/gnome/login-screen]
# Do not show the user list disable-user-list=true
Run the following command to update the system databases:
# dconf update
CIS Controls:
Controls
Version Control IG 1 IG 2 IG 3
v8
4.1 Establish and Maintain a Secure Configuration Process
Establish and maintain a secure configuration process for enterprise assets (end- user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
● ● ●
v7 5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
● ● ●
145 | P a g e
1.8.4 Ensure XDCMP is not enabled (Automated)
Profile Applicability:
Level 1 - Server
Level 1 - Workstation
Description:
X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays
Rationale:
XDMCP is inherently insecure.
XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user
XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server.
Audit:
Run the following command and verify the output:
# grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf Nothing should be returned
Remediation:
Edit the file /etc/gdm/custom.conf and remove the line
Enable=true
Default Value:
false (This is denoted by no Enabled= entry in the file /etc/gdm/custom.conf in the
[xdmcp] section References:
1. https://help.gnome.org/admin/gdm/2.32/configuration.html.en
146 | P a g e CIS Controls:
Controls
Version Control IG 1 IG 2 IG 3
v8
4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
● ●
v7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
● ●
147 | P a g e