Check: FreeBSD-10-002290
FreeBSD 10: FreeBSD-10-002290 (in version v1 r1)
Title
The operating system must not allow an unattended or automatic logon to the system. (Cat II impact)
Discussion
Failure to restrict system access to authenticated users negatively impacts operating system security. Satisfies: SRG-OS-000480-GPOS-00229
Check Content
If the operating system provides a public access service, such as a kiosk, this is not applicable.

Verify the operating system does not allow an unattended or automatic logon to the system. If it does, this is a finding.

Automatic logon as an authorized user allows access to any user with physical access to the operating system.

For the console, first list all the virtual consoles created at boot:

```
$ cat /etc/ttys
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none                            unknown off secure
#
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"         xterm   on  secure
ttyv2   "/usr/libexec/getty Pc"         xterm   on  secure
ttyv3   "/usr/libexec/getty Pc"         xterm   on  secure
```

The name after "/usr/libexec/getty" corresponds to an entry in /etc/gettytab.

```
$ cat /etc/gettytab
```

Ensure none of the entries used in /etc/ttys has "al=username" in them.

For GNOME, automatic login is controlled by /usr/local/etc/gdm/custom.conf:

```
$ grep Automatic /usr/local/etc/gdm/custom.conf
```

Ensure AutomaticLoginEnable is not set to True.
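The console part of this check can be scripted. The following is an added example, not part of the STIG: it collects the gettytab entry names used in a ttys file and reports any whose entry sets `al=`, including entries that only inherit it through a `tc=` reference to another entry, which reading the single entry would miss. The function names and the sample data are constructed for illustration; the GDM check is not covered.

```shell
# Print gettytab entry names used by uncommented getty lines in a ttys file.
getty_classes() {  # $1 = ttys file
    awk '!/^[ \t]*#/ && match($0, /getty[ \t]+[^" \t]+/) {
             s = substr($0, RSTART, RLENGTH); sub(/^getty[ \t]+/, "", s); print s
         }' "$1" | sort -u
}

# Print "class user" when the entry for a class, or one reached via tc=, sets al=user.
autologin_classes() {  # $1 = gettytab file, remaining args = class names
    tab=$1; shift
    awk -v classes="$*" '
        function store(e,   k, n, i, names) {   # index capabilities by each alias
            if (!(k = index(e, ":"))) return
            n = split(substr(e, 1, k - 1), names, "|")
            for (i = 1; i <= n; i++) caps[names[i]] = substr(e, k)
        }
        /^[ \t]*#/ { next }
        { sub(/^[ \t]+/, ""); cont = sub(/\\$/, ""); buf = buf $0  # join continued lines
          if (!cont) { store(buf); buf = "" } }
        END {
            store(buf); n = split(classes, c, " ")
            for (i = 1; i <= n; i++) { name = c[i]
                for (d = 0; d < 16 && (name in caps); d++) {   # bounded tc= walk
                    if (match(caps[name], /:al=[^:]+/)) { print c[i], substr(caps[name], RSTART + 4, RLENGTH - 4); break }
                    if (!match(caps[name], /:tc=[^:]+/)) break
                    name = substr(caps[name], RSTART + 4, RLENGTH - 4)
                }
            }
        }' "$tab"
}

# Print findings and return 1 if any; defaults are the paths named in the check.
audit_console() {  # $1 = ttys, $2 = gettytab
    hits=$(autologin_classes "${2:-/etc/gettytab}" $(getty_classes "${1:-/etc/ttys}"))
    [ -z "$hits" ] || { echo "FINDING: al= set (class user): $hits"; return 1; }
}

# Constructed sample: ttyv0 uses Pc (clean); ttyv1 uses kiosk, which inherits
# al=root from al.Pc through tc=.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'ttyv0 "/usr/libexec/getty Pc" xterm on secure' \
        'ttyv1 "/usr/libexec/getty kiosk" xterm on secure' > "$d/ttys"
    printf '%s\n' 'Pc|Pc console:\' '  :ht:np:sp#115200:' \
        'al.Pc:\' '  :al=root:tc=Pc:' 'kiosk:\' '  :tc=al.Pc:' > "$d/gettytab"
    audit_console "$d/ttys" "$d/gettytab"; rc=$?; rm -rf "$d"; return $rc
}
demo || true
```

On a live system, calling `audit_console` with no arguments reads /etc/ttys and /etc/gettytab; a non-zero return corresponds to a finding for the console.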
Fix Text
If the operating system provides a public access service, such as a kiosk, this is not applicable. Configure the operating system to not allow an unattended or automatic logon to the system. Automatic logon as an authorized user allows access to any user with physical access to the operating system.
Additional Identifiers
Rule ID:
Vulnerability ID: V-2290
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |