Detections
Analytics

1.8.15 Ensure graphical user interface automounter is disabled

Information

The Linux operating system must disable the graphical user interface automounter unless required.

Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.

Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227

Solution

Configure the graphical user interface to disable the ability to automount devices.

Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.

Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following:

[org/gnome/desktop/media-handling]

automount=false

automount-open=false

autorun-never=true

Create or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:

/org/gnome/desktop/media-handling/automount

/org/gnome/desktop/media-handling/automount-open

/org/gnome/desktop/media-handling/autorun-never

Run the following command to update the database:

# dconf update

See Also

https://workbench.cisecurity.org/benchmarks/8415

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-3, CAT|II, CCI|CCI-000366, CCI|CCI-000778, CCI|CCI-001958, CSCv7|8.5, Rule-ID|SV-219059r603261_rule, STIG-ID|RHEL-07-020111, Vuln-ID|V-219059

Plugin: Unix

Control ID: 4e88bfd39fafd7ce6892a0c5db107083eded43b3a6d1c6f33c6ff886e4ce5482