Detections
Analytics
1.7.7 Ensure GDM disabling automatic mounting of removable media is not overridden
Information
By default GNOME automatically mounts removable media when inserted as a convenience to the userBy using the lockdown mode in dconf, you can prevent users from changing specific settings.
To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.
Example Lock File:
# Lock automount settings
/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open
With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves.
Solution
Run the following script to lock disable automatic mounting of media for all GNOME users:#!/usr/bin/env bash
{
# Check if GNMOE Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable
# determine system's package manager
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "
- Package: \"$l_pn\" exists on the system
- remediating configuration if needed"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
# Look for automount to determine profile in use, needed for remaining tests
l_kfd="/etc/dconf/db/$(grep -Psril '^h*automountb' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
# Look for automount-open to determine profile in use, needed for remaining tests
l_kfd2="/etc/dconf/db/$(grep -Psril '^h*automount-openb' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
if grep -Priq '^h*/org/gnome/desktop/media-handling/automountb' "$l_kfd"; then
echo " - \"automount\" is locked in \"$(grep -Pril '^h*/org/gnome/desktop/media-handling/automountb' "$l_kfd")\""
else
echo " - creating entry to lock \"automount\""
[ ! -d "$l_kfd"/locks ] && echo "creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
{
echo -e '
# Lock desktop media-handling automount setting'
echo '/org/gnome/desktop/media-handling/automount'
} >> "$l_kfd"/locks/00-media-automount
fi
else
echo -e " - \"automount\" is not set so it can not be locked
- Please follow Recommendation \"Ensure GDM automatic mounting of removable media is disabled\" and follow this Recommendation again"
fi
if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked
if grep -Priq '^h*/org/gnome/desktop/media-handling/automount-openb' "$l_kfd2"; then
echo " - \"automount-open\" is locked in \"$(grep -Pril '^h*/org/gnome/desktop/media-handling/automount-openb' "$l_kfd2")\""
else
echo " - creating entry to lock \"automount-open\""
[ ! -d "$l_kfd2"/locks ] && echo "creating directory $l_kfd2/locks" && mkdir "$l_kfd2"/locks
{
echo -e '
# Lock desktop media-handling automount-open setting'
echo '/org/gnome/desktop/media-handling/automount-open'
} >> "$l_kfd2"/locks/00-media-automount
fi
else
echo -e " - \"automount-open\" is not set so it can not be locked
- Please follow Recommendation \"Ensure GDM automatic mounting of removable media is disabled\" and follow this Recommendation again"
fi
# update dconf database
dconf update
else
echo -e " - GNOME Desktop Manager package is not installed on the system
- Recommendation is not applicable"
fi
}
Impact:
The use of portable hard drives is very common for workstation users
See Also
Item Details
Audit Name: CIS CentOS Linux 7 v4.0.0 L2 Workstation
Category: MEDIA PROTECTION
References: 800-53|MP-7, CSCv7|8.5
Plugin: Unix
Control ID: 99d3f8c93eada37fc8e52753e3b8cee7ab88f02ab39126433dfebd1badd7f7d7