1.8.6 Ensure GDM automatic mounting of removable media is disabled

Information

By default, GNOME automatically mounts removable media when it is inserted, as a convenience to the user.

Rationale:

With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available on the system, even if they lacked the permissions to mount it themselves.

Impact:

The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations, and physical access controls to workstations are considered adequate, there is little value added in turning off automounting.

Solution

Run the following script to disable automatic mounting of media for all GNOME users:

#!/usr/bin/env bash

{
   l_pkgoutput="" l_output="" l_output2=""
   l_gpname="local" # Set to desired dconf profile name (default is local)
   # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable

   # determine system's package manager
   if command -v dpkg-query > /dev/null 2>&1; then
      l_pq="dpkg-query -W"
   elif command -v rpm > /dev/null 2>&1; then
      l_pq="rpm -q"
   fi
   # Check if GDM is installed
   l_pcl="gdm gdm3" # Space separated list of packages to check
   for l_pn in $l_pcl; do
      $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
   done
   # Check configuration (If applicable)
   if [ -n "$l_pkgoutput" ]; then
      echo -e "$l_pkgoutput"
      # Look for existing settings and set variables if they exist
      l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)"
      l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)"
      # Set profile name based on dconf db directory ({PROFILE_NAME}.d)
      if [ -f "$l_kfile" ]; then
         l_gpname="$(awk -F/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
         echo " - updating dconf profile name to \"$l_gpname\""
      elif [ -f "$l_kfile2" ]; then
         l_gpname="$(awk -F/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")"
         echo " - updating dconf profile name to \"$l_gpname\""
      fi
      # check for consistency (Clean up configuration if needed)
      if [ -f "$l_kfile" ] && [ "$(awk -F/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")" != "$l_gpname" ]; then
         sed -ri '/^\s*automount\s*=/s/^/# /' "$l_kfile"
         l_kfile="/etc/dconf/db/$l_gpname.d/00-media-automount"
      fi
      if [ -f "$l_kfile2" ] && [ "$(awk -F/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")" != "$l_gpname" ]; then
         sed -ri '/^\s*automount-open\s*=/s/^/# /' "$l_kfile2"
      fi
      # Fall back to the default keyfile when no existing setting was found
      [ ! -f "$l_kfile" ] && l_kfile="/etc/dconf/db/$l_gpname.d/00-media-automount"
      # Check if profile file exists
      if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
         echo -e "\n - dconf database profile exists in: \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\""
      else
         [ ! -f "/etc/dconf/profile/user" ] && l_gpfile="/etc/dconf/profile/user" || l_gpfile="/etc/dconf/profile/user2"
         echo -e " - creating dconf database profile"
         {
            echo -e "\nuser-db:user"
            echo "system-db:$l_gpname"
         } >> "$l_gpfile"
      fi
      # create dconf directory if it doesn't exist
      l_gpdir="/etc/dconf/db/$l_gpname.d"
      if [ -d "$l_gpdir" ]; then
         echo " - The dconf database directory \"$l_gpdir\" exists"
      else
         echo " - creating dconf database directory \"$l_gpdir\""
         mkdir "$l_gpdir"
      fi
      # check automount-open setting
      if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile"; then
         echo " - \"automount-open\" is set to false in: \"$l_kfile\""
      else
         echo " - creating \"automount-open\" entry in \"$l_kfile\""
         # add the group header if the keyfile does not have one yet, then append the key after it
         ! grep -Psq -- '^\h*\[org\/gnome\/desktop\/media-handling\]' "$l_kfile" && echo "[org/gnome/desktop/media-handling]" >> "$l_kfile"
         sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a automount-open=false' "$l_kfile"
      fi
      # check automount setting
      if grep -Pqs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then
         echo " - \"automount\" is set to false in: \"$l_kfile\""
      else
         echo " - creating \"automount\" entry in \"$l_kfile\""
         ! grep -Psq -- '^\h*\[org\/gnome\/desktop\/media-handling\]' "$l_kfile" && echo "[org/gnome/desktop/media-handling]" >> "$l_kfile"
         sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a automount=false' "$l_kfile"
      fi
   else
      echo -e "\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
   fi
   # update dconf database
   dconf update
}
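
The remediation above leaves three things in place: a profile line that loads system-db:<profile>, a keyfile under /etc/dconf/db/<profile>.d, and the two keys under [org/gnome/desktop/media-handling]. The following bash function is an added audit helper, not part of the benchmark or its script: it reads a dconf tree back and reports whether all three are present, and the function name and its two arguments (config root, profile name) are assumptions introduced here so that it can also be run against a staging copy of the tree.

```bash
#!/usr/bin/env bash
# Added audit helper, not part of the benchmark text. It checks a dconf tree
# for the state the remediation produces: a profile that loads
# system-db:<profile>, and automount / automount-open set to false inside
# [org/gnome/desktop/media-handling] in a keyfile under db/<profile>.d.
# Arguments (assumed interface): dconf config root (default /etc/dconf),
# profile name (default local). Returns 0 only when every check passes.
check_media_automount() {
  local root="${1:-/etc/dconf}" profile="${2:-local}"
  local rc=0 key val
  # 1. Without a profile line "system-db:<profile>" the compiled database is
  #    never consulted, so a correct keyfile alone proves nothing.
  if ! grep -Eqs -- "^[[:space:]]*system-db:${profile}[[:space:]]*$" "$root"/profile/*; then
    echo " - FAIL: no file in $root/profile loads system-db:$profile"
    rc=1
  fi
  # 2. Walk every keyfile in the db directory, track the current [group]
  #    header, and record the value of each key only while inside the
  #    media-handling group. If a key appears more than once, the last
  #    definition read wins (files are visited in glob order).
  for key in automount automount-open; do
    val="$(awk -v k="$key" '
      /^[[:space:]]*\[/ {
        in_grp = ($0 ~ /^[[:space:]]*\[org\/gnome\/desktop\/media-handling\][[:space:]]*$/)
        next
      }
      in_grp && $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
        sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); v = $0
      }
      END { print v }' "$root"/db/"$profile".d/* 2>/dev/null || true)"
    if [ "$val" = "false" ]; then
      echo " - PASS: $key=false in $root/db/$profile.d"
    else
      echo " - FAIL: $key is '${val:-unset}' in $root/db/$profile.d (expected false)"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: bash audit_automount.sh --run [/etc/dconf] [local]
if [ "${1:-}" = "--run" ]; then
  check_media_automount "${2:-/etc/dconf}" "${3:-local}"
fi
```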

OR
Run the following command to uninstall the GNOME Desktop Manager package:

# apt purge gdm3

See Also

https://workbench.cisecurity.org/files/4115

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|8.5

Plugin: Unix

Control ID: 6bf6a1f876eb495dc368ff637fb0ec321ed92e74ee4a6537490afabbd27965eb