Information
The autorun-never setting allows the GNOME Display Manager (GDM) to disable autorun for removable media.
By using the lockdown mode in dconf, you can prevent users from changing specific settings.
Malware on removable media may take advantage of autorun features to execute as soon as the media is inserted into a system.
Unless the system settings are locked down, user settings take precedence over the system settings.
Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
Solution
1. Create or edit the file /etc/dconf/profile/user and add the following lines if they do not exist (user-db:user must be the first line, since dconf writes user changes to the first database listed):
user-db:user
system-db:local
Example:
#!/usr/bin/env bash
{
# Profile directory and the 'user' profile that GDM sessions read
l_dir="/etc/dconf/profile"
[ ! -d "$l_dir" ] && mkdir "$l_dir"
# Append user-db:user when it is not already present
! grep -Psq '^\h*user-db:user\b' "$l_dir/user" && \
printf '%s\n' "" "user-db:user" >> "$l_dir/user"
# Insert system-db:local directly after the user-db:user line when it is missing
! grep -Psq '^\h*system-db:local\b' "$l_dir/user" && \
sed -ri '/^\s*user-db:user/a system-db:local' "$l_dir/user"
}
2. Run the following command to create the /etc/dconf/db/local.d/ and /etc/dconf/db/local.d/locks/ directories if either does not exist:
# [ ! -d "/etc/dconf/db/local.d/locks/" ] && mkdir -p /etc/dconf/db/local.d/locks/
3. Create or edit a file in /etc/dconf/db/local.d/locks/ and add the following line:
/org/gnome/desktop/media-handling/autorun-never
Example:
# printf '%s\n' "" "/org/gnome/desktop/media-handling/autorun-never" >> \
/etc/dconf/db/local.d/locks/60-media-autorun
4. Run the following script to comment out any incorrect settings in a local system-wide database keyfile:
#!/usr/bin/env bash
{
# Look for 'autorun-never=false' (any case) in every keyfile directly under /etc/dconf/db/*.d/
l_parameter="autorun-never=" l_value="false"
while IFS= read -r -d $'\0' l_file; do
# When a keyfile carries the wrong value, comment out its autorun-never= lines
grep -Psiq -- "^\h*$l_parameter$l_value(\b|\h*$)" "$l_file" && \
sed -ri '/^\s*'"$l_parameter"'/s/^/# /g' "$l_file"
done < <(find /etc/dconf/db -mindepth 2 -maxdepth 2 -type f -print0)
}
5. Create or edit a local keyfile for machine-wide settings in /etc/dconf/db/local.d/ with the following lines:
[org/gnome/desktop/media-handling]
autorun-never=true
Example script:
#!/usr/bin/env bash
{
# Keyfile that will hold the machine-wide media-handling settings
l_file="/etc/dconf/db/local.d/60-media-autorun"
a_keyfile=("[org/gnome/desktop/media-handling]" "autorun-never=true")
# If the group header already exists, add or correct the key under it
if grep -Psq -- '^\h*\[org\/gnome\/desktop\/media-handling\]' "$l_file"; then
! grep -Psiq -- '^\h*autorun-never=true\b' "$l_file" && \
sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a autorun-never=true' "$l_file"
grep -Psiq -- '^\h*autorun-never=false\b' "$l_file" && \
sed -ri 's/^\s*(autorun-never=)(false).*$/\1true/' "$l_file"
# Otherwise append the whole group with the correct value
else
printf '%s\n' "" "${a_keyfile[@]}" >> "$l_file"
fi
}
6. Run the following command to update the dconf databases:
# dconf update
Note: Users must log out and back in again before the system-wide settings take effect.
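The six steps above folded into one idempotent script with a matching audit check, added here as an example; it is not the benchmark's own remediation script. DCONF_ROOT, remediate_autorun and audit_autorun are names chosen for this example: DCONF_ROOT defaults to /etc/dconf and can be pointed at a scratch directory to dry-run the logic before running it as root on a live host. It uses grep -E rather than the grep -P of the scripts above so it also runs on grep builds without PCRE.

```shell
#!/usr/bin/env bash
# Added example (not part of the benchmark text): the six remediation steps
# as idempotent functions plus an audit. DCONF_ROOT is a hypothetical variable
# (default /etc/dconf) so the logic can be exercised against a scratch tree.
set -u

DCONF_ROOT="${DCONF_ROOT:-/etc/dconf}"
KEYFILE_NAME="60-media-autorun"
KEY_PATH="/org/gnome/desktop/media-handling/autorun-never"

# Step 1: the 'user' profile must list the writable user db first, then the
# system db 'local'. If either line is missing the file is rewritten so the
# order is right; any other lines are preserved after them.
configure_profile() {
    local profile="$DCONF_ROOT/profile/user" tmp
    mkdir -p "$DCONF_ROOT/profile"
    [ -f "$profile" ] || : > "$profile"
    if ! grep -Eq '^[[:space:]]*user-db:user([[:space:]]|$)' "$profile" ||
       ! grep -Eq '^[[:space:]]*system-db:local([[:space:]]|$)' "$profile"; then
        tmp="$(mktemp)"
        {
            printf '%s\n' "user-db:user" "system-db:local"
            grep -Ev '^[[:space:]]*(user-db:user|system-db:local)([[:space:]]|$)' "$profile" || true
        } > "$tmp"
        mv "$tmp" "$profile"
    fi
}

# Steps 2 and 3: lock the key so a per-user value cannot override it.
configure_lock() {
    local lockdir="$DCONF_ROOT/db/local.d/locks" lockfile
    lockfile="$lockdir/$KEYFILE_NAME"
    mkdir -p "$lockdir"
    [ -f "$lockfile" ] || : > "$lockfile"
    grep -Fxq "$KEY_PATH" "$lockfile" || printf '%s\n' "$KEY_PATH" >> "$lockfile"
}

# Step 4: comment out 'autorun-never=false' (any case) in every keyfile that
# sits directly under $DCONF_ROOT/db/*.d/, so no system db re-enables autorun.
disable_wrong_values() {
    local f tmp
    for f in "$DCONF_ROOT"/db/*/*; do
        [ -f "$f" ] || continue
        if grep -Eiq '^[[:space:]]*autorun-never=false([[:space:]]|$)' "$f"; then
            tmp="$(mktemp)"
            sed -E 's/^([[:space:]]*autorun-never=[Ff][Aa][Ll][Ss][Ee])/# \1/' "$f" > "$tmp"
            mv "$tmp" "$f"
        fi
    done
}

# Step 5: ensure the local keyfile carries autorun-never=true under the
# media-handling group: insert it after an existing header, else append a group.
configure_keyfile() {
    local keyfile="$DCONF_ROOT/db/local.d/$KEYFILE_NAME" tmp
    mkdir -p "$DCONF_ROOT/db/local.d"
    if [ -f "$keyfile" ] &&
       grep -Eq '^[[:space:]]*\[org/gnome/desktop/media-handling]' "$keyfile"; then
        if ! grep -Eq '^[[:space:]]*autorun-never=true([[:space:]]|$)' "$keyfile"; then
            tmp="$(mktemp)"
            awk '{ print }
                 /^[ \t]*\[org\/gnome\/desktop\/media-handling]/ && !inserted {
                     print "autorun-never=true"; inserted = 1
                 }' "$keyfile" > "$tmp"
            mv "$tmp" "$keyfile"
        fi
    else
        printf '%s\n' "" "[org/gnome/desktop/media-handling]" "autorun-never=true" >> "$keyfile"
    fi
}

# Step 6: compile the text keyfiles into the binary db that sessions read.
# Only meaningful on the real tree; users still have to log out and back in.
update_database() {
    if [ "$DCONF_ROOT" = "/etc/dconf" ] && command -v dconf >/dev/null 2>&1; then
        dconf update
    fi
}

remediate_autorun() {
    configure_profile
    configure_lock
    disable_wrong_values
    configure_keyfile
    update_database
}

# Audit: profile present, key set to true in the local keyfile, key locked,
# and no uncommented 'autorun-never=false' left in any system-wide keyfile.
audit_autorun() {
    local keyfile="$DCONF_ROOT/db/local.d/$KEYFILE_NAME"
    [ -f "$keyfile" ] &&
    grep -Eq '^[[:space:]]*user-db:user([[:space:]]|$)' "$DCONF_ROOT/profile/user" 2>/dev/null &&
    grep -Eq '^[[:space:]]*autorun-never=true([[:space:]]|$)' "$keyfile" &&
    grep -Fxq "$KEY_PATH" "$DCONF_ROOT/db/local.d/locks/$KEYFILE_NAME" 2>/dev/null &&
    ! grep -Eiqr '^[[:space:]]*autorun-never=false' "$DCONF_ROOT/db" 2>/dev/null
}

case "${1:-}" in
    apply) remediate_autorun && audit_autorun ;;
    audit) audit_autorun ;;
esac
```

Run it as root with `apply` to remediate and re-check, or with `audit` alone to report the state (exit status 0 means compliant). Pointing DCONF_ROOT at a temporary directory shows exactly which files would change without touching the host; on the live tree the final `dconf update` is what makes the lock and the value visible to new sessions.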