1.8.18 Ensure graphical user interface automounter is disabled - automount

Information

The Linux operating system must disable the graphical user interface automounter unless required.

Rationale:

Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.

Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227

Solution

Configure the graphical user interface to disable the ability to automount devices.
Note: The example below is using the database 'local' for the system, so the path is '/etc/dconf/db/local.d'. This path must be modified if a database other than 'local' is being used.
Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following:

[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true

Create or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:

/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open
/org/gnome/desktop/media-handling/autorun-never

Run the following command to update the database:

# dconf update

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-3, CCI|CCI-000366, CCI|CCI-000778, CCI|CCI-001958, CSCv7|8.5, Rule-ID|SV-219059r603261_rule, STIG-ID|RHEL-07-020111

Plugin: Unix

Control ID: c646e820dbd0c9fde57247b6b4b03da1fe1fcd1d4d39d820f2772961e6b0a8b6