1.8.8 Ensure GDM autorun-never is enabled

Information

The autorun-never setting disables the automatic running of software from removable media in GNOME sessions. Setting it in the system dconf database that the GNOME Display Manager (GDM) loads applies it to all GDM users.

Rationale:

Malware on removable media can use autorun features to execute automatically as soon as the media is inserted into a system.

Solution

Run the following script to set autorun-never to true for GDM users:

#!/usr/bin/env bash

{
   l_pkgoutput=""
   l_gpname="local" # Set to desired dconf profile name (default is local)
   # Check if GNOME Desktop Manager is installed. If the package isn't installed, the recommendation is Not Applicable

   # determine system's package manager
   if command -v dpkg-query > /dev/null 2>&1; then
      l_pq="dpkg-query -W"
   elif command -v rpm > /dev/null 2>&1; then
      l_pq="rpm -q"
   fi
   # Check if GDM is installed
   l_pcl="gdm gdm3" # Space separated list of packages to check
   for l_pn in $l_pcl; do
      $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
   done
   # Check configuration (If applicable)
   if [ -n "$l_pkgoutput" ]; then
      echo -e "$l_pkgoutput"
      # Look for an existing autorun-never entry in any dconf system database and set variables if found
      l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)"
      # Set profile name based on dconf db directory ({PROFILE_NAME}.d)
      if [ -f "$l_kfile" ]; then
         l_gpname="$(awk -F/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
         echo " - updating dconf profile name to \"$l_gpname\""
      fi
      [ ! -f "$l_kfile" ] && l_kfile="/etc/dconf/db/$l_gpname.d/00-media-autorun"
      # Check if a profile already loads this system database
      if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
         echo -e "\n - dconf database profile exists in: \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\""
      else
         [ ! -f "/etc/dconf/profile/user" ] && l_gpfile="/etc/dconf/profile/user" || l_gpfile="/etc/dconf/profile/user2"
         echo -e " - creating dconf database profile"
         {
            echo -e "\nuser-db:user"
            echo "system-db:$l_gpname"
         } >> "$l_gpfile"
      fi
      # create dconf directory if it doesn't exist
      l_gpdir="/etc/dconf/db/$l_gpname.d"
      if [ -d "$l_gpdir" ]; then
         echo " - The dconf database directory \"$l_gpdir\" exists"
      else
         echo " - creating dconf database directory \"$l_gpdir\""
         mkdir "$l_gpdir"
      fi
      # check autorun-never setting
      if grep -Pqs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then
         echo " - \"autorun-never\" is set to true in: \"$l_kfile\""
      else
         echo " - creating or updating \"autorun-never\" entry in \"$l_kfile\""
         if grep -Psq -- '^\h*autorun-never' "$l_kfile"; then
            # key present with another value: replace the value, keep any trailing text
            sed -ri 's/(^\s*autorun-never\s*=\s*)(\S+)(\s*.*)$/\1true \3/' "$l_kfile"
         else
            # add the [org/gnome/desktop/media-handling] group header if it is missing, then the key right after it
            ! grep -Psq -- '^\h*\[org\/gnome\/desktop\/media-handling\]\h*$' "$l_kfile" && echo "[org/gnome/desktop/media-handling]" >> "$l_kfile"
            sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]\s*$/a autorun-never=true' "$l_kfile"
         fi
      fi
   else
      echo -e "\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
   fi
   # update dconf database
   dconf update
}
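As an added example (not the benchmark's own audit script), the following check verifies the two things the remediation leaves behind: a key file under the dconf database directory that sets autorun-never=true inside the [org/gnome/desktop/media-handling] group, and a profile that loads that system database. The dconf root is passed as a parameter (an assumption made here so the check can be exercised against a constructed directory tree; use /etc/dconf on a live host).

```shell
#!/usr/bin/env bash
# Added audit helper; not from the CIS/Tenable page. It verifies what the
# remediation script leaves behind: a key file under <dconf_root>/db/<name>.d/
# that sets autorun-never=true inside [org/gnome/desktop/media-handling], and a
# profile under <dconf_root>/profile/ that loads that system-db. <dconf_root>
# is an assumed parameter (use /etc/dconf on a live host) so the same function
# can be exercised against a constructed tree. Returns 0 if compliant, else 1.
check_autorun_never() {
  root="$1"
  for f in "$root"/db/*.d/*; do
    [ -f "$f" ] || continue
    # Track the current [group] so the key only counts inside media-handling
    awk '
      /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]+|[ \t]+$/, "", sec) }
      /^[ \t]*autorun-never[ \t]*=[ \t]*true([ \t]|$)/ &&
        sec == "[org/gnome/desktop/media-handling]" { found = 1 }
      END { if (found) exit 0; exit 1 }
    ' "$f" || continue
    # db name is the directory name minus its ".d" suffix (local.d -> local)
    db="$(basename "$(dirname "$f")" .d)"
    # The key is inert unless some profile loads that system-db
    grep -Eqs -- "^[[:space:]]*system-db:${db}([[:space:]]|$)" "$root"/profile/* && return 0
  done
  return 1
}

# Constructed test fixture: make_tree <root> <value> [yes|no profile]
make_tree() {
  root="$1"; value="$2"; with_profile="${3:-yes}"
  mkdir -p "$root/db/local.d" "$root/profile"
  printf '[org/gnome/desktop/media-handling]\nautorun-never=%s\n' "$value" \
    > "$root/db/local.d/00-media-autorun"
  if [ "$with_profile" = yes ]; then
    printf 'user-db:user\nsystem-db:local\n' > "$root/profile/user"
  fi
}

# Demo on constructed trees (touches nothing under the real /etc/dconf)
t="$(mktemp -d)"
make_tree "$t/ok" true
make_tree "$t/bad" false
check_autorun_never "$t/ok"  && echo "ok tree: autorun-never=true is in effect"
check_autorun_never "$t/bad" || echo "bad tree: autorun-never not enforced"
rm -rf "$t"
```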

Default Value:

false

See Also

https://workbench.cisecurity.org/benchmarks/15286

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|8.5

Plugin: Unix

Control ID: 05af4cc7a7c015f677cb4b258b4d7eed0222f22362963c01a5da93a40a8e240d