1.8.4 Ensure GDM automount is configured

Information

By default GNOME automatically mounts removable media when inserted as a convenience to the user.

By using the lockdown mode in dconf, you can prevent users from changing specific settings.

With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available on the system even if they lacked the permissions to mount it themselves.

Without locking down the system settings, user settings take precedence over the system settings.

Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227

Solution

1. Create or edit the file /etc/dconf/profile/user and add the following lines if they do not exist:

user-db:user
system-db:local

Example:

#!/usr/bin/env bash

{
l_dir="/etc/dconf/profile"
[ ! -d "$l_dir" ] && mkdir -p "$l_dir"
# Append user-db:user if missing, then insert system-db:local directly after it
! grep -Psq '^\h*user-db:user\b' "$l_dir/user" && \
printf '%s\n' "" "user-db:user" >> "$l_dir/user"
! grep -Psq '^\h*system-db:local\b' "$l_dir/user" && \
sed -ri '/^\s*user-db:user/a system-db:local' "$l_dir/user"
}

2. Run the following command to create the /etc/dconf/db/local.d/ and /etc/dconf/db/local.d/locks/ directories if either does not exist:

# [ ! -d "/etc/dconf/db/local.d/locks/" ] && mkdir -p /etc/dconf/db/local.d/locks/

3. Create or edit a file in /etc/dconf/db/local.d/locks/ and add the following lines:

/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open

Example:

# printf '%s\n' "" "/org/gnome/desktop/media-handling/automount" \
"/org/gnome/desktop/media-handling/automount-open" >> \
/etc/dconf/db/local.d/locks/60-media-automount

4. Run the following script to comment out any incorrect settings in a local system-wide database keyfile:

#!/usr/bin/env bash

{
# Comment out every "<parameter><value>" line (e.g. automount=true) in each
# keyfile one level below /etc/dconf/db/*.d; lock files sit deeper and are untouched
f_key_file_fix()
{
while IFS= read -r -d $'\0' l_file; do
grep -Psiq -- "^\h*$l_parameter$l_value(\b|\h*$)" "$l_file" && \
sed -ri '/^\s*'"$l_parameter"'/s/^/# /g' "$l_file"
done < <(find /etc/dconf/db -mindepth 2 -maxdepth 2 -type f -print0)
}
l_parameter="automount=" l_value="true"; f_key_file_fix
l_parameter="automount-open=" l_value="true"; f_key_file_fix
}

5. Create or edit a local keyfile for machine-wide settings in /etc/dconf/db/local.d/ with the following lines:

[org/gnome/desktop/media-handling]
automount=false
automount-open=false

Example script:

#!/usr/bin/env bash

{
l_file="/etc/dconf/db/local.d/60-media-automount"
a_keyfile=("[org/gnome/desktop/media-handling]" "automount=false" "automount-open=false")
if grep -Psq -- '^\h*\[org\/gnome\/desktop\/media-handling\]' "$l_file"; then
# Section already present: insert any missing key directly below the section header
! grep -Psiq -- '^\h*automount-open=false\b' "$l_file" && \
sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a automount-open=false' "$l_file"
! grep -Psiq -- '^\h*automount=false\b' "$l_file" && \
sed -ri '/^\s*\[org\/gnome\/desktop\/media-handling\]/a automount=false' "$l_file"
# and rewrite any remaining "true" values to "false"
grep -Psiq -- '^\h*automount=true\b' "$l_file" && \
sed -ri 's/^\s*(automount=)(true).*$/\1false/' "$l_file"
grep -Psiq -- '^\h*automount-open=true\b' "$l_file" && \
sed -ri 's/^\s*(automount-open=)(true).*$/\1false/' "$l_file"
else
# Section missing (or file absent): append the whole section
printf '%s\n' "" "${a_keyfile[@]}" >> "$l_file"
fi
}

6. Run the following command to update the dconf databases:

# dconf update

Note: Users must log out and back in again before the system-wide settings take effect.
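The following audit helper is an added example, not part of the benchmark text or a CIS-supplied script: it checks that each artifact the six steps leave behind (the profile entries, the lock entries and the keyfile values) is present, so a drift in any one of them is reported. The root-directory argument is an assumption made so the check can be run against a copied /etc tree as well as the live system.

```shell
#!/usr/bin/env bash
# Added audit helper; not part of the benchmark. It checks the artifacts the
# remediation steps leave behind: the user profile, the lock entries and the
# local keyfile values. ROOT is an assumption so the check can run against a
# copied tree; pass "/" (or nothing) for the live system.

# Print the keyfiles under ROOT/etc/dconf/db/*.d (one level down, so lock files
# are excluded, matching the find in step 4) containing a line that matches $2.
keyfiles_matching() {
    find "$1" -mindepth 2 -maxdepth 2 -type f -exec grep -lsiE "$2" {} \; 2>/dev/null
}

dconf_automount_audit() {
    local root profile db locks rc key bad
    root="${1%/}"                       # "/" and "" both mean the live system
    profile="$root/etc/dconf/profile/user"
    db="$root/etc/dconf/db"
    locks="$db/local.d/locks"
    rc=0

    # Step 1: the user profile must read the user database, then the local system one.
    grep -qsE '^[[:blank:]]*user-db:user([[:blank:]]|$)' "$profile" \
        || { echo "FAIL: user-db:user missing from $profile"; rc=1; }
    grep -qsE '^[[:blank:]]*system-db:local([[:blank:]]|$)' "$profile" \
        || { echo "FAIL: system-db:local missing from $profile"; rc=1; }

    for key in automount automount-open; do
        # Step 3: each key must be locked, or a user setting would override it.
        grep -qsrE "^[[:blank:]]*/org/gnome/desktop/media-handling/$key[[:blank:]]*$" "$locks" \
            || { echo "FAIL: $key is not locked under $locks"; rc=1; }
        # Step 5: some local keyfile must set the key to false ...
        [ -n "$(keyfiles_matching "$db" "^[[:blank:]]*$key=false[[:blank:]]*$")" ] \
            || { echo "FAIL: $key=false is not set in any keyfile under $db"; rc=1; }
        # Step 4: ... and no keyfile may still carry an uncommented true value.
        bad=$(keyfiles_matching "$db" "^[[:blank:]]*$key=true[[:blank:]]*$") || true
        [ -z "$bad" ] || { echo "FAIL: $key=true still set in: $bad"; rc=1; }
    done

    [ "$rc" -eq 0 ] && echo "PASS: GDM automount is disabled and locked down"
    return "$rc"
}
```

Run `dconf_automount_audit /` as root on the live system after `dconf update`; a zero exit status means every piece is in place, and each FAIL line names the step to revisit.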

Impact:

The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations, and physical access controls to workstations are considered adequate, there is little added value in turning off automounting.

See Also

https://workbench.cisecurity.org/benchmarks/23602

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|8.5

Plugin: Unix

Control ID: 17a2e210f80e0bfd13243bcd41b0868c2419e49c844a68746fbf97b42d6bb9b6