Detections
Analytics

1.8.9 Ensure GDM autorun-never is not overridden

Information

The autorun-never setting allows the GNOME Desktop Display Manager to disable autorun through GDM.

By using the lockdown mode in dconf, you can prevent users from changing specific settings.

To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.

Example Lock File:

# Lock desktop media-handling settings
/org/gnome/desktop/media-handling/autorun-never

Malware on removable media may take advantage of Autorun features when the media is inserted into a system and execute.

Solution

Run the following script to ensure that autorun-never=true cannot be overridden:

#!/usr/bin/env bash

{
 # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
 # determine system's package manager
 l_pkgoutput=""
 if command -v dpkg-query > /dev/null 2>&1; then
 l_pq="dpkg-query -W"
 elif command -v rpm > /dev/null 2>&1; then
 l_pq="rpm -q"
 fi
 # Check if GDM is installed
 l_pcl="gdm gdm3" # Space separated list of packages to check
 for l_pn in $l_pcl; do
 $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - remediating configuration if needed"
 done
 # Check configuration (If applicable)
 if [ -n "$l_pkgoutput" ]; then
 # Look for autorun to determine profile in use, needed for remaining tests
 l_kfd="/etc/dconf/db/$(grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
 if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
 if grep -Priq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then
 echo " - \"autorun-never\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd")\""
 else
 echo " - creating entry to lock \"autorun-never\""
 [ ! -d "$l_kfd"/locks ] && echo "creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
 {
 echo -e '\n# Lock desktop media-handling autorun-never setting'
 echo '/org/gnome/desktop/media-handling/autorun-never'
 } >> "$l_kfd"/locks/00-media-autorun
 fi
 else
 echo -e " - \"autorun-never\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM autorun-never is enabled\" and follow this Recommendation again"
 fi
 # update dconf database
 dconf update
 else
 echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
 fi
}

See Also

https://workbench.cisecurity.org/benchmarks/21095

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|8.5

Plugin: Unix

Control ID: 2afab081d43217b6717aa95f137bea0071432b03b38946ed192a0d2a0c2c6c66