1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden

Information

By default, GNOME automatically mounts removable media when it is inserted, as a convenience to the user.

By using the lockdown mode in dconf, you can prevent users from changing specific settings.

To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.

Example Lock File:

# Lock desktop media-handling settings
/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open

Rationale:

With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available on the system, even if they lacked the permissions to mount it themselves.

Impact:

The use of portable hard drives is very common for workstation users.

Solution

Run the following script to lock the setting that disables automatic mounting of media for all GNOME users:

#!/usr/bin/env bash

{
   # Check if GNOME Desktop Manager is installed. If the package isn't installed, the recommendation is Not Applicable

   # determine system's package manager
   l_pkgoutput=""
   if command -v dpkg-query > /dev/null 2>&1; then
      l_pq="dpkg-query -W"
   elif command -v rpm > /dev/null 2>&1; then
      l_pq="rpm -q"
   fi
   # Check if GDM is installed
   l_pcl="gdm gdm3" # Space separated list of packages to check
   for l_pn in $l_pcl; do
      $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - remediating configuration if needed"
   done
   # Check configuration (If applicable)
   if [ -n "$l_pkgoutput" ]; then
      # Look for automount to determine profile in use, needed for remaining tests
      l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" # set directory of key file to be locked
      # Look for automount-open to determine profile in use, needed for remaining tests
      l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" # set directory of key file to be locked
      if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
         # anchored to end of line so an existing "automount-open" lock is not mistaken for an "automount" lock
         if grep -Priq '^\h*/org/gnome/desktop/media-handling/automount\h*$' "$l_kfd"; then
            echo " - \"automount\" is locked in \"$(grep -Pril '^\h*/org/gnome/desktop/media-handling/automount\h*$' "$l_kfd")\""
         else
            echo " - creating entry to lock \"automount\""
            [ ! -d "$l_kfd"/locks ] && echo "creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
            {
               echo -e '\n# Lock desktop media-handling automount setting'
               echo '/org/gnome/desktop/media-handling/automount'
            } >> "$l_kfd"/locks/00-media-automount
         fi
      else
         echo -e " - \"automount\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM automatic mounting of removable media is disabled\" and follow this Recommendation again"
      fi
      if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked
         if grep -Priq '^\h*/org/gnome/desktop/media-handling/automount-open\h*$' "$l_kfd2"; then
            echo " - \"automount-open\" is locked in \"$(grep -Pril '^\h*/org/gnome/desktop/media-handling/automount-open\h*$' "$l_kfd2")\""
         else
            echo " - creating entry to lock \"automount-open\""
            [ ! -d "$l_kfd2"/locks ] && echo "creating directory $l_kfd2/locks" && mkdir "$l_kfd2"/locks
            {
               echo -e '\n# Lock desktop media-handling automount-open setting'
               echo '/org/gnome/desktop/media-handling/automount-open'
            } >> "$l_kfd2"/locks/00-media-automount
         fi
      else
         echo -e " - \"automount-open\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM automatic mounting of removable media is disabled\" and follow this Recommendation again"
      fi
      # update dconf database so the new lock takes effect
      dconf update
   else
      echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
   fi
}
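The following audit helper is added here as an example; it is not part of the CIS benchmark or the remediation script above. Given a dconf system database directory such as /etc/dconf/db/local.d, it reports whether a key is set in a keyfile and whether it is pinned by a file under locks/, using anchored patterns so that "automount" is never confused with "automount-open"; the directory, file names and values in the demo are constructed.

```shell
#!/usr/bin/env sh
# Audit helper (added example, not CIS code). Reports, for a dconf database
# directory DIR (e.g. /etc/dconf/db/local.d), whether KEYPATH is set in a
# keyfile and whether it is locked in DIR/locks/*. Patterns are anchored so
# a bare "automount" never matches "automount-open".

# key_is_set DIR GROUP NAME: true if NAME= appears under [GROUP] in a keyfile
key_is_set() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    awk -v g="[$2]" -v k="$3" '
      /^\[/ { ing = ($0 == g); next }
      ing && $0 ~ ("^[ \t]*" k "[ \t]*=") { found = 1 }
      END { exit !found }' "$f" && return 0
  done
  return 1
}

# key_is_locked DIR KEYPATH: true if KEYPATH is listed, alone on a line, in DIR/locks/*
key_is_locked() {
  [ -d "$1/locks" ] || return 1
  grep -qsE "^[[:blank:]]*$2[[:blank:]]*\$" "$1"/locks/*
}

# dconf_key_state DIR KEYPATH: prints "set=y|n locked=y|n"
dconf_key_state() {
  key="$2"; name="${key##*/}"; group="${key#/}"; group="${group%/*}"
  s=n; l=n
  key_is_set "$1" "$group" "$name" && s=y
  key_is_locked "$1" "$key" && l=y
  echo "set=$s locked=$l"
}

# Constructed demo database: both keys set to false, only automount-open locked.
demo() {
  t="$(mktemp -d)"; mkdir -p "$t/local.d/locks"
  printf '[org/gnome/desktop/media-handling]\nautomount=false\nautomount-open=false\n' \
    > "$t/local.d/00-media-automount"
  printf '/org/gnome/desktop/media-handling/automount-open\n' \
    > "$t/local.d/locks/00-media-automount"
  dconf_key_state "$t/local.d" /org/gnome/desktop/media-handling/automount       # set=y locked=n
  dconf_key_state "$t/local.d" /org/gnome/desktop/media-handling/automount-open  # set=y locked=y
  rm -rf "$t"
}
demo
```

Run it against the real database directory with `dconf_key_state /etc/dconf/db/local.d /org/gnome/desktop/media-handling/automount` after `dconf update`; anything other than `set=y locked=y` means this recommendation is not yet met.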

See Also

https://workbench.cisecurity.org/benchmarks/13775

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7

Plugin: Unix

Control ID: fbb4560f5ae9841e80fca7e45d8e27d2fe2747268be6eba1200d4acb38ea131d