Information
Managing automatic actions, while useful in very few situations, is unlikely to increase security on the computer, complicates the user experience, and adds complexity to the configuration. These settings are user controlled and can be changed without Administrator privileges unless controlled through MCX settings or Parental Controls. Unlike Windows Auto-run, optical media is accessed through operating system applications, and those same applications can open and access the media directly. If optical media is not allowed in the environment, the optical media drive should be disabled in hardware and software.
Rationale:
Setting automatic actions for optical media can help prevent malicious code from running automatically when optical media is inserted.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Perform the following to set the optical media action setting:
Graphical Method:
Open System Preferences
Select CDs & DVDs
Set each option to meet your organization's requirements
Terminal Method:
Run the following command to set the optical media action:
$ sudo -u <username> defaults write /Users/<username>/Library/Preferences/com.apple.digihub <what type of media> -dict action <preferred action>
Example:
$ sudo -u seconduser defaults write /Users/seconduser/Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1
The five media types are com.apple.digihub.blank.cd.appeared (blank CD), com.apple.digihub.blank.dvd.appeared (blank DVD), com.apple.digihub.cd.music.appeared (music CD), com.apple.digihub.cd.picture.appeared (picture CD), and com.apple.digihub.dvd.video.appeared (DVD movie).
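An added example, not part of the benchmark or the audit itself: a shell script that applies one action value to all five media types listed above for a single user, using the same defaults write form as the Terminal Method. The function names and the DRY_RUN variable are assumptions made for this example; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: the five keys and the command form come from the page;
# function names and DRY_RUN are hypothetical.

DIGIHUB_KEYS="com.apple.digihub.blank.cd.appeared
com.apple.digihub.blank.dvd.appeared
com.apple.digihub.cd.music.appeared
com.apple.digihub.cd.picture.appeared
com.apple.digihub.dvd.video.appeared"

# Accept only plain short names and non-negative integers, so neither
# value can change the shape of the command that sudo runs.
valid_user()   { case "$1" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac; }
valid_action() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Print the five commands for user $1 and action $2, one per line.
digihub_commands() {
    valid_user "$1" && valid_action "$2" || return 2
    for key in $DIGIHUB_KEYS; do
        printf 'sudo -u %s defaults write /Users/%s/Library/Preferences/com.apple.digihub %s -dict action %s\n' \
            "$1" "$1" "$key" "$2"
    done
}

# Print the commands (DRY_RUN=1, the default) or run them (DRY_RUN=0).
set_optical_media_action() {
    cmds=$(digihub_commands "$1" "$2") || {
        echo "invalid username or action" >&2
        return 2
    }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    for key in $DIGIHUB_KEYS; do
        sudo -u "$1" defaults write \
            "/Users/$1/Library/Preferences/com.apple.digihub" \
            "$key" -dict action "$2" || return 1
    done
}

# Stand-alone use: ./script.sh <username> <preferred action>
if [ "$#" -eq 2 ]; then
    set_optical_media_action "$1" "$2"
fi
```

Review the printed commands first, then rerun with DRY_RUN=0 on the target Mac to apply them.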
Item Details
Category: CONFIGURATION MANAGEMENT, MEDIA PROTECTION, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|MP-7, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|9.2
Control ID: d67f0e960da1b5683daaff827a695276586dc9c60b0d90c84119733000dd51e5