1.7.9 Ensure GDM autorun-never is not overridden

Information

The autorun-never setting allows the GNOME Desktop Display Manager to disable autorun through GDM.

By using the lockdown mode in dconf, you can prevent users from changing specific settings.

To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.

Malware on removable media may take advantage of Autorun features when the media is inserted into a system and execute.

Solution

- To prevent the user from overriding these settings, create the file /etc/dconf/db/local.d/locks/00-media-autorun with the following content:

/org/gnome/desktop/media-handling/autorun-never

- Update the system databases:

# dconf update

Note:

- A user profile must exist in order to apply locks.
- Users must log out and back in again before the system-wide settings take effect.
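An audit sketch for the lock described above, added here as an example and not part of the benchmark text: it scans the lock files under each keyfile directory for the autorun-never key or a parent subpath. The function names and the optional database-root argument are assumptions, and the demo tree at the end is constructed.

```shell
#!/bin/sh
# Added audit example. KEY and the directory layout follow the page; the
# function names and the optional db-root argument are assumptions.
KEY=/org/gnome/desktop/media-handling/autorun-never

# Succeeds if $2 is a parent subpath of $1 (dconf writes directory paths
# with a trailing slash).
is_parent_lock() {
    p=${1%/*}
    while [ -n "$p" ]; do
        [ "$2" = "$p/" ] && return 0
        p=${p%/*}
    done
    return 1
}

# Succeeds if a lock file under <root>/*.d/locks/ locks KEY or a parent subpath.
autorun_never_locked() {
    root=${1:-/etc/dconf/db}
    for f in "$root"/*.d/locks/*; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            # Trim surrounding whitespace; skip blank lines and comments.
            line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            case $line in ''|'#'*) continue ;; esac
            if [ "$line" = "$KEY" ] || is_parent_lock "$KEY" "$line"; then
                echo "PASS: $line locked in $f"
                return 0
            fi
        done < "$f"
    done
    echo "FAIL: $KEY is not locked under $root"
    return 1
}

# Constructed demo tree (not a real system): one valid lock file.
demo=$(mktemp -d)
mkdir -p "$demo/local.d/locks"
printf '%s\n' '# lock autorun' "$KEY" > "$demo/local.d/locks/00-media-autorun"
autorun_never_locked "$demo"
rm -rf "$demo"
```

The check reads the source lock files only, so a PASS still depends on `dconf update` having been run afterwards. A lock file written in keyfile style (a `[section]` header followed by `key=value`) contains no key path and is reported as FAIL.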

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|8.5

Plugin: Unix

Control ID: 04f903ba60d1b38f140ccd633735c994e7096c1262d29e8a14af2059d703b650