1.8.5 Ensure automatic mounting of removable media is disabled

Information

By default, GNOME automatically mounts removable media when inserted, as a convenience to the user.

Rationale:

With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available in the system, even if they lacked permissions to mount it themselves.

Impact:

The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations are considered adequate, there is little value added in turning off automounting.

Solution

Ensure that automatic mounting of media is disabled for all GNOME users:

# cat << EOF >> /etc/dconf/db/local.d/00-media-automount
[org/gnome/desktop/media-handling]
automount=false
automount-open=false
EOF

Apply the changes with:

# dconf update
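
To confirm the setting, the following added example (not part of the benchmark text) audits the keyfiles in /etc/dconf/db/local.d and fails if either key is missing or if any file sets it to a value other than false. The function name check_automount and the sample file 99-constructed are assumptions; the script reads keyfiles only, not the compiled database produced by dconf update.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit dconf keyfiles for the two
# media-handling keys set in the Solution above.
# check_automount [DIR] returns 0 only if both keys are present and every
# occurrence is "false". DIR defaults to the keyfile directory from the page.
check_automount() {
    dir="${1:-/etc/dconf/db/local.d}"
    # Collect "key=value file" for each matching key; [ -f ] skips subdirectories.
    found=$(for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*\[/ {                      # section header: track where we are
                s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
                in_sec = (s == "org/gnome/desktop/media-handling"); next
            }
            in_sec && /^[ \t]*automount(-open)?[ \t]*=/ {
                v = $0; gsub(/[ \t]/, "", v)   # normalise "key = value"
                print v " " file
            }' "$f"
    done)
    rc=0
    for key in automount automount-open; do
        vals=$(printf '%s\n' "$found" | grep "^$key=" || true)
        bad=$(printf '%s\n' "$vals" | grep -v "^$key=false " || true)
        if [ -z "$vals" ]; then
            echo "FAIL: $key is not set in $dir"; rc=1
        elif [ -n "$bad" ]; then
            echo "FAIL: $key has a non-false value: $bad"; rc=1
        else
            echo "PASS: $key=false"
        fi
    done
    return "$rc"
}

# Constructed sample input: the Solution's keyfile, then a conflicting file.
demo=$(mktemp -d)
printf '%s\n' '[org/gnome/desktop/media-handling]' 'automount=false' \
    'automount-open=false' > "$demo/00-media-automount"
check_automount "$demo"
printf '%s\n' '[org/gnome/desktop/media-handling]' 'automount=true' > "$demo/99-constructed"
check_automount "$demo" || true
rm -rf "$demo"
```

Any conflicting value is reported together with the file that sets it, so the check does not depend on which keyfile takes precedence.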

See Also

https://workbench.cisecurity.org/files/3811