1.8.6 Ensure GDM automatic mounting of removable media is disabled

Information

By default GNOME automatically mounts removable media when inserted as a convenience to the user.

With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves.

Solution

Run the following script to disable automatic mounting of media for all GNOME users:

#!/usr/bin/env bash

{
l_pkgoutput=""
l_gpname="local" # Set to desired dconf profile name (default is local)
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable

# determine system's package manager
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput
- Package: \"$l_pn\" exists on the system
- checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
# Look for existing settings and set variables if they exist
l_kfile="$(grep -Prils -- '^h*automountb' /etc/dconf/db/*.d)"
l_kfile2="$(grep -Prils -- '^h*automount-openb' /etc/dconf/db/*.d)"
# Set profile name based on dconf db directory ({PROFILE_NAME}.d)
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
echo " - updating dconf profile name to \"$l_gpname\""
elif [ -f "$l_kfile2" ]; then
l_gpname="$(awk -F/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")"
echo " - updating dconf profile name to \"$l_gpname\""
fi
# check for consistency (Clean up configuration if needed)
if [ -f "$l_kfile" ] && [ "$(awk -F/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")" != "$l_gpname" ]; then
sed -ri "/^s*automounts*=/s/^/# /" "$l_kfile"
l_kfile="/etc/dconf/db/$l_gpname.d/00-media-automount"
fi
if [ -f "$l_kfile2" ] && [ "$(awk -F/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")" != "$l_gpname" ]; then
sed -ri "/^s*automount-opens*=/s/^/# /" "$l_kfile2"
fi
[ -z "$l_kfile" ] && l_kfile="/etc/dconf/db/$l_gpname.d/00-media-automount"
# Check if profile file exists
if grep -Pq -- "^h*system-db:$l_gpnameb" /etc/dconf/profile/*; then
echo -e "
- dconf database profile exists in: \"$(grep -Pl -- "^h*system-db:$l_gpnameb" /etc/dconf/profile/*)\""
else
if [ ! -f "/etc/dconf/profile/user" ]; then
l_gpfile="/etc/dconf/profile/user"
else
l_gpfile="/etc/dconf/profile/user2"
fi
echo -e " - creating dconf database profile"
{
echo -e "
user-db:user"
echo "system-db:$l_gpname"
} >> "$l_gpfile"
fi
# create dconf directory if it doesn't exists
l_gpdir="/etc/dconf/db/$l_gpname.d"
if [ -d "$l_gpdir" ]; then
echo " - The dconf database directory \"$l_gpdir\" exists"
else
echo " - creating dconf database directory \"$l_gpdir\""
mkdir "$l_gpdir"
fi
# check automount-open setting
if grep -Pqs -- '^h*automount-openh*=h*falseb' "$l_kfile"; then
echo " - \"automount-open\" is set to false in: \"$l_kfile\""
else
echo " - creating \"automount-open\" entry in \"$l_kfile\""
! grep -Psq -- '^h*[org/gnome/desktop/media-handling]b' "$l_kfile" && echo '[org/gnome/desktop/media-handling]' >> "$l_kfile"
sed -ri '/^s*[org/gnome/desktop/media-handling]/a \nautomount-open=false' "$l_kfile"
fi
# check automount setting
if grep -Pqs -- '^h*automounth*=h*falseb' "$l_kfile"; then
echo " - \"automount\" is set to false in: \"$l_kfile\""
else
echo " - creating \"automount\" entry in \"$l_kfile\""
! grep -Psq -- '^h*[org/gnome/desktop/media-handling]b' "$l_kfile" && echo '[org/gnome/desktop/media-handling]' >> "$l_kfile"
sed -ri '/^s*[org/gnome/desktop/media-handling]/a \nautomount=false' "$l_kfile"
fi
# update dconf database
dconf update
else
echo -e "
- GNOME Desktop Manager package is not installed on the system
- Recommendation is not applicable"
fi
}

OR

Run the following command to uninstall the GNOME desktop Manager package:

# dnf remove gdm

Impact:

The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting.

See Also

https://workbench.cisecurity.org/benchmarks/15288

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|8.5

Plugin: Unix

Control ID: 650bb366de5f49dc84efb2509705698af3769e0fcad05eb193bb6c88ac9c6b7a