1.7.8 Ensure GDM autorun-never is enabled

Information

The autorun-never setting allows the GNOME Desktop Display Manager to disable autorun through GDM.

Malware on removable media may take advantage of Autorun features when the media is inserted into a system and execute.

Solution

- IF - A user profile exists, run the following command to set autorun-never to true for GDM users:

# gsettings set org.gnome.desktop.media-handling autorun-never true

Note:

- gsettings commands in this section MUST be done from a command window on a graphical desktop or an error will be returned.
- The system must be restarted after all gsettings configurations have been set in order for CIS-CAT Assessor to appropriately assess.

- OR/IF - A user profile does not exist:

- create the file /etc/dconf/db/local.d/locks/00-media-autorun with the following content:

[org/gnome/desktop/media-handling]
autorun-never=true

- Update the system databases:

# dconf update

Note: Users must log out and back in again before the system-wide settings take effect.
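A way to confirm the file-based remediation above, as an added example that is not part of the benchmark text: the function parses a dconf keyfile and passes only when autorun-never=true appears inside the [org/gnome/desktop/media-handling] section. The name check_autorun_never is hypothetical, the default path is the one given above, and the check reads the file only, so dconf update must still have been run.

```shell
#!/bin/sh
# Added example: audit a dconf keyfile for autorun-never=true.
# Assumption: check_autorun_never is a hypothetical helper name; the default
# path is the file named in the remediation above.

check_autorun_never() {
    keyfile="${1:-/etc/dconf/db/local.d/locks/00-media-autorun}"
    [ -r "$keyfile" ] || { echo "FAIL: $keyfile not readable"; return 2; }

    # Walk the keyfile: track the current [section], skip comments and blank
    # lines, and keep the last value assigned to autorun-never inside the
    # media-handling section only.
    value=$(awk '
        /^[ \t]*(#|$)/ { next }
        /^[ \t]*\[.*\][ \t]*$/ {
            gsub(/^[ \t]*\[|\][ \t]*$/, "")
            section = $0
            next
        }
        section == "org/gnome/desktop/media-handling" {
            split_at = index($0, "=")
            if (split_at == 0) next
            key = substr($0, 1, split_at - 1)
            val = substr($0, split_at + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "autorun-never") found = val
        }
        END { print found }
    ' "$keyfile")

    if [ "$value" = "true" ]; then
        echo "PASS: autorun-never=true in $keyfile"
        return 0
    fi
    echo "FAIL: autorun-never is '${value:-unset}' in $keyfile"
    return 1
}
```

Return codes: 0 when the setting is present and true, 1 when it is missing, false, or in another section, 2 when the file cannot be read.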

See Also

https://workbench.cisecurity.org/benchmarks/18959

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|8.5

Plugin: Unix

Control ID: 801d53905f3978968f62151706578ed691339f5e6449ed752da33490c6af8ac8