1.7.6 Ensure GDM automatic mounting of removable media is disabled

Information

By default GNOME automatically mounts removable media when inserted as a convenience to the user.

With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available in the system, even if they lacked permissions to mount it themselves.

Solution

- IF - A user profile exists, run the following commands to ensure automatic mounting is disabled:

# gsettings set org.gnome.desktop.media-handling automount false
# gsettings set org.gnome.desktop.media-handling automount-open false

Note:

- gsettings commands in this section MUST be done from a command window on a graphical desktop or an error will be returned.
- The system must be restarted after all gsettings configurations have been set in order for CIS-CAT Assessor to appropriately assess.

- OR/IF - A user profile does not exist:

- Create a file /etc/dconf/db/local.d/00-media-automount with the following content:

[org/gnome/desktop/media-handling]
automount=false
automount-open=false

- After creating the file, apply the changes using the command below:

# dconf update

Note: Users must log out and back in again before the system-wide settings take effect.
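
The system-wide variant above can be verified with a script. The following is an added example, not part of the benchmark or of CIS-CAT: a shell function (hypothetical name check_media_automount) that reads the keyfiles in the directory named above and passes only when both keys are set and no file sets either of them to anything other than false.

```shell
#!/bin/sh
# Added example. check_media_automount is a hypothetical helper name; the
# default directory is the one this page names.
# Returns 0 only if both keys are assigned under
# [org/gnome/desktop/media-handling] in the keyfiles of DIR and every
# assignment found is "false" (stricter than resolving file precedence).
check_media_automount() {
    dir=${1:-/etc/dconf/db/local.d}
    set --
    for f in "$dir"/*; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ $# -eq 0 ]; then echo "FAIL: no keyfiles in $dir"; return 1; fi
    awk '
        FNR == 1 { insec = 0 }                # each file starts outside any section
        { sub(/\r$/, "") }
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        /^[ \t]*\[/ {                         # section header
            gsub(/[ \t]/, "")
            insec = ($0 == "[org/gnome/desktop/media-handling]")
            next
        }
        insec {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "automount" || key == "automount-open") {
                seen[key] = 1
                if (val != "false") bad[key] = val
            }
        }
        END {
            rc = 0
            n = split("automount automount-open", keys, " ")
            for (i = 1; i <= n; i++) {
                k = keys[i]
                if (!(k in seen))  { print "FAIL: " k " is not set"; rc = 1 }
                else if (k in bad) { print "FAIL: " k "=" bad[k]; rc = 1 }
                else               { print "PASS: " k "=false" }
            }
            exit rc
        }' "$@"
}
```

Call check_media_automount with no argument to audit /etc/dconf/db/local.d. The function reads the keyfiles only, so it does not confirm that dconf update has been run since they were last changed.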

Impact:

The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations are considered adequate, there is little value added in turning off automounting.

See Also

https://workbench.cisecurity.org/benchmarks/18959

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|8.5

Plugin: Unix

Control ID: d0b46f01196960f9c7d58be2322d7911354185a619877b26b69fb6bd3c715879