1.7.7 Ensure GDM disabling automatic mounting of removable media is not overridden

Information

By default GNOME automatically mounts removable media when inserted as a convenience to the user.

By using the lockdown mode in dconf, you can prevent users from changing specific settings. To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.

With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available on the system even if they lacked the permissions to mount it themselves.

Solution

- To prevent the user from overriding these settings, create the file /etc/dconf/db/local.d/locks/00-media-automount with the following content:

# Lock desktop media-handling settings
/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open

- Update the system databases:

# dconf update

Note:

- A user profile must exist in order to apply locks.
- Users must log out and back in again before the system-wide settings take effect.
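An added audit helper (not part of the benchmark, dconf or GNOME) that reads a dconf keyfile directory and its locks/ subdirectory and reports, per key, whether the value is false and whether the key path is locked; the function names and the sample layout written by demo() are assumptions of this example.

```python
from pathlib import Path
import tempfile

SECTION = "org/gnome/desktop/media-handling"
KEYS = ("automount", "automount-open")

def _parse_keyfile(path: Path) -> dict:
    """Parse a dconf keyfile into {section: {key: value}}; '#' lines are comments."""
    settings, section = {}, None
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = settings.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[key.strip()] = value.strip()
    return settings

def _locked_keys(locks_dir: Path) -> set:
    """Collect every key path listed in any file under locks/ (comments ignored)."""
    locked = set()
    for lock_file in (locks_dir.iterdir() if locks_dir.is_dir() else ()):
        if lock_file.is_file():
            for raw in lock_file.read_text().splitlines():
                line = raw.strip()
                if line and not line.startswith("#"):
                    locked.add(line)
    return locked

def audit_media_automount(db_dir) -> dict:
    """Return {key: (set_to_false, locked)} for a keyfile dir such as /etc/dconf/db/local.d."""
    db_dir = Path(db_dir)
    values = {}
    for keyfile in sorted(db_dir.iterdir()):  # the locks/ subdir is skipped by is_file()
        if keyfile.is_file():
            values.update(_parse_keyfile(keyfile).get(SECTION, {}))
    locked = _locked_keys(db_dir / "locks")
    return {k: (values.get(k) == "false", f"/{SECTION}/{k}" in locked) for k in KEYS}

def demo() -> dict:
    """Constructed sample: keyfile sets both keys to false, but only automount is locked."""
    root = Path(tempfile.mkdtemp())
    (root / "00-media-automount").write_text(f"[{SECTION}]\nautomount=false\nautomount-open=false\n")
    (root / "locks").mkdir()
    (root / "locks" / "00-media-automount").write_text(f"# locks\n/{SECTION}/automount\n")
    return audit_media_automount(root)  # automount-open: set but not locked -> finding
```

Pointing audit_media_automount at /etc/dconf/db/local.d on a real host shows whether a key is merely set (a user can still override it with gsettings) or actually locked.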

Impact:

The use of portable hard drives is very common for workstation users.

See Also

https://workbench.cisecurity.org/benchmarks/18959

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-2

Plugin: Unix

Control ID: 1d1170fb7cde45cee6e75607f7f35836a2151a3c2c4b32722bb3da6675f16f06