Disable the Automounter
An XCCDF Rule
Description
The autofs
daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd
.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs
service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
Rationale
Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab
.
Additionally, automatically mounting filesystems permits easy introduction of
unknown devices, thereby facilitating malicious activity.
- ID
- xccdf_org.ssgproject.content_rule_service_autofs_disabled
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["autofs"]
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-09-231040
- NIST-800-171-3.4.6
Remediation - Puppet
include disable_autofs
class disable_autofs {
service {'autofs':
enable => false,
ensure => 'stopped',
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q autofs ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'autofs.service'
"$SYSTEMCTL_EXEC" disable 'autofs.service'