Disable GNOME3 Automount Opening
An XCCDF Rule
Description
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
automount-open
to false
in /etc/dconf/db/local.d/00-security-settings
.
For example:
[org/gnome/desktop/media-handling] automount-open=falseOnce the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock
to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount-openAfter the settings have been set, run
dconf update
.
Rationale
Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.
- ID
- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-09-271020
- DISA-STIG-RHEL-09-271025