Skip to content

1.8.6 Ensure GDM automatic mounting of removable media is disabled

Audit#

Run the following commands to verify automatic mounting is disabled: 

# gsettings get org.gnome.desktop.media-handling automount
false

# gsettings get org.gnome.desktop.media-handling automount-open
false

Remediation#

- IF - A user profile exists run the following commands to ensure automatic mounting is disabled: 

# gsettings set org.gnome.desktop.media-handling automount false
# gsettings set org.gnome.desktop.media-handling automount-open false

Note: - gsettings commands in this section MUST be done from a command window on a graphical desktop or an error will be returned. - The system must be restarted after all gsettings configurations have been set in order for CIS-CAT Assessor to appropriately assess. - If the dconf database is not updating correctly due to umask requirements contain in the benchmark, then use (umask 0022 && gsetting set) commands from above to temporarily set umask ensuring that any files or directories created by gsettings will have the required permissions.

- OR/IF - A user profile does not exist: 1. Create a file /etc/dconf/db/local.d/00-media-automount with the following content: 

[org/gnome/desktop/media-handling]
automount=false
automount-open=false

  1. After creating the file, apply the changes using below command : 
    # dconf update

Note: Users must log out and back in again before the system-wide settings take effect.