Skip to content

1.7.7 Ensure GDM disabling automatic mounting of removable media is not overridden

Audit#

Run the following script to verify automatic mounting of removable media is not overridden and correctly configured in a configuration file: - automount=false - automount-open=false 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#!/usr/bin/env bash
{
a_output=() a_output2=()
check_setting()
{
grep -Psrilq "^\h*$1\h*=\h*false\b" /etc/dconf/db/local.d/locks/* 2>/dev/null && \
echo "- \"$3\" is locked and set to false" || echo "- \"$3\" is not locked or not set to false"
}
declare -A settings=(
["automount"]="org/gnome/desktop/media-handling"
["automount-open"]="org/gnome/desktop/media-handling"
)
for setting in "${!settings[@]}"; do
result=$(check_setting "$setting" "${settings[$setting]}" "$setting")
if [[ $result == *"is not locked"* || $result == *"not set to false"* ]]; then
a_output2+=("$result")
else
a_output+=("$result")
fi
done
printf '%s\n' "" "- Audit Result:"
if [ "${#a_output2[@]}" -gt 0 ]; then
printf '%s\n' " ** FAIL **" " - Reason(s) for audit failure:" "${a_output2[@]}"
[ "${#a_output[@]}" -gt 0 ] && printf '%s\n' "" "- Correctly set:" "${a_output[@]}"
else
printf '%s\n' " ** PASS **" "${a_output[@]}"
fi
}

Remediation#

  1. To prevent the user from overriding these settings, create the file /etc/dconf/db/local.d/locks/00-media-automount with the following content: 

    #!/usr/bin/env bash
[org/gnome/desktop/media-handling]
automount=false
automount-open=false

  2. Update the system databases 

    # dconf update

Note: - A user profile must exist in order to apply locks. - Users must log out and back in again before the system-wide settings take effect.