Skip to content

1.7.8 Ensure GDM autorun-never is enabled

Audit#

Run the following command to verify that autorun-never is set to true for GDM: 

# gsettings get org.gnome.desktop.media-handling autorun-never
true

Remediation#

- IF - A user profile exists run the following command to set autorun-never to true for GDM users: 

# gsettings set org.gnome.desktop.media-handling autorun-never true

Note: - gsettings commands in this section MUST be done from a command window on a graphical desktop or an error will be returned. - The system must be restarted after all gsettings configurations have been set in order for CIS-CAT Assessor to appropriately assess. - If the dconf database is not updating correctly due to umask requirements contain in the benchmark, then use (umask 0022 && gsetting set) commands from above to temporarily set umask ensuring that any files or directories created by gsettings will have the required permissions.

- OR/IF - A lock does not exist: 1. create the file /etc/dconf/db/local.d/locks/00-media-autorun with the following content: 

[org/gnome/desktop/media-handling]
autorun-never=true

  1. Update the system databases 
    # dconf update
    Note: Users must log out and back in again before the system-wide settings take effect.

Default Value: false