Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-219059 | RHEL-07-020111 | SV-219059r854002_rule | Medium |
Description |
---|
Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 |
STIG | Date |
---|---|
Red Hat Enterprise Linux 7 Security Technical Implementation Guide | 2022-12-06 |
Check Text ( C-36354r602662_chk ) |
---|
Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable. Verify the operating system disables the ability to automount devices in a graphical user interface. Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. Check to see if automounter service is disabled with the following commands: # cat /etc/dconf/db/local.d/00-No-Automount [org/gnome/desktop/media-handling] automount=false automount-open=false autorun-never=true If the output does not match the example above, this is a finding. # cat /etc/dconf/db/local.d/locks/00-No-Automount /org/gnome/desktop/media-handling/automount /org/gnome/desktop/media-handling/automount-open /org/gnome/desktop/media-handling/autorun-never If the output does not match the example, this is a finding. |
Fix Text (F-36318r602663_fix) |
---|
Configure the graphical user interface to disable the ability to automount devices. Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following: [org/gnome/desktop/media-handling] automount=false automount-open=false autorun-never=true Create or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following: /org/gnome/desktop/media-handling/automount /org/gnome/desktop/media-handling/automount-open /org/gnome/desktop/media-handling/autorun-never Run the following command to update the database: # dconf update |