RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258017	RHEL-09-271035	SV-258017r926038_rule		Medium

Description
Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227

STIG	Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide	2024-02-19

Details

Check Text ( C-61758r926036_chk )
Verify RHEL 9 disables ability of the user to override the graphical user interface autorun setting. Note: This requirement assumes the use of the RHEL 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: $ sudo grep system-db /etc/dconf/profile/user system-db:local Check that the automount setting is locked from nonprivileged user modification with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. $ grep 'autorun-never' /etc/dconf/db/local.d/locks/* /org/gnome/desktop/media-handling/autorun-never If the command does not return at least the example result, this is a finding.

Check Text ( C-61758r926036_chk )

Verify RHEL 9 disables ability of the user to override the graphical user interface autorun setting.

Note: This requirement assumes the use of the RHEL 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Determine which profile the system database is using with the following command:

$ sudo grep system-db /etc/dconf/profile/user

system-db:local

Check that the automount setting is locked from nonprivileged user modification with the following command:

Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.

$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*

/org/gnome/desktop/media-handling/autorun-never

If the command does not return at least the example result, this is a finding.

Fix Text (F-61682r926037_fix)
Configure the GNOME desktop to not allow a user to change the setting that disables autorun on removable media. Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification: /org/gnome/desktop/media-handling/autorun-never Then update the dconf system databases: $ sudo dconf update