{"description": "The <tt>autofs</tt> daemon mounts and unmounts filesystems, such as user\nhome directories shared via NFS, on demand. In addition, autofs can be used to handle\nremovable media, and the default configuration provides the cdrom device as <tt>/misc/cd</tt>.\nHowever, this method of providing access to removable media is not common, so autofs\ncan almost always be disabled if NFS is not in use. Even if NFS is required, it may be\npossible to configure filesystem mounts statically by editing <tt>/etc/fstab</tt>\nrather than relying on the automounter.\n<br /><br />\n\nThe <code>autofs</code> service can be disabled with the following command:\n<pre>$ sudo systemctl mask --now autofs.service</pre>", "rationale": "Disabling the automounter permits the administrator to\nstatically control filesystem mounting through <tt>/etc/fstab</tt>.\n<br /><br />\nAdditionally, automatically mounting filesystems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["APO13.01", "DSS01.04", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.4.6"], "hipaa": ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.310(d)(1)", "164.310(d)(2)", "164.312(a)(1)", "164.312(a)(2)(iv)", "164.312(b)"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.6"], "iso27001-2013": ["A.11.2.6", "A.13.1.1", "A.13.2.1", "A.18.1.4", "A.6.2.1", "A.6.2.2", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "MP-7"], "nist-csf": ["PR.AC-1", "PR.AC-3", "PR.AC-6", 
"PR.AC-7"], "srg": ["SRG-OS-000114-GPOS-00059", "SRG-OS-000378-GPOS-00163", "SRG-OS-000480-GPOS-00227"], "cis": ["2.1.1"]}, "control_references": {"cis": ["2.1.1"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"autofs\" service is loaded and not masked", "ocil": "To check that the <code>autofs</code> service is disabled in the system boot configuration,\nrun the following command:\n<pre>$ sudo systemctl is-enabled autofs</pre>\nOutput should indicate that the <code>autofs</code> service either has not been installed\n(<code>Failed to get unit file state for autofs.service: No such file or directory</code>),\nor will not start at boot because it is <code>masked</code> (the state produced by <code>systemctl mask</code>) or <code>disabled</code>,\nas shown in the example below:\n<pre>$ sudo systemctl is-enabled autofs<br/>masked</pre>\n\nRun the following command to verify <code>autofs</code> is not active (i.e. not running) in the current runtime configuration:\n<pre>$ sudo systemctl is-active autofs</pre>\n\nIf the service is not running the command will return the following output:\n<pre>inactive</pre>\n\nThe service should also be masked, so that it cannot be started manually or pulled in as a dependency of another unit. To check that <code>autofs</code> is masked, run the following command:\n<pre>$ sudo systemctl show autofs | grep \"LoadState\\|UnitFileState\"</pre>\n\nIf the service is masked the command will return the following output:\n\n<pre>LoadState=masked<br/>UnitFileState=masked</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to disable the ability to automount devices.\n\nThe <code>autofs</code> service can be disabled with the following command:\n<pre>$ sudo systemctl mask --now autofs.service</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 file system automounter must be disabled unless required.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 file system automount function must be disabled unless required.", "vuldiscussion": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling the automounter allows the administrator to 
statically control filesystem mounting through /etc/fstab.", "checktext": "Note: If the autofs service is not installed, this requirement is Not Applicable.\n\nVerify that the Ubuntu 22.04 file system automount function has been disabled with the following command:\n\n$ systemctl is-enabled autofs\n\nmasked\n\nIf the returned value is not \"masked\", \"disabled\", or \"Failed to get unit file state for autofs.service: No such file or directory\" and is not documented as an operational requirement with the information system security officer (ISSO), this is a finding.", "fixtext": "Configure Ubuntu 22.04 to disable the ability to automount devices.\n\nThe autofs service can be disabled with the following command:\n\n$ sudo systemctl mask --now autofs.service"}}, "platform": "system_with_kernel and package[autofs]", "platforms": ["system_with_kernel and package[autofs]"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "service_autofs_disabled.sh", "relative_path": "ubuntu2204/checks/sce/service_autofs_disabled.sh"}, "inherited_platforms": [], "cpe_platform_names": ["package_autofs_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable the Automounter", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml", "template": {"name": "service_disabled", "vars": {"servicename": "autofs"}, "backends": {}}}
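Added example, not part of the SSG rule or its `service_autofs_disabled.sh` SCE check: the pass/fail decision from the check text above, written as a POSIX shell function and kept separate from the `systemctl` calls so it can be exercised on captured output on a machine without systemd. It also makes explicit why the remediation uses `mask --now`: a unit can be masked for the next boot and still be running now. The sample outputs in the block are constructed, and `autofs_verdict`, `check_autofs_live` and the `--live` flag are names introduced here.

```shell
#!/bin/sh
# Added example (not from the SSG rule or its SCE script): judge whether autofs
# is disabled the way the check text describes. The decision is separated from
# systemctl so it can be exercised on captured output where no systemd runs.
#
# The rule is met when the unit will not start at boot (masked or disabled, or
# the autofs package is not installed at all) AND it is not running right now.
# Both conditions matter: `systemctl mask` without `--now` leaves an already
# running automounter active until the next reboot.

# autofs_verdict IS_ENABLED_OUTPUT IS_ACTIVE_OUTPUT
#   $1: what `systemctl is-enabled autofs.service 2>&1` printed
#   $2: what `systemctl is-active  autofs.service 2>&1` printed
# Prints "pass" or "fail: <reason>"; returns 0 on pass, 1 on fail.
autofs_verdict() {
    unit_state="$1"
    active_state="$2"

    case "$unit_state" in
        masked|disabled)
            ;;  # will not be started at boot
        "Failed to get unit file state for autofs.service"*)
            ;;  # no such unit: autofs is not installed, requirement not applicable
        masked-runtime|enabled-runtime)
            echo "fail: unit file state '$unit_state' does not survive a reboot"
            return 1
            ;;
        *)  # enabled, static, indirect, linked, ... all mean it can start at boot
            echo "fail: unit file state is '$unit_state'"
            return 1
            ;;
    esac

    case "$active_state" in
        inactive|failed|unknown)
            ;;  # not running now ("unknown" is what older systemd prints for a missing unit)
        *)
            echo "fail: unit is currently '$active_state'"
            return 1
            ;;
    esac

    echo "pass"
    return 0
}

# Query the host this script runs on (needs systemd). Exit status is the verdict.
check_autofs_live() {
    autofs_verdict \
        "$(systemctl is-enabled autofs.service 2>&1)" \
        "$(systemctl is-active autofs.service 2>&1)"
}

if [ "${1:-}" = "--live" ]; then
    check_autofs_live
else
    # Constructed sample outputs, not captured from a real host. The last row
    # is the "masked but never stopped" case that `mask --now` avoids.
    for sample in \
        "masked|inactive" \
        "disabled|inactive" \
        "Failed to get unit file state for autofs.service: No such file or directory|inactive" \
        "enabled|active" \
        "static|inactive" \
        "masked|active"
    do
        unit="${sample%%|*}"
        act="${sample##*|}"
        printf '%-78s %-9s -> ' "$unit" "$act"
        autofs_verdict "$unit" "$act" || :
    done
fi
```

Run it with no arguments to see the verdict table for the constructed samples; run `sh service_autofs_check.sh --live` (any filename will do) on an Ubuntu 22.04 host to evaluate the real unit, using the exit status in scripts. The function deliberately rejects `static`, `indirect` and the `*-runtime` states even though they are not "enabled": each still allows the automounter to start, which is what the rule is meant to prevent.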