{"description": "The system's default desktop environment, GNOME3, will mount\ndevices and removable media (such as DVDs, CDs and USB flash drives) whenever\nthey are inserted into the system. To disable automount within GNOME3, add or set\n<tt>automount</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.\nFor example:\n<pre>[org/gnome/desktop/media-handling]\nautomount=false</pre>\nOnce the settings have been added, add a lock to\n<tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.\nFor example:\n<pre>/org/gnome/desktop/media-handling/automount</pre>\nAfter the settings have been set, run <tt>dconf update</tt>.", "rationale": "Disabling automatic mounting in GNOME3 can prevent\nthe introduction of malware via removable media.\nIt will, however, also prevent desktop users from legitimate use\nof removable media.", "severity": "medium", "references": {"cis-csc": ["12", "16"], "cobit5": ["APO13.01", "DSS01.04", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "DSS06.03"], "cui": ["3.1.7"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.2", "4.3.3.6.6", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.13", "SR 1.2", "SR 1.4", "SR 1.5", "SR 1.9", "SR 2.1", "SR 2.6"], "iso27001-2013": ["A.11.2.6", "A.13.1.1", "A.13.2.1", "A.6.2.1", "A.6.2.2", "A.7.1.1", "A.9.2.1"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.AC-3", "PR.AC-6"], "srg": ["SRG-OS-000114-GPOS-00059", "SRG-OS-000378-GPOS-00163", "SRG-OS-000480-GPOS-00227"], "cis": ["1.7.6", "1.7.7"], "pcidss4": ["3.4.2", "3.4"]}, "control_references": {"cis": ["1.7.6", "1.7.7"], "pcidss4": ["3.4.2", "3.4"]}, "components": [], "identifiers": {}, "ocil_clause": "GNOME automounting is not disabled", "ocil": "These settings can be verified by running the following:\n<pre>$ gsettings get org.gnome.desktop.media-handling automount</pre>\nIf properly configured, the output for <tt>automount</tt> should be <tt>false</tt>.\nTo ensure that users cannot enable automount in GNOME3, run the following:\n<pre>$ grep 'automount' /etc/dconf/db/local.d/locks/*</pre>\nIf properly configured, the output for <tt>automount</tt> should be <tt>/org/gnome/desktop/media-handling/automount</tt>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Disable GNOME3 Automounting", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml", "template": null}