Title

Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user interface automount function. (Cat II impact)

Discussion

A nonprivileged account is any operating system account with authorizations of a nonprivileged user. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227

Check Content

Note: This requirement assumes the use of the Ubuntu 24.04 LTS default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Verify Ubuntu 24.04 LTS disables the ability of the user to override the graphical user interface automount setting. Determine which profile the system database is using with the following command: $ sudo grep system-db /etc/dconf/profile/user system-db:local Check that the automount setting is locked from nonprivileged user modification with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. $ grep 'automount-open' /etc/dconf/db/local.d/locks/* /org/gnome/desktop/media-handling/automount-open If the command does not return at least the example result, this is a finding.

Fix Text

Configure Ubuntu 24.04 LTS so the GNOME desktop does not allow a user to change the setting that disables automated mounting of removable media. Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification: /org/gnome/desktop/media-handling/automount-open Update the dconf system databases: $ sudo dconf update

Additional Identifiers

Rule ID: SV-270679r1107295_rule

Vulnerability ID: V-270679

Group Title: SRG-OS-000028-GPOS-00009

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.