Check: RHEL-07-020111
Red Hat Enterprise Linux 7 STIG: RHEL-07-020111 (in versions v3 r14 through v3 r1)
Title
The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required. (Cat II impact)
Discussion
Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
Check Content
Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.

Verify the operating system disables the ability to automount devices in a graphical user interface.

Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.

Check to see if the automounter service is disabled with the following commands:

    # cat /etc/dconf/db/local.d/00-No-Automount
    [org/gnome/desktop/media-handling]
    automount=false
    automount-open=false
    autorun-never=true

If the output does not match the example above, this is a finding.

    # cat /etc/dconf/db/local.d/locks/00-No-Automount
    /org/gnome/desktop/media-handling/automount
    /org/gnome/desktop/media-handling/automount-open
    /org/gnome/desktop/media-handling/autorun-never

If the output does not match the example, this is a finding.
Fix Text
Configure the graphical user interface to disable the ability to automount devices.

Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.

Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following:

    [org/gnome/desktop/media-handling]
    automount=false
    automount-open=false
    autorun-never=true

Create or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:

    /org/gnome/desktop/media-handling/automount
    /org/gnome/desktop/media-handling/automount-open
    /org/gnome/desktop/media-handling/autorun-never

Run the following command to update the database:

    # dconf update
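The Check Content and Fix Text above describe the same two dconf files. The script below is an added example, not part of the STIG, that automates the check: it takes the database directory as a parameter (so it covers databases other than "local"), confirms every required key and every lock line is present, and reports each missing item as a finding. The sample databases it builds under mktemp are constructed for illustration and are not real system files.

```shell
#!/bin/sh
# Added example for RHEL-07-020111: verify the settings file and the locks
# file of a dconf database directory (e.g. /etc/dconf/db/local.d).

# check_automount_config DBDIR -> 0 when compliant, 1 when any item is missing
check_automount_config() {
    dbdir=$1
    settings="$dbdir/00-No-Automount"
    locks="$dbdir/locks/00-No-Automount"
    status=0

    # The group header and each key must appear as whole lines (-x) and as
    # fixed strings (-F), so "automount-open=false" cannot stand in for
    # "automount=false".
    for line in '[org/gnome/desktop/media-handling]' 'automount=false' \
                'automount-open=false' 'autorun-never=true'; do
        if ! grep -qxF "$line" "$settings" 2>/dev/null; then
            echo "FINDING: $settings lacks '$line'"
            status=1
        fi
    done

    # Without a lock a user could override the key in their own profile,
    # so each key must also be listed in the locks file.
    for key in automount automount-open autorun-never; do
        if ! grep -qxF "/org/gnome/desktop/media-handling/$key" "$locks" 2>/dev/null; then
            echo "FINDING: $locks does not lock '$key'"
            status=1
        fi
    done
    return $status
}

# build_sample DIR yes|no -> constructed sample database for testing the check.
# "no" leaves autorun-never unlocked: the settings look right but are overridable.
build_sample() {
    dir=$1; compliant=$2
    mkdir -p "$dir/locks"
    printf '[org/gnome/desktop/media-handling]\nautomount=false\nautomount-open=false\nautorun-never=true\n' > "$dir/00-No-Automount"
    printf '/org/gnome/desktop/media-handling/automount\n/org/gnome/desktop/media-handling/automount-open\n' > "$dir/locks/00-No-Automount"
    if [ "$compliant" = yes ]; then
        echo '/org/gnome/desktop/media-handling/autorun-never' >> "$dir/locks/00-No-Automount"
    fi
}

SAMPLE=$(mktemp -d)
build_sample "$SAMPLE/good.d" yes
build_sample "$SAMPLE/bad.d" no
check_automount_config "$SAMPLE/good.d" && echo "good.d: compliant"
check_automount_config "$SAMPLE/bad.d" || echo "bad.d: finding"
```

On a real host, run `check_automount_config /etc/dconf/db/local.d` (or the directory of whichever database the system uses); a non-zero exit means a finding under the Check Content above.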
Additional Identifiers
Rule ID: SV-219059r854002_rule
Vulnerability ID: V-219059
Group Title: SRG-OS-000114-GPOS-00059
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-000778 | The information system uniquely identifies an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection.
CCI-001958 | The information system authenticates an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection.