From bf1b010001f16a428a0e3401347df0a37ce52e90 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Thu, 6 Aug 2020 15:43:31 +0200

Subject: [PATCH 1/8] Break dconf_gnome_disable_automount down into three

 separate rules.

---

 .../tests/empty.fail.sh                       |  9 +++

 .../ansible/shared.yml                        | 31 ----------

 .../bash/shared.sh                            |  4 --

 .../oval/shared.xml                           | 60 +------------------

 .../dconf_gnome_disable_automount/rule.yml    | 25 +++-----

 .../tests/correct_value.pass.sh               | 11 ++++

 .../ansible/shared.yml                        | 19 ++++++

 .../bash/shared.sh                            |  5 ++

 .../oval/shared.xml                           | 50 ++++++++++++++++

 .../rule.yml                                  | 57 ++++++++++++++++++

 .../tests/correct_value.pass.sh               | 12 ++++

 .../tests/wrong_value.fail.sh                 |  7 +++

 .../ansible/shared.yml                        | 20 +++++++

 .../bash/shared.sh                            |  5 ++

 .../oval/shared.xml                           | 50 ++++++++++++++++

 .../dconf_gnome_disable_autorun/rule.yml      | 57 ++++++++++++++++++

 .../tests/correct_value.pass.sh               | 10 ++++

 .../tests/wrong_value.fail.sh                 |  7 +++

 shared/references/cce-redhat-avail.txt        |  4 --

 19 files changed, 328 insertions(+), 115 deletions(-)

 create mode 100644 linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh

new file mode 100644

index 0000000000..cb84c5262b

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ncp

+

+source $SHARED/dconf_test_functions.sh

+

+install_dconf_and_gdm_if_needed

+

+clean_dconf_settings

+

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml

index c13d706df3..eeb7b8f301 100644

--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml

@@ -17,34 +17,3 @@

     regexp: '^/org/gnome/desktop/media-handling/automount'

     line: '/org/gnome/desktop/media-handling/automount'

     create: yes

-

-- name: "Disable GNOME3 Automounting - automount-open"

-  ini_file:

-    dest: /etc/dconf/db/local.d/00-security-settings

-    section: org/gnome/desktop/media-handling

-    option: automount-open

-    value: "false"

-    create: yes

-

-- name: "Prevent user modification of GNOME3 Automounting - automount-open"

-  lineinfile:

-    path: /etc/dconf/db/local.d/locks/00-security-settings-lock

-    regexp: '^/org/gnome/desktop/media-handling/automount-open'

-    line: '/org/gnome/desktop/media-handling/automount-open'

-    create: yes

-

-- name: "Disable GNOME3 Automounting - autorun-never"

-  ini_file:

-    dest: /etc/dconf/db/local.d/00-security-settings

-    section: org/gnome/desktop/media-handling

-    option: autorun-never

-    value: "true"

-    create: yes

-

-- name: "Prevent user modification of GNOME3 Automounting - autorun-never"

-  lineinfile:

-    path: /etc/dconf/db/local.d/locks/00-security-settings-lock

-    regexp: '^/org/gnome/desktop/media-handling/autorun-never'

-    line: '/org/gnome/desktop/media-handling/autorun-never'

-    create: yes

-

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh

index aa7c692c87..5a52153613 100644

--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh

@@ -2,8 +2,4 @@

 {{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount", "false", "local.d", "00-security-settings") }}}

-{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings") }}}

-{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings") }}}

 {{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount", "local.d", "00-security-settings-lock") }}}

-{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}}

-{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}}

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml

index fb359a2278..c05b1d8e1b 100644

--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml

@@ -1,19 +1,15 @@

 <def-group>

-  <definition class="compliance" id="dconf_gnome_disable_automount" version="1">

+  <definition class="compliance" id="dconf_gnome_disable_automount" version="2">

     {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount

       devices and removable media (such as DVDs, CDs and USB flash drives)

       whenever they are inserted into the system. Disable automount and autorun

       within GNOME3.") }}}

     <criteria operator="OR">

       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />

-      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">

+      <criteria comment="Disable GNOME3 automount and prevent user from changing it" operator="AND">

         <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />

         <criterion comment="Disable automount in GNOME3" test_ref="test_dconf_gnome_disable_automount" />

-        <criterion comment="Disable automount-open in GNOME3" test_ref="test_dconf_gnome_disable_automount_open" />

-        <criterion comment="Disable autorun in GNOME3" test_ref="test_dconf_gnome_disable_autorun" />

         <criterion comment="Prevent user from changing automount setting" test_ref="test_prevent_user_gnome_automount" />

-        <criterion comment="Prevent user from changing automount-open setting" test_ref="test_prevent_user_gnome_automount_open" />

-        <criterion comment="Prevent user from changing autorun setting" test_ref="test_prevent_user_gnome_autorun" />

       </criteria>

     </criteria>

   </definition>

@@ -43,56 +39,4 @@

     <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount$</ind:pattern>

     <ind:instance datatype="int">1</ind:instance>

   </ind:textfilecontent54_object>

-

-  

-  comment="Disable automount-open in GNOME"

-  id="test_dconf_gnome_disable_automount_open" version="1">

-    <ind:object object_ref="obj_dconf_gnome_disable_automount_open" />

-  </ind:textfilecontent54_test>

-  

-  version="1">

-    <ind:path>/etc/dconf/db/local.d/</ind:path>

-    <ind:filename operation="pattern match">^.*$</ind:filename>

-    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>

-    <ind:instance datatype="int">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-  

-  comment="Prevent user from changing automount-open setting"

-  id="test_prevent_user_gnome_automount_open" version="1">

-    <ind:object object_ref="obj_prevent_user_gnome_automount_open" />

-  </ind:textfilecontent54_test>

-  

-  version="1">

-    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>

-    <ind:filename operation="pattern match">^.*$</ind:filename>

-    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>

-    <ind:instance datatype="int">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-  

-  comment="Disable autorun in GNOME"

-  id="test_dconf_gnome_disable_autorun" version="1">

-    <ind:object object_ref="obj_dconf_gnome_disable_autorun" />

-  </ind:textfilecontent54_test>

-  

-  version="1">

-    <ind:path>/etc/dconf/db/local.d/</ind:path>

-    <ind:filename operation="pattern match">^.*$</ind:filename>

-    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>

-    <ind:instance datatype="int">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-  

-  comment="Prevent user from changing autorun setting"

-  id="test_prevent_user_gnome_autorun" version="1">

-    <ind:object object_ref="obj_prevent_user_gnome_autorun" />

-  </ind:textfilecontent54_test>

-  

-  version="1">

-    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>

-    <ind:filename operation="pattern match">^.*$</ind:filename>

-    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>

-    <ind:instance datatype="int">1</ind:instance>

-  </ind:textfilecontent54_object>

 </def-group>

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml

index 551f6cacdf..b7e7192bc0 100644

--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml

@@ -7,20 +7,15 @@ title: 'Disable GNOME3 Automounting'

 description: |-

     The system's default desktop environment, GNOME3, will mount

     devices and removable media (such as DVDs, CDs and USB flash drives) whenever

-    they are inserted into the system. To disable automount and autorun within GNOME3, add or set

-    <tt>automount</tt> to <tt>false</tt>, <tt>automount-open</tt> to <tt>false</tt>, and

-    <tt>autorun-never</tt> to <tt>true</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.

+    they are inserted into the system. To disable automount within GNOME3, add or set

+    <tt>automount</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.

     For example:

     
[org/gnome/desktop/media-handling]

-    automount=false

-    automount-open=false

-    autorun-never=true

+    automount=false

     Once the settings have been added, add a lock to

     <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.

     For example:

-    
/org/gnome/desktop/media-handling/automount

-    /org/gnome/desktop/media-handling/automount-open

-    /org/gnome/desktop/media-handling/autorun-never

+    
/org/gnome/desktop/media-handling/automount

     After the settings have been set, run <tt>dconf update</tt>.

 rationale: |-

@@ -48,16 +43,10 @@ ocil_clause: 'GNOME automounting is not disabled'

 ocil: |-

     These settings can be verified by running the following:

-    
$ gsettings get org.gnome.desktop.media-handling automount

-    $ gsettings get org.gnome.desktop.media-handling automount-open

-    $ gsettings get org.gnome.desktop.media-handling autorun-never

+    
$ gsettings get org.gnome.desktop.media-handling automount

     If properly configured, the output for <tt>automount</tt> should be <tt>false</tt>.

-    If properly configured, the output for <tt>automount-open</tt>should be <tt>false</tt>.

-    If properly configured, the output for <tt>autorun-never</tt> should be <tt>true</tt>.

-    To ensure that users cannot enable automount and autorun in GNOME3, run the following:

-    
$ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*

+    To ensure that users cannot enable automount in GNOME3, run the following:

+    
$ grep 'automount' /etc/dconf/db/local.d/locks/*

     If properly configured, the output for <tt>automount</tt> should be <tt>/org/gnome/desktop/media-handling/automount</tt>

-    If properly configured, the output for <tt>automount-open</tt> should be <tt>/org/gnome/desktop/media-handling/auto-open</tt>

-    If properly configured, the output for <tt>autorun-never</tt> should be <tt>/org/gnome/desktop/media-handling/autorun-never</tt>

 platform: machine

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh

new file mode 100644

index 0000000000..685f5925c5

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh

@@ -0,0 +1,11 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+. $SHARED/dconf_test_functions.sh

+

+yum -y install dconf

+clean_dconf_settings

+

+add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings"

+add_dconf_lock "org/gnome/desktop/media-handling" "automount" "local.d" "00-security-settings"

+

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml

new file mode 100644

index 0000000000..680d148347

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml

@@ -0,0 +1,19 @@

+# platform = multi_platform_rhel,multi_platform_fedora

+# reboot = false

+# strategy = unknown

+# complexity = low

+# disruption = medium

+- name: "Disable GNOME3 Automounting - automount-open"

+  ini_file:

+    dest: /etc/dconf/db/local.d/00-security-settings

+    section: org/gnome/desktop/media-handling

+    option: automount-open

+    value: "false"

+    create: yes

+

+- name: "Prevent user modification of GNOME3 Automounting - automount-open"

+  lineinfile:

+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock

+    regexp: '^/org/gnome/desktop/media-handling/automount-open'

+    line: '/org/gnome/desktop/media-handling/automount-open'

+    create: yes

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh

new file mode 100644

index 0000000000..7a1497507b

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh

@@ -0,0 +1,5 @@

+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora

+

+

+{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings") }}}

+{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}}

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml

new file mode 100644

index 0000000000..84264fa8f4

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml

@@ -0,0 +1,50 @@

+<def-group>

+  <definition class="compliance" id="dconf_gnome_disable_automount_open" version="1">

+    <metadata>

+      <title>Disable GNOME3 automount-open</title>

+      <affected family="unix">

+        <platform>Red Hat Enterprise Linux 7</platform>

+        <platform>Red Hat Enterprise Linux 8</platform>

+        <platform>multi_platform_fedora</platform>

+      </affected>

+      <description>The system's default desktop environment, GNOME3, will mount

+      devices and removable media (such as DVDs, CDs and USB flash drives)

+      whenever they are inserted into the system. Disable automount-open

+      within GNOME3.</description>

+    </metadata>

+    <criteria operator="OR">

+      <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />

+      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">

+        <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />

+        <criterion comment="Disable automount-open in GNOME3" test_ref="test_dconf_gnome_disable_automount_open" />

+        <criterion comment="Prevent user from changing automount-open setting" test_ref="test_prevent_user_gnome_automount_open" />

+      </criteria>

+    </criteria>

+  </definition>

+

+  

+  comment="Disable automount-open in GNOME"

+  id="test_dconf_gnome_disable_automount_open" version="1">

+    <ind:object object_ref="obj_dconf_gnome_disable_automount_open" />

+  </ind:textfilecontent54_test>

+  

+  version="1">

+    <ind:path>/etc/dconf/db/local.d/</ind:path>

+    <ind:filename operation="pattern match">^.*$</ind:filename>

+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>

+    <ind:instance datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  

+  comment="Prevent user from changing automount-open setting"

+  id="test_prevent_user_gnome_automount_open" version="1">

+    <ind:object object_ref="obj_prevent_user_gnome_automount_open" />

+  </ind:textfilecontent54_test>

+  

+  version="1">

+    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>

+    <ind:filename operation="pattern match">^.*$</ind:filename>

+    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>

+    <ind:instance datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+</def-group>

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml

new file mode 100644

index 0000000000..07ce263102

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml

@@ -0,0 +1,57 @@

+documentation_complete: true

+

+prodtype: fedora,rhel7,rhel8

+

+title: 'Disable GNOME3 Automount Opening'

+

+description: |-

+    The system's default desktop environment, GNOME3, will mount

+    devices and removable media (such as DVDs, CDs and USB flash drives) whenever

+    they are inserted into the system. To disable automount-open within GNOME3, add or set

+    <tt>automount-open</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.

+    For example:

+    
[org/gnome/desktop/media-handling]

+    automount-open=false

+    Once the settings have been added, add a lock to

+    <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.

+    For example:

+    
/org/gnome/desktop/media-handling/automount-open

+    After the settings have been set, run <tt>dconf update</tt>.

+

+rationale: |-

+    Disabling automatic mounting in GNOME3 can prevent

+    the introduction of malware via removable media.

+    It will, however, also prevent desktop users from legitimate use

+    of removable media.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: CCE-83692-4

+    cce@rhel8: CCE-83693-2

+

+references:

+    cui: 3.1.7

+    nist: CM-7(a),CM-7(b),CM-6(a)

+    nist-csf: PR.AC-3,PR.AC-6

+    isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.4,SR 1.5,SR 1.9,SR 2.1,SR 2.6'

+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.2,4.3.3.6.6,4.3.3.7.2,4.3.3.7.4

+    cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03

+    iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1

+    cis-csc: 12,16

+    stig@rhel7: RHEL-07-020111

+    disa: CCI-001958

+    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227

+

+

+ocil_clause: 'GNOME automounting is not disabled'

+

+ocil: |-

+    These settings can be verified by running the following:

+    
$ gsettings get org.gnome.desktop.media-handling automount-open

+    If properly configured, the output for <tt>automount-open</tt>should be <tt>false</tt>.

+    To ensure that users cannot enable automount opening in GNOME3, run the following:

+    
$ grep 'automount-open' /etc/dconf/db/local.d/locks/*

+    If properly configured, the output for <tt>automount-open</tt> should be <tt>/org/gnome/desktop/media-handling/automount-open</tt>

+

+platform: machine

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh

new file mode 100644

index 0000000000..b9995bf679

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh

@@ -0,0 +1,12 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+. $SHARED/dconf_test_functions.sh

+

+yum -y install dconf

+clean_dconf_settings

+

+add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings"

+add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings"

+

+

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh

new file mode 100644

index 0000000000..33a439cbb6

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+. $SHARED/dconf_test_functions.sh

+

+yum -y install dconf

+clean_dconf_settings

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml

new file mode 100644

index 0000000000..036246e3be

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml

@@ -0,0 +1,20 @@

+# platform = multi_platform_rhel,multi_platform_fedora

+# reboot = false

+# strategy = unknown

+# complexity = low

+# disruption = medium

+- name: "Disable GNOME3 Automounting - autorun-never"

+  ini_file:

+    dest: /etc/dconf/db/local.d/00-security-settings

+    section: org/gnome/desktop/media-handling

+    option: autorun-never

+    value: "true"

+    create: yes

+

+- name: "Prevent user modification of GNOME3 Automounting - autorun-never"

+  lineinfile:

+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock

+    regexp: '^/org/gnome/desktop/media-handling/autorun-never'

+    line: '/org/gnome/desktop/media-handling/autorun-never'

+    create: yes

+

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh

new file mode 100644

index 0000000000..4c3bcb9547

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh

@@ -0,0 +1,5 @@

+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora

+

+

+{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings") }}}

+{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}}

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml

new file mode 100644

index 0000000000..4c9840c644

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml

@@ -0,0 +1,50 @@

+<def-group>

+  <definition class="compliance" id="dconf_gnome_disable_autorun" version="1">

+    <metadata>

+      <title>Disable GNOME3 Automounting</title>

+      <affected family="unix">

+        <platform>Red Hat Enterprise Linux 7</platform>

+        <platform>Red Hat Enterprise Linux 8</platform>

+        <platform>multi_platform_fedora</platform>

+      </affected>

+      <description>The system's default desktop environment, GNOME3, will mount

+      devices and removable media (such as DVDs, CDs and USB flash drives)

+      whenever they are inserted into the system. Disable automount and autorun

+      within GNOME3.</description>

+    </metadata>

+    <criteria operator="OR">

+      <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />

+      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">

+        <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />

+        <criterion comment="Disable autorun in GNOME3" test_ref="test_dconf_gnome_disable_autorun" />

+        <criterion comment="Prevent user from changing autorun setting" test_ref="test_prevent_user_gnome_autorun" />

+      </criteria>

+    </criteria>

+  </definition>

+

+  

+  comment="Disable autorun in GNOME"

+  id="test_dconf_gnome_disable_autorun" version="1">

+    <ind:object object_ref="obj_dconf_gnome_disable_autorun" />

+  </ind:textfilecontent54_test>

+  

+  version="1">

+    <ind:path>/etc/dconf/db/local.d/</ind:path>

+    <ind:filename operation="pattern match">^.*$</ind:filename>

+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>

+    <ind:instance datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  

+  comment="Prevent user from changing autorun setting"

+  id="test_prevent_user_gnome_autorun" version="1">

+    <ind:object object_ref="obj_prevent_user_gnome_autorun" />

+  </ind:textfilecontent54_test>

+  

+  version="1">

+    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>

+    <ind:filename operation="pattern match">^.*$</ind:filename>

+    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>

+    <ind:instance datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+</def-group>

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml

new file mode 100644

index 0000000000..92fa209fb5

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml

@@ -0,0 +1,57 @@

+documentation_complete: true

+

+prodtype: fedora,rhel7,rhel8

+

+title: 'Disable GNOME3 Automount running'

+

+description: |-

+    The system's default desktop environment, GNOME3, will mount

+    devices and removable media (such as DVDs, CDs and USB flash drives) whenever

+    they are inserted into the system. To disable autorun-never within GNOME3, add or set

+    <tt>autorun-never</tt> to <tt>true</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.

+    For example:

+    
[org/gnome/desktop/media-handling]

+    autorun-never=true

+    Once the settings have been added, add a lock to

+    <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.

+    For example:

+    
/org/gnome/desktop/media-handling/autorun-never

+    After the settings have been set, run <tt>dconf update</tt>.

+

+rationale: |-

+    Disabling automatic mount running in GNOME3 can prevent

+    the introduction of malware via removable media.

+    It will, however, also prevent desktop users from legitimate use

+    of removable media.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: CCE-83741-9

+    cce@rhel8: CCE-83742-7

+

+references:

+    cui: 3.1.7

+    nist: CM-7(a),CM-7(b),CM-6(a)

+    nist-csf: PR.AC-3,PR.AC-6

+    isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.4,SR 1.5,SR 1.9,SR 2.1,SR 2.6'

+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.2,4.3.3.6.6,4.3.3.7.2,4.3.3.7.4

+    cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03

+    iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1

+    cis-csc: 12,16

+    stig@rhel7: RHEL-07-020111

+    disa: CCI-001958

+    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227

+

+

+ocil_clause: 'GNOME autorun is not disabled'

+

+ocil: |-

+    These settings can be verified by running the following:

+    
$ gsettings get org.gnome.desktop.media-handling autorun-never

+    If properly configured, the output for <tt>autorun-never</tt>should be <tt>true</tt>.

+    To ensure that users cannot enable autorun in GNOME3, run the following:

+    
$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*

+    If properly configured, the output for <tt>autorun-never</tt> should be <tt>/org/gnome/desktop/media-handling/autorun-never</tt>

+

+platform: machine

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh

new file mode 100644

index 0000000000..8688fc864a

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+. $SHARED/dconf_test_functions.sh

+

+yum -y install dconf

+clean_dconf_settings

+

+add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings"

+add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "local.d" "00-security-settings"

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh

new file mode 100644

index 0000000000..33a439cbb6

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+. $SHARED/dconf_test_functions.sh

+

+yum -y install dconf

+clean_dconf_settings

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index c012e605a9..6c0ea9893b 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -293,8 +293,6 @@ CCE-83688-2

 CCE-83689-0

 CCE-83690-8

 CCE-83691-6

-CCE-83692-4

-CCE-83693-2

 CCE-83694-0

 CCE-83695-7

 CCE-83696-5

@@ -333,8 +331,6 @@ CCE-83735-1

 CCE-83736-9

 CCE-83739-3

 CCE-83740-1

-CCE-83741-9

-CCE-83742-7

 CCE-83743-5

 CCE-83744-3

 CCE-83745-0

From cfdaf607bcc61551032a9b2a48d4ea68c15775a9 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Thu, 6 Aug 2020 15:54:22 +0200

Subject: [PATCH 2/8] Update RHEL7 STIG profile with new rules.

- dconf_gnome_disable_automount_open

- dconf_gnome_disable_autorun

---

 rhel7/profiles/stig.profile | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile

index f9f3e94e2a..0d723117a5 100644

--- a/rhel7/profiles/stig.profile

+++ b/rhel7/profiles/stig.profile

@@ -77,6 +77,9 @@ selections:

     - dconf_gnome_screensaver_idle_activation_locked

     - dconf_gnome_screensaver_lock_delay

     - dconf_gnome_disable_ctrlaltdel_reboot

+    - dconf_gnome_disable_automount

+    - dconf_gnome_disable_automount_open

+    - dconf_gnome_disable_autorun

     - accounts_password_pam_ucredit

     - accounts_password_pam_lcredit

     - accounts_password_pam_dcredit

From 52d1ac84f72e071a1de46a940d3a4e4cf52d807d Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Thu, 6 Aug 2020 15:55:25 +0200

Subject: [PATCH 3/8] Update RHEL7 NCP profile with new rules.

- dconf_gnome_disable_automount_open

- dconf_gnome_disable_autorun

---

 rhel7/profiles/ncp.profile | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/rhel7/profiles/ncp.profile b/rhel7/profiles/ncp.profile

index 7de1c7bb42..cf1ccc4612 100644

--- a/rhel7/profiles/ncp.profile

+++ b/rhel7/profiles/ncp.profile

@@ -317,6 +317,8 @@ selections:

     - dconf_db_up_to_date

     - dconf_gnome_banner_enabled

     - dconf_gnome_disable_automount

+    - dconf_gnome_disable_automount_open

+    - dconf_gnome_disable_autorun

     - dconf_gnome_disable_ctrlaltdel_reboot

     - dconf_gnome_disable_geolocation

     - dconf_gnome_disable_restart_shutdown

From 929054cec387203c53c3e3df166b09e6aa02023b Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Tue, 18 Aug 2020 16:44:29 +0200

Subject: [PATCH 4/8] Use bash function to install required testing packages.

dconf and gdm packages are required make checks applicable.

---

 .../tests/correct_value.pass.sh                            | 2 +-

 .../tests/wrong_value.fail.sh                              | 7 +++++++

 .../tests/correct_value.pass.sh                            | 2 +-

 .../tests/wrong_value.fail.sh                              | 2 +-

 .../tests/correct_value.pass.sh                            | 2 +-

 .../dconf_gnome_disable_autorun/tests/wrong_value.fail.sh  | 2 +-

 6 files changed, 12 insertions(+), 5 deletions(-)

 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh