From bf1b010001f16a428a0e3401347df0a37ce52e90 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 6 Aug 2020 15:43:31 +0200
Subject: [PATCH 1/8] Break dconf_gnome_disable_automount down into three
 separate rules.

---
 .../tests/empty.fail.sh                       |  9 +++
 .../ansible/shared.yml                        | 31 ----------
 .../bash/shared.sh                            |  4 --
 .../oval/shared.xml                           | 60 +------------------
 .../dconf_gnome_disable_automount/rule.yml    | 25 +++-----
 .../tests/correct_value.pass.sh               | 11 ++++
 .../ansible/shared.yml                        | 19 ++++++
 .../bash/shared.sh                            |  5 ++
 .../oval/shared.xml                           | 50 ++++++++++++++++
 .../rule.yml                                  | 57 ++++++++++++++++++
 .../tests/correct_value.pass.sh               | 12 ++++
 .../tests/wrong_value.fail.sh                 |  7 +++
 .../ansible/shared.yml                        | 20 +++++++
 .../bash/shared.sh                            |  5 ++
 .../oval/shared.xml                           | 50 ++++++++++++++++
 .../dconf_gnome_disable_autorun/rule.yml      | 57 ++++++++++++++++++
 .../tests/correct_value.pass.sh               | 10 ++++
 .../tests/wrong_value.fail.sh                 |  7 +++
 shared/references/cce-redhat-avail.txt        |  4 --
 19 files changed, 328 insertions(+), 115 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh
new file mode 100644
index 0000000000..cb84c5262b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ncp
+
+source $SHARED/dconf_test_functions.sh
+
+install_dconf_and_gdm_if_needed
+
+clean_dconf_settings
+
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
index c13d706df3..eeb7b8f301 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
@@ -17,34 +17,3 @@
     regexp: '^/org/gnome/desktop/media-handling/automount'
     line: '/org/gnome/desktop/media-handling/automount'
     create: yes
-
-- name: "Disable GNOME3 Automounting - automount-open"
-  ini_file:
-    dest: /etc/dconf/db/local.d/00-security-settings
-    section: org/gnome/desktop/media-handling
-    option: automount-open
-    value: "false"
-    create: yes
-
-- name: "Prevent user modification of GNOME3 Automounting - automount-open"
-  lineinfile:
-    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
-    regexp: '^/org/gnome/desktop/media-handling/automount-open'
-    line: '/org/gnome/desktop/media-handling/automount-open'
-    create: yes
-
-- name: "Disable GNOME3 Automounting - autorun-never"
-  ini_file:
-    dest: /etc/dconf/db/local.d/00-security-settings
-    section: org/gnome/desktop/media-handling
-    option: autorun-never
-    value: "true"
-    create: yes
-
-- name: "Prevent user modification of GNOME3 Automounting - autorun-never"
-  lineinfile:
-    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
-    regexp: '^/org/gnome/desktop/media-handling/autorun-never'
-    line: '/org/gnome/desktop/media-handling/autorun-never'
-    create: yes
-
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh
index aa7c692c87..5a52153613 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh
@@ -2,8 +2,4 @@
 
 
 {{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount", "false", "local.d", "00-security-settings") }}}
-{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings") }}}
-{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings") }}}
 {{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount", "local.d", "00-security-settings-lock") }}}
-{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}}
-{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}}
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
index fb359a2278..c05b1d8e1b 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
@@ -1,19 +1,15 @@
 <def-group>
-  <definition class="compliance" id="dconf_gnome_disable_automount" version="1">
+  <definition class="compliance" id="dconf_gnome_disable_automount" version="2">
     {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount
       devices and removable media (such as DVDs, CDs and USB flash drives)
       whenever they are inserted into the system. Disable automount and autorun
       within GNOME3.") }}}
     <criteria operator="OR">
       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
+      <criteria comment="Disable GNOME3 automount and prevent user from changing it" operator="AND">
         <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
         <criterion comment="Disable automount in GNOME3" test_ref="test_dconf_gnome_disable_automount" />
-        <criterion comment="Disable automount-open in GNOME3" test_ref="test_dconf_gnome_disable_automount_open" />
-        <criterion comment="Disable autorun in GNOME3" test_ref="test_dconf_gnome_disable_autorun" />
         <criterion comment="Prevent user from changing automount setting" test_ref="test_prevent_user_gnome_automount" />
-        <criterion comment="Prevent user from changing automount-open setting" test_ref="test_prevent_user_gnome_automount_open" />
-        <criterion comment="Prevent user from changing autorun setting" test_ref="test_prevent_user_gnome_autorun" />
       </criteria>
     </criteria>
   </definition>
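Review bot: The `oval_metadata` text kept as context at the top of this hunk still ends with "Disable automount and autorun within GNOME3", but after this change the definition only tests `automount` and its lock. The description should be narrowed to match, e.g. `whenever they are inserted into the system. Disable automount within GNOME3.") }}}`, so a scan report does not suggest that autorun is covered by this rule.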
@@ -43,56 +39,4 @@
     <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Disable automount-open in GNOME"
-  id="test_dconf_gnome_disable_automount_open" version="1">
-    <ind:object object_ref="obj_dconf_gnome_disable_automount_open" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_automount_open"
-  version="1">
-    <ind:path>/etc/dconf/db/local.d/</ind:path>
-    <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Prevent user from changing automount-open setting"
-  id="test_prevent_user_gnome_automount_open" version="1">
-    <ind:object object_ref="obj_prevent_user_gnome_automount_open" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_prevent_user_gnome_automount_open"
-  version="1">
-    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
-    <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Disable autorun in GNOME"
-  id="test_dconf_gnome_disable_autorun" version="1">
-    <ind:object object_ref="obj_dconf_gnome_disable_autorun" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_autorun"
-  version="1">
-    <ind:path>/etc/dconf/db/local.d/</ind:path>
-    <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Prevent user from changing autorun setting"
-  id="test_prevent_user_gnome_autorun" version="1">
-    <ind:object object_ref="obj_prevent_user_gnome_autorun" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_prevent_user_gnome_autorun"
-  version="1">
-    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
-    <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
 </def-group>
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
index 551f6cacdf..b7e7192bc0 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
@@ -7,20 +7,15 @@ title: 'Disable GNOME3 Automounting'
 description: |-
     The system's default desktop environment, GNOME3, will mount
     devices and removable media (such as DVDs, CDs and USB flash drives) whenever
-    they are inserted into the system. To disable automount and autorun within GNOME3, add or set
-    <tt>automount</tt> to <tt>false</tt>, <tt>automount-open</tt> to <tt>false</tt>, and
-    <tt>autorun-never</tt> to <tt>true</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
+    they are inserted into the system. To disable automount within GNOME3, add or set
+    <tt>automount</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
     For example:
     <pre>[org/gnome/desktop/media-handling]
-    automount=false
-    automount-open=false
-    autorun-never=true</pre>
+    automount=false</pre>
     Once the settings have been added, add a lock to
     <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
     For example:
-    <pre>/org/gnome/desktop/media-handling/automount
-    /org/gnome/desktop/media-handling/automount-open
-    /org/gnome/desktop/media-handling/autorun-never</pre>
+    <pre>/org/gnome/desktop/media-handling/automount</pre>
     After the settings have been set, run <tt>dconf update</tt>.
 
 rationale: |-
@@ -48,16 +43,10 @@ ocil_clause: 'GNOME automounting is not disabled'
 
 ocil: |-
     These settings can be verified by running the following:
-    <pre>$ gsettings get org.gnome.desktop.media-handling automount
-    $ gsettings get org.gnome.desktop.media-handling automount-open
-    $ gsettings get org.gnome.desktop.media-handling autorun-never</pre>
+    <pre>$ gsettings get org.gnome.desktop.media-handling automount</pre>
     If properly configured, the output for <tt>automount</tt> should be <tt>false</tt>.
-    If properly configured, the output for <tt>automount-open</tt>should be <tt>false</tt>.
-    If properly configured, the output for <tt>autorun-never</tt> should be <tt>true</tt>.
-    To ensure that users cannot enable automount and autorun in GNOME3, run the following:
-    <pre>$ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*</pre>
+    To ensure that users cannot enable automount in GNOME3, run the following:
+    <pre>$ grep 'automount' /etc/dconf/db/local.d/locks/*</pre>
     If properly configured, the output for <tt>automount</tt> should be <tt>/org/gnome/desktop/media-handling/automount</tt>
-    If properly configured, the output for <tt>automount-open</tt> should be <tt>/org/gnome/desktop/media-handling/auto-open</tt>
-    If properly configured, the output for <tt>autorun-never</tt> should be <tt>/org/gnome/desktop/media-handling/autorun-never</tt>
 
 platform: machine
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..685f5925c5
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/dconf_test_functions.sh
+
+yum -y install dconf
+clean_dconf_settings
+
+add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/desktop/media-handling" "automount" "local.d" "00-security-settings"
+
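Review bot: `add_dconf_lock` is given `00-security-settings` as the lock file name, while the Bash remediation for this rule writes the lock to `00-security-settings-lock`. The OVAL lock object matches any file under `locks/`, so the scenario probably still passes, but the fixture no longer mirrors what remediation produces; suggest `add_dconf_lock "org/gnome/desktop/media-handling" "automount" "local.d" "00-security-settings-lock"`. The `correct_value.pass.sh` tests added for `dconf_gnome_disable_automount_open` and `dconf_gnome_disable_autorun` pass the same argument. The helper's handling of that argument is not visible here, so confirm against `dconf_test_functions.sh`.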
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
new file mode 100644
index 0000000000..680d148347
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
@@ -0,0 +1,19 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- name: "Disable GNOME3 Automounting - automount-open"
+  ini_file:
+    dest: /etc/dconf/db/local.d/00-security-settings
+    section: org/gnome/desktop/media-handling
+    option: automount-open
+    value: "false"
+    create: yes
+
+- name: "Prevent user modification of GNOME3 Automounting - automount-open"
+  lineinfile:
+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+    regexp: '^/org/gnome/desktop/media-handling/automount-open'
+    line: '/org/gnome/desktop/media-handling/automount-open'
+    create: yes
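Review bot: The lock `regexp` in the second task has no end anchor, and neither does the one kept in `dconf_gnome_disable_automount/ansible/shared.yml` (`'^/org/gnome/desktop/media-handling/automount'`), which also matches the `automount-open` line written here. Because `lineinfile` replaces the last line matching `regexp`, applying the automount rule after this one can rewrite the `automount-open` lock into an `automount` lock and leave `automount-open` user-modifiable. Now that the rules are remediated independently, anchor the patterns: `regexp: '^/org/gnome/desktop/media-handling/automount-open$'` here, and the matching `$` in the sibling rule.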
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh
new file mode 100644
index 0000000000..7a1497507b
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora
+
+
+{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings") }}}
+{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}}
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
new file mode 100644
index 0000000000..84264fa8f4
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
@@ -0,0 +1,50 @@
+<def-group>
+  <definition class="compliance" id="dconf_gnome_disable_automount_open" version="1">
+    <metadata>
+      <title>Disable GNOME3 automount-open</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Red Hat Enterprise Linux 8</platform>
+        <platform>multi_platform_fedora</platform>
+      </affected>
+      <description>The system's default desktop environment, GNOME3, will mount
+      devices and removable media (such as DVDs, CDs and USB flash drives)
+      whenever they are inserted into the system. Disable automount-open
+      within GNOME3.</description>
+    </metadata>
+    <criteria operator="OR">
+      <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
+      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
+        <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
+        <criterion comment="Disable automount-open in GNOME3" test_ref="test_dconf_gnome_disable_automount_open" />
+        <criterion comment="Prevent user from changing automount-open setting" test_ref="test_prevent_user_gnome_automount_open" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Disable automount-open in GNOME"
+  id="test_dconf_gnome_disable_automount_open" version="1">
+    <ind:object object_ref="obj_dconf_gnome_disable_automount_open" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_automount_open"
+  version="1">
+    <ind:path>/etc/dconf/db/local.d/</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Prevent user from changing automount-open setting"
+  id="test_prevent_user_gnome_automount_open" version="1">
+    <ind:object object_ref="obj_prevent_user_gnome_automount_open" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_prevent_user_gnome_automount_open"
+  version="1">
+    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
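Review bot: The settings pattern `^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$` lets the repeated group consume any line, including a later `[section]` header, so `automount-open=false` placed under a different section further down the file still satisfies the check. That gives a compliant result for a key dconf would not apply to media-handling. Consider excluding lines that start with `[`, for example `^\[org/gnome/desktop/media-handling][^\n]*\n+([^\[\n][^\n]*\n+)*?automount-open=false$` (untested against the scanner's regex engine). The autorun definition added later in this patch uses the same construction.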
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
new file mode 100644
index 0000000000..07ce263102
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
@@ -0,0 +1,57 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8
+
+title: 'Disable GNOME3 Automount Opening'
+
+description: |-
+    The system's default desktop environment, GNOME3, will mount
+    devices and removable media (such as DVDs, CDs and USB flash drives) whenever
+    they are inserted into the system. To disable automount-open within GNOME3, add or set
+    <tt>automount-open</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
+    For example:
+    <pre>[org/gnome/desktop/media-handling]
+    automount-open=false</pre>
+    Once the settings have been added, add a lock to
+    <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
+    For example:
+    <pre>/org/gnome/desktop/media-handling/automount-open</pre>
+    After the settings have been set, run <tt>dconf update</tt>.
+
+rationale: |-
+    Disabling automatic mounting in GNOME3 can prevent
+    the introduction of malware via removable media.
+    It will, however, also prevent desktop users from legitimate use
+    of removable media.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-83692-4
+    cce@rhel8: CCE-83693-2
+
+references:
+    cui: 3.1.7
+    nist: CM-7(a),CM-7(b),CM-6(a)
+    nist-csf: PR.AC-3,PR.AC-6
+    isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.4,SR 1.5,SR 1.9,SR 2.1,SR 2.6'
+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.2,4.3.3.6.6,4.3.3.7.2,4.3.3.7.4
+    cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
+    iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1
+    cis-csc: 12,16
+    stig@rhel7: RHEL-07-020111
+    disa: CCI-001958
+    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
+
+
+ocil_clause: 'GNOME automounting is not disabled'
+
+ocil: |-
+    These settings can be verified by running the following:
+    <pre>$ gsettings get org.gnome.desktop.media-handling automount-open</pre>
+    If properly configured, the output for <tt>automount-open</tt>should be <tt>false</tt>.
+    To ensure that users cannot enable automount opening in GNOME3, run the following:
+    <pre>$ grep 'automount-open' /etc/dconf/db/local.d/locks/*</pre>
+    If properly configured, the output for <tt>automount-open</tt> should be <tt>/org/gnome/desktop/media-handling/automount-open</tt>
+
+platform: machine
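Review bot: The description and rationale never say what `automount-open` controls; they repeat the automount wording, and `ocil_clause` still reads 'GNOME automounting is not disabled', so an auditor cannot tell this rule apart from `dconf_gnome_disable_automount`. Suggest adding a sentence that the key governs whether a folder is opened automatically for automounted media, and changing the clause to something like `ocil_clause: 'GNOME automount-open is not disabled'`. The `ocil` text is also missing a space in `<tt>automount-open</tt>should`.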
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..b9995bf679
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/dconf_test_functions.sh
+
+yum -y install dconf
+clean_dconf_settings
+
+add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings"
+
+
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..33a439cbb6
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/dconf_test_functions.sh
+
+yum -y install dconf
+clean_dconf_settings
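Review bot: Despite its name, this scenario never writes a wrong value: the script ends after `clean_dconf_settings`, so it exercises the key being absent rather than `automount-open` set to `true`. Either rename it or add the non-compliant state, e.g. `add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "true" "local.d" "00-security-settings"`. The `wrong_value.fail.sh` added for `dconf_gnome_disable_autorun` is identical and has the same gap; there the wrong value would be `autorun-never` set to `false`.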
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
new file mode 100644
index 0000000000..036246e3be
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
@@ -0,0 +1,20 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- name: "Disable GNOME3 Automounting - autorun-never"
+  ini_file:
+    dest: /etc/dconf/db/local.d/00-security-settings
+    section: org/gnome/desktop/media-handling
+    option: autorun-never
+    value: "true"
+    create: yes
+
+- name: "Prevent user modification of GNOME3 Automounting - autorun-never"
+  lineinfile:
+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+    regexp: '^/org/gnome/desktop/media-handling/autorun-never'
+    line: '/org/gnome/desktop/media-handling/autorun-never'
+    create: yes
+
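Review bot: Neither task regenerates the dconf database, although the rule text tells the administrator to run `dconf update` after editing the keyfile and the lock. The OVAL check only reads the files under `/etc/dconf/db/local.d/`, so after this remediation a scan can pass while the desktop presumably still uses the previously compiled database. Consider a final task such as `- name: "Dconf Update"` with `command: dconf update`. The same applies to `dconf_gnome_disable_automount_open/ansible/shared.yml`.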
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh
new file mode 100644
index 0000000000..4c3bcb9547
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora
+
+
+{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings") }}}
+{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}}
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
new file mode 100644
index 0000000000..4c9840c644
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
@@ -0,0 +1,50 @@
+<def-group>
+  <definition class="compliance" id="dconf_gnome_disable_autorun" version="1">
+    <metadata>
+      <title>Disable GNOME3 Automounting</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Red Hat Enterprise Linux 8</platform>
+        <platform>multi_platform_fedora</platform>
+      </affected>
+      <description>The system's default desktop environment, GNOME3, will mount
+      devices and removable media (such as DVDs, CDs and USB flash drives)
+      whenever they are inserted into the system. Disable automount and autorun
+      within GNOME3.</description>
+    </metadata>
+    <criteria operator="OR">
+      <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
+      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
+        <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
+        <criterion comment="Disable autorun in GNOME3" test_ref="test_dconf_gnome_disable_autorun" />
+        <criterion comment="Prevent user from changing autorun setting" test_ref="test_prevent_user_gnome_autorun" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Disable autorun in GNOME"
+  id="test_dconf_gnome_disable_autorun" version="1">
+    <ind:object object_ref="obj_dconf_gnome_disable_autorun" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_autorun"
+  version="1">
+    <ind:path>/etc/dconf/db/local.d/</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Prevent user from changing autorun setting"
+  id="test_prevent_user_gnome_autorun" version="1">
+    <ind:object object_ref="obj_prevent_user_gnome_autorun" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_prevent_user_gnome_autorun"
+  version="1">
+    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
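Review bot: The metadata is copied from the automount rule: `<title>Disable GNOME3 Automounting</title>` and a description ending in "Disable automount and autorun within GNOME3", while this definition only tests `autorun-never` and its lock. Suggest `<title>Disable GNOME3 autorun</title>` and a description that names only autorun. The criteria comment "Disable GNOME3 automount/autorun and prevent user from changing it" could be narrowed the same way. The sibling automount definition builds its metadata with the `oval_metadata` macro, which would avoid hand-maintaining the platform list here.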
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
new file mode 100644
index 0000000000..92fa209fb5
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
@@ -0,0 +1,57 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8
+
+title: 'Disable GNOME3 Automount running'
+
+description: |-
+    The system's default desktop environment, GNOME3, will mount
+    devices and removable media (such as DVDs, CDs and USB flash drives) whenever
+    they are inserted into the system. To disable autorun-never within GNOME3, add or set
+    <tt>autorun-never</tt> to <tt>true</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
+    For example:
+    <pre>[org/gnome/desktop/media-handling]
+    autorun-never=true</pre>
+    Once the settings have been added, add a lock to
+    <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
+    For example:
+    <pre>/org/gnome/desktop/media-handling/autorun-never</pre>
+    After the settings have been set, run <tt>dconf update</tt>.
+
+rationale: |-
+    Disabling automatic mount running in GNOME3 can prevent
+    the introduction of malware via removable media.
+    It will, however, also prevent desktop users from legitimate use
+    of removable media.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-83741-9
+    cce@rhel8: CCE-83742-7
+
+references:
+    cui: 3.1.7
+    nist: CM-7(a),CM-7(b),CM-6(a)
+    nist-csf: PR.AC-3,PR.AC-6
+    isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.4,SR 1.5,SR 1.9,SR 2.1,SR 2.6'
+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.2,4.3.3.6.6,4.3.3.7.2,4.3.3.7.4
+    cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
+    iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1
+    cis-csc: 12,16
+    stig@rhel7: RHEL-07-020111
+    disa: CCI-001958
+    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
+
+
+ocil_clause: 'GNOME autorun is not disabled'
+
+ocil: |-
+    These settings can be verified by running the following:
+    <pre>$ gsettings get org.gnome.desktop.media-handling autorun-never</pre>
+    If properly configured, the output for <tt>autorun-never</tt>should be <tt>true</tt>.
+    To ensure that users cannot enable autorun in GNOME3, run the following:
+    <pre>$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*</pre>
+    If properly configured, the output for <tt>autorun-never</tt> should be <tt>/org/gnome/desktop/media-handling/autorun-never</tt>
+
+platform: machine
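Review bot: "To disable autorun-never within GNOME3, add or set autorun-never to true" reads inverted: the rule enables `autorun-never` in order to disable autorun. Suggest `To disable autorun within GNOME3, add or set` and a title such as `title: 'Disable GNOME3 Autorun'`; the rationale's "automatic mount running" could likewise become "autorun". The `ocil` text is also missing a space in `<tt>autorun-never</tt>should`.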
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..8688fc864a
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/dconf_test_functions.sh
+
+yum -y install dconf
+clean_dconf_settings
+
+add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "local.d" "00-security-settings"
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..33a439cbb6
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/dconf_test_functions.sh
+
+yum -y install dconf
+clean_dconf_settings
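Review bot: `wrong_value.fail.sh` never writes a wrong value: the script ends right after `clean_dconf_settings`, so the scan fails because `autorun-never` is absent, not because it is set incorrectly. To cover the case the filename promises, add `add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "false" "local.d" "00-security-settings"`, followed by the same `add_dconf_lock` call that `correct_value.pass.sh` uses. The `wrong_value.fail.sh` added for `dconf_gnome_disable_automount` in patch 4 has the same gap; there the wrong value would be `automount` set to `"true"`.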
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index c012e605a9..6c0ea9893b 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -293,8 +293,6 @@ CCE-83688-2
 CCE-83689-0
 CCE-83690-8
 CCE-83691-6
-CCE-83692-4
-CCE-83693-2
 CCE-83694-0
 CCE-83695-7
 CCE-83696-5
@@ -333,8 +331,6 @@ CCE-83735-1
 CCE-83736-9
 CCE-83739-3
 CCE-83740-1
-CCE-83741-9
-CCE-83742-7
 CCE-83743-5
 CCE-83744-3
 CCE-83745-0

From cfdaf607bcc61551032a9b2a48d4ea68c15775a9 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 6 Aug 2020 15:54:22 +0200
Subject: [PATCH 2/8] Update RHEL7 STIG profile with new rules.

- dconf_gnome_disable_automount_open
- dconf_gnome_disable_autorun
---
 rhel7/profiles/stig.profile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index f9f3e94e2a..0d723117a5 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -77,6 +77,9 @@ selections:
     - dconf_gnome_screensaver_idle_activation_locked
     - dconf_gnome_screensaver_lock_delay
     - dconf_gnome_disable_ctrlaltdel_reboot
+    - dconf_gnome_disable_automount
+    - dconf_gnome_disable_automount_open
+    - dconf_gnome_disable_autorun
     - accounts_password_pam_ucredit
     - accounts_password_pam_lcredit
     - accounts_password_pam_dcredit
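Review bot: The hunk selects three rules, but the commit message lists only `dconf_gnome_disable_automount_open` and `dconf_gnome_disable_autorun`. `dconf_gnome_disable_automount` is added to the STIG profile here as well and should be named in the message. The rest of `selections:` is outside the hunk, so it is worth confirming that `dconf_gnome_disable_automount` is not already selected elsewhere in `stig.profile`, which would make this line a duplicate.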

From 52d1ac84f72e071a1de46a940d3a4e4cf52d807d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 6 Aug 2020 15:55:25 +0200
Subject: [PATCH 3/8] Update RHEL7 NCP profile with new rules.

- dconf_gnome_disable_automount_open
- dconf_gnome_disable_autorun
---
 rhel7/profiles/ncp.profile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rhel7/profiles/ncp.profile b/rhel7/profiles/ncp.profile
index 7de1c7bb42..cf1ccc4612 100644
--- a/rhel7/profiles/ncp.profile
+++ b/rhel7/profiles/ncp.profile
@@ -317,6 +317,8 @@ selections:
     - dconf_db_up_to_date
     - dconf_gnome_banner_enabled
     - dconf_gnome_disable_automount
+    - dconf_gnome_disable_automount_open
+    - dconf_gnome_disable_autorun
     - dconf_gnome_disable_ctrlaltdel_reboot
     - dconf_gnome_disable_geolocation
     - dconf_gnome_disable_restart_shutdown

From 929054cec387203c53c3e3df166b09e6aa02023b Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 18 Aug 2020 16:44:29 +0200
Subject: [PATCH 4/8] Use bash function to install required testing packages.

dconf and gdm packages are required to make checks applicable.
---
 .../tests/correct_value.pass.sh                            | 2 +-
 .../tests/wrong_value.fail.sh                              | 7 +++++++
 .../tests/correct_value.pass.sh                            | 2 +-
 .../tests/wrong_value.fail.sh                              | 2 +-
 .../tests/correct_value.pass.sh                            | 2 +-
 .../dconf_gnome_disable_autorun/tests/wrong_value.fail.sh  | 2 +-
 6 files changed, 12 insertions(+), 5 deletions(-)
 create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
index 685f5925c5..6aeeeee8ee 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
@@ -3,7 +3,7 @@
 
 . $SHARED/dconf_test_functions.sh
 
-yum -y install dconf
+install_dconf_and_gdm_if_needed
 clean_dconf_settings
 
 add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings"
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..35c6e417ad
--- /dev/null
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/dconf_test_functions.sh
+
+install_dconf_and_gdm_if_needed
+clean_dconf_settings
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
index b9995bf679..77c49a861b 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
@@ -3,7 +3,7 @@
 
 . $SHARED/dconf_test_functions.sh
 
-yum -y install dconf
+install_dconf_and_gdm_if_needed
 clean_dconf_settings
 
 add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings"
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
index 33a439cbb6..35c6e417ad 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
@@ -3,5 +3,5 @@
 
 . $SHARED/dconf_test_functions.sh
 
-yum -y install dconf
+install_dconf_and_gdm_if_needed
 clean_dconf_settings
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
index 8688fc864a..0c30c00a3d 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
@@ -3,7 +3,7 @@
 
 . $SHARED/dconf_test_functions.sh
 
-yum -y install dconf
+install_dconf_and_gdm_if_needed
 clean_dconf_settings
 
 add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings"
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
index 33a439cbb6..35c6e417ad 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
@@ -3,5 +3,5 @@
 
 . $SHARED/dconf_test_functions.sh
 
-yum -y install dconf
+install_dconf_and_gdm_if_needed
 clean_dconf_settings

From 8eccb4a33a38043224e3ef7d6b591fcaa7c0a8c5 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 21 Sep 2020 16:25:41 +0200
Subject: [PATCH 5/8] Escape bracket character in dconf automount rules
 regexes.

---
 .../dconf_gnome_disable_automount/oval/shared.xml               | 2 +-
 .../dconf_gnome_disable_automount_open/oval/shared.xml          | 2 +-
 .../dconf_gnome_disable_autorun/oval/shared.xml                 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
index c05b1d8e1b..8024311b23 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
@@ -23,7 +23,7 @@
   version="1">
     <ind:path>/etc/dconf/db/local.d/</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount=false$</ind:pattern>
+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount=false$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
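Review bot: The pattern on the changed line is not confined to the `[org/gnome/desktop/media-handling]` section. `([^\n]*\n+)+?` matches any lines, including a later `[section]` header, so a file where `automount=false` appears under a different section after this header would still satisfy the compliance check. Restricting the skipped lines to ones that do not open a new section, e.g. `^\[org/gnome/desktop/media-handling\]([^\n]*\n+)([^\[\n][^\n]*\n+)*?automount=false$`, keeps the match inside the section; this should be verified against the regex dialect the OVAL scanner uses. The same applies to the `automount-open=false` and `autorun-never=true` patterns in the other two hunks of this commit. The `textfilecontent54_object` element opens above the hunk.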
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
index 84264fa8f4..3230efca62 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
@@ -31,7 +31,7 @@
   version="1">
     <ind:path>/etc/dconf/db/local.d/</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
index 4c9840c644..a7f54a7f19 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
@@ -31,7 +31,7 @@
   version="1">
     <ind:path>/etc/dconf/db/local.d/</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 

From ff380dc7ccab82d40b0c94a782901f439c76b89a Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 21 Sep 2020 16:49:23 +0200
Subject: [PATCH 6/8] Use oval_metadata macro in some dconf gnome rules.

Reduce boilerplate code by using jinja macro.
---
 .../oval/shared.xml                             |  3 +--
 .../oval/shared.xml                             | 15 +++------------
 .../dconf_gnome_disable_autorun/oval/shared.xml | 17 ++++-------------
 3 files changed, 8 insertions(+), 27 deletions(-)

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
index 8024311b23..7cc031206c 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
@@ -2,8 +2,7 @@
   <definition class="compliance" id="dconf_gnome_disable_automount" version="2">
     {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount
       devices and removable media (such as DVDs, CDs and USB flash drives)
-      whenever they are inserted into the system. Disable automount and autorun
-      within GNOME3.") }}}
+      whenever they are inserted into the system. Disable automount within GNOME3.", title="Disable GNOME3 automount") }}}
     <criteria operator="OR">
       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
       <criteria comment="Disable GNOME3 automount and prevent user from changing it" operator="AND">
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
index 3230efca62..1d2cda88ba 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
@@ -1,17 +1,8 @@
 <def-group>
   <definition class="compliance" id="dconf_gnome_disable_automount_open" version="1">
-    <metadata>
-      <title>Disable GNOME3 automount-open</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 7</platform>
-        <platform>Red Hat Enterprise Linux 8</platform>
-        <platform>multi_platform_fedora</platform>
-      </affected>
-      <description>The system's default desktop environment, GNOME3, will mount
-      devices and removable media (such as DVDs, CDs and USB flash drives)
-      whenever they are inserted into the system. Disable automount-open
-      within GNOME3.</description>
-    </metadata>
+    {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount
+    devices and removable media (such as DVDs, CDs and USB flash drives)
+    whenever they are inserted into the system. Disable automount-open within GNOME3.", title="Disable GNOME3 automount-open") }}}
     <criteria operator="OR">
       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
       <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
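Review bot: The inner `<criteria>` comment on the last line of this hunk still reads "Disable GNOME3 automount/autorun and prevent user from changing it", although this definition now covers only `automount-open`. The sibling hunk for `dconf_gnome_disable_autorun` updates its comment; this one does not. Suggested wording: `<criteria comment="Disable GNOME3 automount-open and prevent user from changing it" operator="AND">`. The removed `<metadata>` block listed the affected platforms explicitly; presumably `oval_metadata` derives them elsewhere, which is worth confirming since the macro is not visible here. The `<criteria>` element continues past the end of the hunk.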
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
index a7f54a7f19..6299881f45 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
@@ -1,20 +1,11 @@
 <def-group>
   <definition class="compliance" id="dconf_gnome_disable_autorun" version="1">
-    <metadata>
-      <title>Disable GNOME3 Automounting</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 7</platform>
-        <platform>Red Hat Enterprise Linux 8</platform>
-        <platform>multi_platform_fedora</platform>
-      </affected>
-      <description>The system's default desktop environment, GNOME3, will mount
-      devices and removable media (such as DVDs, CDs and USB flash drives)
-      whenever they are inserted into the system. Disable automount and autorun
-      within GNOME3.</description>
-    </metadata>
+    {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount
+    devices and removable media (such as DVDs, CDs and USB flash drives)
+    whenever they are inserted into the system. Disable autorun within GNOME3.", title="Disable GNOME3 autorun") }}}
     <criteria operator="OR">
       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
+      <criteria comment="Disable GNOME3 autorun and prevent user from changing it" operator="AND">
         <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
         <criterion comment="Disable autorun in GNOME3" test_ref="test_dconf_gnome_disable_autorun" />
         <criterion comment="Prevent user from changing autorun setting" test_ref="test_prevent_user_gnome_autorun" />

From 90c9b3d5e6796ec5c309af2a8b9e1d6fca1be263 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 21 Sep 2020 16:57:24 +0200
Subject: [PATCH 7/8] Fix ansible remediation for dconf gnome disable mount
 rules.

---
 .../dconf_gnome_disable_automount/ansible/shared.yml             | 1 +
 .../dconf_gnome_disable_automount_open/ansible/shared.yml        | 1 +
 .../dconf_gnome_disable_autorun/ansible/shared.yml               | 1 +
 3 files changed, 3 insertions(+)

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
index eeb7b8f301..964ba02a4f 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
@@ -10,6 +10,7 @@
     option: automount
     value: "false"
     create: yes
+    no_extra_spaces: yes
 
 - name: "Prevent user modification of GNOME3 Automounting - automount"
   lineinfile:
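Review bot: `no_extra_spaces: yes` has no comment saying why it is needed, and the reason is not obvious from the task. The OVAL check for this rule matches `automount=false` with no spaces around `=`, so a line written as `automount = false` would leave the rule failing after remediation. A comment above the parameter, such as `# OVAL pattern expects "automount=false" without spaces around "="`, would keep a later cleanup from dropping it. The same comment applies to the `automount-open` and `autorun-never` hunks in this commit. The task begins above the hunk.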
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
index 680d148347..65a6a0784b 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
@@ -10,6 +10,7 @@
     option: automount-open
     value: "false"
     create: yes
+    no_extra_spaces: yes
 
 - name: "Prevent user modification of GNOME3 Automounting - automount-open"
   lineinfile:
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
index 036246e3be..7f5394f13a 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
@@ -10,6 +10,7 @@
     option: autorun-never
     value: "true"
     create: yes
+    no_extra_spaces: yes
 
 - name: "Prevent user modification of GNOME3 Automounting - autorun-never"
   lineinfile:

From ea3110c04b78c2d7bc3bae9977b4d4a19386e259 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 4 Nov 2020 09:52:08 +0100
Subject: [PATCH 8/8] Deduplicate STIG ID in gnome automount rules.

---
 .../dconf_gnome_disable_automount_open/rule.yml                  | 1 -
 .../gnome_media_settings/dconf_gnome_disable_autorun/rule.yml    | 1 -
 2 files changed, 2 deletions(-)

diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
index 07ce263102..f76241a48d 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
@@ -39,7 +39,6 @@ references:
     cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
     iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1
     cis-csc: 12,16
-    stig@rhel7: RHEL-07-020111
     disa: CCI-001958
     srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
 
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
index 92fa209fb5..943b444ceb 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
@@ -39,7 +39,6 @@ references:
     cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
     iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1
     cis-csc: 12,16
-    stig@rhel7: RHEL-07-020111
     disa: CCI-001958
     srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227