Break dconf_gnome_disable_automount down into three separate rules.

Author: ggbecker

linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ncp
+
+source $SHARED/dconf_test_functions.sh
+
+install_dconf_and_gdm_if_needed
+
+clean_dconf_settings
+

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml

@@ -17,34 +17,3 @@
     regexp: '^/org/gnome/desktop/media-handling/automount'
     line: '/org/gnome/desktop/media-handling/automount'
     create: yes
-
-- name: "Disable GNOME3 Automounting - automount-open"
-  ini_file:
-    dest: /etc/dconf/db/local.d/00-security-settings
-    section: org/gnome/desktop/media-handling
-    option: automount-open
-    value: "false"
-    create: yes
-
-- name: "Prevent user modification of GNOME3 Automounting - automount-open"
-  lineinfile:
-    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
-    regexp: '^/org/gnome/desktop/media-handling/automount-open'
-    line: '/org/gnome/desktop/media-handling/automount-open'
-    create: yes
-
-- name: "Disable GNOME3 Automounting - autorun-never"
-  ini_file:
-    dest: /etc/dconf/db/local.d/00-security-settings
-    section: org/gnome/desktop/media-handling
-    option: autorun-never
-    value: "true"
-    create: yes
-
-- name: "Prevent user modification of GNOME3 Automounting - autorun-never"
-  lineinfile:
-    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
-    regexp: '^/org/gnome/desktop/media-handling/autorun-never'
-    line: '/org/gnome/desktop/media-handling/autorun-never'
-    create: yes
-

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh

@@ -2,8 +2,4 @@
 
 
 {{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount", "false", "local.d", "00-security-settings") }}}
-{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings") }}}
-{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings") }}}
 {{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount", "local.d", "00-security-settings-lock") }}}
-{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}}
-{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}}

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml

@@ -1,19 +1,15 @@
 <def-group>
-  <definition class="compliance" id="dconf_gnome_disable_automount" version="1">
+  <definition class="compliance" id="dconf_gnome_disable_automount" version="2">
     {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount
       devices and removable media (such as DVDs, CDs and USB flash drives)
       whenever they are inserted into the system. Disable automount and autorun
       within GNOME3.") }}}
     <criteria operator="OR">
       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
+      <criteria comment="Disable GNOME3 automount and prevent user from changing it" operator="AND">
         <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
         <criterion comment="Disable automount in GNOME3" test_ref="test_dconf_gnome_disable_automount" />
-        <criterion comment="Disable automount-open in GNOME3" test_ref="test_dconf_gnome_disable_automount_open" />
-        <criterion comment="Disable autorun in GNOME3" test_ref="test_dconf_gnome_disable_autorun" />
         <criterion comment="Prevent user from changing automount setting" test_ref="test_prevent_user_gnome_automount" />
-        <criterion comment="Prevent user from changing automount-open setting" test_ref="test_prevent_user_gnome_automount_open" />
-        <criterion comment="Prevent user from changing autorun setting" test_ref="test_prevent_user_gnome_autorun" />
       </criteria>
     </criteria>
   </definition>
@@ -43,56 +39,4 @@
     <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Disable automount-open in GNOME"
-  id="test_dconf_gnome_disable_automount_open" version="1">
-    <ind:object object_ref="obj_dconf_gnome_disable_automount_open" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_automount_open"
-  version="1">
-    <ind:path>/etc/dconf/db/local.d/</ind:path>
-    <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Prevent user from changing automount-open setting"
-  id="test_prevent_user_gnome_automount_open" version="1">
-    <ind:object object_ref="obj_prevent_user_gnome_automount_open" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_prevent_user_gnome_automount_open"
-  version="1">
-    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
-    <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Disable autorun in GNOME"
-  id="test_dconf_gnome_disable_autorun" version="1">
-    <ind:object object_ref="obj_dconf_gnome_disable_autorun" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_autorun"
-  version="1">
-    <ind:path>/etc/dconf/db/local.d/</ind:path>
-    <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Prevent user from changing autorun setting"
-  id="test_prevent_user_gnome_autorun" version="1">
-    <ind:object object_ref="obj_prevent_user_gnome_autorun" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_prevent_user_gnome_autorun"
-  version="1">
-    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
-    <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
 </def-group>

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml

@@ -7,20 +7,15 @@ title: 'Disable GNOME3 Automounting'
 description: |-
     The system's default desktop environment, GNOME3, will mount
     devices and removable media (such as DVDs, CDs and USB flash drives) whenever
-    they are inserted into the system. To disable automount and autorun within GNOME3, add or set
-    <tt>automount</tt> to <tt>false</tt>, <tt>automount-open</tt> to <tt>false</tt>, and
-    <tt>autorun-never</tt> to <tt>true</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
+    they are inserted into the system. To disable automount within GNOME3, add or set
+    <tt>automount</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
     For example:
     <pre>[org/gnome/desktop/media-handling]
-    automount=false
-    automount-open=false
-    autorun-never=true</pre>
+    automount=false</pre>
     Once the settings have been added, add a lock to
     <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
     For example:
-    <pre>/org/gnome/desktop/media-handling/automount
-    /org/gnome/desktop/media-handling/automount-open
-    /org/gnome/desktop/media-handling/autorun-never</pre>
+    <pre>/org/gnome/desktop/media-handling/automount</pre>
     After the settings have been set, run <tt>dconf update</tt>.
 
 rationale: |-
@@ -48,16 +43,10 @@ ocil_clause: 'GNOME automounting is not disabled'
 
 ocil: |-
     These settings can be verified by running the following:
-    <pre>$ gsettings get org.gnome.desktop.media-handling automount
-    $ gsettings get org.gnome.desktop.media-handling automount-open
-    $ gsettings get org.gnome.desktop.media-handling autorun-never</pre>
+    <pre>$ gsettings get org.gnome.desktop.media-handling automount</pre>
     If properly configured, the output for <tt>automount</tt> should be <tt>false</tt>.
-    If properly configured, the output for <tt>automount-open</tt>should be <tt>false</tt>.
-    If properly configured, the output for <tt>autorun-never</tt> should be <tt>true</tt>.
-    To ensure that users cannot enable automount and autorun in GNOME3, run the following:
-    <pre>$ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*</pre>
+    To ensure that users cannot enable automount in GNOME3, run the following:
+    <pre>$ grep 'automount' /etc/dconf/db/local.d/locks/*</pre>
     If properly configured, the output for <tt>automount</tt> should be <tt>/org/gnome/desktop/media-handling/automount</tt>
-    If properly configured, the output for <tt>automount-open</tt> should be <tt>/org/gnome/desktop/media-handling/auto-open</tt>
-    If properly configured, the output for <tt>autorun-never</tt> should be <tt>/org/gnome/desktop/media-handling/autorun-never</tt>
 
 platform: machine

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/dconf_test_functions.sh
+
+yum -y install dconf
+clean_dconf_settings
+
+add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/desktop/media-handling" "automount" "local.d" "00-security-settings"
+

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml

@@ -0,0 +1,19 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- name: "Disable GNOME3 Automounting - automount-open"
+  ini_file:
+    dest: /etc/dconf/db/local.d/00-security-settings
+    section: org/gnome/desktop/media-handling
+    option: automount-open
+    value: "false"
+    create: yes
+
+- name: "Prevent user modification of GNOME3 Automounting - automount-open"
+  lineinfile:
+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+    regexp: '^/org/gnome/desktop/media-handling/automount-open'
+    line: '/org/gnome/desktop/media-handling/automount-open'
+    create: yes

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh

@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora
+
+
+{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings") }}}
+{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}}

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml

@@ -0,0 +1,50 @@
+<def-group>
+  <definition class="compliance" id="dconf_gnome_disable_automount_open" version="1">
+    <metadata>
+      <title>Disable GNOME3 automount-open</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Red Hat Enterprise Linux 8</platform>
+        <platform>multi_platform_fedora</platform>
+      </affected>
+      <description>The system's default desktop environment, GNOME3, will mount
+      devices and removable media (such as DVDs, CDs and USB flash drives)
+      whenever they are inserted into the system. Disable automount-open
+      within GNOME3.</description>
+    </metadata>
+    <criteria operator="OR">
+      <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
+      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
+        <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
+        <criterion comment="Disable automount-open in GNOME3" test_ref="test_dconf_gnome_disable_automount_open" />
+        <criterion comment="Prevent user from changing automount-open setting" test_ref="test_prevent_user_gnome_automount_open" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Disable automount-open in GNOME"
+  id="test_dconf_gnome_disable_automount_open" version="1">
+    <ind:object object_ref="obj_dconf_gnome_disable_automount_open" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_automount_open"
+  version="1">
+    <ind:path>/etc/dconf/db/local.d/</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Prevent user from changing automount-open setting"
+  id="test_prevent_user_gnome_automount_open" version="1">
+    <ind:object object_ref="obj_prevent_user_gnome_automount_open" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_prevent_user_gnome_automount_open"
+  version="1">
+    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml

@@ -0,0 +1,57 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8
+
+title: 'Disable GNOME3 Automount Opening'
+
+description: |-
+    The system's default desktop environment, GNOME3, will mount
+    devices and removable media (such as DVDs, CDs and USB flash drives) whenever
+    they are inserted into the system. To disable automount-open within GNOME3, add or set
+    <tt>automount-open</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
+    For example:
+    <pre>[org/gnome/desktop/media-handling]
+    automount-open=false</pre>
+    Once the settings have been added, add a lock to
+    <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
+    For example:
+    <pre>/org/gnome/desktop/media-handling/automount-open</pre>
+    After the settings have been set, run <tt>dconf update</tt>.
+
+rationale: |-
+    Disabling automatic mounting in GNOME3 can prevent
+    the introduction of malware via removable media.
+    It will, however, also prevent desktop users from legitimate use
+    of removable media.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-83692-4
+    cce@rhel8: CCE-83693-2
+
+references:
+    cui: 3.1.7
+    nist: CM-7(a),CM-7(b),CM-6(a)
+    nist-csf: PR.AC-3,PR.AC-6
+    isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.4,SR 1.5,SR 1.9,SR 2.1,SR 2.6'
+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.2,4.3.3.6.6,4.3.3.7.2,4.3.3.7.4
+    cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
+    iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1
+    cis-csc: 12,16
+    stig@rhel7: RHEL-07-020111
+    disa: CCI-001958
+    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
+
+
+ocil_clause: 'GNOME automounting is not disabled'
+
+ocil: |-
+    These settings can be verified by running the following:
+    <pre>$ gsettings get org.gnome.desktop.media-handling automount-open</pre>
+    If properly configured, the output for <tt>automount-open</tt>should be <tt>false</tt>.
+    To ensure that users cannot enable automount opening in GNOME3, run the following:
+    <pre>$ grep 'automount-open' /etc/dconf/db/local.d/locks/*</pre>
+    If properly configured, the output for <tt>automount-open</tt> should be <tt>/org/gnome/desktop/media-handling/automount-open</tt>
+
+platform: machine

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/dconf_test_functions.sh
+
+yum -y install dconf
+clean_dconf_settings
+
+add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings"
+
+

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/dconf_test_functions.sh
+
+yum -y install dconf
+clean_dconf_settings

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml

@@ -0,0 +1,20 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- name: "Disable GNOME3 Automounting - autorun-never"
+  ini_file:
+    dest: /etc/dconf/db/local.d/00-security-settings
+    section: org/gnome/desktop/media-handling
+    option: autorun-never
+    value: "true"
+    create: yes
+
+- name: "Prevent user modification of GNOME3 Automounting - autorun-never"
+  lineinfile:
+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+    regexp: '^/org/gnome/desktop/media-handling/autorun-never'
+    line: '/org/gnome/desktop/media-handling/autorun-never'
+    create: yes
+

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh

@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora
+
+
+{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings") }}}
+{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}}