| # CIS 1.1.21 Disable Automounting |
| # |
| # Description |
| # =========== |
| # autofs allows automatic mounting of devices, typically including CD/DVDs |
| # and USB drives. |
| # |
| # Rationale |
| # ========= |
| # With automounting enabled, anyone with physical access could attach a USB |
| # drive or disc and have its contents available on the system even if they |
| # lacked permissions to mount it themselves. |
| # |
| # Audit |
| # ===== |
| # Run the following command to verify autofs is not enabled: |
| # |
| # # systemctl is-enabled autofs |
| # disabled |
| # |
| # Verify result is not "enabled". |
| # |
| # Remediation |
| # =========== |
| # |
| # Run the following command to disable autofs: |
| # |
| # # systemctl disable autofs |
| # |
| # Impact |
| # ====== |
| # The use of portable hard drives is very common for workstation users. If |
| # your organization allows the use of portable storage or media on |
| # workstations and physical access controls to workstations are considered |
| # adequate, there is little value added in turning off automounting. |
| # |
| # Notes |
| # ===== |
| # This control should align with the tolerance of the use of portable drives |
| # and optical media in the organization. On a server, requiring an admin to |
| # manually mount media can be part of defense-in-depth to reduce the risk of |
| # unapproved software or information being introduced or proprietary software |
| # or information being exfiltrated. If admins commonly use flash drives and |
| # server access has sufficient physical controls, requiring manual mounting |
| # may not increase security. |
| # |
| parameters: |
|   linux: |
|     system: |
|       service: |
|         autofs: |
|           status: disabled |
| |