Dmitry Teselkin | def4bdd | 2018-08-17 09:41:58 +0300
# CIS 1.1.21 Disable Automounting
#
# Description
# ===========
# autofs allows automatic mounting of devices, typically including CD/DVDs
# and USB drives.
#
# Rationale
# =========
# With automounting enabled anyone with physical access could attach a USB
# drive or disc and have its contents available on the system even if they
# lacked permissions to mount it themselves.
#
# Audit
# =====
# Run the following command to verify autofs is not enabled:
#
# # systemctl is-enabled autofs
# disabled
#
# Verify result is not "enabled".
#
# Remediation
# ===========
#
# Run the following command to disable autofs :
#
# # systemctl disable autofs
#
# Impact
# ======
# The use of portable hard drives is very common for workstation users. If
# your organization allows the use of portable storage or media on
# workstations and physical access controls to workstations are considered
# adequate, there is little value added in turning off automounting.
#
# Notes
# =====
# This control should align with the tolerance of the use of portable drives
# and optical media in the organization. On a server, requiring an admin to
# manually mount media can be part of defense-in-depth to reduce the risk of
# unapproved software or information being introduced or proprietary software
# or information being exfiltrated. If admins commonly use flash drives and
# server access has sufficient physical controls, requiring manual mounting
# may not increase security.
#
parameters:
  linux:
    system:
      service:
        autofs:
          status: disabled

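The Audit and Remediation sections above give the two `systemctl` commands; the script below is an added example (not part of the CIS text or of this repository) that turns them into a scriptable check and fix. It goes slightly beyond the benchmark: besides `is-enabled`, it also fails the audit when the unit is currently running (`is-active`), since a unit that was disabled but started by hand still automounts media, and the remediation uses `disable --now` so the unit is stopped as well as disabled. The `SYSTEMCTL` variable and the function names are assumptions introduced here so the functions can be exercised against a stub without root or systemd.

```shell
#!/bin/sh
# Added example (not from the CIS text or this repository): audit and
# remediate CIS 1.1.21 as described in the Audit/Remediation sections.
# Assumptions: a systemd host; SYSTEMCTL is a hypothetical override that
# lets the functions run against a stub instead of the real systemctl.
: "${SYSTEMCTL:=systemctl}"

# Returns 0 when autofs is neither enabled nor running, 1 otherwise.
# The benchmark only requires "not enabled"; the is-active check is an
# addition that also catches a disabled unit that was started manually.
cis_1_1_21_audit() {
    enabled=$("$SYSTEMCTL" is-enabled autofs 2>/dev/null || true)
    active=$("$SYSTEMCTL" is-active autofs 2>/dev/null || true)

    # Empty output from is-enabled means no autofs unit file exists at all,
    # which trivially satisfies the control.
    if [ -z "$enabled" ]; then
        echo "PASS: autofs unit is not installed"
        return 0
    fi

    # "enabled" and "enabled-runtime" both mean the unit starts at boot.
    case "$enabled" in
        enabled*)
            echo "FAIL: autofs is $enabled (must not be enabled)"
            return 1 ;;
    esac

    if [ "$active" = "active" ] || [ "$active" = "activating" ]; then
        echo "FAIL: autofs is $enabled but currently $active"
        return 1
    fi

    echo "PASS: autofs is $enabled and $active"
    return 0
}

# Disables the unit as the Remediation section says; --now also stops it so
# the audit above passes immediately. Needs root on a real host.
cis_1_1_21_remediate() {
    "$SYSTEMCTL" disable --now autofs
}

# Usage: sh cis_1_1_21.sh audit   |   sh cis_1_1_21.sh remediate
case "${1:-}" in
    audit)     cis_1_1_21_audit ;;
    remediate) cis_1_1_21_remediate ;;
esac
```

Run it with `audit` first; a non-zero exit means the control is not met. On desktop systems note that removable media are usually automounted by udisks2 or the desktop environment rather than by autofs, so a passing audit here does not by itself mean nothing automounts.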