
Generate USBGuard Policy

An XCCDF Rule

Description

By default, USBGuard, when enabled, prevents access to all USB devices, which leaves the system inaccessible if it relies on a USB mouse or keyboard. To prevent this scenario, the initial policy configuration must be generated based on the currently connected USB devices.

Rationale

USBGuard must be configured so that connected USB devices work properly and the system does not become inaccessible.

ID
xccdf_org.ssgproject.content_rule_usbguard_generate_policy
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-09-291030
  - NIST-800-53-CM-8(3)(a)

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then

if rpm --quiet -q usbguard
then
    USBGUARD_CONF=/etc/usbguard/rules.conf