Generate USBGuard Policy
An XCCDF Rule
Description
By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, the initial policy configuration must be generated based on current connected USB devices.
Rationale
The usbguard
must be configured to allow connected USB devices to work
properly, avoiding the system to become inaccessible.
- ID
- xccdf_org.ssgproject.content_rule_usbguard_generate_policy
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then
if rpm --quiet -q usbguard
then
USBGUARD_CONF=/etc/usbguard/rules.conf
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-08-040140
- NIST-800-53-CM-8(3)(a)