Authorize Human Interface Devices and USB hubs in USBGuard daemon
An XCCDF Rule
Description
To allow authorization of USB devices combining human interface device and hub capabilities
by USBGuard daemon,
add the line
allow with-interface match-all { 03:*:* 09:00:* }
to /etc/usbguard/rules.conf.
warning alert: Warning
This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices and hubs are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind.
Rationale
Without allowing Human Interface Devices, it might not be possible to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system.
- ID
- xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
annotations:
complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then
echo "allow with-interface match-all { 03:*:* 09:00:* }" >> /etc/usbguard/rules.conf
else
Remediation - Ansible
- name: Allow HID devices and hubs
lineinfile:
path: /etc/usbguard/rules.conf
create: true
line: allow with-interface match-all { 03:*:* 09:00:* }
state: present