Install usbguard Package

An XCCDF Rule

Description

The usbguard package can be installed with the following command:

$ sudo yum install usbguard

Rationale

usbguard is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.

ID: xccdf_org.ssgproject.content_rule_package_usbguard_installed
Severity: Medium
References: CCI-001958 CCI-003959

1418

CM-8(3) IA-3

SRG-OS-000378-GPOS-00163

SRG-APP-000141-CTR-000315
Updated: about 1 month ago

Remediation Templates

include install_usbguard
class install_usbguard {
  package { 'usbguard':
    ensure => 'installed',
  }
}

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-8(3)
  - NIST-800-53-IA-3  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_usbguard_installed
- name: Ensure usbguard is installed
  package:
    name: usbguard
    state: present
  when: ( ansible_architecture != "s390x" and "kernel" in ansible_facts.packages )
  tags:
  - NIST-800-53-CM-8(3)
  - NIST-800-53-IA-3
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_usbguard_installed

[[packages]]
name = "usbguard"
version = "*"

package --add=usbguard

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0  extensions:
    - usbguard

# Remediation is applicable only in certain platforms
if ( ! grep -q s390x /proc/sys/kernel/osrelease && rpm --quiet -q kernel ); then
if ! rpm -q --quiet "usbguard" ; then
    yum install -y "usbguard"
fi
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Install usbguard Package

Description

Rationale

Remediation Templates

A Puppet Snippet

An Ansible Snippet

OS Build Blueprint

Anaconda Pre-Install Instructions

A Kubernetes Patch

A Shell Script