Disable Kernel Support for USB via Bootloader Configuration

An XCCDF Rule

Description

All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. To do so, Add the nousb kernel argument via a MachineConfig object.

warning alert: Functionality Warning

Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common.

Rationale

Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.

ID: xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument
Severity: Medium
References: 12 16

APO13.01 DSS01.04 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03

CCI-001250

164.308(a)(3)(i) 164.308(a)(3)(ii)(A) 164.310(d)(1) 164.310(d)(2) 164.312(a)(1) 164.312(a)(2)(iv) 164.312(b)

4.3.3.2.2 4.3.3.5.2 4.3.3.6.6 4.3.3.7.2 4.3.3.7.4

SR 1.1 SR 1.13 SR 1.2 SR 1.4 SR 1.5 SR 1.9 SR 2.1 SR 2.6

A.11.2.6 A.13.1.1 A.13.2.1 A.6.2.1 A.6.2.2 A.7.1.1 A.9.2.1

CM-6(a) MP-7

PR.AC-3 PR.AC-6

CCE-83443-2
Updated: about 1 year ago


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
  kernelArguments:
    - nousb

Disable Kernel Support for USB via Bootloader Configuration

Description

Rationale

Remediation - Kubernetes Patch