Install usbguard Package

An XCCDF Rule

Description

The usbguard package can be installed with the following manifest:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-usbguard-install
spec:
  config:
    ignition:
      version: 3.1.0
  extensions:
    - usbguard

This will install the usbguard package in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

Rationale

usbguard is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.

ID: xccdf_org.ssgproject.content_rule_package_usbguard_installed
Severity: Medium
References: CCI-001958

1418

CM-8(3) IA-3

SRG-OS-000378-GPOS-00163

CCE-82524-0
Updated: about 1 year ago

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
  extensions:
    - usbguard

Install usbguard Package

Description

Rationale

Remediation - Kubernetes Patch