Enable the USBGuard Service

An XCCDF Rule

Description

The USBGuard service should be enabled. The usbguard service can be enabled with the following manifest:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-usbguard-enable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: usbguard.service
        enabled: true

This enables the usbguard service on all nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool.

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.
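
The per-pool requirement above can be checked from exported cluster state. The following is an added example, not part of this rule or its project: it assumes input shaped like the output of `oc get machineconfigpool -o json` and `oc get machineconfig -o json`, and that each pool's `status.configuration.name` names its rendered MachineConfig. The function names, helper builders and sample data are constructed.

```python
UNIT = "usbguard.service"

def unit_enabled(machine_config, unit=UNIT):
    """True if the MachineConfig's Ignition section enables the systemd unit."""
    config = (machine_config.get("spec") or {}).get("config") or {}
    units = (config.get("systemd") or {}).get("units") or []
    return any(u.get("name") == unit and u.get("enabled") is True for u in units)

def pools_missing_unit(pool_list, config_list, unit=UNIT):
    """Names of pools whose rendered MachineConfig does not enable the unit."""
    by_name = {mc["metadata"]["name"]: mc for mc in config_list["items"]}
    missing = []
    for pool in pool_list["items"]:
        status = pool.get("status") or {}
        rendered = (status.get("configuration") or {}).get("name")
        mc = by_name.get(rendered)
        # A pool with no rendered config yet is reported, not skipped.
        if mc is None or not unit_enabled(mc, unit):
            missing.append(pool["metadata"]["name"])
    return sorted(missing)

def _pool(name, rendered):
    """Build a constructed MachineConfigPool item (assumed shape)."""
    return {"metadata": {"name": name},
            "status": {"configuration": {"name": rendered}}}

def _mc(name, units):
    """Build a constructed rendered MachineConfig item (assumed shape)."""
    return {"metadata": {"name": name},
            "spec": {"config": {"ignition": {"version": "3.1.0"},
                                "systemd": {"units": units}}}}

# Constructed sample: only the master manifest from this page was applied.
SAMPLE_POOLS = {"items": [_pool("master", "rendered-master-example"),
                          _pool("worker", "rendered-worker-example"),
                          _pool("infra", "rendered-infra-example")]}
SAMPLE_CONFIGS = {"items": [
    _mc("rendered-master-example", [{"name": UNIT, "enabled": True}]),
    _mc("rendered-worker-example", [{"name": "kubelet.service", "enabled": True}]),
    _mc("rendered-infra-example", [{"name": UNIT, "enabled": False}]),
]}

if __name__ == "__main__":
    for name in pools_missing_unit(SAMPLE_POOLS, SAMPLE_CONFIGS):
        print(f"pool {name}: {UNIT} is not enabled in the rendered MachineConfig")
```

A unit that is present but has `enabled: false` is reported the same way as a unit that is absent, since neither leaves the service enabled on the pool's nodes.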

Rationale

The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices.

ID: xccdf_org.ssgproject.content_rule_service_usbguard_enabled
Severity: Medium
References
Updated



Remediation - Kubernetes Patch

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed