Enable the USBGuard Service
An XCCDF Rule
Description
The USBGuard service should be enabled. The usbguard service can be enabled with the following manifest:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-usbguard-enable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: usbguard.service
        enabled: true
This will enable the usbguard service in all the nodes labeled with the "master" role.
Note that this needs to be done for each MachineConfigPool.
For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.
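Because the manifest has to be repeated for each MachineConfigPool, a pool that was skipped, or one where a later MachineConfig turns the unit off again, is easy to miss. The following audit sketch is an added example, not part of the rule or of the ComplianceAsCode project; it assumes MachineConfig objects are supplied as dictionaries (for example parsed from `oc get machineconfig -o json`), that pools select configs by the role label, and that configs for a role merge in name order with the last one winning. The `worker` and `infra` objects and their names are constructed sample data.

```python
ROLE_LABEL = "machineconfiguration.openshift.io/role"
UNIT = "usbguard.service"


def usbguard_state(machine_configs, role):
    """Effective 'enabled' value of usbguard.service for one role.

    Returns True or False, or None when no MachineConfig for the role
    declares the unit. Assumption: configs merge in name order, last wins.
    """
    state = None
    scoped = [m for m in machine_configs
              if m["metadata"].get("labels", {}).get(ROLE_LABEL) == role]
    for m in sorted(scoped, key=lambda m: m["metadata"]["name"]):
        systemd = m.get("spec", {}).get("config", {}).get("systemd", {})
        for unit in systemd.get("units") or []:
            if unit.get("name") == UNIT and "enabled" in unit:
                state = bool(unit["enabled"])
    return state


def roles_missing_usbguard(machine_configs, roles):
    """Roles whose MachineConfigs do not leave usbguard.service enabled."""
    return [r for r in roles if usbguard_state(machine_configs, r) is not True]


def _mc(name, role, units):
    # Constructed sample object in the shape of the manifest on this page.
    return {"apiVersion": "machineconfiguration.openshift.io/v1",
            "kind": "MachineConfig",
            "metadata": {"name": name, "labels": {ROLE_LABEL: role}},
            "spec": {"config": {"ignition": {"version": "3.1.0"},
                                "systemd": {"units": units}}}}


# Constructed sample data, not taken from a real cluster.
SAMPLE = [
    _mc("75-master-usbguard-enable", "master", [{"name": UNIT, "enabled": True}]),
    _mc("50-worker-chronyd", "worker", [{"name": "chronyd.service", "enabled": True}]),
    _mc("75-infra-usbguard-enable", "infra", [{"name": UNIT, "enabled": True}]),
    _mc("99-infra-override", "infra", [{"name": UNIT, "enabled": False}]),
]

if __name__ == "__main__":
    for role in ("master", "worker", "infra"):
        print(role, usbguard_state(SAMPLE, role))
    print("missing:", roles_missing_usbguard(SAMPLE, ["master", "worker", "infra"]))
```

A role reported as missing needs its own copy of the manifest above with the role label and name adjusted, or the overriding MachineConfig corrected.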
Rationale
The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices.
- ID
- xccdf_org.ssgproject.content_rule_service_usbguard_enabled
- Severity
- Medium
- References
- Updated
Remediation Templates
A Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
spec: