Disable Kernel Support for USB via Bootloader Configuration
An XCCDF Rule
Description
All USB support can be disabled by adding the nousb
argument to the kernel's boot loader configuration. To do so,
append "nousb" to the kernel line in /etc/default/grub
as shown:
kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
Functionality Warning:
Disabling all kernel support for USB will cause problems for systems
with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common.
Rationale
Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.
ID: xccdf_org.ssgproject.content_rule_grub2_nousb_argument
Severity: Unknown
References:
Updated:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common; then
    # Correct the form of default kernel command line in /etc/default/grub
    if ! grep -q '^GRUB_CMDLINE_LINUX=".*nousb.*"' /etc/default/grub; then
        # Body completed from the description above: append nousb to the existing value
        sed -i 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/GRUB_CMDLINE_LINUX="\1 nousb"/' /etc/default/grub
    fi
fi
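A worked check-and-remediate script for the configuration described in the description and remediation above, added here as an example and not taken from the rule or its remediation. The function names, the constructed sample file and the whole-word matching are my own choices, and the file path is a parameter so the demo runs against the sample rather than the live /etc/default/grub:

```shell
#!/bin/sh
# Added example, not part of the SSG rule or its remediation: check a grub
# defaults file for the nousb argument and append it idempotently. The path is
# a parameter so it can run on a constructed sample, not the live /etc/default/grub.

# Exit 0 if GRUB_CMDLINE_LINUX in the file carries nousb as a whole word,
# 1 otherwise. A bare substring match would wrongly accept e.g. "nousbxyz".
nousb_present() {
    grep -Eq '^GRUB_CMDLINE_LINUX="([^"]* )?nousb( [^"]*)?"' "$1"
}

# Append nousb to GRUB_CMDLINE_LINUX if missing; add the line if none exists.
# Writes through a temp file, so it does not depend on sed -i semantics.
nousb_remediate() {
    f="$1"
    nousb_present "$f" && return 0
    if grep -q '^GRUB_CMDLINE_LINUX=' "$f"; then
        sed -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/GRUB_CMDLINE_LINUX="\1 nousb"/' \
            -e 's/^GRUB_CMDLINE_LINUX=" /GRUB_CMDLINE_LINUX="/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'GRUB_CMDLINE_LINUX="nousb"\n' >> "$f"
    fi
}

# Exit 0 if the running kernel's command line (default /proc/cmdline) has nousb.
# Editing the defaults file only takes effect after grub.cfg is regenerated and
# the system rebooted, so a compliance check should look here as well.
nousb_active() {
    grep -Eq '(^| )nousb( |$)' "${1:-/proc/cmdline}"
}

# Constructed sample: a typical defaults file without the argument.
sample_grub_defaults() {
    cat <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
}

# Demo on a temporary copy of the sample; prints the state before and after.
demo() {
    d=$(mktemp -d); sample_grub_defaults > "$d/grub"
    nousb_present "$d/grub" && echo "before: present" || echo "before: missing"
    nousb_remediate "$d/grub"
    grep '^GRUB_CMDLINE_LINUX=' "$d/grub"; rm -rf "$d"
}
demo
```

Because nousb_remediate only edits the defaults file, the change reaches the boot entries only after grub.cfg is regenerated, which is why nousb_active checks /proc/cmdline separately.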