Authorize Human Interface Devices in USBGuard daemon

An XCCDF Rule

Description

To allow authorization of Human Interface Devices (keyboard, mouse) by USBGuard daemon, add the line allow with-interface match-all { 03:*:* } to /etc/usbguard/rules.conf.

warning alert: Warning

This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB human interface devices are allowed. This assumes that an administrator modified the file with some purpose in mind.

Rationale

Without allowing Human Interface Devices, it might not be possible to interact with the system.

ID: xccdf_org.ssgproject.content_rule_usbguard_allow_hid
Severity: Medium
References: FMT_SMF_EXT.1

SRG-OS-000114-GPOS-00059

CCE-82274-2
Updated: about 1 year ago

- name: Allow HID devices
  lineinfile:
    path: /etc/usbguard/rules.conf
    create: true
    line: allow with-interface match-all { 03:*:* }
    state: present  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
    "container"] and ansible_architecture != "s390x" )
  tags:
  - CCE-82274-2
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - usbguard_allow_hid

# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then

# path of file with Usbguard rules
rulesfile="/etc/usbguard/rules.conf"
echo "allow with-interface match-all { 03:*:* }" >> $rulesfile

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Authorize Human Interface Devices in USBGuard daemon

Description

Rationale

Remediation - Ansible

Remediation - Shell Script