Authorize USB hubs in USBGuard daemon

An XCCDF Rule

Description

To allow authorization of USB hub devices by USBGuard daemon, add line allow with-interface match-all { 09:00:* } to /etc/usbguard/rules.conf.

warning alert: Warning

This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB hub devices are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB hub devices are allowed. This assumes that an administrator modified the file with some purpose in mind.

Rationale

Without allowing hubs, it might not be possible to use any USB devices on the system.

ID: xccdf_org.ssgproject.content_rule_usbguard_allow_hub
Severity: Medium
References: FMT_SMF_EXT.1

SRG-OS-000114-GPOS-00059

CCE-82273-4
Updated: about 1 year ago

- name: Allow hubs
  lineinfile:
    path: /etc/usbguard/rules.conf
    create: true
    line: allow with-interface match-all { 09:00:* }
    state: present  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
    "container"] and ansible_architecture != "s390x" )
  tags:
  - CCE-82273-4
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - usbguard_allow_hub

# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then

echo "allow with-interface match-all { 09:00:* }" >> /etc/usbguard/rules.conf

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Authorize USB hubs in USBGuard daemon

Description

Rationale

Remediation - Ansible

Remediation - Shell Script