File: rule.yml

scap-security-guide 0.1.76-1
documentation_complete: true


title: 'Authorize USB hubs in USBGuard daemon'

description: |-
    To allow authorization of USB hub devices by the USBGuard daemon,
    add the line
    <tt>allow with-interface match-all { 09:00:* }</tt>
    to <tt>/etc/usbguard/rules.conf</tt>.

rationale: |-
    Without allowing hubs, it might not be possible to use any
    USB devices on the system.

warnings:
    - general: |-
        This rule should be understood primarily as a convenience administration feature. If the default USBGuard rules.conf file is present, the rule alters it so that USB hub devices are allowed. However, if the rules.conf file has been altered by the system administrator, the rule does not check whether USB hub devices are allowed. This assumes that the administrator modified the file with some purpose in mind.

severity: medium

identifiers:
    cce@rhel8: CCE-82273-4
    cce@rhel10: CCE-89404-8

references:
    srg: SRG-OS-000114-GPOS-00059

ocil_clause: 'USB devices of class 9 are not authorized'

ocil: |-
    To verify that USB hubs will be authorized by the USBGuard daemon,
    run the following command:
    <pre>$ sudo grep allow /etc/usbguard/rules.conf</pre>
    One of the output lines should be
    <pre>allow with-interface match-all { 09:00:* }</pre>

fixtext: |-
    Configure the USBGuard daemon to allow USB hubs.

    Add or edit the following line in "/etc/usbguard/rules.conf":

    allow with-interface match-all { 09:00:* }