mediumservicesverified ✓rollback-safe
Ensure USBGuard daemon enables Linux audit logging
usbguard-audit-logging · RHEL ≥ 8 · 1 impl
Description
The USBGuard daemon must be configured to enable Linux audit logging so that USB device authorization decisions are recorded in the audit log.
Rationale
Without audit logging from USBGuard, there is no record of USB device connection attempts, including unauthorized devices that were blocked. Audit logging provides visibility into potential physical attacks via unauthorized USB devices.
Check → Remediate
Checkcommand
conf="/etc/usbguard/usbguard-daemon.conf" if [ ! -f "$conf" ]; then echo "FAIL: USBGuard configuration file not found" exit 1 fi if grep -qiE '^\s*AuditBackend\s*=\s*LinuxAudit' "$conf" 2>/dev/null; then echo "OK: USBGuard audit logging to Linux Audit is enabled" exit 0 fi echo "FAIL: USBGuard AuditBackend is not set to LinuxAudit" exit 1
- expected_exit:
- 0
Remediateconfig_set
- path:
- /etc/usbguard/usbguard-daemon.conf
- key:
- AuditBackend
- value:
- LinuxAudit
- restart:
- usbguard
Framework references
STIG
V-280965 / RHEL-10-200563V-258037 / RHEL-09-291025V-230470
NIST 800-53
AU-2CM-7
Live verification
rhel8:checkrhel9:check
#usbguard#audit#usb#security