← Rules Catalog
mediumservicesverified rollback-safe

Ensure USBGuard daemon enables Linux audit logging

usbguard-audit-logging · RHEL ≥ 8 · 1 impl

Description

The USBGuard daemon must be configured to enable Linux audit logging so that USB device authorization decisions are recorded in the audit log.

Rationale

Without audit logging from USBGuard, there is no record of USB device connection attempts, including unauthorized devices that were blocked. Audit logging provides visibility into potential physical attacks via unauthorized USB devices.

Check → Remediate

Checkcommand
conf="/etc/usbguard/usbguard-daemon.conf"
if [ ! -f "$conf" ]; then
  echo "FAIL: USBGuard configuration file not found"
  exit 1
fi
if grep -qiE '^\s*AuditBackend\s*=\s*LinuxAudit' "$conf" 2>/dev/null; then
  echo "OK: USBGuard audit logging to Linux Audit is enabled"
  exit 0
fi
echo "FAIL: USBGuard AuditBackend is not set to LinuxAudit"
exit 1
expected_exit:
0
Remediateconfig_set
path:
/etc/usbguard/usbguard-daemon.conf
key:
AuditBackend
value:
LinuxAudit
restart:
usbguard

Framework references

STIG

V-280965 / RHEL-10-200563V-258037 / RHEL-09-291025V-230470

NIST 800-53

AU-2CM-7

Live verification

rhel8:checkrhel9:check
#usbguard#audit#usb#security