← Rules Catalog
mediumservicesunverified

Ensure USBGuard has a rule policy configured

usbguard-policy-configured · RHEL ≥ 10 · 1 impl

Description

USBGuard must have an active rule policy loaded so that unauthorized USB peripherals are blocked before they can connect. A running daemon with no configured rules provides no protection.

Rationale

USBGuard enforces protection only when a policy is present. An enabled and active service that has no rules loaded ("usbguard list-rules" returns nothing) blocks nothing, leaving the system exposed to BadUSB and data-exfiltration attacks via unauthorized peripherals.

Check → Remediate

Checkcommand
if command -v usbguard >/dev/null 2>&1; then
  if usbguard list-rules 2>/dev/null | grep -qE '[^[:space:]]'; then
    echo "OK: USBGuard has a rule policy configured"
    exit 0
  fi
  echo "FAIL: USBGuard is installed but no rules are configured (usbguard list-rules is empty)"
  exit 1
fi
# usbguard absent. The STIG exempts only a virtual machine with no USB
# peripherals attached; a physical host with no USB blocking is a finding.
if systemd-detect-virt -q 2>/dev/null; then
  echo "NOT APPLICABLE: virtual machine without USBGuard (exempt unless USB peripherals are passed through)"
  exit 0
fi
echo "FAIL: USBGuard is not installed; unauthorized USB peripherals are not being blocked"
exit 1
expected_exit:
0
Remediatemanual
note:
Generate an initial USBGuard policy from the currently connected, authorized devices and load it: usbguard generate-policy > /etc/usbguard/rules.conf chmod 0600 /etc/usbguard/rules.conf systemctl restart usbguard Review the generated rules before deploying to production.

Framework references

STIG

V-280964 / RHEL-10-200562

NIST 800-53

CM-7SI-3
#usbguard#usb#peripherals#policy#security