mediumservicesunverified
Ensure USBGuard has a rule policy configured
usbguard-policy-configured · RHEL ≥ 10 · 1 impl
Description
USBGuard must have an active rule policy loaded so that unauthorized USB peripherals are blocked before they can connect. A running daemon with no configured rules provides no protection.
Rationale
USBGuard enforces protection only when a policy is present. An enabled and active service that has no rules loaded ("usbguard list-rules" returns nothing) blocks nothing, leaving the system exposed to BadUSB and data-exfiltration attacks via unauthorized peripherals.
Check → Remediate
Checkcommand
if command -v usbguard >/dev/null 2>&1; then
if usbguard list-rules 2>/dev/null | grep -qE '[^[:space:]]'; then
echo "OK: USBGuard has a rule policy configured"
exit 0
fi
echo "FAIL: USBGuard is installed but no rules are configured (usbguard list-rules is empty)"
exit 1
fi
# usbguard absent. The STIG exempts only a virtual machine with no USB
# peripherals attached; a physical host with no USB blocking is a finding.
if systemd-detect-virt -q 2>/dev/null; then
echo "NOT APPLICABLE: virtual machine without USBGuard (exempt unless USB peripherals are passed through)"
exit 0
fi
echo "FAIL: USBGuard is not installed; unauthorized USB peripherals are not being blocked"
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Generate an initial USBGuard policy from the currently connected, authorized devices and load it: usbguard generate-policy > /etc/usbguard/rules.conf chmod 0600 /etc/usbguard/rules.conf systemctl restart usbguard Review the generated rules before deploying to production.
Framework references
STIG
V-280964 / RHEL-10-200562
NIST 800-53
CM-7SI-3
#usbguard#usb#peripherals#policy#security