RHEL-07-020100 | SV-86607r4_rule - Disable USB
jmalpede opened this issue
The implemented solution in the class II findings is writing to the same file (blacklist.conf), which results in an open finding. The solution is a two file solution, where you update/add the usb-storage.conf and the blacklist.conf in order to resolve the finding.
Configure the operating system to disable the ability to use the USB Storage kernel module.
Create a file under "/etc/modprobe.d" with the following command:
touch /etc/modprobe.d/usb-storage.conf
Add the following line to the created file:
install usb-storage /bin/true
Configure the operating system to disable the ability to use USB mass storage devices.
vi /etc/modprobe.d/blacklist.conf
Add or update the line:
blacklist usb-storage
I added a post step in our hardening process to resolve this issue.
```yaml
- name: RHEL-07-020100 | SV-86607r4_rule - Disable USB
  block:
    - name: disable usb storage drivers - modprobe
      lineinfile:
        dest: /etc/modprobe.d/usb-storage.conf
        line: 'install usb-storage /bin/true'
        mode: "0644"
        create: yes
        backup: yes

    - name: Disable the ability to use USB Devices
      lineinfile:
        dest: /etc/modprobe.d/blacklist.conf
        line: blacklist usb-storage
        state: present
        mode: '0644'
        create: yes
        backup: yes

    # note: this was added to clean up the record insert in the cert II findings.
    - name: Remove the install usb-storage line from file if it exists.
      lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        regexp: "^install usb-storage"
        state: absent
```
Addressed in PR #367
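
A post-run audit for the two-file layout discussed in this issue, added here as an example and not taken from the issue, the role, or PR #367. The function names `files_with` and `check_usb_storage` are hypothetical; failing when the install line is still in blacklist.conf is an assumption based on the report above.

```shell
# Added example (not from the issue or the role). Function names are hypothetical.
# Usage: check_usb_storage /etc/modprobe.d

# files_with DIR ERE: print the *.conf files in DIR that contain a line matching ERE.
# Returns non-zero when nothing matches or DIR has no *.conf files.
files_with() {
    grep -lE -- "$2" "$1"/*.conf 2>/dev/null
}

# check_usb_storage [DIR]: returns 0 only when both directives are active and
# the install line has not been left behind in blacklist.conf.
check_usb_storage() (
    dir=${1:-/etc/modprobe.d}
    sp='[[:space:]]'
    mod='usb[-_]storage'   # modprobe treats '-' and '_' in module names alike
    # Anchoring at line start means commented-out directives do not count.
    install_re="^$sp*install$sp+$mod$sp+/bin/true($sp|\$)"
    blacklist_re="^$sp*blacklist$sp+$mod($sp|\$)"
    rc=0

    if f=$(files_with "$dir" "$install_re"); then
        echo "PASS install directive in: $(echo $f)"
    else
        echo "FAIL no active 'install usb-storage /bin/true' in $dir"; rc=1
    fi

    if f=$(files_with "$dir" "$blacklist_re"); then
        echo "PASS blacklist directive in: $(echo $f)"
    else
        echo "FAIL no active 'blacklist usb-storage' in $dir"; rc=1
    fi

    # The issue reports the finding stays open when the install line was
    # written to blacklist.conf, so treat that leftover as a failure.
    if grep -qE -- "$install_re" "$dir/blacklist.conf" 2>/dev/null; then
        echo "FAIL install line present in $dir/blacklist.conf; remove it"; rc=1
    fi
    return "$rc"
)
```

Run it after the playbook; a non-zero exit means one of the two directives is missing or the old single-file entry is still present.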