ansible-lockdown / RHEL7-STIG

Ansible role for Red Hat 7 STIG Baseline


RHEL-07-020100 | SV-86607r4_rule - Disable USB

jmalpede opened this issue

The implemented solution in the class II findings is writing to the same file (blacklist.conf), which results in an open finding. The solution is a two-file solution, where you update/add the usb-storage.conf and the blacklist.conf in order to resolve the finding.

Configure the operating system to disable the ability to use the USB Storage kernel module.
Create a file under "/etc/modprobe.d" with the following command:

touch /etc/modprobe.d/usb-storage.conf

Add the following line to the created file:

install usb-storage /bin/true

Configure the operating system to disable the ability to use USB mass storage devices.

vi /etc/modprobe.d/blacklist.conf

Add or update the line:

blacklist usb-storage

I added a post step in our hardening process to resolve this issue.

- name: RHEL-07-020100 | SV-86607r4_rule - Disable USB
  block:
    # First file: override the module's install command so it can never load
    - name: disable usb storage drivers - modprobe
      lineinfile:
        dest: /etc/modprobe.d/usb-storage.conf
        line: 'install usb-storage /bin/true'
        mode: "0644"
        create: yes
        backup: yes

    # Second file: blacklist the module so it is not auto-loaded by alias
    - name: Disable the ability to use USB Devices
      lineinfile:
        dest: /etc/modprobe.d/blacklist.conf
        line: blacklist usb-storage
        state: present
        mode: '0644'
        create: yes
        backup: yes

    # Note: this was added to clean up the record inserted by the class II findings.
    - name: Remove the install usb-storage line from file if it exists.
      lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        regexp: "^install usb-storage"
        state: absent

Addressed in PR #367
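A compliance check for the two-file layout described in this issue, as an added example that is not part of the RHEL7-STIG role: it reports whether usb-storage.conf carries the install override, whether blacklist.conf carries the blacklist line, and whether the single-file variant (an install line left inside blacklist.conf) still lingers. The directory argument and the constructed sample trees are assumptions so the check runs against temporary copies rather than the live /etc/modprobe.d.

```shell
#!/bin/sh
# Added check, not the role's own code. Pass the modprobe.d directory to
# inspect; the constructed trees below stand in for /etc/modprobe.d.

# Returns 0 when the finding is closed; prints one line per failed condition.
check_usb_storage_disabled() {
    dir="$1"
    rc=0
    # File 1: usb-storage.conf must redirect the module's install command.
    if ! grep -qsE '^install[[:space:]]+usb-storage[[:space:]]+/bin/true' "$dir/usb-storage.conf"; then
        echo "missing: 'install usb-storage /bin/true' in usb-storage.conf"
        rc=1
    fi
    # File 2: blacklist.conf must blacklist the module.
    if ! grep -qsE '^blacklist[[:space:]]+usb-storage' "$dir/blacklist.conf"; then
        echo "missing: 'blacklist usb-storage' in blacklist.conf"
        rc=1
    fi
    # The cleanup task's target: no install line may remain in blacklist.conf.
    if grep -qsE '^install[[:space:]]+usb-storage' "$dir/blacklist.conf"; then
        echo "stray: 'install usb-storage' line found in blacklist.conf"
        rc=1
    fi
    return $rc
}

# Constructed sample: the two-file layout from the STIG fix text.
make_fixed_tree() {
    d=$(mktemp -d)
    printf 'install usb-storage /bin/true\n' > "$d/usb-storage.conf"
    printf 'blacklist usb-storage\n' > "$d/blacklist.conf"
    echo "$d"
}

# Constructed sample: the older single-file variant the issue reports as open.
make_old_tree() {
    d=$(mktemp -d)
    printf 'blacklist usb-storage\ninstall usb-storage /bin/true\n' > "$d/blacklist.conf"
    echo "$d"
}

# Demonstration against the constructed trees only.
for t in "$(make_fixed_tree)" "$(make_old_tree)"; do
    if check_usb_storage_disabled "$t"; then echo "$t: finding closed"; else echo "$t: finding open"; fi
    rm -rf "$t"
done
```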