NixOS must enable USBguard.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-268139 | ANIX-00-000930 | SV-268139r1039607_rule | CCI-000778 | medium |

Description

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.

Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000690-GPOS-00140

| STIG | Date |
|---|---|
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 |
Details
Check Text (C-268139r1039607_chk)
Verify that NixOS has enabled USBGuard with the following command:
$ systemctl status usbguard
usbguard.service - USBGuard daemon
Loaded: loaded (/etc/systemd/system/usbguard.service; enabled; present: enabled)
Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago
If the usbguard.service is not "active" and "running", this is a finding.
Fix Text (F-71966r1039607_fix)
Configure NixOS to enable USBGuard and generate a USBGuard ruleset.
Edit /etc/nixos/configuration.nix and add the following:
services.usbguard.enable = true;
Rebuild the system configuration by running the following command:
$ sudo nixos-rebuild switch
Then, as root, build the device policy with the "usbguard" command: "usbguard list-devices" lists the connected USB devices, "usbguard block-device" blocks a device, and "usbguard allow-device" allows one. Note that the default behavior is to block devices.
When all connected USB devices have been permitted, generate a ruleset by running the following command as root:
# usbguard generate-policy
Then, edit /etc/nixos/configuration.nix to add the policy:
services.usbguard.rules = ''
allow id 1d6b:0001 serial "0000:00:01.2" name "UHCI Host Controller" hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" parent-hash "9+Zsfvo9IR/AEQ/Fn4mzdoPGk0rqpjku6uErfS09K4c=" with-interface 09:00:00 with-connect-type ""
allow id 0627:0001 serial "28754-0000:00:01.2-1" name "QEMU USB Tablet" hash "5TyVK8wyL5GmiIbZV2Sf/ehIRMCP83miy4kOzG6O+2M=" parent-hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" with-interface 03:00:00 with-connect-type "unknown"
'';
Note: This ruleset is only an example; generate a policy using the process described above.
Rebuild the system configuration by running the following command:
$ sudo nixos-rebuild switch
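As an added example (not part of the STIG and not usbguard's own code), the following Python script evaluates a ruleset against a "usbguard list-devices" listing the way the daemon applies it (first rule whose attributes all match wins, otherwise the implicit block target), so that devices the generated policy would not permit can be found before the rebuild. The two rules are the page's example ruleset; the device listing is constructed, and the third device (a flash drive with placeholder id and hashes) is deliberately absent from the policy.

```python
import shlex

TARGETS = {"allow", "block", "reject"}

def parse_rule(line):
    """Parse '<target> <attr> <value> ...'. Single-valued attributes only; the
    '{ a b }' set syntax and operators such as one-of are not handled."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    if tokens[0] not in TARGETS or len(tokens) % 2 == 0:
        raise ValueError(f"malformed rule: {line!r}")
    return tokens[0], dict(zip(tokens[1::2], tokens[2::2]))

def parse_device(line):
    """Parse one 'usbguard list-devices' line: '<id>: <current target> <attrs>'."""
    dev_id, rest = line.split(":", 1)
    target, attrs = parse_rule(rest.strip())
    return int(dev_id), target, attrs

def evaluate(rules, devices, default="block"):
    """First rule whose attributes all equal the device's wins; otherwise the
    implicit policy target applies (usbguard blocks by default)."""
    verdicts = {}
    for dev_id, _current, dattrs in devices:
        verdicts[dev_id] = default
        for target, rattrs in rules:
            if all(dattrs.get(k) == v for k, v in rattrs.items()):
                verdicts[dev_id] = target
                break
    return verdicts

def unpermitted(rules_text, listing_text):
    """Device ids the ruleset would not allow, i.e. devices still to review."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    devices = [parse_device(l) for l in listing_text.splitlines() if l.strip()]
    return sorted(d for d, v in evaluate(rules, devices).items() if v != "allow")

# The two allow rules from the STIG's example ruleset.
RULES = """
allow id 1d6b:0001 serial "0000:00:01.2" name "UHCI Host Controller" hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" parent-hash "9+Zsfvo9IR/AEQ/Fn4mzdoPGk0rqpjku6uErfS09K4c=" with-interface 09:00:00 with-connect-type ""
allow id 0627:0001 serial "28754-0000:00:01.2-1" name "QEMU USB Tablet" hash "5TyVK8wyL5GmiIbZV2Sf/ehIRMCP83miy4kOzG6O+2M=" parent-hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" with-interface 03:00:00 with-connect-type "unknown"
"""

# Constructed 'usbguard list-devices' output; device 3 uses placeholder values.
LISTING = """
1: allow id 1d6b:0001 serial "0000:00:01.2" name "UHCI Host Controller" hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" parent-hash "9+Zsfvo9IR/AEQ/Fn4mzdoPGk0rqpjku6uErfS09K4c=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 0627:0001 serial "28754-0000:00:01.2-1" name "QEMU USB Tablet" hash "5TyVK8wyL5GmiIbZV2Sf/ehIRMCP83miy4kOzG6O+2M=" parent-hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" via-port "1-1" with-interface 03:00:00 with-connect-type "unknown"
3: block id 1234:abcd serial "CONSTRUCTED0001" name "Example Flash Drive" hash "PLACEHOLDERHASH=" parent-hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" via-port "1-2" with-interface 08:06:50 with-connect-type "hotplug"
"""

if __name__ == "__main__":
    print("devices the ruleset would not allow:", unpermitted(RULES, LISTING))
```

Running it against the constructed listing reports device 3, which is exactly the case the "When all connected USB devices have been permitted" step asks you to resolve (with allow-device or block-device) before generating the final policy.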