Nutanix OS must disable the ability to use USB mass storage devices.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-279602 | NXAC-OS-000158 | SV-279602r1192485_rule | CCI-000778 | medium |
| Description | ||||
| Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, flash drives, external storage, and printers. | ||||
| STIG | Date | |||
| Nutanix Acropolis GPOS Security Technical Implementation Guide | 2026-02-24 | |||
Details
Check Text (C-279602r1192485_chk)
Verify Nutanix OS is set to disable the ability to use USB mass storage devices using the following command.
$ sudo grep -i usb-storage /etc/modprobe.d/stig-reqs.conf
install usb-storage /bin/false
$ sudo grep -i usb-storage /etc/modprobe.d/blacklist.conf
blacklist usb-storage
If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.
Fix Text (F-84060r1192150_fix)
1. For AOS, disable USB mass storage and blacklist from executing using the following command.
$ sudo salt-call state.sls security/CVM/modprobeCVM
2. For Prism Central, disable USB mass storage and blacklist from executing using the following command.
$ sudo salt-call state.sls security/PCVM/modprobePCVM
3. For Files, disable USB mass storage and blacklist from executing using the following command.
$ sudo salt-call state.sls security/AFS/modprobeAFS
4. Configure AHV to disable USB mass storage and blacklist from executing using the following command.
$ sudo salt-call state.sls security/KVM/modprobeKVM