{"description": "To prevent USB storage devices from being used, configure the kernel module loading system\nto prevent automatic loading of the USB storage driver.\n\nTo configure the system to prevent the <code>usb-storage</code>\nkernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/usb-storage.conf</code>:\n<pre>install usb-storage /bin/false</pre>\nThis entry will cause a non-zero return value during a <code>usb-storage</code> module installation\nand additionally convey the meaning of the entry to the user in form of an error message.\nIf you would like to omit a non-zero return value and an error message, you may want to add a different line instead\n(both <code>/bin/true</code> and <code>/bin/false</code> are allowed by OVAL and will be accepted by the scan):\n<pre>install usb-storage /bin/true</pre>\n\nThis will prevent the <tt>modprobe</tt> program from loading the <tt>usb-storage</tt>\nmodule, but will not prevent an administrator (or another program) from using the\n<tt>insmod</tt> program to load the module manually.", "rationale": "USB storage devices such as thumb drives can be used to introduce\nmalicious software.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["APO13.01", "DSS01.04", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.1.21"], "hipaa": ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.310(d)(1)", "164.310(d)(2)", "164.312(a)(1)", "164.312(a)(2)(iv)", "164.312(b)"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.6"], "iso27001-2013": ["A.11.2.6", "A.13.1.1", "A.13.2.1", "A.18.1.4", "A.6.2.1", "A.6.2.2", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "MP-7"], "nist-csf": ["PR.AC-1", "PR.AC-3", "PR.AC-6", "PR.AC-7"], "srg": ["SRG-OS-000114-GPOS-00059", "SRG-OS-000378-GPOS-00163", "SRG-OS-000480-GPOS-00227", "SRG-APP-000141-CTR-000315"], "cis": ["1.1.1.8"], "pcidss4": ["3.4.2", "3.4"], "stigid": ["UBTU-22-291010"], "stigref": ["SV-260540r986276_rule"]}, "control_references": {"cis": ["1.1.1.8"], "pcidss4": ["3.4.2", "3.4"], "stigid": ["UBTU-22-291010"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "\nIf the system is configured to prevent the loading of the <code>usb-storage</code> kernel module,\nit will contain lines inside any file in <code>/etc/modprobe.d</code> or the deprecated<code> /etc/modprobe.conf</code>.\nThese lines instruct the module loading system to run another program (such as <code>/bin/false</code>) upon a module <code>install</code> event.\n\nRun the following command to search for such lines in all files in <code>/etc/modprobe.d</code> and the deprecated <code>/etc/modprobe.conf</code>:\n<pre>$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to disable automated loading of the USB storage driver.\n\nTo configure the system to prevent the <code>usb-storage</code>\nkernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/usb-storage.conf</code>:\n<pre>install usb-storage /bin/false</pre>\nThis entry will cause a non-zero return value during a <code>usb-storage</code> module installation\nand additionally convey the meaning of the entry to the user in form of an error message.\nIf you would like to omit a non-zero return value and an error message, you may want to add a different line instead\n(both <code>/bin/true</code> and <code>/bin/false</code> are allowed by OVAL and will be accepted by the scan):\n<pre>install usb-storage /bin/true</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must be configured to disable USB mass storage.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured to disable USB mass storage.", "vuldiscussion": "USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.", "checktext": "Verify that Ubuntu 22.04 disables the ability to load the USB Storage kernel module with the following command:\n\n$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d/*\n\ninstall usb-storage /bin/false\nblacklist usb-storage\n\nIf the command does not return any output, or either line is commented out, and use of USB Storage is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.", "fixtext": "To configure the system to prevent the usb-storage kernel module from being loaded, add the following lines to the file \"/etc/modprobe.d/usb-storage.conf\" (or create \"usb-storage.conf\" if it does not exist):\n\ninstall usb-storage /bin/false\nblacklist usb-storage"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable Modprobe Loading of USB Storage Driver", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml", "template": {"name": "kernel_module_disabled", "vars": {"kernmodule": "usb-storage"}, "backends": {}}}