{"description": "To allow authorization of USB devices combining human interface device and hub capabilities\nby USBGuard daemon,\nadd the line\n<tt>allow with-interface match-all { 03:*:* 09:00:* }</tt>\nto <tt>/etc/usbguard/rules.conf</tt>.", "rationale": "Without allowing Human Interface Devices, it might not be possible\nto interact with the system. Without allowing hubs, it might not be possible to use any\nUSB devices on the system.", "severity": "medium", "references": {"nist": ["CM-8(3)", "IA-3"], "ospp": ["FMT_SMF_EXT.1"], "srg": ["SRG-OS-000114-GPOS-00059", "SRG-APP-000092-CTR-000165"], "ism": ["1418"]}, "control_references": {"ism": ["1418"]}, "components": [], "identifiers": {}, "ocil_clause": "USB devices of class 3 and 9:00 are not authorized", "ocil": "To verify that USB Human Interface Devices and hubs will be authorized by the USBGuard daemon,\nrun the following command:\n<pre>$ sudo grep allow /etc/usbguard/rules.conf</pre>\nThe output lines should include\n<pre>allow with-interface match-all { 03:*:* 09:00:* }</pre>", "oval_external_content": null, "fixtext": "Configure the USBGuard daemon to allow USB Human Interface Devices and USB hubs.\n\nAdd or edit the following line in \"/etc/usbguard/rules.conf\":\n\nallow with-interface match-all { 03:*:* 09:00:* }", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices and hubs are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not_s390x_arch and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_s390x_arch_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Authorize Human Interface Devices and USB hubs in USBGuard daemon", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml", "template": null}