{"description": "To allow authorization of USB hub devices by USBGuard daemon,\nadd line\n<tt>allow with-interface match-all { 09:00:* }</tt>\nto <tt>/etc/usbguard/rules.conf</tt>.", "rationale": "Without allowing hubs, it might not be possible to use any\nUSB devices on the system.", "severity": "medium", "references": {"srg": ["SRG-OS-000114-GPOS-00059"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "USB devices of class 9 are not authorized", "ocil": "To verify that USB hubs will be authorized by the USBGuard daemon,\nrun the following command:\n<pre>$ sudo grep allow /etc/usbguard/rules.conf</pre>\nOne of the output lines should be\n<pre>allow with-interface match-all { 09:00:* }</pre>", "oval_external_content": null, "fixtext": "Configure the USBGuard daemon to allow USB hubs.\n\nAdd or edit the following line in \"/etc/usbguard/rules.conf\"\n\nallow with-interface match-all { 09:00:* }", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB hub devices are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB hub devices are allowed. This assumes that an administrator modified the file with some purpose in mind."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not_s390x_arch and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_s390x_arch_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Authorize USB hubs in USBGuard daemon", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/usbguard/usbguard_allow_hub/rule.yml", "template": null}