documentation_complete: true


title: 'Install usbguard Package'

description: |-
    {{% if product != "rhcos4" %}}
    {{{ describe_package_install(package="usbguard") }}}
    {{% else %}}
    The <tt>usbguard</tt> package can be installed with the following manifest:
    <pre>
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-usbguard-install
    spec:
      config:
        ignition:
          version: 3.1.0
      extensions:
        - usbguard
    </pre>
    <p>
    This will install the <tt>usbguard</tt> package in all the
    nodes labeled with the "master" role.
    </p>
    {{{ machineconfig_description_footer() | indent(4) }}}
    {{% endif %}}

rationale: |-
    <tt>usbguard</tt> is a software framework that helps to protect
    against rogue USB devices by implementing basic whitelisting/blacklisting
    capabilities based on USB device attributes.

severity: medium

identifiers:
    cce@rhcos4: CCE-82524-0
    cce@rhel8: CCE-82959-8
    cce@rhel9: CCE-84203-9
    cce@rhel10: CCE-87756-3

references:
    nist: CM-8(3),IA-3
    ospp: FMT_SMF_EXT.1
    srg: SRG-OS-000378-GPOS-00163,SRG-APP-000141-CTR-000315
    stigid@ol8: OL08-00-040139

ocil_clause: 'the package is not installed'

ocil: '{{{ ocil_package(package="usbguard") }}}'

template:
    name: package_installed
    vars:
        pkgname: usbguard

fixtext: |-
    {{{ describe_package_install(package="usbguard") }}}

srg_requirement: '{{{ srg_requirement_package_installed("usbguard") }}}'