documentation_complete: true
title: 'Disable Modprobe Loading of USB Storage Driver'
description: |-
    To prevent USB storage devices from being used, configure the kernel module loading system
    to prevent automatic loading of the USB storage driver.
    {{{ describe_module_disable(module="usb-storage") }}}
    This will prevent the modprobe program from loading the usb-storage
    module, but will not prevent an administrator (or another program) from using the
    insmod program to load the module manually.
rationale: |-
    USB storage devices such as thumb drives can be used to introduce
    malicious software.
severity: medium
identifiers:
    cce@rhcos4: CCE-82719-6
    cce@rhel8: CCE-80835-2
    cce@rhel9: CCE-83851-6
    cce@rhel10: CCE-89301-6
    cce@sle12: CCE-83069-5
    cce@sle15: CCE-83294-9
    cce@sle16: CCE-96694-5
    cce@slmicro5: CCE-93784-7
    cce@slmicro6: CCE-94722-6
references:
    cis-csc: 1,12,15,16,5
    cis@sle12: 1.1.23
    cis@sle15: 1.1.23
    cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
    cui: 3.1.21
    hipaa: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.310(d)(1),164.310(d)(2),164.312(a)(1),164.312(a)(2)(iv),164.312(b)
    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.6'
    iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.18.1.4,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
    nist: CM-7(a),CM-7(b),CM-6(a),MP-7
    nist-csf: PR.AC-1,PR.AC-3,PR.AC-6,PR.AC-7
    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227,SRG-APP-000141-CTR-000315
    stigid@ol7: OL07-00-020100
    stigid@ol8: OL08-00-040080
    stigid@sle12: SLES-12-010580
    stigid@sle15: SLES-15-010480
{{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
platform: system_with_kernel
template:
    name: kernel_module_disabled
    vars:
        kernmodule: usb-storage
fixtext: |-
    Configure {{{ full_name }}} to disable automated loading of the USB storage driver.
    {{{ describe_module_disable(module="usb-storage") }}}
srg_requirement:
    {{{ full_name }}} must be configured to disable USB mass storage.