modify usbguard_allow_* rules to use new match-all keyword #5055
Conversation
Nice catch. An use case that should be allowed is devices with any combination of Merging them and treating as a single config seems the sane approach. |
linux_os/guide/services/usbguard/usbguard_allow_hid/bash/shared.sh
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
OK, after internal discussions, based on this rules being considered "convenience" (it does not bring anything security related to the table - that's provided by the default USBGuard installation), we have decided to change the behavior of the rule a bit:
- OVAL will fail when file is empty. Otherwise it is expected that user made deliberate changes and we are OK with it.
- Remediation will allow devices with any combination of
03:*:*and09:00:* - Description will be explicit about this rule being convenience, not security requirement.
|
Also, I have checked there is SRG mapped to this rule - This should be mapped to the |
…yword oval DOES NOT CHECK for actual values, only if file is empty or completely missing taking into account possible modifications by administrator created new shared oval for usbguard_allow_* rules
this rule covers a possibility when devices having both HID and hub USB class need to be allowed this rule also contains tests for the shared oval combinations of usbguard_allow_hid and usbguard_allow_hub are replaced in profiles by usbguard_allow_hid_and_hub
vojtapolasek
force-pushed
the
fix_usbguard
branch
from
ffbd93f
to
4ef359a
Compare
|
Thank you @vojtapolasek , looks great! |
Description:
Usbguard_allow_hid and usbguard_allow_hub now use the new match-all keyword provided by Usbguard rule syntax.
Both rules DO NOT check for actual content of /etc/usbguard/rules.conf file, they just check if the file is not empty or is not missing. If file is empty or missing, they add respective lines. In other cases, intentional modification by administrator is assumed and therefore rule passes. This is reflected by warning in rule.yml.
OCIL, OVAL and Bash remediations are modified.
Also a new rule usbguard_allow_hid_and_hub is created because combining these two separate rules turns out to be difficult. Oval, rule file, Bash remediation and tests are created for this new rule. All three rules use common OVAL check and therefore only one test is provided.
Rationale:
IMPORTANT: usbguard_allow_* rules should be understood primarily as convenience
Rules. They help administrators to ease management of machines.
The match-all keyword allows better matching of USB devices, for example
match-all { 03:: will match HID devices with possibly multiple HID interfaces but will not match devices including any other USB class interface
This was not reasonably easy to do before.