An error occurred:

Check: ANIX-00-000930

Anduril NixOS STIG: ANIX-00-000930 (in version v1 r1)

Title

NixOS must enable USBguard. (Cat II impact)

Discussion

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000690-GPOS-00140

Check Content

Verify NixOS had enabled the use of the USBGuard with the following command: $ systemctl status usbguard usbguard.service - USBGuard daemon Loaded: loaded (/etc/systemd/system/usbguard.service; enabled; present: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the usbguard.service is not "active" and "running", this is a finding.

Fix Text

Configure NixOS to enable USBGuard and generate a USBGuard ruleset. Edit /etc/nixos/configuration.nix and add the following: services.usbguard.enable = true; Rebuild the system configuration by running the following command: $ sudo nixos-rebuild switch Then, as root, generate a usbguard configuration. Using the "usbguard" command, use "usbguard list-devices" to list connected USB devices, "usbguard block-device" to block a device, and "usbguard allow-device" to allow a device. Note that the default behavior is to block devices. When all connected USB devices have been permitted, generate a ruleset by running the following command as root: # usbguard generate-policy Then, edit /etc/nixos/configuration.nix to add the policy: services.usbguard.rules = '' allow id 1d6b:0001 serial "0000:00:01.2" name "UHCI Host Controller" hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" parent-hash "9+Zsfvo9IR/AEQ/Fn4mzdoPGk0rqpjku6uErfS09K4c=" with-interface 09:00:00 with-connect-type "" allow id 0627:0001 serial "28754-0000:00:01.2-1" name "QEMU USB Tablet" hash "5TyVK8wyL5GmiIbZV2Sf/ehIRMCP83miy4kOzG6O+2M=" parent-hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" with-interface 03:00:00 with-connect-type "unknown" ''; Note: This ruleset is only an example; generate a policy using the process described above. Rebuild the system configuration by running the following command: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268139r1039607_rule

Vulnerability ID: V-268139

Group Title: SRG-OS-000114-GPOS-00059

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000778

Uniquely identify organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.
CCI-001958

Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.
CCI-003959

Prohibit the use or connection of unauthorized hardware components.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-3

Device Identification and Authentication