MEDIUM M28: USBGuard P3

Partial Compare Branch

Overview

Deploys and enables USBGuard to control USB device access. Blocks unauthorized USB devices while allowing essential HID (keyboard/mouse) and USB hub devices.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Status: Partial — RHCOS does not ship the usbguard RPM. The MachineConfig enables the service and adds device rules, but package-usbguard-installed and service-usbguard-enabled will always fail because the package cannot be installed via MachineConfig on immutable RHCOS.

Compliance Checks

Check Description Status
package-usbguard-installed Install usbguard package FAIL (RPM not on RHCOS)
service-usbguard-enabled Enable usbguard systemd service FAIL (depends on package)
configure-usbguard-auditbackend Configure audit backend PASS (config file deployed)
usbguard-allow-hid-and-hub Permit HID and hub USB devices PASS (rules deployed)

Limitation

RHCOS is an immutable OS — packages cannot be installed via MachineConfig. USBGuard requires the usbguard RPM which is not included in the RHCOS base image. These 2 checks will remain FAIL on any RHCOS-based cluster unless a custom RHCOS image with USBGuard is built.

Verification

oc debug node/<node> -- chroot /host rpm -q usbguard
oc debug node/<node> -- chroot /host systemctl is-active usbguard
← M27 All Groups M29 →
Legend
Status
🔵 In Progress
🟡 Pending
On Hold
🟢 Complete
Severity
HIGH
MEDIUM
LOW
MANUAL

Keyboard Shortcuts

Navigation
j / Next row
k / Previous row
Enter Open selected / Expand details
Esc Clear selection / Close modal
Actions
/ Focus search
d Toggle dark mode
? Show this help
g h Go to home
Filters
1 Show all
2 Pending only
3 In Progress only
4 Complete only