STIGQter: STIG Summary: Red Hat Enterprise Linux 6 Security Technical Implementation Guide Version: 1 Release: 24 Benchmark Date: 25 Oct 2019: The operating system must enforce requirements for the connection of mobile devices to operating systems.

DISA Rule

SV-50291r6_rule

Vulnerability Number

V-38490

Group Title

SRG-OS-000273

Rule Version

RHEL-06-000503

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

install usb-storage /bin/true

This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.

Check Contents

If the system is configured to prevent the loading of the "usb-storage" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d | grep -i "/bin/true" | grep -v "#"

If no line is returned, this is a finding.
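The check above, together with the "insmod" caveat from the fix text, can be scripted as follows. This is an added example, not part of the STIG: the function names are hypothetical, the demo files are constructed, and it relies on modprobe treating "-" and "_" in module names as equivalent and on the loaded module appearing as "usb_storage" in /proc/modules.

```shell
#!/bin/sh
# Added example: audit for RHEL-06-000503 (function names are hypothetical).

# Print active lines that map the usb-storage "install" event to /bin/true.
# Arguments: modprobe config files or directories to search.
usb_storage_install_lines() {
    for path in "$@"; do
        [ -e "$path" ] || continue      # /etc/modprobe.conf is often absent
        find "$path" -type f -exec cat {} + 2>/dev/null
    done |
    sed -e 's/#.*$//' |                 # drop comments, keep the directive
    grep -E '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/true([[:space:]]|$)'
}

# Return 0 if the module is loaded right now, for example through insmod,
# which ignores modprobe configuration. $1: modules list file.
usb_storage_loaded() {
    grep -q '^usb_storage ' "${1:-/proc/modules}" 2>/dev/null
}

# Report the status. $1: modules list file; remaining args: config paths.
# Returns 1 for a finding, 2 if configured but loaded anyway, 0 otherwise.
audit_usb_storage() {
    modules_file=$1; shift
    if ! usb_storage_install_lines "$@" >/dev/null; then
        echo "FINDING: no active 'install usb-storage /bin/true' line"; return 1
    fi
    if usb_storage_loaded "$modules_file"; then
        echo "WARNING: configured, but usb_storage is currently loaded"; return 2
    fi
    echo "OK: usb-storage loading is disabled"; return 0
}

# Demo on constructed sample files (not real system state).
demo=$(mktemp -d)
printf '%s\n' '# install usb-storage /bin/true' > "$demo/commented.conf"
printf '%s\n' 'install usb-storage /bin/true' > "$demo/usb.conf"
printf '%s\n' 'ext4 500000 1 - Live 0x0' > "$demo/modules"
audit_usb_storage "$demo/modules" "$demo/usb.conf" "$demo/commented.conf"
rm -rf "$demo"
```

On a live system the equivalent call is audit_usb_storage /proc/modules /etc/modprobe.conf /etc/modprobe.d.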

Documentable

False

Severity Override Guidance

If the system is configured to prevent the loading of the "usb-storage" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d | grep -i "/bin/true" | grep -v "#"

If no line is returned, this is a finding.

Check Content Reference

M

Target Key

2367
