Hello,

On Tuesday, December 17, 2019 7:55:37 AM EST Marek Haicman wrote:
> I have stumbled upon a case where I am not sure if some rule should have a
> reference or not. Can you help me with your view on this situation? I will
> use the case as an example (RHEL8 content) :)
>
> Reference: The operating system must uniquely identify peripherals before
> establishing a connection.
> <http://securityrules.info/about/xovos-tufes-rumeb-decex/SV-71029r1_rule>
>
> Now we have five rules in two groups
> * install USBGuard package
> and
> * enforce USBGuard service to be enabled
> These two rules satisfy, in my opinion, the requirement (at least for the
> USB peripherals) -> USBGuard is "drop by default", so anything acceptable
> has to be allowed explicitly.
>
> * allow Class 03 (HID) USB devices
> * allow Class 08 (HUB) USB devices
> * allow any combination of HID and HUB USB devices
> These rules are not increasing the security of the system - they soften the
> hardening. So they go against the requirement to some extent.
Not really. A hub is harmless. It doesn't do anything except multiplex other
devices. It's the other devices that you should be worried about. The crux of
the requirement really boils down to: know what is being connected. Do not
allow unknown devices. So, you could say that keyboards and mice are known and
approved. Everything else is not.

What /I/ am much more concerned with is if someone plugs in a flash drive,
ethernet adapter, or wifi adapter. These can be used to exfiltrate or
infiltrate data or bypass logging and monitoring. And that seems to also be
what the author was concerned about given the examples in the vulnerability
discussion.

> But without
> these, machines would not be usable for general audience, so as a
> compromise, we do want to have them available to the users.
>
> And now the question - should the reference be part of all the rules? Or
> just the ones that really increase the security of the system?

In my opinion, all of them as a group meet the requirement since they form the
policy. But there is also firewire, bluetooth, external SCSI, RS-232, or
printer connectors. You can really go far down the rabbit hole. :-)

-Steve

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
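The policy shape the thread discusses (USBGuard's drop-by-default stance plus explicit allow rules for HID devices, hubs, and HID/hub combinations), as an added example that is not part of the thread and is not USBGuard's or the SCAP Security Guide's own code. It is a small Python model of how such a rule set decides on a device: every interface a device exposes must fit one of the interface types a rule lists, and a device no rule covers falls through to the default block. The rule syntax imitates USBGuard's `with-interface` clause, but the parser, the `match-all` semantic, the sample devices and their descriptors are constructed for this illustration and are assumptions; the class codes are the standard USB-IF base classes (03 = HID, 09 = hub, 08 = mass storage, 02/0a = CDC communications/data, ff = vendor specific).

```python
"""Drop-by-default USB device policy: a model of allow rules for HID and hubs.

Constructed example. Not USBGuard's code or the SCAP Security Guide rules;
the rule syntax imitates USBGuard's "with-interface" clause and the
"match-all" semantic implemented here (every interface of the device must
fit one of the listed interface types) is an assumption made for this model.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (class, subclass, protocol); None is a wildcard written as "*" in a pattern
Pattern = Tuple[Optional[int], Optional[int], Optional[int]]


@dataclass(frozen=True)
class Interface:
    cls: int
    sub: int
    proto: int


@dataclass(frozen=True)
class Device:
    name: str
    interfaces: Tuple[Interface, ...]


@dataclass(frozen=True)
class Rule:
    target: str                    # "allow", "block" or "reject"
    patterns: Tuple[Pattern, ...]


# Only the subset of the rule language this model needs:
#   <target> with-interface match-all { cc:ss:pp ... }
RULE_RE = re.compile(
    r"^(allow|block|reject)\s+with-interface\s+match-all\s*\{([^}]*)\}\s*$")


def parse_pattern(text: str) -> Pattern:
    parts = text.split(":")
    if len(parts) != 3:
        raise ValueError(f"bad interface pattern: {text!r}")
    return tuple(None if p == "*" else int(p, 16) for p in parts)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    target, body = m.groups()
    patterns = tuple(parse_pattern(p) for p in body.split())
    if not patterns:
        raise ValueError(f"rule lists no interface types: {line!r}")
    return Rule(target, patterns)


def interface_matches(iface: Interface, pattern: Pattern) -> bool:
    actual = (iface.cls, iface.sub, iface.proto)
    return all(p is None or p == v for p, v in zip(pattern, actual))


def rule_matches(rule: Rule, device: Device) -> bool:
    # match-all: one interface outside the listed types and the device does
    # not match, so a keyboard that also exposes storage is not covered by
    # the HID rule. A device reporting no interfaces at all is never matched.
    if not device.interfaces:
        return False
    return all(any(interface_matches(i, p) for p in rule.patterns)
               for i in device.interfaces)


def evaluate(device: Device, rules: List[Rule], default: str = "block") -> str:
    """First matching rule wins; anything no rule covers gets the default."""
    for rule in rules:
        if rule_matches(rule, device):
            return rule.target
    return default


# The three allow rules from the thread, in this model's syntax (constructed).
POLICY = [
    "allow with-interface match-all { 03:*:* }",          # HID only
    "allow with-interface match-all { 09:00:* }",         # hub only
    "allow with-interface match-all { 03:*:* 09:00:* }",  # HID and hub combined
]

# Constructed sample devices with typical interface descriptors (hypothetical).
DEVICES: Dict[str, Device] = {
    "keyboard": Device("keyboard", (Interface(0x03, 0x01, 0x01),)),
    "mouse": Device("mouse", (Interface(0x03, 0x01, 0x02),)),
    "hub": Device("hub", (Interface(0x09, 0x00, 0x01),)),
    "keyboard+hub": Device("keyboard+hub", (Interface(0x03, 0x01, 0x01),
                                            Interface(0x09, 0x00, 0x00))),
    "flash drive": Device("flash drive", (Interface(0x08, 0x06, 0x50),)),
    "ethernet adapter": Device("ethernet adapter", (Interface(0x02, 0x06, 0x00),
                                                    Interface(0x0a, 0x00, 0x00))),
    "wifi adapter": Device("wifi adapter", (Interface(0xff, 0xff, 0xff),)),
    "keyboard+storage": Device("keyboard+storage", (Interface(0x03, 0x01, 0x01),
                                                    Interface(0x08, 0x06, 0x50))),
}


def decisions(policy: List[str] = POLICY,
              devices: Dict[str, Device] = DEVICES) -> Dict[str, str]:
    rules = [parse_rule(line) for line in policy]
    return {name: evaluate(dev, rules) for name, dev in devices.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{verdict:5s}  {name}")
```

Run as a script it lists the verdict per device: keyboard, mouse, hub and the keyboard with a built-in hub are allowed; the flash drive, ethernet adapter, wifi adapter and the keyboard that also exposes storage are blocked. Two points from the thread show up directly: the combination rule is what keeps a keyboard with an internal hub usable (drop the third policy line and `keyboard+hub` is blocked), and the subset semantic is what stops the HID allow rule from becoming a loophole for a composite device that carries storage alongside its HID interface.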