Hello,
I have stumbled upon a case where I am not sure if some rule should have a reference or not. Can you help me with your view on this situation? I will use the case as an example (RHEL8 content) :)

Reference: The operating system must uniquely identify peripherals before establishing a connection.

Now we have five rules in two groups
* install the USBGuard package
and
* enforce that the USBGuard service is enabled
These two rules satisfy, in my opinion, the requirement (at least for the USB peripherals) -> USBGuard is "drop by default", so anything acceptable has to be allowed explicitly.

* allow Class 03 (HID) USB devices
* allow Class 08 (HUB) USB devices
* allow any combination of HID and HUB USB devices
These rules do not increase the security of the system; they soften the hardening. So they go against the requirement to some extent. But without these, machines would not be usable for a general audience, so as a compromise, we do want to have them available to the users.

And now the question: should the reference be part of all the rules? Or just the ones that really increase the security of the system?

What's your interpretation of the reference, if you are reading it in the guide?

Thanks!
Marek
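Added illustration, not code from this thread or from USBGuard itself: a small Python model of the decision the message describes, a default-block policy with the three allow rules evaluated against constructed devices, so the "drop by default, allow explicitly" interplay is visible. It assumes usbguard-rules.conf semantics for the `equals` and `match-all` set operators and the USB-IF interface class codes, 03 for HID and 09 for hubs (note that 09, not 08, is the hub class; 08 is mass storage).

```python
import fnmatch

# Constructed policy modelled on usbguard-rules.conf syntax (an added example, not
# the RHEL8 content's own rules): the implicit target is "block", so a device is
# only allowed when some "allow" rule matches it.
IMPLICIT_TARGET = "block"
RULES = [
    ("allow", "equals", ["03:*:*"]),                # HID only (keyboard, mouse)
    ("allow", "equals", ["09:00:*"]),               # hub only
    ("allow", "match-all", ["03:*:*", "09:00:*"]),  # any mix of HID and hub interfaces
]

def iface_matches(iface, pattern):
    """Match one class:subclass:protocol triple against a pattern with '*' wildcards."""
    return all(fnmatch.fnmatchcase(part, pat)
               for part, pat in zip(iface.split(":"), pattern.split(":")))

def rule_matches(op, patterns, interfaces):
    """Evaluate the two set operators used above.

    equals    - every interface matches some pattern AND every pattern is matched
                by some interface (no extra interfaces, no unused patterns)
    match-all - every interface matches some pattern (unused patterns are fine)
    """
    every_iface_matched = all(any(iface_matches(i, p) for p in patterns) for i in interfaces)
    if op == "match-all":
        return every_iface_matched
    if op == "equals":
        every_pattern_used = all(any(iface_matches(i, p) for i in interfaces) for p in patterns)
        return every_iface_matched and every_pattern_used
    raise ValueError(f"unsupported operator: {op}")

def decide(interfaces):
    """Return 'allow' or 'block' for a device exposing the given interface triples."""
    for target, op, patterns in RULES:
        if rule_matches(op, patterns, interfaces):
            return target
    return IMPLICIT_TARGET  # nothing matched: dropped by default

# Constructed sample devices, described by their USB interface descriptors.
DEVICES = {
    "keyboard":              ["03:01:01"],
    "hub":                   ["09:00:00"],
    "keyboard_via_hub":      ["09:00:00", "03:01:01", "03:00:00"],
    "flash_drive":           ["08:06:50"],              # mass storage: no rule, blocked
    "keyboard_plus_storage": ["03:01:01", "08:06:50"],  # composite: the storage interface
                                                        # keeps it outside every allow rule
}

if __name__ == "__main__":
    for name, ifaces in DEVICES.items():
        print(f"{name:22s} -> {decide(ifaces)}")
```

The last two devices show why the allow rules soften rather than remove the hardening: anything carrying an interface outside HID/hub still falls through to the implicit block.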