Hello,
On Tuesday, December 17, 2019 7:55:37 AM EST Marek Haicman wrote:
> I have stumbled upon a case where I am not sure if some rule should
> have a reference or not. Can you help me with your view on this
> situation? I will use the case as an example (RHEL8 content) :)
>
> Reference: The operating system must uniquely identify peripherals
> before establishing a connection.
> <http://securityrules.info/about/xovos-tufes-rumeb-decex/SV-71029r1_rule>
> Now we have five rules in two groups:
>
> * install USBGuard package
> and
> * enforce USBGuard service to be enabled
>
> These two rules satisfy, in my opinion, the requirement (at least for the
> USB peripherals) -> USBGuard is "drop by default", so anything acceptable
> has to be allowed explicitly.
>
> * allow Class 03 (HID) USB devices
> * allow Class 08 (HUB) USB devices
> * allow any combination of HID and HUB USB devices
>
> These rules are not increasing the security of the system - they soften the
> hardening. So they go against the requirement to some extent.
Not really. A hub is harmless. It doesn't do anything except multiplex other
devices. It's the other devices that you should be worried about.

The crux of the requirement really boils down to: know what is being
connected. Do not allow unknown devices. So, you could say that keyboards and
mice are known and approved. Everything else is not.

What /I/ am much more concerned with is if someone plugs in a flash drive,
ethernet adapter, or wifi adapter. These can be used to exfiltrate or
infiltrate data or bypass logging and monitoring. And that seems to be what
the author was also concerned about, given the examples in the vulnerability
discussion.
> But without these, machines would not be usable for a general audience, so
> as a compromise, we do want to have them available to the users.
>
> And now the question - should the reference be part of all the rules? Or
> just the ones that really increase the security of the system?
In my opinion, all of them as a group meet the requirement since they form
the policy. But there is also FireWire, Bluetooth, external SCSI, RS-232, or
printer connectors. You can really go far down the rabbit hole. :-)

-Steve
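As an added illustration of the policy discussed in this thread (not code from the thread, from USBGuard or from the SCAP Security Guide), the following Python script simulates how USBGuard's ordered `with-interface` rules plus its implicit block decide on a device, using USB-IF interface class codes (03 = HID, 09 = hub, 08 = mass storage). The rule set, operator semantics and device descriptors are simplified and constructed for the example; the real decision is made by usbguard-daemon against /etc/usbguard/rules.conf.

```python
from fnmatch import fnmatchcase

# Constructed policy in the spirit of the thread: nothing is allowed unless a
# rule says so. Rules are evaluated top to bottom; the first match decides.
# "match-all" means every interface the device exposes must match one of the
# listed cc:ss:pp patterns, so a composite device with an extra interface
# (e.g. keyboard plus storage) falls through to the implicit block.
RULES = [
    ("allow", "match-all", ["03:*:*"]),             # HID: keyboards, mice
    ("allow", "match-all", ["09:00:*"]),            # plain hubs
    ("allow", "match-all", ["03:*:*", "09:00:*"]),  # HID and hub combinations
]
DEFAULT_TARGET = "block"  # USBGuard's implicit rule when nothing matches


def interface_matches(iface: str, pattern: str) -> bool:
    """Compare one cc:ss:pp interface type against a pattern with '*' wildcards."""
    return fnmatchcase(iface, pattern)


def rule_matches(operator: str, patterns: list[str], ifaces: list[str]) -> bool:
    """Simplified semantics of USBGuard's set operators for with-interface."""
    hits = [[interface_matches(i, p) for p in patterns] for i in ifaces]
    if operator == "match-all":   # every device interface hits some pattern
        return all(any(row) for row in hits)
    if operator == "all-of":      # every pattern is hit by some interface
        return all(any(interface_matches(i, p) for i in ifaces) for p in patterns)
    if operator == "one-of":      # at least one interface hits a pattern
        return any(any(row) for row in hits)
    if operator == "none-of":     # no interface hits any pattern
        return not any(any(row) for row in hits)
    raise ValueError(f"unsupported operator: {operator}")


def decide(ifaces: list[str], rules=RULES) -> str:
    """Return the target ('allow' or 'block') for a device's interface list."""
    for target, operator, patterns in rules:
        if rule_matches(operator, patterns, ifaces):
            return target
    return DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed device descriptors: keyboard, hub, flash drive, a composite
    # keyboard with a storage interface, and a keyboard with a built-in hub.
    for name, ifaces in [("keyboard", ["03:01:01"]), ("hub", ["09:00:00"]),
                         ("flash drive", ["08:06:50"]),
                         ("keyboard+storage", ["03:01:01", "08:06:50"]),
                         ("keyboard with hub", ["09:00:00", "03:01:01"])]:
        print(f"{name:18} -> {decide(ifaces)}")
```

The flash drive and the composite keyboard-plus-storage device both end up blocked, which is the behaviour the thread relies on when it treats HID and hub allow rules as part of a deny-by-default policy.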