STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
V-268139

CAT II (Medium)

NixOS must enable USBguard.

Rule ID

SV-268139r1131083_rule

STIG

Anduril NixOS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000778, CCI-001958, CCI-003959

Discussion

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000690-GPOS-00140

Check Content

Verify that NixOS has enabled USBGuard with the following command:

$ systemctl status usbguard

 usbguard.service - USBGuard daemon
Loaded: loaded (/etc/systemd/system/usbguard.service; enabled; present: enabled)
Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago

If the usbguard.service is not "active" and "running", this is a finding.

Fix Text

Configure NixOS to enable USBGuard and generate a USBGuard ruleset.

Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:

 services.usbguard.enable = true;

Rebuild the system configuration by running the following command:

$ sudo nixos-rebuild switch

As root, generate a usbguard configuration. Using the "usbguard" command, use "usbguard list-devices" to list connected USB devices, "usbguard block-device" to block a device, and "usbguard allow-device" to allow a device. Note that the default behavior is to block devices.

When all connected USB devices have been permitted, generate a ruleset by running the following command as root:

# usbguard generate-policy

Edit the NixOS config to add the policy:

 services.usbguard.rules = ''
  allow id 1d6b:0001 serial "0000:00:01.2" name "UHCI Host Controller" hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" parent-hash "9+Zsfvo9IR/AEQ/Fn4mzdoPGk0rqpjku6uErfS09K4c=" with-interface 09:00:00 with-connect-type ""

  allow id 0627:0001 serial "28754-0000:00:01.2-1" name "QEMU USB Tablet" hash "5TyVK8wyL5GmiIbZV2Sf/ehIRMCP83miy4kOzG6O+2M=" parent-hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" with-interface 03:00:00 with-connect-type "unknown"
 '';

Note: This ruleset is only an example; generate a policy using the process described above.

Rebuild and switch to the new NixOS configuration:

$ sudo nixos-rebuild switch
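The Check Content and the ruleset step above can be scripted. The helpers below are an added example, not code from STIGhub, DISA or the NixOS usbguard module: one evaluates the "active" and "running" condition from `systemctl show` output, the other lints a generated ruleset before it is pasted into services.usbguard.rules (an allow rule without a device hash matches any device with that vendor:product id, and a bare "allow" admits everything). The sample status text and rules are constructed, with placeholder hashes.

```shell
#!/bin/sh
# Added example for V-268139 (not STIGhub's, DISA's or NixOS's code).
# Both helpers take text as an argument so they can run on captured output.

# Check Content: the service must be "active" and "running".
# Feed it the output of: systemctl show usbguard.service -p ActiveState -p SubState
usbguard_service_ok() {
    printf '%s\n' "$1" | grep -qx 'ActiveState=active' &&
    printf '%s\n' "$1" | grep -qx 'SubState=running'
}

# Ruleset lint: every "allow" rule must carry a device hash (usbguard computes it
# over the device descriptors), no bare "allow" line may be present, and at least
# one allow rule must exist. Returns 0 when the ruleset passes, 1 otherwise.
usbguard_rules_ok() {
    rules=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*(allow|block|reject)([[:space:]]|$)' || true)
    allows=$(printf '%s\n' "$rules" | grep -c '^[[:space:]]*allow' || true)
    # "parent-hash" alone does not pin the device; require a standalone "hash" keyword
    unpinned=$(printf '%s\n' "$rules" | grep '^[[:space:]]*allow' \
               | grep -Evc '(^|[[:space:]])hash "' || true)
    bare=$(printf '%s\n' "$rules" | grep -Ec '^[[:space:]]*allow[[:space:]]*$' || true)
    status=0
    [ "$allows" -gt 0 ] || { echo "no allow rules: every device will be blocked" >&2; status=1; }
    [ "$unpinned" -eq 0 ] || { echo "$unpinned allow rule(s) without a device hash" >&2; status=1; }
    [ "$bare" -eq 0 ] || { echo "bare 'allow' rule admits every device" >&2; status=1; }
    return $status
}

# Constructed sample inputs for a stand-alone run (not real captured output).
SAMPLE_STATUS_OK='ActiveState=active
SubState=running'
SAMPLE_STATUS_BAD='ActiveState=inactive
SubState=dead'
SAMPLE_RULES_OK='allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "CONSTRUCTED-HASH-1" with-interface 09:00:00
allow id 0627:0001 serial "28754-0000:00:01.2-1" name "QEMU USB Tablet" hash "CONSTRUCTED-HASH-2" parent-hash "CONSTRUCTED-HASH-1" with-interface 03:00:00'
SAMPLE_RULES_BAD='allow id 1d6b:0002 parent-hash "CONSTRUCTED-HASH-1"
allow'

if [ "${1:-}" = "--demo" ]; then
    usbguard_service_ok "$SAMPLE_STATUS_OK" && echo "service check: pass"
    usbguard_rules_ok "$SAMPLE_RULES_OK" && echo "ruleset check: pass"
    usbguard_rules_ok "$SAMPLE_RULES_BAD" || echo "ruleset check: finding"
fi
```

On a live host, pass `"$(systemctl show usbguard.service -p ActiveState -p SubState)"` and `"$(usbguard generate-policy)"` to the two functions.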