Nutanix OS must disable the ability to use USB mass storage devices.

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, flash drives, external storage, and printers.

Verify Nutanix OS is set to disable the ability to use USB mass storage devices using the following command. $ sudo grep -i usb-storage /etc/modprobe.d/stig-reqs.conf install usb-storage /bin/false $ sudo grep -i usb-storage /etc/modprobe.d/blacklist.conf blacklist usb-storage If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

1. For AOS, disable USB mass storage and blacklist from executing using the following command. $ sudo salt-call state.sls security/CVM/modprobeCVM 2. For Prism Central, disable USB mass storage and blacklist from executing using the following command. $ sudo salt-call state.sls security/PCVM/modprobePCVM 3. For Files, disable USB mass storage and blacklist from executing using the following command. $ sudo salt-call state.sls security/AFS/modprobeAFS 4. Configure AHV to disable USB mass storage and blacklist from executing using the following command. $ sudo salt-call state.sls security/KVM/modprobeKVM