I put this (attached) together a while back to configure USB device whitelisting through udev. If it helps, great. If not, please pardon the intrusion.
Brian

From: [email protected] [mailto:[email protected]] On Behalf Of Trevor Vaughan
Sent: Friday, April 18, 2014 11:47 AM
To: SCAP Security Guide
Subject: Re: [PATCH] [RHEL/6] Search for nousb kernel command line argument in /etc/grub.conf within bootloader_nousb_argument check case-insensitively

The authorized and authorized_default files are action toggles.

It looks like you need to check /sys/bus/usb/devices/usb*/authorized_default == 1 for a failure case.

If those are all '0', then USB is not authorized for any system devices by default.

Don't have a chance to test right now but I can play more later.

https://www.kernel.org/doc/Documentation/usb/authorization.txt

Trevor

On Thu, Apr 17, 2014 at 11:51 PM, Shawn Wells <[email protected]> wrote:

On 4/17/14, 12:54 PM, Trevor Vaughan wrote:

Udev is system agnostic and works like a firewall instead of a sledgehammer. Deny all, allow as approved.

nousb is a sledgehammer, you can't turn it back on without a reboot.

I'm wanting to allow <Vendor> keyboards of type X, not all keyboards that may have who knows what built into them. Udev lets me do this but nousb doesn't.

As far as I can tell, udev appears to be supported in almost all modern Linux distros and, if it's not, you can always sledgehammer the system.

That said, I'm certainly happy for the discussion since it's what it takes to move things forward (in whatever direction).

Reviewed the link you sent over (http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices#3.2_Locking_down_Linux_using_UDEV). Specifically:

#Script by Adrian Crenshaw
#With info from Michael Miller, Inaky Perez-Gonzalez and VMWare

#By default, disable it.
#ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'echo 0 >/sys$DEVPATH/authorized'"
ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'"

#Enable hub devices. There may be a better way than this.
ACTION=="add", ATTR{bDeviceClass}=="09", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"

#Other things to enable
ACTION=="add", ATTR{idVendor}=="046d", ATTR{idProduct}=="0809", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
ACTION=="add", ATTR{serial}=="078606B90DD3", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
ACTION=="add", ATTR{product}=="802.11 n WLAN", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
#ACTION=="add", ATTR{idVendor}=="413c", ATTR{idProduct}=="2106", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"

My first reaction was to say "If 'cat $host/authorized_default == 0' or nousb, then pass || if /sys$DEVPATH/authorized != *, pass"

It's laughable... but I don't own a USB device. Not even a storage token. Since you're starting the conversation, could you test such a system configuration out and see if such an approach is even sane?

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
## This file was originally created as (root:root/0644) /etc/udev/rules.d/10-local.rules
## Details about USB classes, subclasses, and protocols can be found at:
##   http://www.usb.org/developers/defined_class
## A few useful websites for writing udev rules:
##   http://www.reactivated.net/writing_udev_rules.html
##   http://www.linuxforu.com/2012/06/some-nifty-udev-rules-and-examples/
##   https://www.google.com/search?q=udev+man+page
##
## This file uses the legacy udev key names and tools of the time it was written.
## On current udev: BUS== is SUBSYSTEMS==, SYSFS{...} is ATTRS{...}, and udevcontrol,
## udevmonitor and udevinfo are udevadm control, udevadm monitor and udevadm info.
##
## !! PAY ATTENTION HERE !!
## !! THIS CAN BITE YOU IN THE ASS !!
## Devices are a hierarchy, one device is a child of another (see "lspci -tv" or "lsusb -t" for a better picture).
## Attributes are passed from any single parent device to a child device. While it can be useful, it's a potential problem to be aware of.
## For example, the rule:
##   BUS=="usb", SYSFS{idVendor}=="0000", SYSFS{idProduct}=="0000", GOTO="usb_device_allowed"
## will match the root EHCI host controller, which is parent to other USB devices.
## This would allow every USB device, even if blacklisted in subsequent lines.
## Make sure you really understand what this means.
## -- End of warning --
##
## If it looks like changes to the rule file are not taking effect, a reload can be forced with the command:
##   udevcontrol reload_rules          (current udev: udevadm control --reload-rules)
## Observe device events (like plugging in a new device) with:
##   udevmonitor --env                 (current udev: udevadm monitor --environment)
## To get information on a specific device, use the DEVPATH= line from udevmonitor output as the "path" for udevinfo.
## For example:
##   udevinfo -a -p /devices/pci0000:00/0000:00:1a.7/usb1/1-3/1-3.2      (current udev: udevadm info -a -p <path>)
##
## No multi-line rules. One line each, no splitting/spanning.

## When intentionally plugging a new device in, uncomment the following line for it to be recognized.
## Make sure to recomment it to re-secure the bus.
#BUS=="usb", GOTO="usb_device_allowed"

## Specifically allowed devices go here.
## For example:
#BUS=="usb", SYSFS{serial}=="079306B8005C", SYSFS{product}=="Patriot Memory", SYSFS{idVendor}=="13fe", SYSFS{idProduct}=="3100", GOTO="usb_device_allowed"

## -- DEFAULT CLASS RULES --
## Make sure to review/modify for applicability in your environment.
## Any USB device that matches none of these falls through to the blacklist rule at the end.

## Blacklist Base Class 00h (Device)
## Note: class 00h means "class is defined per interface"; many keyboards and mice report bDeviceClass 00
## with bInterfaceClass 03 (HID), so this line can block them. Whitelist such devices explicitly above.
BUS=="usb", SYSFS{bDeviceClass}=="00", GOTO="usb_device_blacklist"
## Blacklist Base Class 01h (Audio)
BUS=="usb", SYSFS{bDeviceClass}=="01", GOTO="usb_device_blacklist"
## Blacklist Base Class 02h (Communications and CDC Control)
BUS=="usb", SYSFS{bDeviceClass}=="02", GOTO="usb_device_blacklist"
## Allow Base Class 03h (HID Human Interface Device)
BUS=="usb", SYSFS{bDeviceClass}=="03", GOTO="usb_device_allowed"
## Blacklist Base Class 05h (Physical)
BUS=="usb", SYSFS{bDeviceClass}=="05", GOTO="usb_device_blacklist"
## Blacklist Base Class 06h (Still Imaging)
BUS=="usb", SYSFS{bDeviceClass}=="06", GOTO="usb_device_blacklist"
## Allow Base Class 07h (Printer)
BUS=="usb", SYSFS{bDeviceClass}=="07", GOTO="usb_device_allowed"
## Blacklist Base Class 08h (Mass Storage); individual drives are whitelisted by serial above
BUS=="usb", SYSFS{bDeviceClass}=="08", GOTO="usb_device_blacklist"
## Allow USB hubs, Base Class 09h
BUS=="usb", SYSFS{bDeviceClass}=="09", GOTO="usb_device_allowed"
## Blacklist Base Class 0Ah (CDC-Data)
BUS=="usb", SYSFS{bDeviceClass}=="0a", GOTO="usb_device_blacklist"
## Allow Base Class 0Bh (Smart Card)
BUS=="usb", SYSFS{bDeviceClass}=="0b", GOTO="usb_device_allowed"
## Blacklist Base Class 0Dh (Content Security)
BUS=="usb", SYSFS{bDeviceClass}=="0d", GOTO="usb_device_blacklist"
## Blacklist Base Class 0Eh (Video)
BUS=="usb", SYSFS{bDeviceClass}=="0e", GOTO="usb_device_blacklist"
## Blacklist Base Class 0Fh (Personal Healthcare)
BUS=="usb", SYSFS{bDeviceClass}=="0f", GOTO="usb_device_blacklist"
## Blacklist Base Class 10h (Audio/Video Devices)
BUS=="usb", SYSFS{bDeviceClass}=="10", GOTO="usb_device_blacklist"
## Blacklist Base Class DCh (Diagnostic Device)
BUS=="usb", SYSFS{bDeviceClass}=="dc", GOTO="usb_device_blacklist"
## Blacklist Base Class E0h (Wireless Controller)
BUS=="usb", SYSFS{bDeviceClass}=="e0", GOTO="usb_device_blacklist"
## Blacklist Base Class EFh (Miscellaneous)
BUS=="usb", SYSFS{bDeviceClass}=="ef", GOTO="usb_device_blacklist"
## Blacklist Base Class FEh (Application Specific)
BUS=="usb", SYSFS{bDeviceClass}=="fe", GOTO="usb_device_blacklist"
## Blacklist Base Class FFh (Vendor Specific)
BUS=="usb", SYSFS{bDeviceClass}=="ff", GOTO="usb_device_blacklist"

# Where all GOTO="usb_device_blacklist" lines land
# Note: ignore_device only keeps udev from handling the device (no device node, no further rules);
# the kernel still enumerates it and any already-loaded driver still binds to it, so a rogue HID
# keyboard can still type into the console. Kernel-level blocking needs the sysfs "authorized"
# attribute set to 0 on the device, or authorized_default set to 0 on the root hubs
# (see the kernel's Documentation/usb/authorization.txt).
LABEL="usb_device_blacklist"
BUS=="usb", OPTIONS:="ignore_device, ignore_remove, last_rule"

# Where all GOTO="usb_device_allowed" lines land, just past the blacklist rule
LABEL="usb_device_allowed"
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
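The check Trevor describes above (every root hub's authorized_default must read 0, otherwise fail), as an added example that is not part of the thread or of the attached rules file: a POSIX sh script that audits the root hubs and also inventories the attributes a per-device allow rule would match on. The function names and the optional sysfs-root argument (so the functions can be pointed at a copied or constructed tree) are this example's own; the sysfs paths are the ones in the kernel's authorization.txt linked above.

```shell
#!/bin/sh
# Added example, not code from the thread or the attached 10-local.rules.
# Audits the USB authorization state the check above looks at, and lists
# the attributes needed to write per-device allow rules.
# ROOT is a parameter (default /sys) so the functions can be run against a
# copied or constructed sysfs tree as well as the live one.

# Read a sysfs attribute, printing "-" if it is absent.
usb_attr() {
    if [ -r "$1" ]; then
        tr -d '\n' < "$1"
    else
        printf '%s' '-'
    fi
}

# Exit 0 and print PASS when every root hub has authorized_default == 0,
# exit 1 and list the offending hubs otherwise, exit 2 if no root hub is
# present (USB absent or disabled, e.g. by nousb; not evidence either way).
# Newer kernels also accept 2 (authorize devices on internal ports only);
# the criterion discussed above is exactly 0, so 2 is reported as a failure.
usb_authorized_default_check() {
    root="${1:-/sys}"
    found=0
    bad=0
    for hub in "$root"/bus/usb/devices/usb*; do
        [ -r "$hub/authorized_default" ] || continue
        found=1
        val=$(usb_attr "$hub/authorized_default")
        if [ "$val" != "0" ]; then
            echo "FAIL: ${hub##*/} authorized_default=$val"
            bad=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "NOTE: no USB root hubs under $root"
        return 2
    fi
    if [ "$bad" -eq 0 ]; then
        echo "PASS: all root hubs have authorized_default=0"
    fi
    return "$bad"
}

# One line per USB device (entries with an idVendor attribute; interfaces
# such as 1-3:1.0 have none), with the attributes an allow rule matches on.
usb_device_inventory() {
    root="${1:-/sys}"
    for dev in "$root"/bus/usb/devices/*; do
        [ -r "$dev/idVendor" ] || continue
        printf '%s class=%s vid=%s pid=%s serial=%s authorized=%s product=%s\n' \
            "${dev##*/}" \
            "$(usb_attr "$dev/bDeviceClass")" \
            "$(usb_attr "$dev/idVendor")" \
            "$(usb_attr "$dev/idProduct")" \
            "$(usb_attr "$dev/serial")" \
            "$(usb_attr "$dev/authorized")" \
            "$(usb_attr "$dev/product")"
    done
}

# Usage:  sh usb-audit.sh check [ROOT]     sh usb-audit.sh inventory [ROOT]
case "${1:-}" in
    check)     usb_authorized_default_check "${2:-/sys}" ;;
    inventory) usb_device_inventory "${2:-/sys}" ;;
esac
```

Run `check` on a host where udev or the kernel command line is supposed to have set the default to 0; a FAIL names the hub whose authorized_default still reads 1 (the kernel's shipped default), and `inventory` gives the idVendor/idProduct/serial/class values to paste into the allow rules.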
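The deny-all, allow-as-approved rule set that the thread argues for, in current udev syntax and generated from a small allow-list file; this is an added example, not the irongeek script quoted above and not the attached 10-local.rules. The allow-list format (one `vid:pid` or `vid:pid:serial` per line), the output file name and the function names are assumptions of this example. Unlike the legacy file's ignore_device, it writes the kernel's authorized_default and authorized attributes (udev's `ATTR{key}="value"` assignment), so an unlisted device is deauthorized in the kernel rather than merely hidden from udev.

```shell
#!/bin/sh
# Added example (not the attached 10-local.rules and not the irongeek script):
# generate a udev rules file, in current udev syntax, that denies new USB
# devices by default at the kernel level and re-authorizes only hubs and the
# devices listed in an allow-list file.
#
# Allow-list format (an assumption of this example; "#" starts a comment):
#   vid:pid            e.g.  046d:c31c
#   vid:pid:serial     e.g.  13fe:3100:079306B8005C
# idVendor/idProduct are compared as the lowercase 4-digit hex strings sysfs
# shows; the serial is compared verbatim and must not contain whitespace.

is_hex4() {
    case "$1" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rules for allow-list file $1 to stdout. Returns 1 on a malformed entry.
gen_usb_rules() {
    cat <<'EOF'
# USB allow-list: deny by default, authorize approved devices (generated).
# The same default at boot, before udev runs: usbcore.authorized_default=0 on the kernel command line.
ACTION=="add", SUBSYSTEM=="usb", KERNEL=="usb[0-9]*", ATTR{authorized_default}="0"
# Hubs must be authorized or nothing behind them is enumerated.
ACTION=="add", SUBSYSTEM=="usb", ATTR{bDeviceClass}=="09", ATTR{authorized}="1"
EOF
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')       # and all whitespace
        [ -n "$line" ] || continue
        case "$line" in
            *:*) ;;
            *) echo "malformed allow-list entry: $line" >&2; return 1 ;;
        esac
        vid=$(printf '%s' "${line%%:*}" | tr 'A-F' 'a-f')
        rest=${line#*:}
        pid=$(printf '%s' "${rest%%:*}" | tr 'A-F' 'a-f')
        serial=""
        case "$rest" in *:*) serial=${rest#*:} ;; esac
        if ! is_hex4 "$vid" || ! is_hex4 "$pid"; then
            echo "malformed allow-list entry: $line" >&2
            return 1
        fi
        if [ -n "$serial" ]; then
            printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ATTR{serial}=="%s", ATTR{authorized}="1"\n' "$vid" "$pid" "$serial"
        else
            printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ATTR{authorized}="1"\n' "$vid" "$pid"
        fi
    done < "$1"
}

# Write the rules for allow-list $1 to $2 (default below) and reload udev.
# Already-enumerated devices keep their current authorized state; re-evaluate
# them with: udevadm trigger --subsystem-match=usb --action=add
install_usb_rules() {
    dest=${2:-/etc/udev/rules.d/10-usb-allowlist.rules}
    tmp=$(mktemp) || return 1
    if gen_usb_rules "$1" > "$tmp"; then
        install -m 0644 "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
        rm -f "$tmp"
        if command -v udevadm >/dev/null; then udevadm control --reload-rules; fi
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage:  sh usb-allowlist.sh gen LIST        sh usb-allowlist.sh install LIST [DEST]
case "${1:-}" in
    gen)     gen_usb_rules "$2" ;;
    install) install_usb_rules "$2" "${3:-}" ;;
esac
```

Matching on idVendor, idProduct and serial works for a device that the kernel has not authorized because those values come from the device descriptor, which is read during enumeration; the same property is what the irongeek script relies on. The rule that writes authorized_default=0 only runs when udev sees the root hub's add event, so devices present at boot may already be authorized by then; the kernel parameter named in the generated header closes that window.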
