Brian,

That's a good usage example. Thanks for sharing!
Trevor

On Fri, Apr 18, 2014 at 3:22 PM, Roach, Brian <[email protected]> wrote:
> I put this (attached) together a while back to configure USB device whitelisting through udev. If it helps, great. If not, please pardon the intrusion.
>
> Brian
>
> *From:* [email protected] [mailto:[email protected]]
> *On Behalf Of *Trevor Vaughan
> *Sent:* Friday, April 18, 2014 11:47 AM
> *To:* SCAP Security Guide
> *Subject:* Re: [PATCH] [RHEL/6] Search for nousb kernel command line argument in /etc/grub.conf within bootloader_nousb_argument check case-insensitively
>
> The authorized and authorized_default files are action toggles.
>
> It looks like you need to check /sys/bus/usb/devices/usb*/authorized_default == 1 for a failure case.
>
> If those are all '0', then USB is not authorized for any system devices by default.
>
> Don't have a chance to test right now but I can play more later.
>
> https://www.kernel.org/doc/Documentation/usb/authorization.txt
>
> Trevor
>
> On Thu, Apr 17, 2014 at 11:51 PM, Shawn Wells <[email protected]> wrote:
>> On 4/17/14, 12:54 PM, Trevor Vaughan wrote:
>>> Udev is system agnostic and works like a firewall instead of a sledgehammer. Deny all, allow as approved.
>>>
>>> nousb is a sledgehammer, you can't turn it back on without a reboot.
>>>
>>> I'm wanting to allow <Vendor> keyboards of type X, not all keyboards that may have who knows what built into them. Udev lets me do this but nousb doesn't.
>>>
>>> As far as I can tell, udev appears to be supported in almost all modern Linux distros and, if it's not, you can always sledgehammer the system.
>>>
>>> That said, I'm certainly happy for the discussion since it's what it takes to move things forward (in whatever direction).
>>
>> Reviewed the link you sent over (http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices#3.2_Locking_down_Linux_using_UDEV). Specifically:
>>
>> #Script by Adrian Crenshaw
>> #With info from Michael Miller, Inaky Perez-Gonzalez and VMWare
>>
>> #By default, disable it.
>> #ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'echo 0 >/sys$DEVPATH/authorized'"
>> ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'"
>>
>> #Enable hub devices. There may be a better way than this.
>> ACTION=="add", ATTR{bDeviceClass}=="09", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
>>
>> #Other things to enable
>> ACTION=="add", ATTR{idVendor}=="046d", ATTR{idProduct}=="0809", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
>> ACTION=="add", ATTR{serial}=="078606B90DD3", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
>> ACTION=="add", ATTR{product}=="802.11 n WLAN", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
>> #ACTION=="add", ATTR{idVendor}=="413c", ATTR{idProduct}=="2106", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
>>
>> My first reaction was to say "If 'cat $host/authorized_default == 0' or nousb, then pass || if /sys$DEVPATH/authorized != *, pass"
>>
>> It's laughable... but I don't own a USB device. Not even a storage token. Since you're starting the conversation, could you test such a system configuration out and see if such an approach is even sane?

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
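The compliance check Shawn and Trevor sketch in the thread above (pass if the kernel was booted with nousb, or if every USB host controller reports authorized_default == 0), written out as an added example that is not from the thread or from the SCAP Security Guide project. The sysfs directory and cmdline file are parameters so the function can be exercised against a constructed tree; on a real host both default to the live paths.

```sh
#!/bin/sh
# Audit USB authorization lockdown. Returns 0 (pass) when either
#   (a) "nousb" is on the kernel command line (case-insensitive, matching
#       the bootloader_nousb_argument check), or
#   (b) every /sys/bus/usb/devices/usb*/authorized_default is 0, i.e. new
#       devices are denied until a udev rule writes 1 to its "authorized".
# Returns 1 (fail) otherwise. Arguments 1 and 2 override the sysfs USB
# directory and the cmdline file for testing against a constructed tree.
usb_lockdown_check() {
    sysfs_usb="${1:-/sys/bus/usb/devices}"
    cmdline="${2:-/proc/cmdline}"

    # Case (a): the "sledgehammer" - USB is off entirely until reboot.
    if [ -r "$cmdline" ] && grep -qiw nousb "$cmdline"; then
        echo "PASS: kernel booted with nousb"
        return 0
    fi

    # Case (b): deny-by-default on every host controller. A single host
    # left at authorized_default=1 still auto-authorizes anything plugged in.
    found=0
    for host in "$sysfs_usb"/usb*; do
        [ -e "$host/authorized_default" ] || continue
        found=1
        value=$(cat "$host/authorized_default")
        if [ "$value" != "0" ]; then
            echo "FAIL: $host/authorized_default is $value (expected 0)"
            return 1
        fi
    done

    # No host controllers at all and no nousb: nothing proves lockdown.
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no USB host controllers found under $sysfs_usb and nousb not set"
        return 1
    fi

    echo "PASS: all USB host controllers deny new devices by default"
    return 0
}
```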
