PaulDotCom mailing list archives
Re: Blocking new devices with UDEV?
From: Adrian Crenshaw <irongeek () irongeek com>
Date: Wed, 6 Oct 2010 16:53:27 -0400
Thanks, looking at it now. Those settings don't last a reboot, so I'll have to see if I can figure out how to make scripts that start at the right times in case someone plugs in while the system is off.

Thanks,
Adrian

On Wed, Oct 6, 2010 at 4:28 PM, Michael Miller <mike.mikemiller () gmail com> wrote:
So after looking at udev and figuring out how sysfs and hotplug all play into this, I think what you're looking for is USB device authorization. Take a look at the following:
http://www.mjmwired.net/kernel/Documentation/usb/authorization.txt

On Wed, Oct 6, 2010 at 7:29 AM, Adrian Crenshaw <irongeek () irongeek com> wrote:

Thanks, but the first thing they mention is loading a kernel without USB, which is not really a workable option on recent hardware. The rest seems to be about just USB flash drives. I suppose I can blacklist the HID modules, but that would also cause issues. What I really need is to be selective about what devices it lets install.

Thanks,
Adrian

On Wed, Oct 6, 2010 at 9:26 AM, Tidball, Christopher <Christopher.Tidball () qwest com> wrote:

You might want to check out the CIS RedHat Benchmarks. There is a section on disabling USB devices.

-----Original Message-----
From: pauldotcom-bounces () pdc-mail pauldotcom com [mailto:pauldotcom-bounces () pdc-mail pauldotcom com] On Behalf Of Michael Miller
Sent: Tuesday, October 05, 2010 4:53 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blocking new devices with UDEV?

Adrian,

Are you looking to block USB storage devices? Or are you looking to have a whitelist of USB devices?

On Sat, Oct 2, 2010 at 11:23 AM, Adrian Crenshaw <irongeek () irongeek com> wrote:

Hi all,

I'm trying to figure out how to block the install of new USB hardware in Linux, sort of like how I can do it in Windows:
http://www.irongeek.com/i.php?page=security/locking-down-windows-vista-and-windows-7-against-malicious-usb-devices

I'm using blacklisting Dell stuff by vendor ID as an example, though it's not my end goal; I'm just trying to figure out how things work. I do a "cat /proc/bus/input/devices" to figure out which keyboard is which, then a "udevadm info -a -p /class/input/input10" to probe it for strings I can use in a udev rule.
My rule looks like this (I tried two different ones, and commented things out):

ATTRS{idVendor}=="413c", MODE="0000", RUN+="/opt/kde3/bin/kate"
#ATTR{modalias}=="input:b0003v413Cp2106e0110-e0,1,4,11,14,k71,72,73,74,75,77,79,7A,7B,7C,7D,7E,7F,80,81,82,83,84,85,86,87,88,89,8A,8C,8E,96,98,9E,9F,A1,A3,A4,A5,A6,AD,B0,B1,B2,B3,B4,B7,B8,B9,BA,BB,BC,BD,BE,BF,C0,C1,C2,F0,ram4,l0,1,2,sfw", MODE="0000", RUN+="/opt/kde3/bin/kate"

Neither seems to do anything. Any ideas? I'm also not sure how to make some rules override others. Yes, I've seen http://www.reactivated.net/writing_udev_rules.html#external-run but it's not really helping me.

Thanks,
Adrian

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
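Putting Michael's pointer to USB device authorization together with Adrian's worry that the sysfs settings do not survive a reboot, the following is an added example of mine, not code posted by anyone in the thread: a deny-by-default setup through the authorized_default and authorized sysfs attributes from the kernel's authorization.txt, plus an idVendor:idProduct whitelist and a boot-time sweep for devices that were plugged in while the machine was off. The script name, the udev rule wiring, the SYSFS_ROOT override and the sample IDs are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): deny-by-default USB authorization via
# sysfs with an idVendor:idProduct whitelist. SYSFS_ROOT is overridable so the
# functions can be exercised against a constructed fake tree; IDs are samples.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
USB_WHITELIST="${USB_WHITELIST:-413c:2106 046d:c31c}"

# Boot step: make every root hub leave newly enumerated devices unauthorized.
# They still enumerate, but no driver (HID, storage, ...) binds until
# 'authorized' is set to 1 for that specific device.
deny_new_usb_devices() {
    for host in "$SYSFS_ROOT"/bus/usb/devices/usb*; do
        [ -f "$host/authorized_default" ] || continue
        echo 0 > "$host/authorized_default"
    done
}

# Per-device step: authorize one device directory only if its idVendor:idProduct
# is whitelisted. Returns 0 when authorized, 1 when left blocked.
authorize_if_whitelisted() {
    dev="$1"
    [ -f "$dev/idVendor" ] && [ -f "$dev/idProduct" ] || return 1
    id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
    for allowed in $USB_WHITELIST; do
        if [ "$id" = "$allowed" ]; then
            echo 1 > "$dev/authorized"
            return 0
        fi
    done
    echo 0 > "$dev/authorized"
    return 1
}

# Boot step: re-check devices already present (plugged in while the machine
# was off); authorized_default only governs devices enumerated after it is set.
sweep_present_devices() {
    for dev in "$SYSFS_ROOT"/bus/usb/devices/[0-9]*-*; do
        [ -d "$dev" ] || continue
        authorize_if_whitelisted "$dev" || true
    done
}

# Entry points: 'boot' from an init script, 'authorize <devpath>' from a udev
# rule (assumed wiring, %p is the device's sysfs path below /sys):
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/sbin/usb-authorize.sh authorize %p"
case "${1:-}" in
    boot)      deny_new_usb_devices; sweep_present_devices ;;
    authorize) authorize_if_whitelisted "$SYSFS_ROOT$2" ;;
esac
```

Run as root with `boot` early in startup; a device not on the whitelist enumerates but stays bound to no driver, which is what makes the keyboard-class attacks in the thread inert rather than merely hidden.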
Current thread:
- Blocking new devices with UDEV? Adrian Crenshaw (Oct 02)
- Re: USB DOS attack (was Blocking new devices with UDEV?) Nathan Sweaney (Oct 04)
- Re: Blocking new devices with UDEV? Michael Miller (Oct 05)
- Re: Blocking new devices with UDEV? Tidball, Christopher (Oct 06)
- Re: Blocking new devices with UDEV? Adrian Crenshaw (Oct 06)
- Re: Blocking new devices with UDEV? Michael Miller (Oct 06)
- Re: Blocking new devices with UDEV? Adrian Crenshaw (Oct 06)
- Re: Blocking new devices with UDEV? Tidball, Christopher (Oct 06)
- Re: Blocking new devices with UDEV? Adrian Crenshaw (Oct 06)