Re: Blocking new devices with UDEV?

[Adrian Crenshaw <irongeek () irongeek com>]

Thanks, looking at it now. Those settings don't last a reboot so I'll have
to see if I can figure out how to make scripts that start at the right times
in case someone plugs in while the system is off.

Thanks,
Adrian

On Wed, Oct 6, 2010 at 4:28 PM, Michael Miller <mike.mikemiller () gmail com>wrote:

> So after looking at udev and figuring out how sysfs and hotplug all
> play into this.  I think what your looking for is USB device
> authorization.
>
> Take a look at the following.
> http://www.mjmwired.net/kernel/Documentation/usb/authorization.txt
>
>
> On Wed, Oct 6, 2010 at 7:29 AM, Adrian Crenshaw <irongeek () irongeek com>
> wrote:
> > Thanks, but the first thing there mention is loading a kernel without
> USB,
> > which is not really a workable option on recent hardware. The rest seems
> to
> > be about just USB flash drives. I suppose I can black list the HID
> modules,
> > but that would also cause issues. What I really need is to be selective
> > about what devices it let's install.
> >
> >
> > Thanks,
> > Adrian
> >
> > On Wed, Oct 6, 2010 at 9:26 AM, Tidball, Christopher
> > <Christopher.Tidball () qwest com> wrote:
> > > You might want to check out the CIS RedHat Benchmarks. There is a
> section
> > > on disabling USB devices.
> > >
> > > -----Original Message-----
> > > From: pauldotcom-bounces () pdc-mail pauldotcom com
> > > [mailto:pauldotcom-bounces () pdc-mail pauldotcom com] On Behalf Of
> Michael
> > > Miller
> > > Sent: Tuesday, October 05, 2010 4:53 PM
> > > To: PaulDotCom Security Weekly Mailing List
> > > Subject: Re: [Pauldotcom] Blocking new devices with UDEV?
> > >
> > > Adrian,
> > >
> > > Are you looking to block USB storage devices?  Or are you looking to
> have
> > > a whitelist of USB devices?
> > >
> > > On Sat, Oct 2, 2010 at 11:23 AM, Adrian Crenshaw <irongeek () irongeek com
> >
> > > wrote:
> > > > Hi all,
> > > >    I'm trying to figure out how to block the install of new USB
> > > > hardware in Linux, sort of like how I can do it in Windows:
> http://www.irongeek.com/i.php?page=security/locking-down-windows-vista
> > > > -and-windows-7-against-malicious-usb-devices
> > > >
> > > > I'm using blacklisting Dell stuff by vendor ID as an example, though
> > > > it's not my end goal I'm just trying to figure out how things work.
> > > >
> > > > I do a "cat /proc/bus/input/devices" to figure out which keyboard is
> > > > which, then a "udevadm info -a -p /class/input/input10" to probe it
> > > > for strings I can use in a udev rule. My rule looks like this (I tried
> > > > two different ones, and commented things out):
> > > >
> > > > ATTRS{idVendor}=="413c", MODE="0000", RUN+="/opt/kde3/bin/kate"
> > > > #ATTR{modalias}=="input:b0003v413Cp2106e0110-e0,1,4,11,14,k71,72,73,74
> > > > ,75,77,79,7A,7B,7C,7D,7E,7F,80,81,82,83,84,85,86,87,88,89,8A,8C,8E,96,
> > > > 98,9E,9F,A1,A3,A4,A5,A6,AD,B0,B1,B2,B3,B4,B7,B8,B9,BA,BB,BC,BD,BE,BF,C
> > > > 0,C1,C2,F0,ram4,l0,1,2,sfw", MODE="0000", RUN+="/opt/kde3/bin/kate"
> > > >
> > > >
> > > > Neather seems to do anything. Any ideas? I'm also not sure how to make
> > > > some rules override others. Yes, I've seen
> > > > http://www.reactivated.net/writing_udev_rules.html#external-run but
> > > > it's not really helping me.
> > > >
> > > > Thanks,
> > > > Adrian
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > >
> > > This communication is the property of Qwest and may contain confidential
> > > or
> > > privileged information. Unauthorized use of this communication is
> strictly
> > > prohibited and may be unlawful.  If you have received this communication
> > > in error, please immediately notify the sender by reply e-mail and
> destroy
> > > all copies of the communication and any attachments.
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com