Re: Blocking new devices with UDEV?

[Michael Miller <mike.mikemiller () gmail com>]

So after looking at udev and figuring out how sysfs and hotplug all
play into this.  I think what your looking for is USB device
authorization.

Take a look at the following.
http://www.mjmwired.net/kernel/Documentation/usb/authorization.txt


On Wed, Oct 6, 2010 at 7:29 AM, Adrian Crenshaw <irongeek () irongeek com> wrote:
> Thanks, but the first thing there mention is loading a kernel without USB,
> which is not really a workable option on recent hardware. The rest seems to
> be about just USB flash drives. I suppose I can black list the HID modules,
> but that would also cause issues. What I really need is to be selective
> about what devices it let's install.
>
>
> Thanks,
> Adrian
>
> On Wed, Oct 6, 2010 at 9:26 AM, Tidball, Christopher
> <Christopher.Tidball () qwest com> wrote:
> > You might want to check out the CIS RedHat Benchmarks. There is a section
> > on disabling USB devices.
> >
> > -----Original Message-----
> > From: pauldotcom-bounces () pdc-mail pauldotcom com
> > [mailto:pauldotcom-bounces () pdc-mail pauldotcom com] On Behalf Of Michael
> > Miller
> > Sent: Tuesday, October 05, 2010 4:53 PM
> > To: PaulDotCom Security Weekly Mailing List
> > Subject: Re: [Pauldotcom] Blocking new devices with UDEV?
> >
> > Adrian,
> >
> > Are you looking to block USB storage devices?  Or are you looking to have
> > a whitelist of USB devices?
> >
> > On Sat, Oct 2, 2010 at 11:23 AM, Adrian Crenshaw <irongeek () irongeek com>
> > wrote:
> > > Hi all,
> > >    I'm trying to figure out how to block the install of new USB
> > > hardware in Linux, sort of like how I can do it in Windows:
> > >
> > > http://www.irongeek.com/i.php?page=security/locking-down-windows-vista
> > > -and-windows-7-against-malicious-usb-devices
> > >
> > > I'm using blacklisting Dell stuff by vendor ID as an example, though
> > > it's not my end goal I'm just trying to figure out how things work.
> > >
> > > I do a "cat /proc/bus/input/devices" to figure out which keyboard is
> > > which, then a "udevadm info -a -p /class/input/input10" to probe it
> > > for strings I can use in a udev rule. My rule looks like this (I tried
> > > two different ones, and commented things out):
> > >
> > > ATTRS{idVendor}=="413c", MODE="0000", RUN+="/opt/kde3/bin/kate"
> > > #ATTR{modalias}=="input:b0003v413Cp2106e0110-e0,1,4,11,14,k71,72,73,74
> > > ,75,77,79,7A,7B,7C,7D,7E,7F,80,81,82,83,84,85,86,87,88,89,8A,8C,8E,96,
> > > 98,9E,9F,A1,A3,A4,A5,A6,AD,B0,B1,B2,B3,B4,B7,B8,B9,BA,BB,BC,BD,BE,BF,C
> > > 0,C1,C2,F0,ram4,l0,1,2,sfw", MODE="0000", RUN+="/opt/kde3/bin/kate"
> > >
> > >
> > > Neather seems to do anything. Any ideas? I'm also not sure how to make
> > > some rules override others. Yes, I've seen
> > > http://www.reactivated.net/writing_udev_rules.html#external-run but
> > > it's not really helping me.
> > >
> > > Thanks,
> > > Adrian
> > >
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> >
> > This communication is the property of Qwest and may contain confidential
> > or
> > privileged information. Unauthorized use of this communication is strictly
> > prohibited and may be unlawful.  If you have received this communication
> > in error, please immediately notify the sender by reply e-mail and destroy
> > all copies of the communication and any attachments.
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com