Score:0

Ubuntu Device Control


I work on the security team and we are trying to lock down our systems. We are looking for a technical solution to lock down media burning, USB blocking etc. I found USBdeview but that only allows me to block a thumb drive once it is used. Is there anything open source or COTS that I can try and use in our environments? We are heavily Debian flavored. Thank you!

Not out of the box. We had such requirements at my FT job. What we did was, for USB devices, a udev rule was written to deny setting up the block device from being mounted. As for media burning, we forced configuration on the system so that it couldn't access `/dev/sr*` for optical media, and with the udev rules blocking USB device mounting (we made a few exceptions for certain wireless mice and keyboard transmitters) we were able to deny access to USB devices. I don't have the UDEV scripts for that anymore though.
Score:2

This all depends on what you want to block. There are no out-of-the-box tools to configure this, and most of the ways to restrict this are going to be system-wide restrictions. I'll share some information that I have, though, on how to block certain things.


USB Storage Media: Blocking all USB Storage Devices

One of the chaotic things I ran into with a temporary thing at my Full Time job was we wanted to disable USB storage devices except for a few devices on the system. Adapting that solution we can make it so USB Storage Devices will fail to operate and fail to be mounted or visible. It will also unbind the thing with sysfs, but will also permit the use of non-storage devices (keyboards, mice) theoretically. I do not have an extra system to test these rules at the moment, and they were written around the 12.04 era so they may not function as intended anymore.

  1. Create /etc/udev/rules.d/100-unbind-usb-storage.rules

  2. Add the following rules to the new file:

    KERNELS=="[1-9]*-[0-9]*", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{IF_STORAGE_REMOVE_ME}="1"
    ENV{IF_STORAGE_REMOVE_ME}=="1", RUN+="/bin/sh -c 'echo -n %k >/sys%p/driver/unbind'"
    
  3. Reboot your system for these rules to take effect. Any time your computer has a USB device connected to it which is a 'block' device (storage) it will trigger an unbind rule that basically disconnects the USB device. Anyone who does not have superuser will not be able to 'rebind' the device, even if they unplug and replug the device.

The USB Storage Media blocking rule is based on answers to my six-year-old question on the UDEV approach to blocking USB devices: "udev rules to allow only one vendor and model USB drive but no others".


CD/Optical Media: Disallow Use of Drive (i.e. remove/disable driver)

Unless your users are given superuser on the system, you can simply remove the kernel module for the SCSI connected (SATA if you want to be more modern) connection for the sr devices that Optical Media list as.

    echo "blacklist sr_mod" >> /etc/modprobe.d/blacklist-sr_mod.conf

This will blacklist the sr_mod kernel module which should render the CD/DVD/Bluray optical drives unusable.

I have not tested the veracity of this solution, as I have no devices with optical media attached, even external optical media reader/writer devices.

Source for the kernel blacklist answer: https://serverfault.com/a/448725/74939
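
Added example (not part of the answer above and not its author's code): a POSIX shell audit that checks whether the two controls described in the answer are actually in place on a host. It goes slightly beyond the answer by also looking for an `install sr_mod /bin/false` override, because a `blacklist` line only stops alias-triggered autoloading. The function names and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the two controls from the answer. An optional ROOT prefix
# (assumption, for testing) points the checks at a constructed tree instead of /.

# Print "install", "blacklist" or "none" for sr_mod under ROOT/etc/modprobe.d.
# "blacklist" only stops alias-triggered autoloading; an `install ... /bin/false`
# override (not used in the answer) also makes an explicit `modprobe sr_mod` fail.
sr_mod_policy() {
    dir="${1:-}/etc/modprobe.d"
    if grep -Eqs '^[[:space:]]*install[[:space:]]+sr[_-]mod[[:space:]]+/(usr/)?bin/(false|true)' "$dir"/*.conf; then
        echo install
    elif grep -Eqs '^[[:space:]]*blacklist[[:space:]]+sr[_-]mod([[:space:]]|$)' "$dir"/*.conf; then
        echo blacklist
    else
        echo none
    fi
}

# Succeed if sr_mod appears in ROOT/proc/modules, i.e. it is loaded right now.
sr_mod_loaded() {
    grep -qs '^sr_mod ' "${1:-}/proc/modules"
}

# Print the first udev rules file with a non-comment line writing to driver/unbind.
usb_unbind_rule() {
    grep -Els '^[^#]*driver/unbind' "${1:-}"/etc/udev/rules.d/*.rules | head -n 1
}

# Report each control; return 0 only when nothing is missing or weak.
audit() {
    root="${1:-}"; rc=0
    case "$(sr_mod_policy "$root")" in
        install)   echo "OK   sr_mod: install override present" ;;
        blacklist) echo "WARN sr_mod: blacklist only, explicit modprobe still loads it"; rc=1 ;;
        *)         echo "FAIL sr_mod: no modprobe.d entry"; rc=1 ;;
    esac
    if sr_mod_loaded "$root"; then
        echo "FAIL sr_mod: module is currently loaded"; rc=1
    fi
    rule="$(usb_unbind_rule "$root")"
    if [ -n "$rule" ]; then
        echo "OK   usb: unbind rule found in $rule"
    else
        echo "FAIL usb: no udev rule writing to driver/unbind"; rc=1
    fi
    return "$rc"
}

# Live system: run `audit` with no argument.
```

The check only confirms that the configuration exists; whether the udev rule fires on a given release still has to be verified by plugging in a test device, as the answer itself notes.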
