So after looking at udev and figuring out how sysfs and hotplug all play into this. I think what your looking for is USB device authorization.
Take a look at the following. http://www.mjmwired.net/kernel/Documentation/usb/authorization.txt On Wed, Oct 6, 2010 at 7:29 AM, Adrian Crenshaw <[email protected]> wrote: > Thanks, but the first thing there mention is loading a kernel without USB, > which is not really a workable option on recent hardware. The rest seems to > be about just USB flash drives. I suppose I can black list the HID modules, > but that would also cause issues. What I really need is to be selective > about what devices it let's install. > > > Thanks, > Adrian > > On Wed, Oct 6, 2010 at 9:26 AM, Tidball, Christopher > <[email protected]> wrote: >> >> You might want to check out the CIS RedHat Benchmarks. There is a section >> on disabling USB devices. >> >> -----Original Message----- >> From: [email protected] >> [mailto:[email protected]] On Behalf Of Michael >> Miller >> Sent: Tuesday, October 05, 2010 4:53 PM >> To: PaulDotCom Security Weekly Mailing List >> Subject: Re: [Pauldotcom] Blocking new devices with UDEV? >> >> Adrian, >> >> Are you looking to block USB storage devices? Or are you looking to have >> a whitelist of USB devices? >> >> On Sat, Oct 2, 2010 at 11:23 AM, Adrian Crenshaw <[email protected]> >> wrote: >> > Hi all, >> > I'm trying to figure out how to block the install of new USB >> > hardware in Linux, sort of like how I can do it in Windows: >> > >> > http://www.irongeek.com/i.php?page=security/locking-down-windows-vista >> > -and-windows-7-against-malicious-usb-devices >> > >> > I'm using blacklisting Dell stuff by vendor ID as an example, though >> > it's not my end goal I'm just trying to figure out how things work. >> > >> > I do a "cat /proc/bus/input/devices" to figure out which keyboard is >> > which, then a "udevadm info -a -p /class/input/input10" to probe it >> > for strings I can use in a udev rule. My rule looks like this (I tried >> > two different ones, and commented things out): >> > >> > ATTRS{idVendor}=="413c", MODE="0000", RUN+="/opt/kde3/bin/kate" >> > #ATTR{modalias}=="input:b0003v413Cp2106e0110-e0,1,4,11,14,k71,72,73,74 >> > ,75,77,79,7A,7B,7C,7D,7E,7F,80,81,82,83,84,85,86,87,88,89,8A,8C,8E,96, >> > 98,9E,9F,A1,A3,A4,A5,A6,AD,B0,B1,B2,B3,B4,B7,B8,B9,BA,BB,BC,BD,BE,BF,C >> > 0,C1,C2,F0,ram4,l0,1,2,sfw", MODE="0000", RUN+="/opt/kde3/bin/kate" >> > >> > >> > Neather seems to do anything. Any ideas? I'm also not sure how to make >> > some rules override others. Yes, I've seen >> > http://www.reactivated.net/writing_udev_rules.html#external-run but >> > it's not really helping me. >> > >> > Thanks, >> > Adrian >> > >> > >> > >> > _______________________________________________ >> > Pauldotcom mailing list >> > [email protected] >> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> > Main Web Site: http://pauldotcom.com >> > >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> >> This communication is the property of Qwest and may contain confidential >> or >> privileged information. Unauthorized use of this communication is strictly >> prohibited and may be unlawful. If you have received this communication >> in error, please immediately notify the sender by reply e-mail and destroy >> all copies of the communication and any attachments. >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
