So after looking at udev and figuring out how sysfs and hotplug all
play into this, I think what you're looking for is USB device
authorization.

Take a look at the following.
http://www.mjmwired.net/kernel/Documentation/usb/authorization.txt


On Wed, Oct 6, 2010 at 7:29 AM, Adrian Crenshaw <[email protected]> wrote:
> Thanks, but the first thing mentioned there is loading a kernel without USB,
> which is not really a workable option on recent hardware. The rest seems to
> be about just USB flash drives. I suppose I can blacklist the HID modules,
> but that would also cause issues. What I really need is to be selective
> about what devices it lets install.
>
>
> Thanks,
> Adrian
>
> On Wed, Oct 6, 2010 at 9:26 AM, Tidball, Christopher
> <[email protected]> wrote:
>>
>> You might want to check out the CIS RedHat Benchmarks. There is a section
>> on disabling USB devices.
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Michael
>> Miller
>> Sent: Tuesday, October 05, 2010 4:53 PM
>> To: PaulDotCom Security Weekly Mailing List
>> Subject: Re: [Pauldotcom] Blocking new devices with UDEV?
>>
>> Adrian,
>>
>> Are you looking to block USB storage devices?  Or are you looking to have
>> a whitelist of USB devices?
>>
>> On Sat, Oct 2, 2010 at 11:23 AM, Adrian Crenshaw <[email protected]>
>> wrote:
>> > Hi all,
>> >    I'm trying to figure out how to block the install of new USB
>> > hardware in Linux, sort of like how I can do it in Windows:
>> >
>> > http://www.irongeek.com/i.php?page=security/locking-down-windows-vista-and-windows-7-against-malicious-usb-devices
>> >
>> > I'm blacklisting Dell stuff by vendor ID as an example, though
>> > it's not my end goal; I'm just trying to figure out how things work.
>> >
>> > I do a "cat /proc/bus/input/devices" to figure out which keyboard is
>> > which, then a "udevadm info -a -p /class/input/input10" to probe it
>> > for strings I can use in a udev rule. My rule looks like this (I tried
>> > two different ones, and commented things out):
>> >
>> > ATTRS{idVendor}=="413c", MODE="0000", RUN+="/opt/kde3/bin/kate"
>> > #ATTR{modalias}=="input:b0003v413Cp2106e0110-e0,1,4,11,14,k71,72,73,74,75,77,79,7A,7B,7C,7D,7E,7F,80,81,82,83,84,85,86,87,88,89,8A,8C,8E,96,98,9E,9F,A1,A3,A4,A5,A6,AD,B0,B1,B2,B3,B4,B7,B8,B9,BA,BB,BC,BD,BE,BF,C0,C1,C2,F0,ram4,l0,1,2,sfw", MODE="0000", RUN+="/opt/kde3/bin/kate"
>> >
>> >
>> > Neither seems to do anything. Any ideas? I'm also not sure how to make
>> > some rules override others. Yes, I've seen
>> > http://www.reactivated.net/writing_udev_rules.html#external-run but
>> > it's not really helping me.
>> >
>> > Thanks,
>> > Adrian
>> >
>> >
>> >
>> > _______________________________________________
>> > Pauldotcom mailing list
>> > [email protected]
>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> > Main Web Site: http://pauldotcom.com
>> >
>
>
>
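Added example, not code from anyone in the thread: a small allowlist script built on the kernel's USB device authorization interface that the top reply points to (Documentation/usb/authorization.txt). It covers both the authorization suggestion and the udev rule Adrian posted. Two things about that rule are worth knowing: MODE= only changes the permissions of the /dev node, so the kernel has already bound the HID driver by the time the rule runs, and RUN+= programs run without a display and with a short timeout, so launching kate there does nothing visible. Authorization works at a lower layer: with authorized_default set to 0 on each root hub, a newly plugged device is enumerated but gets no interfaces and no driver until something writes 1 to its authorized attribute. The script assumes the standard sysfs layout (/sys/bus/usb/devices/usbN/authorized_default and /sys/bus/usb/devices/<dev>/{idVendor,idProduct,authorized}); the allowlist format, the script path in the udev rule, and the sample vendor:product pairs are constructed for this example. The make_fake_sysfs helper builds a throwaway tree so the logic can be exercised without root.

```shell
#!/bin/sh
# USB allowlist on top of kernel USB device authorization (sysfs).
# Added example; assumes the sysfs layout from Documentation/usb/authorization.txt.
# Run as root on a real system; run with --demo to exercise it on a fake tree.

# Where the USB device directories live (overridable for testing).
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Allowlist: one "idVendor:idProduct" per line, lower-case hex as sysfs reports it.
# Constructed sample entries (a Dell keyboard id from the thread and a made-up second one).
ALLOWLIST="${ALLOWLIST:-413c:2106
046d:c52b}"

# Return 0 if vendor:product is on the allowlist, 1 otherwise.
is_allowed() {
    printf '%s\n' "$ALLOWLIST" | grep -qx "$1:$2"
}

# Make every root hub refuse new devices by default (authorized_default = 0).
# Devices already connected keep their current state.
deny_by_default() {
    for hub in "$SYSFS_USB"/usb*; do
        if [ -f "$hub/authorized_default" ]; then
            echo 0 > "$hub/authorized_default"
        fi
    done
}

# Authorize one device directory if its ids are allowlisted; return 0 if
# authorized, 1 if left (or set) unauthorized. Intended to be called from a
# udev rule on the usb_device "add" event, for example (assumed path):
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
#     RUN+="/usr/local/sbin/usb-allow.sh /sys$env{DEVPATH}"
authorize_device() {
    dev="$1"
    [ -f "$dev/idVendor" ] && [ -f "$dev/idProduct" ] || return 1
    vendor=$(cat "$dev/idVendor")
    product=$(cat "$dev/idProduct")
    if is_allowed "$vendor" "$product"; then
        echo 1 > "$dev/authorized"
        return 0
    fi
    echo 0 > "$dev/authorized"
    return 1
}

# Build a constructed sysfs-like tree in a temp dir and print its path:
# one root hub, one allowlisted device (1-1), one unknown device (1-2).
make_fake_sysfs() {
    t=$(mktemp -d)
    mkdir -p "$t/usb1" "$t/1-1" "$t/1-2"
    echo 1 > "$t/usb1/authorized_default"
    printf '413c\n' > "$t/1-1/idVendor"; printf '2106\n' > "$t/1-1/idProduct"
    printf 'dead\n' > "$t/1-2/idVendor"; printf 'beef\n' > "$t/1-2/idProduct"
    echo 1 > "$t/1-1/authorized"; echo 1 > "$t/1-2/authorized"
    printf '%s\n' "$t"
}

if [ "${1:-}" = "--demo" ]; then
    SYSFS_USB=$(make_fake_sysfs)
    deny_by_default
    for d in "$SYSFS_USB"/1-*; do
        if authorize_device "$d"; then
            echo "$(basename "$d"): authorized"
        else
            echo "$(basename "$d"): blocked"
        fi
    done
    rm -rf "$SYSFS_USB"
fi
```

On a real system the script is run once at boot to set authorized_default, and the udev rule then calls authorize_device for each new usb_device; a device that is not on the list stays enumerated but driverless, which is also easy to spot in logs and in `authorized` = 0 under sysfs. Keep the allowlist tight: vendor and product ids are presented by the device and are not a proof of identity, so this is a policy control, not a cryptographic one.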