Just out of curiosity, is adding nousb to the grub command line actually feasible for enforcement?
I can't remember the last time I used a system where I didn't need a USB keyboard at some point (can you even buy server class systems with PS/2 support any more?)

Trevor

On Wed, Apr 16, 2014 at 8:23 PM, Shawn Wells <[email protected]> wrote:

> On 4/16/14, 5:08 PM, Kayse, Josh wrote:
>
> On Apr 16, 2014, at 8:06 PM, Kayse, Josh <[email protected]> wrote:
>
> On Apr 16, 2014, at 7:59 PM, Shawn Wells <[email protected]> wrote:
>
> On 4/16/14, 5:44 AM, Jan Lieskovsky wrote:
>
> Patch summary:
> * check for 'nousb' argument on kernel command line in /etc/grub.conf
>   within the bootloader_nousb_argument check in a case-insensitive way
> * update comments where appropriate
> * add test attestation timestamp
> * replace path + filename ind construct with filepath one
>
> Testing report:
> * Tested on RHEL-6. Works fine.
>
> I wasn't sure if nousb was case insensitive, so I checked
> https://www.kernel.org/doc/Documentation/kernel-parameters.txt
>
> And found this:
>
> Note that ALL kernel parameters listed below are CASE SENSITIVE, and that
> a trailing = on the name of any parameter states that that parameter will
> be entered as an environment variable, whereas its absence indicates that
> it will appear as a kernel argument readable via /proc/cmdline by programs
> running once the system is up.
>
> "nousb" was in the list as case sensitive.
>
> Applied your patch (RHEL 6.5), added "nOuSB," and things seem to check
> out. Should we follow the kernel docs (which say case sensitive), or allow
> insensitivity since it actually works?
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
> I’d like to point out that the selinux parameter is also within that list.
> I vote we should follow what actually works and assume the kernel docs are
> out of date.
>
> -josh
>
> Also, according to
> https://github.com/torvalds/linux/blame/master/Documentation/kernel-parameters.txt
> that line was last changed 2005. Perhaps someone should brave lkml and submit a
> patch.
>
> -josh
>
> Thanks for that link!
>
> Ack to Jan's patch.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
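The two matching policies debated in this thread (exact-case versus case-insensitive `nousb`) can be compared with the following Python example, which is added here and is not the patch or any SCAP Security Guide code. The sample `grub.conf`, the function names, and the rule that every active `kernel` line must carry the argument are assumptions made for illustration.

```python
# Constructed sample of a legacy GRUB /etc/grub.conf (not taken from the thread).
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
title Red Hat Enterprise Linux (entry A)
    root (hd0,0)
    kernel /vmlinuz-A ro root=/dev/mapper/vg-root rhgb quiet nousb
    initrd /initramfs-A.img
title Red Hat Enterprise Linux (entry B)
    root (hd0,0)
    kernel /vmlinuz-B ro root=/dev/mapper/vg-root nOuSB
#   kernel /vmlinuz-old ro root=/dev/mapper/vg-root
title Rescue (entry C)
    kernel /vmlinuz-C ro root=/dev/mapper/vg-root nousb.debug=1
"""


def kernel_lines(conf_text):
    """Yield (line_number, argument_list) for each active 'kernel' line."""
    for num, line in enumerate(conf_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented-out boot entries are not enforced
        fields = stripped.split()
        if len(fields) >= 2 and fields[0] == "kernel":
            yield num, fields[2:]  # fields[1] is the kernel image path


def audit_nousb(conf_text, case_sensitive=False):
    """Return {line_number: bool}: is 'nousb' present as a whole argument?"""
    result = {}
    for num, args in kernel_lines(conf_text):
        if case_sensitive:
            result[num] = "nousb" in args
        else:
            result[num] = any(arg.lower() == "nousb" for arg in args)
    return result


def compliant(conf_text, case_sensitive=False):
    """Pass only if at least one kernel line exists and all carry nousb."""
    found = audit_nousb(conf_text, case_sensitive)
    return bool(found) and all(found.values())


if __name__ == "__main__":
    for mode in (True, False):
        print("case_sensitive=%s -> %s" % (mode, audit_nousb(SAMPLE_GRUB_CONF, mode)))
```

Entry C shows why the comparison is made on whole arguments: a token that merely begins with `nousb` does not count under either policy.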
