LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Disallow users to mount usb flash drives or HDD (https://www.linuxquestions.org/questions/linux-security-4/disallow-users-to-mount-usb-flash-drives-or-hdd-4175654328/)

FBorges22 05-21-2019 11:50 AM
Disallow users to mount usb flash drives or HDD
 
Hi there,

I am looking for a precise way to block the users from mount USB mass storage devices (i.e., flash drives, hard disks and etc) in my Debian 9 diskless stations.

I checked the PolicyKit instructions but I still have no idea in how to prevent the users from the users from mounting USB media.

Disabling the udisks2 service is not working and even if I can stop the udisks2 he can start again and allow the users to mount their removeable usb media normally. I need to secure my server and cannot allow anyone mount their media on the server.

Best regards,
F.Borges

teckk 05-21-2019 01:01 PM
Couple of thoughts

Remove the kernel module
Code:
mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /home/somewhere
Use you own path, on arch something like
Code:
/usr/lib/modules/5.0.9-arch1-1-ARCH/kernel/drivers/usb/storage/usb-storage.ko.xz
Blacklist usb storage
Code:
cat /etc/modprobe.d/blacklist.conf
blacklist usb-storage
Or modprobe -r usb-storage

You can modprobe it back though.

Turn off usb in BIOS/UEFI

Deny access
Code:
chmod 000 /media
Grub, in grub.conf or menu.lst, add nousb to kernel line

lsusb to see whats attached, then
Code:
echo "disabled" > /sys/bus/usb/devices/usbX/power/wakeup
echo "suspend" > /sys/bus/usb/devices/usbX/power/level
On this arch box
Code:
cat /sys/bus/usb/devices/usb1/power/wakeup
disabled
I think that you could also do that with sysctl -w

Then there is
Code:
pacman -Si usbguard
...
Description    : Software framework for implementing USB device authorization
                  policies
Architecture    : x86_64
URL            : https://github.com/dkopecek/usbguard
Licenses        : GPL2
Groups          : None
Provides        : libusbguard.so=0-64
Depends On      : glibc  libqb  libqb.so=0-64  libsodium  libcap-ng  protobuf
                  polkit  dbus-glib
...
Download Size  : 394.82 KiB
Installed Size  : 1514.00 KiB
...
https://wiki.archlinux.org/index.php/USBGuard

proMusic 05-21-2019 10:53 PM
Check out usbguard

To start protecting your system, you can use the USBGuard shell command and its generate-policy sub-command to generate an initial policy for your system instead of writing one from scratch. The tool generates an allow policy for all devices currently connected to your system.

Code:
sudo apt-get update ; sudo apt-get install usbguard
usbguard generate-policy > rules.conf
sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
sudo systemctl restart usbguard

FBorges22 05-22-2019 09:50 AM
Thanks for the help. I also successfully blocked the USB mounting with the policykit by adding the following rule at /etc/polkit-1/localauthority/50-local.d by creating the file disallow-mounting.pkla with the following contents:

Quote:
[Dissallow users to mount devices]
Identity=unix-group:users
Action=org.freedesktop.udisks2.*
ResultAny=no
ResultInactive=no
ResultActive=no
What do you think of the use of PolicyKit to block mounting all mass storage devices?


All times are GMT -5. The time now is 02:45 AM.