Information
USB storage provides a means to transfer and store files ensuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.
Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.
Solution
Run the following script to disable usb-storage :
#!/usr/bin/env bash
{
l_mname="usb-storage" # set module name
# Check if the module exists on the system
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "h*modprobe:h+FATAL:h+Moduleh+$l_mnameh+noth+foundh+inh+directory")" ]; then
# Remediate loadable
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^h*install|b$l_mname)b" <<< "$l_loadable")"
if ! grep -Pq -- '^h*install /bin/(true|false)' <<< "$l_loadable"; then
echo -e " - setting module: \"$l_mname\" to be not loadable"
echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf
fi
# Remediate loaded
if lsmod | grep "$l_mname" > /dev/null 2>&1; then
echo -e " - unloading module \"$l_mname\""
modprobe -r "$l_mname"
fi
# Remediate deny list
if ! modprobe --showconfig | grep -Pq -- "^h*blacklisth+$(tr '-' '_' <<< "$l_mname")b"; then
echo -e " - deny listing \"$l_mname\""
echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf
fi
else
echo -e " - Nothing to remediate
- Module \"$l_mname\" doesn't exist on the system"
fi
}
Impact:
Disabling the usb-storage module will disable any usage of USB storage devices.
If requirements and local site policy allow the use of such devices, other solutions should be configured accordingly instead. One example of a commonly used solution is USBGuard