Information
USB storage provides a means to transfer and store files ensuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.
Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.
Solution
Run the following script to unload and disable the usb-storage module:
- IF - the usb-storage kernel module is available in ANY installed kernel:
- Create a file ending inconf with install usb-storage /bin/false in the /etc/modprobe.d/ directory
- Create a file ending inconf with blacklist usb-storage in the /etc/modprobe.d/ directory
- Run modprobe -r usb-storage 2>/dev/null; rmmod usb-storage 2>/dev/null to remove usb-storage from the kernel
- IF - the usb-storage kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary
#!/usr/bin/env bash
{
a_output2=() a_output3=() l_dl="" l_mod_name="usb-storage" l_mod_type="drivers"
l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
f_module_fix()
{
l_dl="y" a_showconfig=()
while IFS= read -r l_showconfig; do
a_showconfig+=("$l_showconfig")
done < <(modprobe --showconfig | grep -P -- 'b(install|blacklist)h+'"${l_mod_chk_name//-/_}"'b')
if lsmod | grep "$l_mod_chk_name" &> /dev/null; then
a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
modprobe -r "$l_mod_chk_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
fi
if ! grep -Pq -- 'binstallh+'"${l_mod_chk_name//-/_}"'h+(/usr)?/bin/(true|false)b' <<< "${a_showconfig[*]}"; then
a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"$(readlink -f /bin/false)\"")
printf '%s
' "install $l_mod_chk_name $(readlink -f /bin/false)" >> /etc/modprobe.d/"$l_mod_name".conf
fi
if ! grep -Pq -- 'bblacklisth+'"${l_mod_chk_name//-/_}"'b' <<< "${a_showconfig[*]}"; then
a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
printf '%s
' "blacklist $l_mod_chk_name" >> /etc/modprobe.d/"$l_mod_name".conf
fi
}
for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
if [ -d "$l_mod_base_directory/${l_mod_name/-//}" ] && [ -n "$(ls -A "$l_mod_base_directory/${l_mod_name/-//}")" ]; then
a_output3+=(" - \"$l_mod_base_directory\"")
l_mod_chk_name="$l_mod_name"
[[ "$l_mod_name" =~ overlay ]] && l_mod_chk_name="${l_mod_name::-2}"
[ "$l_dl" != "y" ] && f_module_fix
else
printf '%s
' " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
fi
done
[ "${#a_output3[@]}" -gt 0 ] && printf '%s
' "" " -- INFO --" " - module: \"$l_mod_name\" exists in:" "${a_output3[@]}"
[ "${#a_output2[@]}" -gt 0 ] && printf '%s
' "" "${a_output2[@]}" || printf '%s
' "" " - No changes needed"
printf '%s
' "" " - remediation of kernel module: \"$l_mod_name\" complete" ""
}
Impact:
Disabling the usb-storage module will disable any usage of USB storage devices.
If requirements and local site policy allow the use of such devices, other solutions should be configured accordingly instead. One example of a commonly used solution is USBGuard