Information
USB storage provides a means to transfer and store files ensuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.
Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.
Solution
Run the following script to disable usb-storage :
#!/usr/bin/env bash
{
l_mname="usb-storage" # set module name
# Check if the module exists on the system
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "h*modprobe:h+FATAL:h+Moduleh+$l_mnameh+noth+foundh+inh+directory")" ]; then
# Remediate loadable
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^h*install|b$l_mname)b" <<< "$l_loadable")"
if ! grep -Pq -- '^h*install /bin/(true|false)' <<< "$l_loadable"; then
echo -e " - setting module: \"$l_mname\" to be not loadable"
echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf
fi
# Remediate loaded
if lsmod | grep "$l_mname" > /dev/null 2>&1; then
echo -e " - unloading module \"$l_mname\""
modprobe -r "$l_mname"
fi
# Remediate deny list
if ! modprobe --showconfig | grep -Pq -- "^h*blacklisth+$(tr '-' '_' <<< "$l_mname")b"; then
echo -e " - deny listing \"$l_mname\""
echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf
fi
else
echo -e " - Nothing to remediate
- Module \"$l_mname\" doesn't exist on the system"
fi
}