Information
USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.
Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.
Solution
Run the following script to disable the cramfs module:
If the module is available in the running kernel:
- Create a file with install usb-storage /bin/false in the /etc/modprobe.d/ directory
- Create a file with blacklist usb-storage in the /etc/modprobe.d/ directory
- Unload usb-storage from the kernel
If available in ANY installed kernel:
- Create a file with blacklist usb-storage in the /etc/modprobe.d/ directory
If the kernel module is not available on the system:
- No remediation is necessary
#!/usr/bin/env bash
{
l_mname="usb-storage" # set module name
l_mtype="drivers" # set module type
l_mpath="/lib/modules/**/kernel/$l_mtype"
l_mpname="$(tr '-' '_' <<< "$l_mname")"
l_mndir="$(tr '-' '/' <<< "$l_mname")"
module_loadable_fix()
{
# If the module is currently loadable, add "install {MODULE_NAME} /bin/false" to a file in "/etc/modprobe.d"
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^h*install|b$l_mname)b" <<< "$l_loadable")"
if ! grep -Pq -- '^h*install /bin/(true|false)' <<< "$l_loadable"; then
echo -e "
- setting module: \"$l_mname\" to be not loadable"
echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mpname".conf
fi
}
module_loaded_fix()
{
# If the module is currently loaded, unload the module
if lsmod | grep "$l_mname" > /dev/null 2>&1; then
echo -e "
- unloading module \"$l_mname\""
modprobe -r "$l_mname"
fi
}
module_deny_fix()
{
# If the module isn't deny listed, denylist the module
if ! modprobe --showconfig | grep -Pq -- "^h*blacklisth+$l_mpnameb"; then
echo -e "
- deny listing \"$l_mname\""
echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mpname".conf
fi
}
# Check if the module exists on the system
for l_mdir in $l_mpath; do
if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
echo -e "
- module: \"$l_mname\" exists in \"$l_mdir\"
- checking if disabled..."
module_deny_fix
if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
module_loadable_fix
module_loaded_fix
fi
else
echo -e "
- module: \"$l_mname\" doesn't exist in \"$l_mdir\"
"
fi
done
echo -e "
- remediation of module: \"$l_mname\" complete
"
}
Impact:
Disabling the usb-storage module will disable any usage of USB storage devices.
If requirements and local site policy allow the use of such devices, other solutions should be configured accordingly instead. One example of a commonly used solution is USBGuard