The authorized and authorized_default files are action toggles.
It looks like you need to
check /sys/bus/usb/devices/usb*/authorized_default == 1 for a failure case.
If those are all '0', then USB is not authorized for any system devices by
default.
Don't have a chance to test right now but I can play more later.
Trevor
On Thu, Apr 17, 2014 at 11:51 PM, Shawn Wells <shawn(a)redhat.com> wrote:
On 4/17/14, 12:54 PM, Trevor Vaughan wrote:
Udev is system agnostic and works like a firewall instead of a
sledgehammer. Deny all, allow as approved.
nousb is a sledgehammer, you can't turn it back on without a reboot.
I'm wanting to allow <Vendor> keyboards of type X, not all keyboards that
may have who knows what built into them. Udev lets me do this but nousb
doesn't.
As far as I can tell, udev appears to be supported in almost all modern
Linux distros and, if it's not, you can always sledgehammer the system.
That said, I'm certainly happy for the discussion since it's what it
takes to move things forward (in whatever direction).
Reviewed the link you sent over (
http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-d...).
Specifically:
#Script by Adrian Crenshaw
#With info from Michael Miller, Inaky Perez-Gonzalez and VMWare
#By default, disable it.
#ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'echo 0 >/sys$DEVPATH/authorized'"
ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'"
#Enable hub devices. There may be a better way than this.
ACTION=="add", ATTR{bDeviceClass}=="09", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
#Other things to enable
ACTION=="add", ATTR{idVendor}=="046d", ATTR{idProduct}=="0809", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
ACTION=="add", ATTR{serial}=="078606B90DD3", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
ACTION=="add", ATTR{product}=="802.11 n WLAN", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
#ACTION=="add", ATTR{idVendor}=="413c", ATTR{idProduct}=="2106", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
My first reaction was to say "If 'cat $host/authorized_default == 0' or
nousb, then pass || if /sys$DEVPATH/authorized != *, pass"
It's laughable... but I don't own a USB device. Not even a storage token.
Since you're starting the conversation, could you test such a system
configuration out and see if such an approach is even sane?
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan(a)onyxpoint.com
-- This account not approved for unencrypted proprietary information --
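The check the thread converges on (every USB host controller has authorized_default set to 0, so new devices are denied until a udev rule approves them, with an absent USB bus, e.g. nousb, counting as a pass) as a POSIX shell script. This is an added example, not code from the thread or from the SCAP Security Guide project. It takes the sysfs root as a parameter so it can be run against a constructed tree offline; the real invocation is `usb_default_deny /sys`. The constructed tree uses the 046d:0809 vendor/product pair from the quoted rules for the approved device and a made-up abcd:1234 pair for the denied one; the hub-detection rule (bDeviceClass 09) is the same one the quoted rule set uses.

```shell
#!/bin/sh
# Added example (not from the thread or the SCAP Security Guide project).
# Audits the USB authorization state the udev deny-by-default approach relies on.
# Pass: every host controller has authorized_default == 0, or there are no host
# controllers at all (kernel booted with nousb). SYSROOT defaults to /sys; passing
# another root lets the functions run against a constructed tree for testing.

# usb_default_deny [SYSROOT] -> returns 0 if deny-by-default holds on every host,
# 1 if any host controller still has authorized_default != 0.
usb_default_deny() {
    root=${1:-/sys}
    rc=0
    for f in "$root"/bus/usb/devices/usb*/authorized_default; do
        [ -e "$f" ] || continue        # glob matched nothing: no USB hosts, nothing to deny
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "FAIL: $f = $val (new devices are authorized by default)"
            rc=1
        fi
    done
    return $rc
}

# usb_list_authorized [SYSROOT] -> prints "<port> <idVendor>:<idProduct>" for every
# non-hub device that is currently authorized, i.e. the devices a rule let through.
usb_list_authorized() {
    root=${1:-/sys}
    for d in "$root"/bus/usb/devices/*/; do
        [ -e "$d/authorized" ] || continue
        [ -e "$d/idVendor" ] || continue                   # interfaces (1-1:1.0) have no idVendor
        [ "$(cat "$d/bDeviceClass" 2>/dev/null)" = "09" ] && continue   # hubs, same test as the rule set
        [ "$(cat "$d/authorized")" = "1" ] || continue
        printf '%s %s:%s\n' "$(basename "$d")" "$(cat "$d/idVendor")" "$(cat "$d/idProduct")"
    done
}

# make_fake_sysfs DIR -> constructed sysfs-like tree (NOT a real machine's state):
# two root hubs, usb1 locked down and usb2 misconfigured, one approved device on
# usb1 (ids taken from the quoted rules) and one denied device on usb2 (made-up ids).
make_fake_sysfs() {
    base=$1/bus/usb/devices
    for h in usb1 usb2; do
        mkdir -p "$base/$h"
        echo 09   > "$base/$h/bDeviceClass"
        echo 1    > "$base/$h/authorized"
        echo 1d6b > "$base/$h/idVendor"          # Linux Foundation root hub
        echo 0002 > "$base/$h/idProduct"
    done
    echo 0 > "$base/usb1/authorized_default"     # correct: deny by default
    echo 1 > "$base/usb2/authorized_default"     # misconfigured host
    mkdir -p "$base/1-1" "$base/2-1"
    echo 046d > "$base/1-1/idVendor";  echo 0809 > "$base/1-1/idProduct"
    echo 00   > "$base/1-1/bDeviceClass"; echo 1 > "$base/1-1/authorized"   # approved by a rule
    echo abcd > "$base/2-1/idVendor";  echo 1234 > "$base/2-1/idProduct"   # constructed ids
    echo 00   > "$base/2-1/bDeviceClass"; echo 0 > "$base/2-1/authorized"   # left denied
}

# Stand-alone demonstration against the constructed tree.
demo_root=$(mktemp -d)
make_fake_sysfs "$demo_root"
usb_default_deny "$demo_root" || echo "deny-by-default is NOT in force on every host"
echo "authorized non-hub devices:"
usb_list_authorized "$demo_root"
rm -rf "$demo_root"
```

On a real host the interesting runs are `usb_default_deny /sys` as the compliance check and `usb_list_authorized /sys` to confirm that only the devices named in the udev rules came through; a device that shows up there without a matching rule means a rule is broader than intended (a bare ATTR{product} match, for instance, trusts whatever string the device reports).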