Detections
Analytics

1.1.10 Disable USB Storage

Information

USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.

Rationale:

Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.

Impact:

Disabling the usb-storage module will disable any usage of USB storage devices.

If requirements and local site policy allow the use of such devices, other solutions should be configured accordingly instead. One example of a commonly used solution is USBGuard.

Solution

Run the following script to disable the cramfs module:
If the module is available in the running kernel:

Create a file with install usb-storage /bin/false in the /etc/modprobe.d/ directory

Create a file with blacklist usb-storage in the /etc/modprobe.d/ directory

Unload usb-storage from the kernel

If available in ANY installed kernel:

Create a file with blacklist usb-storage in the /etc/modprobe.d/ directory

If the kernel module is not available on the system:

No remediation is necessary

#!/usr/bin/env bash

{
 l_mname='usb-storage' # set module name
 l_mtype='drivers' # set module type
 l_mpath='/lib/modules/**/kernel/$l_mtype'
 l_mpname='$(tr '-' '_' <<< '$l_mname')'
 l_mndir='$(tr '-' '/' <<< '$l_mname')'

 module_loadable_fix()
 {
 # If the module is currently loadable, add 'install {MODULE_NAME} /bin/false' to a file in '/etc/modprobe.d'
 l_loadable='$(modprobe -n -v '$l_mname')'
 [ '$(wc -l <<< '$l_loadable')' -gt '1' ] && l_loadable='$(grep -P -- '(^h*install|b$l_mname)b' <<< '$l_loadable')'
 if ! grep -Pq -- '^h*install /bin/(true|false)' <<< '$l_loadable'; then
 echo -e '
 - setting module: '$l_mname' to be not loadable'
 echo -e 'install $l_mname /bin/false' >> /etc/modprobe.d/'$l_mpname'.conf
 fi
 }
 module_loaded_fix()
 {
 # If the module is currently loaded, unload the module
 if lsmod | grep '$l_mname' > /dev/null 2>&1; then
 echo -e '
 - unloading module '$l_mname''
 modprobe -r '$l_mname'
 fi
 }
 module_deny_fix()
 {
 # If the module isn't deny listed, denylist the module
 if ! modprobe --showconfig | grep -Pq -- '^h*blacklisth+$l_mpnameb'; then
 echo -e '
 - deny listing '$l_mname''
 echo -e 'blacklist $l_mname' >> /etc/modprobe.d/'$l_mpname'.conf
 fi
 }
 # Check if the module exists on the system
 for l_mdir in $l_mpath; do
 if [ -d '$l_mdir/$l_mndir' ] && [ -n '$(ls -A $l_mdir/$l_mndir)' ]; then
 echo -e '
 - module: '$l_mname' exists in '$l_mdir'
 - checking if disabled...'
 module_deny_fix
 if [ '$l_mdir' = '/lib/modules/$(uname -r)/kernel/$l_mtype' ]; then
 module_loadable_fix
 module_loaded_fix
 fi
 else
 echo -e '
 - module: '$l_mname' doesn't exist in '$l_mdir'
'
 fi
 done
 echo -e '
 - remediation of module: '$l_mname' complete
'
}

See Also

https://workbench.cisecurity.org/benchmarks/13007

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|8.5, CSCv7|13.7

Plugin: Unix

Control ID: cce971a0fff66915cb7c73775725b7c718e986d75d34be3581dcdc96f1d237e6