1.1.10 Disable USB Storage - blacklist


USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.


Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.


Run the following script to disable usb-storage:

#!/usr/bin/env bash

l_mname='usb-storage' # set module name
if ! modprobe -n -v '$l_mname' | grep -P -- '^h*install /bin/(true|false)'; then
echo -e ' - setting module: '$l_mname' to be not loadable'
echo -e 'install $l_mname /bin/false' >> /etc/modprobe.d/'$l_mname'.conf
if lsmod | grep '$l_mname' > /dev/null 2>&1; then
echo -e ' - unloading module '$l_mname''
modprobe -r '$l_mname'
if ! grep -Pq -- '^h*blacklisth+$l_mnameb' /etc/modprobe.d/*; then
echo -e ' - deny listing '$l_mname''
echo -e 'blacklist $l_mname' >> /etc/modprobe.d/'$l_mname'.conf

Additional Information:

An alternative solution to disabling the usb-storage module may be found in USBGuard.

Use of USBGuard and construction of USB device policies should be done in alignment with site policy.

NIST SP 800-53 Rev. 5:


See Also