Detections
Analytics

1.1.1.8 Ensure usb-storage kernel module is not available

Information

USB storage provides a means to transfer and store files ensuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.

Rationale:

Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.

Impact:

Disabling the usb-storage module will disable any usage of USB storage devices.

If requirements and local site policy allow the use of such devices, other solutions should be configured accordingly instead. One example of a commonly used solution is USBGuard.

Solution

Run the following script to disable the usb-storage module:
-IF- the module is available in the running kernel:

Create a file ending in .conf with install usb-storage /bin/false in the /etc/modprobe.d/ directory

Create a file ending in .conf with blacklist usb-storage in the /etc/modprobe.d/ directory

Unload usb-storage from the kernel

-IF- available in ANY installed kernel:

Create a file ending in .conf with blacklist usb-storage in the /etc/modprobe.d/ directory

-IF- the kernel module is not available on the system or pre-compiled into the kernel:

No remediation is necessary

#!/usr/bin/env bash

{
 l_mname='usb-storage' # set module name
 l_mtype='drivers' # set module type
 l_mpath='/lib/modules/**/kernel/$l_mtype'
 l_mpname='$(tr '-' '_' <<< '$l_mname')'
 l_mndir='$(tr '-' '/' <<< '$l_mname')'

 module_loadable_fix()
 {
 # If the module is currently loadable, add 'install {MODULE_NAME} /bin/false' to a file in '/etc/modprobe.d'
 l_loadable='$(modprobe -n -v '$l_mname')'
 [ '$(wc -l <<< '$l_loadable')' -gt '1' ] && l_loadable='$(grep -P -- '(^h*install|b$l_mname)b' <<< '$l_loadable')'
 if ! grep -Pq -- '^h*install /bin/(true|false)' <<< '$l_loadable'; then
 echo -e '
 - setting module: '$l_mname' to be not loadable'
 echo -e 'install $l_mname /bin/false' >> /etc/modprobe.d/'$l_mpname'.conf
 fi
 }
 module_loaded_fix()
 {
 # If the module is currently loaded, unload the module
 if lsmod | grep '$l_mname' > /dev/null 2>&1; then
 echo -e '
 - unloading module '$l_mname''
 modprobe -r '$l_mname'
 fi
 }
 module_deny_fix()
 {
 # If the module isn't deny listed, denylist the module
 if ! modprobe --showconfig | grep -Pq -- '^h*blacklisth+$l_mpnameb'; then
 echo -e '
 - deny listing '$l_mname''
 echo -e 'blacklist $l_mname' >> /etc/modprobe.d/'$l_mpname'.conf
 fi
 }
 # Check if the module exists on the system
 for l_mdir in $l_mpath; do
 if [ -d '$l_mdir/$l_mndir' ] && [ -n '$(ls -A $l_mdir/$l_mndir)' ]; then
 echo -e '
 - module: '$l_mname' exists in '$l_mdir'
 - checking if disabled...'
 module_deny_fix
 if [ '$l_mdir' = '/lib/modules/$(uname -r)/kernel/$l_mtype' ]; then
 module_loadable_fix
 module_loaded_fix
 fi
 else
 echo -e '
 - module: '$l_mname' doesn't exist in '$l_mdir'
'
 fi
 done
 echo -e '
 - remediation of module: '$l_mname' complete
'
}

See Also

https://workbench.cisecurity.org/benchmarks/15286

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7, CSCv7|13.7

Plugin: Unix

Control ID: e35bd00c5f91558219df280ad42d349e0ada0abd7a5a98d9cb628e1ed11943ab