Information
USB storage provides a means to transfer and store files ensuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.
Rationale:
Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.
Solution
Run the following script to disable usb-storage:
#!/usr/bin/env bash
{
l_mname='usb-storage' # set module name
# Check if the module exists on the system
if [ -z '$(modprobe -n -v '$l_mname' 2>&1 | grep -Pi -- 'h*modprobe:h+FATAL:h+Moduleh+$l_mnameh+noth+foundh+inh+directory')' ]; then
# Remediate loadable
l_loadable='$(modprobe -n -v '$l_mname')'
[ '$(wc -l <<< '$l_loadable')' -gt '1' ] && l_loadable='$(grep -P -- '(^h*install|b$l_mname)b' <<< '$l_loadable')'
if ! grep -Pq -- '^h*install /bin/(true|false)' <<< '$l_loadable'; then
echo -e ' - setting module: '$l_mname' to be not loadable'
echo -e 'install $l_mname /bin/false' >> /etc/modprobe.d/'$l_mname'.conf
fi
# Remediate loaded
if lsmod | grep '$l_mname' > /dev/null 2>&1; then
echo -e ' - unloading module '$l_mname''
modprobe -r '$l_mname'
fi
# Remediate deny list
if ! modprobe --showconfig | grep -Pq -- '^h*blacklisth+$(tr '-' '_' <<< '$l_mname')b'; then
echo -e ' - deny listing '$l_mname''
echo -e 'blacklist $l_mname' >> /etc/modprobe.d/'$l_mname'.conf
fi
else
echo -e ' - Nothing to remediate
- Module '$l_mname' doesn't exist on the system'
fi
}
Additional Information:
An alternative solution to disabling the usb-storage module may be found in USBGuard.
Use of USBGuard and construction of USB device policies should be done in alignment with site policy.
NIST SP 800-53 Rev. 5:
SC-18(4)