Block all USB devices except few exceptions
From Notes_Wiki
These steps are mutually exclusive with the steps at Block USB completely. Undo those steps first if you want some devices to work. To block all USB devices except a few exceptions:
- Create file /usr/bin/usb-umount.sh with the following contents:
#!/bin/bash

#List of allowed device IDs separated by space
ALLOWED_DEVICE_IDS="/dev/disk/by-id/usb-JetFlash_Transcend_8GB_SA1LX3TR-0:0 /dev/disk/by-id/usb-SanDisk_Cruzer_Blade_20060877201DE920DA7B-0:0"

#Admin email ID
ADMIN_EMAIL="saurabh@sbarjatiya.com"

#Get current device ID
DEVICE_ID=$(udisks --enumerate-device-files | grep '/usb-.*0:0$')

#Record current run for future reference purposes
echo "Handler ran at " $(date) " for " $DEVICE_ID >> /root/usb-logs.txt

#Do not continue if DEVICE_ID is empty
if [[ "$DEVICE_ID" == "" ]]; then
    exit 0
fi

#If device is allowed then exit script
for CURRENT_ID in $ALLOWED_DEVICE_IDS; do
    echo "Comparing $CURRENT_ID with $DEVICE_ID" >> /root/usb-logs.txt
    if [[ "$CURRENT_ID" == "$DEVICE_ID" ]] ; then
        echo "Allowed device $DEVICE_ID connected " >> /root/usb-logs.txt
        exit 0
    fi
done

#If device is not allowed then get its device-file (/dev/sdb etc.) name
DEVICE_FILE=$(udisks --show-info $(udisks --enumerate-device-files | grep '/usb-.*0:0$') | grep device-file | sed 's/device-file://')

#Get list of all mounted partitions for this device
MOUNTED_PARTITIONS=$(mount | grep $DEVICE_FILE | grep -o '^[^ ]* ')

#Umount all mounted partitions
for PARTITION in $MOUNTED_PARTITIONS; do
    udisks --unmount $PARTITION
done

#Detach drive
udisks --detach $DEVICE_FILE

#Send email about detached device
HOSTNAME=$(hostname --fqdn)
IFCONFIG=$(/sbin/ifconfig)
LOGGED_IN_USERS=$(w)
mail -s "Unauthorized USB DEVICE $DEVICE_ID connected" $ADMIN_EMAIL <<EOF
Dear Admin,

Unauthorized USB DEVICE $DEVICE_ID was connected to machine with following details:
HOSTNAME = $HOSTNAME
IP_ADDRESS = $IFCONFIG
LOGGED_IN_USERS = $LOGGED_IN_USERS

The device was umounted as per policy. Please take necessary action.

Regards,
Umount script
EOF
- Update ADMIN_EMAIL in the above script if emails are allowed. If not, at least change it to root@localhost so that such emails can be seen during an audit by logging in as root.
- chmod +x /usr/bin/usb-umount.sh
- Create file "/etc/udev/rules.d/100-mount-test.rules" with the following contents:
    KERNEL=="sd*", ACTION=="add", RUN+="/usr/bin/usb-umount.sh"
- udevadm control --reload-rules
- Now connect any device; the admin email ID mentioned above should receive an email with the device information. Also look at /root/usb-logs.txt to learn the DEVICE_ID of the connected device.
- If the connected device should be allowed, add its device ID to the ALLOWED_DEVICE_IDS variable in /usr/bin/usb-umount.sh, space separated.
- Connect the excepted device again. This time the device should work. Any other storage device should not work.
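The script above compares a single DEVICE_ID, which assumes exactly one USB disk is attached when the udev rule fires. The following is an added example (not the wiki's script) that applies the same allowlist decision to every USB disk in a `udisks --enumerate-device-files` listing, ignoring partition and non-USB entries; the enumeration and the Kingston device id it uses are constructed sample data.

```shell
#!/bin/sh
# Added example, not the wiki's script: apply the same allowlist decision
# to every USB disk udisks reports, instead of assuming a single DEVICE_ID.

# Allowlist, same format as ALLOWED_DEVICE_IDS in the wiki script.
ALLOWED_DEVICE_IDS="/dev/disk/by-id/usb-JetFlash_Transcend_8GB_SA1LX3TR-0:0 /dev/disk/by-id/usb-SanDisk_Cruzer_Blade_20060877201DE920DA7B-0:0"

# is_allowed ID: returns 0 when ID is on the allowlist, 1 otherwise.
is_allowed() {
    for allowed in $ALLOWED_DEVICE_IDS; do
        [ "$allowed" = "$1" ] && return 0
    done
    return 1
}

# classify_devices: reads `udisks --enumerate-device-files` style lines on
# stdin, keeps whole USB disks only (usb-...-0:0, not -part1 entries, not
# ata-/by-uuid aliases) and prints "ALLOW <id>" or "DENY <id>" per disk.
classify_devices() {
    while IFS= read -r line; do
        case "$line" in
            */usb-*-0:0) ;;     # whole-disk entry, same test as grep '/usb-.*0:0$'
            *) continue ;;      # partition, non-USB disk or other alias: skip
        esac
        if is_allowed "$line"; then echo "ALLOW $line"; else echo "DENY $line"; fi
    done
}

# count_denied: number of unauthorized disks in the enumeration on stdin.
count_denied() {
    classify_devices | awk '/^DENY /{n++} END{print n+0}'
}

# Constructed sample enumeration: one allowed disk, one unknown disk (the
# Kingston id is made up), each with a partition, plus non-USB noise.
SAMPLE_ENUMERATION='/dev/sda
/dev/disk/by-id/ata-CONSTRUCTED_INTERNAL_DISK
/dev/disk/by-id/usb-JetFlash_Transcend_8GB_SA1LX3TR-0:0
/dev/disk/by-id/usb-JetFlash_Transcend_8GB_SA1LX3TR-0:0-part1
/dev/disk/by-id/usb-Kingston_DataTraveler_CONSTRUCTED123-0:0
/dev/disk/by-id/usb-Kingston_DataTraveler_CONSTRUCTED123-0:0-part1
/dev/disk/by-uuid/1234-ABCD'

# Prints one ALLOW line for the Transcend disk and one DENY line for the Kingston disk.
printf '%s\n' "$SAMPLE_ENUMERATION" | classify_devices
```

On a live system, replace the constructed sample with the real `udisks --enumerate-device-files` output and unmount/detach each DENY line the way the wiki script does.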
Partial steps contributed by Krati Jain and validated by Kiran Kollipara.
To learn about udev rules, refer to http://www.reactivated.net/writing_udev_rules.html