Block all USB devices except few exceptions

From Notes_Wiki
Revision as of 13:56, 20 May 2021 by Saurabh (talk | contribs)



These steps are mutually exclusive with the steps at Block USB completely; undo those steps first if you want some devices to work. To block all USB devices except a few exceptions, create the file /usr/bin/usb-umount.sh with the following contents:

#!/bin/bash

# List of allowed device IDs (/dev/disk/by-id paths) separated by space
ALLOWED_DEVICE_IDS="/dev/disk/by-id/usb-JetFlash_Transcend_8GB_SA1LX3TR-0:0 /dev/disk/by-id/usb-SanDisk_Cruzer_Blade_20060877201DE920DA7B-0:0"

# Admin email ID
ADMIN_EMAIL="saurabh@example.com"

# Get current device ID (the whole-disk by-id entry of the connected USB device)
DEVICE_ID=$(udisks --enumerate-device-files | grep '/usb-.*0:0$')

# Record current run for future reference purposes
echo "Handler ran at $(date) for $DEVICE_ID" >> /root/usb-logs.txt

# Do not continue if DEVICE_ID is empty
if [[ "$DEVICE_ID" == "" ]]; then
    exit 0
fi

# If the device is in the allowed list then exit the script
for CURRENT_ID in $ALLOWED_DEVICE_IDS; do
    echo "Comparing $CURRENT_ID with $DEVICE_ID" >> /root/usb-logs.txt
    if [[ "$CURRENT_ID" == "$DEVICE_ID" ]]; then
        echo "Allowed device $DEVICE_ID connected" >> /root/usb-logs.txt
        exit 0
    fi
done

# If the device is not allowed then get its device file (/dev/sdb etc.);
# reuse DEVICE_ID instead of enumerating a second time, and strip the
# "device-file:" label and surrounding whitespace from the udisks output
DEVICE_FILE=$(udisks --show-info "$DEVICE_ID" | sed -n 's/^[[:space:]]*device-file:[[:space:]]*//p')

# Get list of all mounted partitions for this device (mount lines whose
# source starts with the device file, e.g. /dev/sdb1, /dev/sdb2)
MOUNTED_PARTITIONS=$(mount | grep "^$DEVICE_FILE" | cut -d' ' -f1)

# Unmount all mounted partitions
for PARTITION in $MOUNTED_PARTITIONS; do
    udisks --unmount "$PARTITION"
done

# Detach drive
udisks --detach "$DEVICE_FILE"

# Send email about detached device
HOSTNAME=$(hostname --fqdn)
IFCONFIG=$(/sbin/ifconfig)
LOGGED_IN_USERS=$(w)
mail -s "Unauthorized USB DEVICE $DEVICE_ID connected" "$ADMIN_EMAIL" <<EOF
Dear Admin,
Unauthorized USB DEVICE $DEVICE_ID was connected to machine with following details:

HOSTNAME = $HOSTNAME

IP_ADDRESS = $IFCONFIG

LOGGED_IN_USERS = $LOGGED_IN_USERS

The device was unmounted as per policy.  Please take necessary action.

Regards,
Umount script
EOF
  1. Update ADMIN_EMAIL in the above script if outgoing email is allowed. If not, at least change it to root@localhost so that these emails can be reviewed during an audit by logging in as root.
  2. chmod +x /usr/bin/usb-umount.sh
  3. Create file "/etc/udev/rules.d/100-mount-test.rules" with following contents:
    KERNEL=="sd*", ACTION=="add", RUN+="/usr/bin/usb-umount.sh"
  4. udevadm control --reload-rules
  5. Now connect any USB storage device; the admin email ID mentioned should receive an email with the device information. Also look at /root/usb-logs.txt to learn the DEVICE_ID of the connected device.
  6. If the connected device should be allowed, add its device ID to the variable ALLOWED_DEVICE_IDS (space-separated) in /usr/bin/usb-umount.sh.
  7. Connect the excepted device again. This time the device should work; any other storage device should not.
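The handler above compares the entire output of `udisks --enumerate-device-files | grep '/usb-.*0:0$'` against each allowed ID as one string. When two USB disks are attached at the same time that output has two lines, so the comparison never matches and even an allowed disk is treated as unauthorized. The following is an added example, not part of the wiki page or the original script, that shows the same allow-list decision made one device at a time. The allow-list reuses the two by-id paths from the script; the enumeration output, the `usb-Generic_Flash_Disk_ABCDEF123456-0:0` entry and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki): per-device allow-list matching over a
# constructed list of /dev/disk/by-id/usb-* entries. It mirrors the check in
# usb-umount.sh but evaluates each enumerated device separately, so a second
# attached USB disk neither masks an allowed one nor slips through with it.

# Allow-list in the same space-separated format the handler script uses.
ALLOWED_DEVICE_IDS="/dev/disk/by-id/usb-JetFlash_Transcend_8GB_SA1LX3TR-0:0 /dev/disk/by-id/usb-SanDisk_Cruzer_Blade_20060877201DE920DA7B-0:0"

# Constructed stand-in for the enumeration output with two USB disks attached:
# one allowed, one unknown (the Generic_Flash_Disk entry is made up).
SAMPLE_ENUMERATION="/dev/disk/by-id/usb-JetFlash_Transcend_8GB_SA1LX3TR-0:0
/dev/disk/by-id/usb-Generic_Flash_Disk_ABCDEF123456-0:0"

# is_allowed ID: return 0 if ID is exactly one of the allowed IDs, 1 otherwise.
# Exact string comparison is intentional: a prefix or substring match would let
# a device whose name merely contains an allowed name through.
is_allowed() {
    id="$1"
    for allowed in $ALLOWED_DEVICE_IDS; do
        [ "$allowed" = "$id" ] && return 0
    done
    return 1
}

# device_serial ID: print the serial part of a by-id name, i.e. the text after
# the last '_' once the trailing '-0:0' is removed (e.g. SA1LX3TR). Useful when
# writing the audit log entry or reading it back during an audit.
device_serial() {
    base="${1##*/}"          # usb-JetFlash_Transcend_8GB_SA1LX3TR-0:0
    base="${base%-0:0}"      # usb-JetFlash_Transcend_8GB_SA1LX3TR
    printf '%s\n' "${base##*_}"
}

# classify ENUMERATION: print one "ALLOW <id>" or "DENY <id>" line per device
# found in the (possibly multi-line) enumeration text.
classify() {
    printf '%s\n' "$1" | while IFS= read -r id; do
        [ -z "$id" ] && continue
        if is_allowed "$id"; then
            printf 'ALLOW %s\n' "$id"
        else
            printf 'DENY %s\n' "$id"
        fi
    done
}

# denied_ids ENUMERATION: print only the IDs that the handler would have to
# unmount and detach.
denied_ids() {
    classify "$1" | awk '$1 == "DENY" { print $2 }'
}

classify "$SAMPLE_ENUMERATION"
```

In the real handler the output of `denied_ids` would replace the single `DEVICE_ID` and the unmount/detach/mail steps would run once per denied ID, so a policy violation is reported for exactly the device that caused it.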

Partial steps contributed by Krati Jain and validated by Kiran Kollipara.

To learn about udev rules refer http://www.reactivated.net/writing_udev_rules.html
