Tuesday, 5 February 2013

=== Lockdown USB Devices ===

One fundamental security problem is that an unwanted person with physical USB access to your computer can steal your files or even drop trojans or backdoors on it. So it seems necessary to lock down the USB devices.

I do this by

(I) whitelisting the USB disks that I bought, and

(II) encrypting the filesystem they use.

The benefit is that only your own devices can be attached to the machine, and that nobody but you can read the data on the USB devices you use (the encryption protects the data at rest if a stick is lost or stolen). The disadvantage is that you are the only person who can transfer data to your PC via USB.

(I)
To lock down and whitelist USB devices I was lucky to find an article on the internet. It is a bit difficult to follow, so I will explain here how I did it.

(1) First lock down the USB stack at boot with a small init script. Basically it writes "0" to the authorized_default attribute of every USB host controller, which the kernel exposes in sysfs as

/sys/bus/usb/devices/usb?/authorized_default

With authorized_default set to 0, a device plugged into that controller is still enumerated (its descriptors, including the serial number, are read, which is what the udev rule below relies on), but it is not configured and no driver is bound to it until its own authorized attribute is set to 1.

Copy the script to /etc/init.d/usblock (note: there is no .sh filename extension) and register it as a startup service:

chkconfig -a usblock

At this point you do not need to start the script yet.

(2) Suppose you have a USB stick that is currently mounted from /dev/sdb1. Best practice is to identify the stick by something unique such as its USB serial number. To read it, run:

udevadm info -a -n /dev/sdb1 | grep 'ATTRS{serial}'

ATTRS{serial}=="123456789ABC"

Since -a walks up the whole device chain you may see more than one serial line (the host controller has one too); the one you want belongs to the USB device itself and is the first match. Keep in mind that the serial is reported by the device, so a purpose-built malicious device can present a whitelisted serial: this scheme stops opportunistic use of an unknown stick, not a determined attacker with custom hardware.


(3) Thanks to the article mentioned above I was able to set up the required udev rules in /etc/udev/rules.d/01-udevlockdown.rules:

+++
# Script by Adrian Crenshaw
## With info from Michael Miller, Inaky Perez-Gonzalez and VMWare
#
## By default, disable it: set authorized_default=0 on every host controller.
## udev substitutes $-patterns in RUN strings, so "$$" is needed to pass a
## literal "$" to the shell.
ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $$host/authorized_default; done'"
#
## Enable the whitelisted device by its serial number. $devpath is udev's own
## substitution for the sysfs path. Note the space in "echo 1 >": without it
## the shell reads "1>" as a redirection and writes an empty line, which the
## kernel rejects.
ACTION=="add", ATTR{serial}=="123456789ABC", RUN+="/bin/sh -c 'echo 1 > /sys$devpath/authorized'"
## add further lines like the one above to allow more devices
+++

(4) Now start the usblock "service":

service usblock start
service usblock status

and restart the udev service:

service udev restart

Then test the result by plugging in the device you just set up and another USB drive. The first one should be mounted normally according to the other udev rules in /lib/udev/rules.d/, whereas the second device should be ignored: it is still enumerated, but no driver is bound to it, so no block device appears.

(5) Whenever you need to add new device rules, remember that you first have to disable usblock with:

service usblock stop

because the new stick must be authorized before /dev/sdb1 exists. Then deploy the new whitelist rules following steps 2 to 4.
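The whole of part (I) collected into one helper script, as an added example: this is neither the post's own usblock init script nor Adrian Crenshaw's rule file. It locks or unlocks every host controller through authorized_default, audits the current state, and prints a whitelist rule for a serial number using udev's ATTR{authorized}="1" assignment instead of a RUN+= shell. SYSFS_ROOT, the function names and the subcommand names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own usblock init script: a small helper around
# the same sysfs knob the post uses, /sys/bus/usb/devices/usb*/authorized_default.
# SYSFS_ROOT is an assumption of this example so the functions can be exercised
# against a fake sysfs tree without root; on a real system leave it at /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Write 0 or 1 to authorized_default on every USB host controller.
# 0 = newly attached devices are enumerated but neither configured nor bound
# to a driver until something writes 1 to their own "authorized" attribute.
usb_set_default() {
    mode="$1"
    case "$mode" in
        0|1) ;;
        *) echo "usage: usb_set_default 0|1" >&2; return 2 ;;
    esac
    for host in "$SYSFS_ROOT"/bus/usb/devices/usb*; do
        [ -f "$host/authorized_default" ] || continue
        echo "$mode" > "$host/authorized_default"
    done
}

# Audit: print each host controller's setting and succeed only if all are 0,
# so "usb_lock_status || echo OPEN" is a one-line check after boot.
usb_lock_status() {
    rc=0
    for host in "$SYSFS_ROOT"/bus/usb/devices/usb*; do
        [ -f "$host/authorized_default" ] || continue
        val=$(cat "$host/authorized_default")
        printf '%s: authorized_default=%s\n' "$(basename "$host")" "$val"
        [ "$val" = "0" ] || rc=1
    done
    return $rc
}

# Build one whitelist rule for a serial number. It uses udev's ATTR assignment
# (ATTR{authorized}="1") instead of a RUN+= shell, so there is no shell to
# inject into; the serial still lands inside a quoted udev match, so anything
# outside a conservative character set is rejected rather than written out.
usb_whitelist_rule() {
    serial="$1"
    case "$serial" in
        ""|*[!A-Za-z0-9._-]*)
            echo "rejected serial: $serial" >&2
            return 1 ;;
    esac
    printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{serial}=="%s", ATTR{authorized}="1"\n' "$serial"
}

# Command-line front end (assumed names): lock | unlock | status | rule <serial>
case "${1:-}" in
    lock)   usb_set_default 0 ;;
    unlock) usb_set_default 1 ;;
    status) usb_lock_status ;;
    rule)   usb_whitelist_rule "${2:-}" ;;
esac
```

Run it as root: `lock` is what the init script body amounts to, `status` verifies the state after boot, and `rule 123456789ABC >> /etc/udev/rules.d/01-udevlockdown.rules` appends a whitelist entry, after which udev is restarted as in step (4). Two caveats worth knowing before enabling the lock: a whitelisted stick plugged into an unauthorized hub never enumerates, because the hub itself gets no driver, so any hub you rely on has to be whitelisted too; and USB keyboards and mice fall under the same default once the lock is active, so whitelist the ones you depend on.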

(II)

(1) To encrypt your USB stick, first unmount it:

umount /dev/sdb1

then use luksformat to encrypt and reformat (!) the device. Everything on the stick is destroyed in this step, so copy off anything you still need first.

luksformat -t vfat /dev/sdb1

luksformat asks for a passphrase, creates the LUKS container and builds a vfat filesystem inside it. From then on the stick has to be opened with that passphrase (cryptsetup luksOpen) before it can be mounted.

That's it for the start of this year.