Building a version of Ubuntu without any USB functionality
I'd like to build a version of Ubuntu that has absolutely no ability to recognize any USB device inserted. Is this possible?
There's the issue that mice and keyboards nowadays are connected via USB, so I wonder if it's possible to recognize these but not everything else.
In the end it's a security measure, so different solutions to achieve this goal are also welcome.
USBGuard
The USBGuard software framework helps to protect your computer against rogue USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce the user-defined policy, it uses the USB device authorization feature implemented in the Linux kernel since 2007.
By default, USBGuard blocks all newly connected devices, and devices connected before daemon startup are left as is.
A quick way to start using USBGuard to protect your system from USB attacks is to first generate a policy for your system. Then, start the usbguard-daemon with the command sudo systemctl start usbguard.service. You can use the usbguard command-line interface command and its generate-policy subcommand (usbguard generate-policy) to generate an initial policy for your system instead of writing one from scratch. The tool generates an allow policy for all devices currently connected to your system at the moment of execution.1
Features
- Rule language for writing USB device authorization policies
- Daemon component with an IPC interface for dynamic interaction and policy enforcement
- Command line and GUI interface to interact with a running USBGuard instance
- C++ API for interacting with the daemon component implemented in a shared library
Installation
To install USBGuard in Ubuntu 17.04 and later, open the terminal and type:
sudo apt install usbguard
Installation of USBGuard in earlier releases requires compilation from source which in turn requires the installation of several other packages as dependencies.
1 Revised from: Built-in protection against USB security attacks with USBGuard
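A check of the kernel USB device authorization state mentioned in the answer above, as an added example that is not part of the original answer or of USBGuard itself. It reads the standard sysfs attributes (authorized, authorized_default, bInterfaceClass); the function names and the sample tree with its vendor and product IDs are constructed for illustration.

```shell
# Read-only audit of the kernel's USB authorization state in sysfs.
# $1 overrides the sysfs path so the functions can run on a constructed tree.

# List authorized devices exposing any interface other than HID (03) or hub (09).
audit_usb() {
    root="${1:-/sys/bus/usb/devices}"
    for dev in "$root"/*; do
        [ -f "$dev/idVendor" ] || continue            # skip interface entries
        [ "$(cat "$dev/authorized" 2>/dev/null)" = 1 ] || continue
        for intf in "$dev"/*:*; do                    # e.g. 1-2/1-2:1.0
            [ -f "$intf/bInterfaceClass" ] || continue
            class=$(cat "$intf/bInterfaceClass")
            case "$class" in
                03|09) ;;                             # keyboard/mouse or hub
                *) echo "${dev##*/} $(cat "$dev/idVendor"):$(cat "$dev/idProduct") class=$class" ;;
            esac
        done
    done
}

# List host controllers whose authorized_default is not 0, i.e. controllers
# where newly plugged devices are not deauthorized by default.
open_controllers() {
    root="${1:-/sys/bus/usb/devices}"
    for hub in "$root"/usb*; do
        [ -f "$hub/authorized_default" ] || continue
        [ "$(cat "$hub/authorized_default")" = 0 ] || echo "${hub##*/}"
    done
}

# Constructed sample tree (hypothetical IDs): a keyboard, an authorized
# mass-storage stick (class 08) and a blocked mass-storage stick.
make_sample_tree() {
    t=$(mktemp -d)
    mkdev() {  # args: name authorized vendor product interface-class
        mkdir -p "$t/$1/$1:1.0"
        echo "$2" > "$t/$1/authorized"; echo "$3" > "$t/$1/idVendor"
        echo "$4" > "$t/$1/idProduct";  echo "$5" > "$t/$1/$1:1.0/bInterfaceClass"
    }
    mkdev 1-1 1 aaaa 0001 03
    mkdev 1-2 1 bbbb 0002 08
    mkdev 1-3 0 cccc 0003 08
    mkdir -p "$t/usb1"; echo 1 > "$t/usb1/authorized_default"
    echo "$t"
}
```

Calling audit_usb and open_controllers with no argument inspects the live system; empty output from both means only HID devices and hubs are authorized and no controller accepts new devices by default.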
I tested this solution on my Ubuntu running on VirtualBox:
- remove the kernel module from its original location
sudo mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root/
- insert the information about usb_storage module to blacklisted modules list:
echo 'blacklist usb_storage' | sudo tee -a /etc/modprobe.d/blacklist.conf
- update the initramfs image
sudo update-initramfs -k all -c -v
- reboot.
NB! You should do this with the USB stick unmounted; otherwise you will receive an error that the module is in use.
Here you can find additional information about this procedure. Good luck!