
Guided Exercise: Controlling USB access with USBGuard

In this exercise, you will install USBGuard, configure dynamic policy, and use USBGuard to block, reject, or permit access by certain USB devices or types of USB device.

Outcomes

You should be able to:

  • Generate policies to control USB device authorization.

  • Create USBGuard block and reject policies.

  • Create dynamic and persistent USBGuard rule sets.

  • Use command-line tools to list USB device access statuses.

Verify that the workstation and usbguard virtual machines are started.

Log in to workstation as student using student as the password. On workstation, run lab usb-controlling setup to ensure that the environment is ready.

[student@workstation ~]$ lab usb-controlling setup

When using sudo to run commands as a user other than student, use the password student if prompted.

  1. As student on workstation, verify the run state of the usbguard virtual machine (VM). Start the usbguard VM if it is not running.

    1. Use the virsh command with the domstate option to verify the run state of the usbguard VM.

      [student@workstation ~]$ sudo virsh domstate usbguard
      [sudo] password for student: student
      shut off
      
    2. If the state of the usbguard VM is shut off, use the virsh command with the start option to start the usbguard VM.

      [student@workstation ~]$ sudo virsh start usbguard
      Domain usbguard started
      

      Allow the usbguard VM about two minutes to complete the startup process.

  2. To access the console and log in to the usbguard VM, use the virsh command with the console option. Log in to the console as student using student as the password. If the console delays in displaying the login prompt, press Enter to proceed to the prompt.

    [student@workstation ~]$ sudo virsh console usbguard
    Connected to domain usbguard
    Escape character is ^]
    <Enter>
    
    Red Hat Enterprise Linux Server 7.5 (Maipo)
    Kernel 3.10.0-862.3.2.el7.x86_64 on an x86_64
    
    localhost login: student
    Password: student
    
  3. As student on the usbguard VM, install the RPM packages used to configure, control, and manage USB devices.

    1. Use YUM to install usbguard, usbutils, and udisks2 packages.

      [student@localhost ~]$ sudo yum install usbguard usbutils udisks2
      ...output omitted...
      Is this ok [y/d/N]: y
      ...output omitted...
      
      Complete!
      [student@localhost ~]$ 
      
  4. Generate a rule set (policy) that authorizes the USB devices currently connected. Inspect the generated /home/student/rules.conf file before copying it to /etc/usbguard/rules.conf: every device present at generation time receives an allow rule, including any you would rather not trust.

    1. Use the usbguard command with the generate-policy subcommand to generate a base policy. Use the -X option to omit the hash attribute from each rule, so that the rules match on id, serial, name, and interface list only. Note that those values are reported by the device itself and can be copied by a crafted device; the hash is the most specific attribute available and is shown in step 6.

      [student@localhost ~]$ sudo usbguard generate-policy -X > \
      > /home/student/rules.conf
      
    2. Inspect the entries in the /home/student/rules.conf file.

      [student@localhost ~]$ cat /home/student/rules.conf
      allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00
      allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" with-interface 09:00:00
      allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" with-interface 09:00:00
      allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" with-interface 09:00:00
      
    3. Copy the /home/student/rules.conf file to the /etc/usbguard directory.

      [student@localhost ~]$ sudo cp /home/student/rules.conf /etc/usbguard
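      The generated file is only an allow-list of what happened to be plugged in. As an added example that is not part of this exercise, the following shell snippet writes a hand-built rule set that uses all three USBGuard targets: allow for root hubs and for the RED lab disk (pinned to the hash shown later in this exercise), reject for any device that presents mass storage and HID interfaces together, and the daemon's implicit block for everything else. The path and the 0600 mode are assumptions, not something the exercise specifies.

```shell
# Added example, not from the RH415 exercise: a hand-written USBGuard policy.
# Assumed: the RED disk's hash is the one shown in this exercise, and the
# target path is USBGuard's default rules file.

# emit_policy: print the rule set. Rule by rule:
#   1. root hubs, whose interface list must be exactly one hub-class interface
#   2. the RED lab disk, pinned to its descriptor hash rather than id/serial only
#   3. mass storage plus a HID interface in one device (the keyboard-plus-disk
#      shape): reject deauthorizes the device and detaches it from the bus
# Anything else falls through to ImplicitPolicyTarget=block in
# /etc/usbguard/usbguard-daemon.conf.
emit_policy() {
  cat <<'EOF'
allow with-interface equals { 09:00:00 }
allow id 46f4:0001 serial "RED" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo="
reject with-interface all-of { 08:*:* 03:*:* }
EOF
}

# write_policy [path]: install the rule set readable by root only.
# Afterwards: sudo systemctl restart usbguard && sudo usbguard list-rules
write_policy() {
  path=${1:-/etc/usbguard/rules.conf}
  emit_policy > "$path" || return 1
  chmod 0600 "$path"
}

# rule_count: number of rules in the emitted policy.
rule_count() {
  emit_policy | grep -c .
}

# target_of <n>: the target (allow, block or reject) of the n-th rule.
target_of() {
  emit_policy | awk -v n="$1" 'NR == n { print $1 }'
}
```

The reject rule is deliberately narrower than a blanket block on storage: a plain USB disk still reaches the block target and can be authorized case by case with allow-device, while a device that also claims to be a keyboard is removed outright.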

  5. Start the USBGuard service and configure it to persist across reboots. Run the usbguard command to verify the USBGuard rules.

    1. Configure the usbguard daemon to persist across reboots.

      [student@localhost ~]$ sudo systemctl enable usbguard --now
      Created symlink from /etc/systemd/system/basic.target.wants/usbguard.service to /usr/lib/systemd/system/usbguard.service.
      [student@localhost ~]$ 
      
    2. List the rule set (policy) used by the usbguard daemon. The command results will be similar to the following.

      [student@localhost ~]$ sudo usbguard list-rules
      1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00
      2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" with-interface 09:00:00
      3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" with-interface 09:00:00
      4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" with-interface 09:00:00
      [student@localhost ~]$ 
      
  6. List all USB devices recognized by the USBGuard daemon. This listing includes each device's hash attribute, a digest of the device's USB descriptors, which is the most specific value available for identifying a device. Every attribute, the hash included, is derived from data the device itself reports, so a rule pins how a device presents itself rather than proving its identity.

    [student@localhost ~]$ sudo usbguard list-devices
    5: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "qiR4Ubbd7AIXLCz201hJYzaO9KIrOvqqRgqs2vM2NOY=" via-port "usb1" with-interface 09:00:00
    6: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "VC8ZB6FZ51WMN42QA3CqGvK9+eLDu4jpdgzSwLFn+fs=" via-port "usb2" with-interface 09:00:00
    7: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "0JRYS5mysCKe92s8So5WC7cbttP3haCBtScjU64BJs0=" via-port "usb3" with-interface 09:00:00
    8: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "prVi21GR+cpMC0ykIE8H9TC9QoaAkFrbmw2PLcWNGkw=" via-port "usb4" with-interface 09:00:00
    [student@localhost ~]$ 
    
  7. From a separate terminal session on workstation, attach the usb-disk-red.img disk image to the usbguard VM. From the usbguard VM console, use the usbguard list-devices command to list device status. Verify that the newly attached device with id 46f4:0001 is blocked: no rule in the policy matches it, so the daemon applies the implicit policy target, which defaults to block.

    1. On workstation, use the virsh attach-device command to attach the usb-disk-red.img disk image to the usbguard VM.

      [student@workstation ~]$ sudo virsh attach-device usbguard \
      > /home/student/RH415/labs/usb-controlling/usb-disk-red.xml
      [sudo] password for student: student
      Device attached successfully
      

      On the virsh console terminal connected to the usbguard VM, you will see kernel messages indicating that the RED USB device is not authorized for usage. USBGuard enforces the block through the kernel's USB authorization interface (the authorized attribute in sysfs), so the device is enumerated but no driver binds to it. Press Enter to return to the command prompt.

      [13865.418288] usb 1-1: new high-speed USB device number 4 using ehci-pci
      [13865.544834] usb 1-1: New USB device found, idVendor=46f4, idProduct=0001
      [13865.548156] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      [13865.552218] usb 1-1: Product: QEMU USB HARDDRIVE
      [13865.554899] usb 1-1: Manufacturer: QEMU
      [13865.557623] usb 1-1: SerialNumber: RED
      [13865.560922] usb 1-1: Device is not authorized for usage
      Enter
      
      [student@localhost ~]$ 
      
    2. On the usbguard VM, use the lsusb command to list devices. The results show that device ID 46f4:0001 has been enumerated and is visible to the system even though it is not authorized.

      The output should be similar to the following:

      [student@localhost ~]$ lsusb
      Bus 001 Device 002: ID 46f4:0001
      Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
      Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
      Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
      Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
      
    3. Use the lsblk command to list block devices. The USB disk is absent: because the device is unauthorized, the usb-storage driver has not bound to it, so no SCSI disk was created and there is nothing to mount.

      [student@localhost ~]$ lsblk
      NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
      vda    253:0    0  10G  0 disk
      └─vda1 253:1    0  10G  0 part /
      
    4. Use the udisksctl status command to see high-level information about disk drives and block devices. This output also confirms that the newly attached device is not available to be mounted.

      [student@localhost ~]$ udisksctl status
      MODEL                     REVISION  SERIAL               DEVICE
      --------------------------------------------------------------------------
      VirtIO Disk                                              vda
      
    5. Use the usbguard command with the list-devices subcommand to list device status and device ID. The device numbers may be different depending on your environment.

      [student@localhost ~]$ sudo usbguard list-devices
      5: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "qiR4Ubbd7AIXLCz201hJYzaO9KIrOvqqRgqs2vM2NOY=" via-port "usb1" with-interface 09:00:00
      6: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "VC8ZB6FZ51WMN42QA3CqGvK9+eLDu4jpdgzSwLFn+fs=" via-port "usb2" with-interface 09:00:00
      7: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "0JRYS5mysCKe92s8So5WC7cbttP3haCBtScjU64BJs0=" via-port "usb3" with-interface 09:00:00
      8: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "prVi21GR+cpMC0ykIE8H9TC9QoaAkFrbmw2PLcWNGkw=" via-port "usb4" with-interface 09:00:00
      9: block id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50
      [student@localhost ~]$ 
      

      The newly attached device displays with device number 9, device ID 46f4:0001, and serial RED, with a target of block.

  8. The attached device is seen by the system but remains blocked and therefore unable to be mounted. Dynamically change the target policy from block to allow for this device.

    1. Use the usbguard allow-device command and the device number from the previous listing to dynamically modify authorization for device ID 46f4:0001 to allow it to connect and become available for mounting. The device number may be different depending on your environment.

      [student@localhost ~]$ sudo usbguard allow-device 9
      [15605.370693] usb 1-1: authorized to connect
      [15605.410978] usb-storage 1-1:1.0: USB Mass Storage device detected
      [15605.416417] scsi host2: usb-storage 1-1:1.0
      [15605.419289] usbcore: registered new interface driver usb-storage
      [15605.426512] usbcore: registered new interface driver uas
      [15606.421800] scsi 2:0:0:0: Direct-Access     QEMU     QEMU HARDDISK    1.5. PQ: 0 ANSI: 5
      [15606.441853] scsi 2:0:0:0: Attached scsi generic sg0 type 0
      [15606.473364] sd 2:0:0:0: [sda] 65536 512-byte logical blocks: (33.5 MB/32.0 MiB)
      [15606.480720] sd 2:0:0:0: [sda] Write Protect is off
      [15606.492142] sd 2:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
      [15606.537984] sd 2:0:0:0: [sda] Attached SCSI disk
      Enter
      
    2. Use the lsblk command to list devices. This time you should see the device listed as sda which is available to be mounted.

      [student@localhost ~]$ lsblk
      NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
      sda      8:0    0  32M  0 disk
      vda    253:0    0  10G  0 disk
      └─vda1 253:1    0  10G  0 part /
      
    3. Use the udisksctl status command to see high-level information about disk drives and block devices. This command output displays the device listed as sda and serial RED.

      [student@localhost ~]$ udisksctl status
      MODEL                     REVISION  SERIAL               DEVICE
      --------------------------------------------------------------------------
      VirtIO Disk                                              vda
      QEMU QEMU HARDDISK        1.5.      RED                  sda
      
    4. Use the usbguard list-devices command to list device status. Now, the attached device with device number 9 has a target policy allow for device ID 46f4:0001. The device numbers may be different depending on your environment.

      [student@localhost ~]$ sudo usbguard list-devices
      5: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "qiR4Ubbd7AIXLCz201hJYzaO9KIrOvqqRgqs2vM2NOY=" via-port "usb1" with-interface 09:00:00
      6: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "VC8ZB6FZ51WMN42QA3CqGvK9+eLDu4jpdgzSwLFn+fs=" via-port "usb2" with-interface 09:00:00
      7: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "0JRYS5mysCKe92s8So5WC7cbttP3haCBtScjU64BJs0=" via-port "usb3" with-interface 09:00:00
      8: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "prVi21GR+cpMC0ykIE8H9TC9QoaAkFrbmw2PLcWNGkw=" via-port "usb4" with-interface 09:00:00
      9: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50
      [student@localhost ~]$ 
      
  9. The allow target set for device number 9, ID 46f4:0001, will not persist across a reboot. Without -p, allow-device changes only the daemon's in-memory decision for this device instance and writes no rule, so the device is re-evaluated against the policy on the next boot (or the next time it is detached and reattached). The device number may be different depending on your environment.

    1. Reboot the usbguard VM and wait for the login prompt to display. Log in as student with student as the password.

      [student@localhost ~]$ sudo reboot
      ...output omitted...
      Red Hat Enterprise Linux Server 7.5 (Maipo)
      Kernel 3.10.0-862.3.2.el7.x86_64 on an x86_64
      
      localhost login: student
      Password: student
      
    2. List the devices to confirm that the entry for device number 9, ID 46f4:0001, has changed back to block.

      [student@localhost ~]$ sudo usbguard list-devices
      5: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "qiR4Ubbd7AIXLCz201hJYzaO9KIrOvqqRgqs2vM2NOY=" via-port "usb1" with-interface 09:00:00
      6: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "VC8ZB6FZ51WMN42QA3CqGvK9+eLDu4jpdgzSwLFn+fs=" via-port "usb2" with-interface 09:00:00
      7: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "0JRYS5mysCKe92s8So5WC7cbttP3haCBtScjU64BJs0=" via-port "usb3" with-interface 09:00:00
      8: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "prVi21GR+cpMC0ykIE8H9TC9QoaAkFrbmw2PLcWNGkw=" via-port "usb4" with-interface 09:00:00
      9: block id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50
      [student@localhost ~]$ 
      
    3. Use the usbguard command with the list-rules subcommand to view the rules located in the /etc/usbguard/rules.conf file. Notice that there is not a rule listed for device number 9, ID 46f4:0001.

      [student@localhost ~]$ sudo usbguard list-rules
      1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00
      2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" with-interface 09:00:00
      3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" with-interface 09:00:00
      4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" with-interface 09:00:00
      
  10. Create a persistent rule that allows device number 9, ID 46f4:0001, to connect to the system and become available for mounting. The device number may be different depending on your environment.

    1. Use the usbguard command with the allow-device subcommand, the -p (--permanent) option, and the device number. In addition to authorizing the device now, this appends a matching allow rule to the /etc/usbguard/rules.conf file.

      [student@localhost ~]$ sudo usbguard allow-device -p 9
      [ 1035.432891] usb-storage 1-1:1.0: USB Mass Storage device detected
      [ 1035.442976] scsi host3: usb-storage 1-1:1.0
      [ 1035.445525] usb 1-1: authorized to connect
      [student@localhost ~]$ [ 1036.449638] scsi 3:0:0:0: Direct-Access     QEMU     QEMU HARDDISK    1.5. PQ: 0 ANSI: 5
      [ 1036.458792] sd 3:0:0:0: Attached scsi generic sg0 type 0
      [ 1036.469776] sd 3:0:0:0: [sda] 65536 512-byte logical blocks: (33.5 MB/32.0 MiB)
      [ 1036.476097] sd 3:0:0:0: [sda] Write Protect is off
      [ 1036.484820] sd 3:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
      [ 1036.513755] sd 3:0:0:0: [sda] Attached SCSI disk
      Enter
      
    2. Reboot the usbguard VM again and confirm that the allow rule persists across reboots.

      [student@localhost ~]$ sudo reboot
      ...output omitted...
      Red Hat Enterprise Linux Server 7.5 (Maipo)
      Kernel 3.10.0-862.3.2.el7.x86_64 on an x86_64
      
      localhost login: student
      Password: student
      
    3. List the devices to confirm that the entry for device ID 46f4:0001 has an allow rule target. The device numbers may be different depending on your environment.

      [student@localhost ~]$ sudo usbguard list-devices
      5: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "qiR4Ubbd7AIXLCz201hJYzaO9KIrOvqqRgqs2vM2NOY=" via-port "usb1" with-interface 09:00:00
      6: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "VC8ZB6FZ51WMN42QA3CqGvK9+eLDu4jpdgzSwLFn+fs=" via-port "usb2" with-interface 09:00:00
      7: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "0JRYS5mysCKe92s8So5WC7cbttP3haCBtScjU64BJs0=" via-port "usb3" with-interface 09:00:00
      8: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "prVi21GR+cpMC0ykIE8H9TC9QoaAkFrbmw2PLcWNGkw=" via-port "usb4" with-interface 09:00:00
      9: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50
      [student@localhost ~]$ 
      
    4. Use the usbguard command with the list-rules subcommand to view the rules located in the /etc/usbguard/rules.conf file. There should now be a persistent rule for device ID 46f4:0001. Unlike the generated rules, this one carries the hash and parent-hash attributes, and it omits via-port, so the disk is matched by its descriptors rather than by the port it is plugged into. The device numbers may be different depending on your environment.

      [student@localhost ~]$ sudo usbguard list-rules
      1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00
      2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" with-interface 09:00:00
      3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" with-interface 09:00:00
      4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" with-interface 09:00:00
      5: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" with-interface 08:06:50
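      Steps 8 and 10 both act on device number 9, which this exercise repeatedly warns may differ on another host. As an added example that is not part of this exercise, the following shell functions resolve the device number from the id and serial in usbguard list-devices output, so a script cannot authorize the wrong device. SAMPLE is constructed from this exercise's own list-devices output with the hashes shortened; the function names are assumptions.

```shell
# Added example, not from the RH415 exercise: look up a USBGuard device number
# by vendor:product id and serial instead of hard-coding "9". Device numbers
# change across reboots, re-plugs and hosts, so this is the safe way to script
# allow-device/block-device/reject-device.
# SAMPLE is constructed from the exercise's own "usbguard list-devices" output,
# with the hash values shortened to keep the lines readable.
SAMPLE='5: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKO...=" parent-hash "qiR4...=" via-port "usb1" with-interface 09:00:00
9: block id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmu...=" parent-hash "CsKO...=" via-port "1-1" with-interface 08:06:50'

# _match <id> <serial> [listing]: print "<number> <target>" for the first
# device whose id and serial both match. The listing defaults to the live
# daemon; pass one explicitly to work from captured output.
_match() {
  listing=${3:-$(sudo usbguard list-devices)}
  printf '%s\n' "$listing" | awk -v id="$1" -v serial="\"$2\"" '
    $3 == "id" && $4 == id && $5 == "serial" && $6 == serial {
      sub(/:$/, "", $1); print $1, $2; exit
    }'
}

# device_number / device_target: the number and current target (allow, block,
# reject) of the matching device, or nothing if it is not attached.
device_number() { _match "$@" | awk '{ print $1 }'; }
device_target() { _match "$@" | awk '{ print $2 }'; }

# allow_persistent <id> <serial>: authorize the device now and append an allow
# rule to /etc/usbguard/rules.conf (usbguard allow-device -p). Fails when the
# device is not present rather than acting on a stale number.
allow_persistent() {
  n=$(device_number "$1" "$2")
  if [ -z "$n" ]; then
    echo "no device $1 with serial $2 is attached" >&2
    return 1
  fi
  sudo usbguard allow-device -p "$n"
}
```

To see only the devices awaiting a decision, run sudo usbguard list-devices -b, which restricts the listing to devices whose current target is block.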
      
  11. Log out from the usbguard VM and exit from the serial console.

    1. Log out from the usbguard VM terminal session.

      [student@localhost ~]$ logout
      
    2. Exit the VM's serial console.

      Red Hat Enterprise Linux Server 7.5 (Maipo)
      Kernel 3.10.0-862.3.2.el7.x86_64 on an x86_64
      
      localhost login: 
      Ctrl+]
      [student@workstation ~]$ 
      

Cleanup

On workstation, run the lab usb-controlling cleanup script to clean up this exercise.

[student@workstation ~]$ lab usb-controlling cleanup

This concludes the guided exercise.

Revision: rh415-7.5-b847083