Install USBGuard, configure dynamic policy, and use USBGuard to block, reject, or permit access by certain USB devices or types of USB devices.
Outcomes
Generate policies to control USB device authorization.
Create USBGuard block and reject policies.
Create dynamic and persistent USBGuard rule sets.
Use command-line tools to list the access statuses of USB devices.
As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.
[student@workstation ~]$ lab start usb-usb
Instructions
As the root user on the workstation machine, verify the run state of the usbguard virtual machine (VM).
Start the usbguard VM if it is not running.
On the workstation machine, log in as the student user and switch to the root user:
[student@workstation ~]$ sudo -i
[sudo] password for student: student
[root@workstation ~]#
Verify the state of the usbguard VM:
[root@workstation ~]# virsh domstate usbguard
shut off
Start the usbguard VM if necessary.
Allow the usbguard VM about two minutes to complete the startup process.
[root@workstation ~]# virsh start usbguard
Domain 'usbguard' started
Log in to the console as the student user by using student as the password, and switch to the root user.
If the console delays in displaying the login prompt, then press Enter to proceed to the prompt.
Open the console of the usbguard VM, and log in to the console as the student user by using student as the password:
[root@workstation ~]# virsh console usbguard
...output omitted...
Connected to domain 'usbguard'
Escape character is ^] (Ctrl + ])
<Enter>
Red Hat Enterprise Linux 9.2 (Plow)
Kernel 5.14.0-284.11.1.el9_2.x86_64 on an x86_64
Activate the web console with: systemctl enable --now cockpit.socket
localhost login: student
Password: student
Switch to the root user:
[student@localhost ~]$ sudo -i
[root@localhost ~]#
As the root user on the usbguard VM, install the RPM packages to configure, control, and manage USB devices.
Install the usbguard, usbutils, and udisks2 packages:
[root@localhost ~]# dnf install usbguard usbutils udisks2
...output omitted...
Is this ok [y/N]: y
...output omitted...
Complete!
Generate a rule set (policy) that authorizes the currently connected USB devices.
Copy the output into the /etc/usbguard/rules.conf file.
Use the -X option to suppress the generation of hash attributes for each device.
[root@localhost ~]# usbguard generate-policy -X | \
tee /etc/usbguard/rules.conf
allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
Start and enable the usbguard service so that it persists across reboots.
Use the usbguard command to verify the USBGuard rules.
Start and enable the usbguard service so that it persists across reboots:
[root@localhost ~]# systemctl enable --now usbguard
Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /usr/lib/systemd/system/usbguard.service.
List the rule set (policy) that the usbguard daemon uses:
[root@localhost ~]# usbguard list-rules
1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
List all of the USB devices that the USBGuard daemon recognizes. This command lists each device's hash attribute, which is the most specific value to identify a device.
[root@localhost ~]# usbguard list-devices
5: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "MhPzffrQEhx5CwP3GXco7JXDbaMzFbD5FPUfFE7nfu0=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
6: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "9Ii0Zm8Mvu2nYz9z/EgAXJ/ed6bLW8Ctv1iUD5rh6qY=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
7: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "t7Z0XTvKnMmdqAm1vU+noU318kZsRQQV+JorpRThQ7c=" via-port "usb3" with-interface 09:00:00 with-connect-type ""
8: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "UyZQuRI+gcw41fsM6Kgyty6pgYN0zfyYjqSpJv7na1E=" via-port "usb4" with-interface 09:00:00 with-connect-type ""
Open another terminal window on the workstation machine, and attach the usb-disk-red.img disk image to the usbguard VM:
[student@workstation ~]$ sudo virsh attach-device usbguard \
/home/student/RH415/labs/usb-usb/usb-disk-red.xml
[sudo] password for student: student
Device attached successfully
Return to the terminal window of the usbguard VM, and observe the kernel messages.
Notice that the RED USB device is not authorized for usage.
Press Enter to return to the command prompt.
[ 1554.522039] usb 1-1: new high-speed USB device number 2 using ehci-pci
[ 1554.662285] usb 1-1: New USB device found, idVendor=46f4, idProduct=0001, bcdDevice= 0.00
[ 1554.669411] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1554.674855] usb 1-1: Product: QEMU USB HARDDRIVE
[ 1554.677274] usb 1-1: Manufacturer: QEMU
[ 1554.679123] usb 1-1: SerialNumber: RED
[ 1554.689326] usb 1-1: Device is not authorized for usage
<Enter>
Debug the newly attached device and display information about the devices.
Verify that the new device is attached to the system.
[root@localhost ~]# lsusb
Bus 001 Device 002: ID 46f4:0001 QEMU QEMU USB HARDDRIVE
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
List the available block devices to confirm that the newly added device is absent.
[root@localhost ~]# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
vda    252:0    0   10G  0 disk
├─vda1 252:1    0    1M  0 part
├─vda2 252:2    0  200M  0 part /boot/efi
├─vda3 252:3    0  500M  0 part /boot
└─vda4 252:4    0  9.3G  0 part /
List the high-level information for the disk drives and block devices. This output confirms that the newly attached device is not available for mounting.
[root@localhost ~]# udisksctl status
MODEL                     REVISION  SERIAL               DEVICE
--------------------------------------------------------------------------
VirtIO Disk                                              vda
List the blocked USB devices that the USBGuard daemon recognizes. The device numbers might differ in your classroom.
The output displays the device number 9, the 46f4:0001 device ID, and the RED serial name with the block target policy.
[root@localhost ~]# usbguard list-devices --blocked
9: block id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type ""
Create a persistent rule that allows the new device to access the system and to be available for mounting. The device numbers might differ in your classroom.
Allow the device with a persistent rule to access the system:
[root@localhost ~]# usbguard allow-device -p 9
[54509.376970] usb 1-1: authorized to connect
[54509.406321] usb-storage 1-1:1.0: USB Mass Storage device detected
[54509.413177] scsi host6: usb-storage 1-1:1.0
[54509.415700] usbcore: registered new interface driver usb-storage
[54509.424303] usbcore: registered new interface driver uas
[54510.476342] scsi 6:0:0:0: Direct-Access     QEMU     QEMU HARDDISK    2.5+ PQ: 0 ANSI: 5
[54510.498202] scsi 6:0:0:0: Attached scsi generic sg0 type 0
[54510.517945] sd 6:0:0:0: Power-on or device reset occurred
[54510.524460] sd 6:0:0:0: [sda] 65536 512-byte logical blocks: (33.6 MB/32.0 MiB)
[54510.536556] sd 6:0:0:0: [sda] Write Protect is off
[54510.546850] sd 6:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[54510.586024] sd 6:0:0:0: [sda] Attached SCSI disk
<Enter>
Reboot the usbguard VM to confirm that the allow rule persists across reboots.
Log in to the console as the student user by using student as the password.
[root@localhost ~]# reboot
...output omitted...
Red Hat Enterprise Linux 9.2 (Plow)
Kernel 5.14.0-284.11.1.el9_2.x86_64 on an x86_64
Activate the web console with: systemctl enable --now cockpit.socket
localhost login: student
Password: student
Switch to the root user:
[student@localhost ~]$ sudo -i
[root@localhost ~]#
List the device to confirm that the entry for the device with the RED serial name has the allow rule target.
The device numbers might differ in your classroom.
[root@localhost ~]# usbguard list-devices | grep RED
9: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type "unknown"
List the rule set (policy) that the usbguard daemon uses.
Notice the persistent rule for device ID 46f4:0001.
The device numbers might differ in your classroom.
[root@localhost ~]# usbguard list-rules | grep RED
10: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" with-interface 08:06:50 with-connect-type "unknown"
Debug the attached device and display the information for the device.
List the available block devices to confirm that the new device is present:
[root@localhost ~]# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda      8:0    0   32M  0 disk
vda    252:0    0   10G  0 disk
├─vda1 252:1    0    1M  0 part
├─vda2 252:2    0  200M  0 part /boot/efi
├─vda3 252:3    0  500M  0 part /boot
└─vda4 252:4    0  9.3G  0 part /
List the high-level information about disk drives and block devices. Confirm that the attached device is available to be mounted.
[root@localhost ~]# udisksctl status
MODEL                     REVISION  SERIAL               DEVICE
--------------------------------------------------------------------------
VirtIO Disk                                              vda
QEMU QEMU HARDDISK        2.5+      RED                  sda
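To audit listings like the ones above without reading them by eye, the following added Python example (not part of this course and not USBGuard's own code) parses usbguard list-devices and list-rules output, reports each device's current target and USB interface class, and checks whether a rule in the persistent policy covers it, which is what allow-device -p is meant to guarantee across a reboot. The rule matcher is a simplification (exact attribute equality, interfaces compared as sets, no wildcards or set operators), and the sample lines are constructed from this lab's output with placeholder hashes.

```python
import re

# One listing line: optional "N: " prefix, a target, then key/value attributes.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\{([^}]*)\}|(\S+)')  # "str" | { set } | word
_TARGETS = {"allow", "block", "reject"}
USB_CLASS = {"03": "HID", "08": "Mass Storage", "09": "Hub"}  # interface base class

def parse_line(line):
    """Parse one `usbguard list-devices`, `list-rules` or rules.conf line."""
    num = re.match(r"\s*(\d+):\s*", line)
    line = line[num.end():] if num else line.strip()
    tokens = [q if q is not None else (s.split() if s is not None else w)
              for q, s, w in (m.groups() for m in _TOKEN.finditer(line))]
    if not tokens or tokens[0] not in _TARGETS:
        raise ValueError(f"no allow/block/reject target in: {line!r}")
    attrs = {}
    for key, value in zip(tokens[1::2], tokens[2::2]):
        # with-interface may be a single triple or a { set }; normalise to a list
        attrs[key] = [value] if key == "with-interface" and isinstance(value, str) else value
    return {"number": int(num.group(1)) if num else None, "target": tokens[0], "attrs": attrs}

def rule_covers(rule, device):
    """Simplified matcher (an assumption, not USBGuard's own logic): every
    attribute in the rule must equal the device's; interface lists compare as sets."""
    for key, want in rule["attrs"].items():
        have = device["attrs"].get(key)
        if (set(want) != set(have or []) if key == "with-interface" else want != have):
            return False
    return True

def audit(device_lines, rule_lines):
    """Per device: id, serial, current target, interface classes, and whether a
    rule in the persistent policy covers it (so the decision survives a reboot)."""
    rules = [parse_line(l) for l in rule_lines if l.strip()]
    report = []
    for dev in (parse_line(l) for l in device_lines if l.strip()):
        a = dev["attrs"]
        report.append({"id": a.get("id"), "serial": a.get("serial"), "target": dev["target"],
                       "classes": sorted({USB_CLASS.get(i[:2], i[:2]) for i in a.get("with-interface", [])}),
                       "persistent": any(rule_covers(r, dev) for r in rules)})
    return report

# Constructed sample modelled on this lab's output; hashes replaced by placeholders.
SAMPLE_DEVICES = [
    '9: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "H2" parent-hash "H1" via-port "1-1" with-interface 08:06:50 with-connect-type "unknown"',
    '11: block id 1234:5678 serial "" name "Example Keyboard" hash "H3" parent-hash "H1" via-port "1-2" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"',
]
SAMPLE_RULES = [  # what `usbguard allow-device -p` appended for the RED disk
    'allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "H2" parent-hash "H1" with-interface 08:06:50 with-connect-type "unknown"',
]
```

Running audit(SAMPLE_DEVICES, SAMPLE_RULES) flags the RED disk as an allowed, persistently covered mass-storage device and the constructed keyboard as a blocked HID device with no persistent rule.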
Return to the workstation machine as the student user.
Log out of the usbguard VM terminal session:
[root@localhost ~]# logout
[student@localhost ~]$ logout
Exit the usbguard VM console:
Red Hat Enterprise Linux 9.2 (Plow)
Kernel 5.14.0-284.11.1.el9_2.x86_64 on an x86_64
Activate the web console with: systemctl enable --now cockpit.socket
localhost login:
Ctrl+]
Return to the workstation machine as the student user:
[root@workstation ~]# logout
[student@workstation ~]$