
Lab: Restricting USB Device Access

Selectively control which USB devices may access or be accessed by the system by using USBGuard.

Outcomes

  • Create a permanent USBGuard rule that allows a specific USB device to interact with the system.

  • Generate a base policy that maintains the current rules that are defined, and that rejects any additional USB devices that attempt to connect to the system.

  • Use usbguard, journalctl, and other command-line tools to confirm USB device access policies.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start usb-review

Instructions

  1. As the root user on the workstation machine, ensure that the usbguard virtual machine (VM) is running.

    1. On the workstation machine, log in as the student user and switch to the root user.

      [student@workstation ~]$ sudo -i
      [sudo] password for student: student
      [root@workstation ~]#
    2. Verify the state of the usbguard VM.

      [root@workstation ~]# virsh list --all
       Id   Name       State
      ---------------------------
       -    usbguard   shut off
    3. Start the usbguard VM if it is not running. Allow the usbguard VM about two minutes to complete the startup process.

      [root@workstation ~]# virsh start usbguard
      Domain 'usbguard' started
  2. On the usbguard VM, install the RPM packages to configure, control, and manage USB device access.

    1. Open the console of the usbguard VM and log in to the console as the student user by using student as the password. If the console delays in displaying the login prompt, then press Enter to proceed to the prompt.

      [root@workstation ~]# virsh console usbguard
      Connected to domain 'usbguard'
      Escape character is ^] (Ctrl + ])
      Enter
      localhost login: student
      Password: student
      [student@localhost ~]$
    2. Switch to the root user.

      [student@localhost ~]$ sudo -i
      [root@localhost ~]#
    3. Install the usbguard, usbutils, and udisks2 packages.

      [root@localhost ~]# dnf install usbguard usbutils udisks2
      ...output omitted...
      Is this ok [y/N]: y
      ...output omitted...
      Complete!
  3. Start the USBGuard service and configure it to persist across reboots. List the devices that USBGuard recognizes by default.

    1. Start the usbguard service and configure it to start at boot.

      [root@localhost ~]# systemctl enable --now usbguard
      Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /usr/lib/systemd/system/usbguard.service.
    2. List all of the USB devices that USBGuard recognizes.

      The device numbers might differ in your classroom.

      [root@localhost ~]# usbguard list-devices
      1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "MhPzffrQEhx5CwP3GXco7JXDbaMzFbD5FPUfFE7nfu0=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
      2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "9Ii0Zm8Mvu2nYz9z/EgAXJ/ed6bLW8Ctv1iUD5rh6qY=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
      3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "t7Z0XTvKnMmdqAm1vU+noU318kZsRQQV+JorpRThQ7c=" via-port "usb3" with-interface 09:00:00 with-connect-type ""
      4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "UyZQuRI+gcw41fsM6Kgyty6pgYN0zfyYjqSpJv7na1E=" via-port "usb4" with-interface 09:00:00 with-connect-type ""
  4. Set a permanent USBGuard rule to allow the RED USB device access to the system.

    1. Open another console on the workstation machine and attach the usb-disk-red.img disk image to the usbguard VM.

      [student@workstation ~]$ sudo virsh attach-device usbguard \
      ~/RH415/labs/usb-usb/usb-disk-red.xml
      [sudo] password for student: student
      Device attached successfully

      Return to the console of the usbguard VM, and notice the kernel messages that indicate that the RED USB device is not authorized for usage. Press Enter to return to the command prompt.

      [  511.777583] usb 1-1: new high-speed USB device number 2 using ehci-pci
      [  511.911206] usb 1-1: New USB device found, idVendor=46f4, idProduct=0001, bcdDevice= 0.00
      [  511.915994] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      [  511.920071] usb 1-1: Product: QEMU USB HARDDRIVE
      [  511.922966] usb 1-1: Manufacturer: QEMU
      [  511.925236] usb 1-1: SerialNumber: RED
      [  511.934510] usb 1-1: Device is not authorized for usage
      Enter
    2. On the usbguard VM, list the blocked USB devices and record the device number for the RED USB device.

      The device numbers might differ in your classroom.

      [root@localhost ~]# usbguard list-devices --blocked
      5: block id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type ""
    3. Allow the device and make the decision persistent. The -p option appends an allow rule for this specific device, including its hash, to the /etc/usbguard/rules.conf file.

      [root@localhost ~]# usbguard allow-device -p 5
      [ 5014.063516] usb 1-1: authorized to connect
      ...output omitted...
      Enter
    4. List the persistent rules and ensure that the RED USB device is added.

      [root@localhost ~]# usbguard list-rules
      6: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" with-interface 08:06:50 with-connect-type ""

      Note

      If the device is not listed, then restart the usbguard service to ensure that the USBGuard daemon loads the /etc/usbguard/rules.conf file.

      [root@localhost ~]# systemctl restart usbguard
    5. List the devices to ensure that the RED USB device has a rule target of allow.

      [root@localhost ~]# usbguard list-devices | grep RED
      5: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type ""
  5. Return to the workstation machine, and attach the BLUE USB device to the usbguard VM. Confirm that the BLUE USB device is blocked from interacting with the usbguard VM, and then detach the USB device from the usbguard VM.

    1. Attach the usb-disk-blue.img disk image to the usbguard VM.

      [student@workstation ~]$ sudo virsh attach-device usbguard \
      ~/RH415/labs/usb-usb/usb-disk-blue.xml
      [sudo] password for student: student
      Device attached successfully

      Return to the console of the usbguard VM, and notice the kernel messages indicate that the BLUE USB device is not authorized for usage. Press Enter to return to the command prompt.

      [ 7200.497544] usb 1-2: new high-speed USB device number 3 using ehci-pci
      [ 7200.633369] usb 1-2: New USB device found, idVendor=46f4, idProduct=0001, bcdDevice= 0.00
      [ 7200.638668] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      [ 7200.640789] usb 1-2: Product: QEMU USB HARDDRIVE
      [ 7200.642356] usb 1-2: Manufacturer: QEMU
      [ 7200.643703] usb 1-2: SerialNumber: BLUE
      [ 7200.648247] usb 1-2: Device is not authorized for usage
      Enter
    2. On the usbguard VM, list the USB devices to confirm that the system allows the RED USB device and blocks the BLUE USB device because of the current rules and their rule targets.

      The device numbers might differ in your classroom.

      [root@localhost ~]# usbguard list-devices | grep "RED\|BLUE"
      5: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type ""
      7: block id 46f4:0001 serial "BLUE" name "QEMU USB HARDDRIVE" hash "GT0vx1ANtDVdOaekgV1a9GmXHc2Mwrx4o3w6gXae5Lo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-2" with-interface 08:06:50 with-connect-type ""
    3. Return to the workstation machine and detach the BLUE USB device from the usbguard VM.

      [student@workstation ~]$ sudo virsh detach-device usbguard \
      ~/RH415/labs/usb-usb/usb-disk-blue.xml
      [sudo] password for student: student
      Device detached successfully
  6. Generate a new base policy that keeps an allow rule for every device that is currently attached, and that rejects any other USB device that tries to interact with the system. Verify that the catch-all reject rule is added.

    1. Generate a new base policy with a reject rule target. The generate-policy command writes an allow rule for each device that is attached at that moment, which is why the BLUE USB device was detached in the previous step. The -X option omits the hash attributes from the generated rules, and -t reject sets the target of the final catch-all rule.

      [root@localhost ~]# usbguard generate-policy -X \
      -t reject > /etc/usbguard/rules.conf
    2. Restart the usbguard service.

      [root@localhost ~]# systemctl restart usbguard.service
    3. Confirm the allow rule target for the RED USB device followed by a catch-all reject rule target.

      [root@localhost ~]# usbguard list-rules
      1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00 with-connect-type ""
      2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
      3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
      4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
      5: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" with-interface 08:06:50 with-connect-type "unknown"
      6: reject
  7. Attach the BLUE USB device to the usbguard VM. Inspect the journal for the attach attempt, and list the devices that USBGuard recognizes.

    1. Return to the workstation machine to attach the BLUE USB device to the usbguard VM.

      [student@workstation ~]$ sudo virsh attach-device usbguard \
      ~/RH415/labs/usb-usb/usb-disk-blue.xml
      [sudo] password for student: student
      Device attached successfully

      The virsh command on the workstation machine reports that the device attached successfully, because the hypervisor only presents the device to the VM; the usbguard daemon inside the VM decides whether the device is authorized. Under the earlier policy, the BLUE USB device matched no allow rule and received the block target: a blocked device stays enumerated by the kernel but is deauthorized, so no driver binds to it, it cannot be mounted, and it remains visible in the usbguard list-devices output. Under the new policy, it matches the catch-all reject rule: a rejected device is deauthorized and then removed from the system, so it does not appear in the usbguard list-devices output at all.

    2. Query the systemd journal records, and notice both the kernel messages and the usbguard-daemon messages. The USB disconnect entry that follows the not-authorized message is the reject target removing the device. Press q to return to the command prompt.

      [root@localhost ~]# journalctl -b -e
      ...output omitted...
      Jul 14 15:38:00 localhost.localdomain kernel: usb 1-2: new high-speed USB devic>
      Jul 14 15:38:00 localhost.localdomain kernel: usb 1-2: New USB device found, id>
      Jul 14 15:38:00 localhost.localdomain kernel: usb 1-2: New USB device strings: >
      Jul 14 15:38:00 localhost.localdomain kernel: usb 1-2: Product: QEMU USB HARDDR>
      Jul 14 15:38:00 localhost.localdomain kernel: usb 1-2: Manufacturer: QEMU
      Jul 14 15:38:00 localhost.localdomain kernel: usb 1-2: SerialNumber: BLUE
      Jul 14 15:38:00 localhost.localdomain usbguard-daemon[11644]: uid=0 pid=11642 r>
      Jul 14 15:38:00 localhost.localdomain usbguard-daemon[11644]: uid=0 pid=11642 r>
      Jul 14 15:38:00 localhost.localdomain kernel: usb 1-2: Device is not authorized>
      Jul 14 15:38:00 localhost.localdomain kernel: usb 1-2: USB disconnect, device n>
      Jul 14 15:38:00 localhost.localdomain usbguard-daemon[11644]: uid=0 pid=11642 r>
      ...output omitted...
      q
    3. List all USB devices that the USBGuard daemon recognizes, and confirm that the RED USB device is listed, but that the BLUE USB device was rejected and is not listed.

      The device numbers might differ in your classroom.

      [root@localhost ~]# usbguard list-devices
      7: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "MhPzffrQEhx5CwP3GXco7JXDbaMzFbD5FPUfFE7nfu0=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
      8: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "9Ii0Zm8Mvu2nYz9z/EgAXJ/ed6bLW8Ctv1iUD5rh6qY=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
      9: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "t7Z0XTvKnMmdqAm1vU+noU318kZsRQQV+JorpRThQ7c=" via-port "usb3" with-interface 09:00:00 with-connect-type ""
      10: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "UyZQuRI+gcw41fsM6Kgyty6pgYN0zfyYjqSpJv7na1E=" via-port "usb4" with-interface 09:00:00 with-connect-type ""
      11: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type "unknown"
  8. Return to the workstation machine as the student user.

    1. Log out of the usbguard VM console session.

      [root@localhost ~]# logout
      [student@localhost ~]$ logout
    2. Exit the usbguard VM console.

      Red Hat Enterprise Linux 9.2 (Plow)
      Kernel 5.14.0-284.11.1.el9_2.x86_64 on an x86_64
      
      Activate the web console with: systemctl enable --now cockpit.socket
      
      localhost login:
      Ctrl+]
    3. Return to the workstation machine as the student user.

      [root@workstation ~]# logout
      [student@workstation ~]$
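As an added example, not part of this lab or of the USBGuard project, the following POSIX shell helpers show the three points that steps 4, 6, and 7 rely on: which rule target each enumerated device ended up with, what the persistent rule that allow-device -p appends looks like when derived from a list-devices line, and an audit of a rules.conf body that confirms a single catch-all block or reject rule sits last, because usbguard-daemon applies the first matching rule and any rule after a catch-all is unreachable. The two device lines are copied from the lab output above; the rule sets, the function names, and the assumption that the text has already been captured from usbguard list-devices are the example's own.

```shell
#!/bin/sh
# Added example for this lab, not RH415 course material or USBGuard code.
# The helpers work on text captured from `usbguard list-devices` and from
# /etc/usbguard/rules.conf; they never call usbguard, so the script runs
# offline. Function names and the two rules.conf bodies are assumptions of
# this example; the device lines are copied from the lab output.

# Constructed sample: the two device lines from step 5.2 of the lab.
LIST_DEVICES_SAMPLE='5: allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type ""
7: block id 46f4:0001 serial "BLUE" name "QEMU USB HARDDRIVE" hash "GT0vx1ANtDVdOaekgV1a9GmXHc2Mwrx4o3w6gXae5Lo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-2" with-interface 08:06:50 with-connect-type ""'

# Constructed rules.conf bodies (assumed): one shaped like the policy that
# generate-policy -t reject produced in step 6, one with the catch-all too early.
GOOD_RULES='allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00 with-connect-type ""
allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" with-interface 08:06:50 with-connect-type "unknown"
reject'

BAD_RULES='allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00 with-connect-type ""
reject
# dead rule: the daemon applies the first matching rule, so RED is rejected
# by the catch-all above before this line is ever consulted
allow id 46f4:0001 serial "RED" name "QEMU USB HARDDRIVE" with-interface 08:06:50 with-connect-type "unknown"'

# Print the serial of every device on stdin whose rule target is $1
# (allow, block or reject). Input is `usbguard list-devices` output.
devices_with_target() {
    sed -n "s/^[0-9][0-9]*: $1 id [0-9a-f]*:[0-9a-f]* serial \"\([^\"]*\)\".*/\1/p"
}

# Turn one `usbguard list-devices` line into the persistent rule that
# `usbguard allow-device -p` appends: drop the device number and the
# via-port attribute (keeping it would pin the rule to one physical port),
# and keep hash and parent-hash so the rule matches only a device whose
# descriptors hash to the same value, not merely the same VID:PID and serial.
persistent_rule_from_device() {
    printf '%s\n' "$1" | sed -e 's/^[0-9][0-9]*: //' -e 's/ via-port "[^"]*"//'
}

# Audit a rules.conf body passed in $1. Succeeds only if exactly one bare
# catch-all rule (a line that is just allow, block or reject) exists, it is
# the last effective rule, and its target is block or reject. Comment and
# blank lines are ignored.
check_catch_all() {
    rules=$(printf '%s\n' "$1" | grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' || true)
    last=$(printf '%s\n' "$rules" | tail -n 1 | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    catch_alls=$(printf '%s\n' "$rules" | grep -c -E '^[[:space:]]*(allow|block|reject)[[:space:]]*$' || true)
    case "$last" in
        block|reject) [ "$catch_alls" -eq 1 ] ;;
        *) return 1 ;;
    esac
}

main() {
    printf 'blocked devices: %s\n' "$(printf '%s\n' "$LIST_DEVICES_SAMPLE" | devices_with_target block)"
    printf 'persistent rule: %s\n' "$(persistent_rule_from_device "$(printf '%s\n' "$LIST_DEVICES_SAMPLE" | head -n 1)")"
    if check_catch_all "$GOOD_RULES"; then echo "GOOD_RULES: catch-all is last, policy is sound"; fi
    if ! check_catch_all "$BAD_RULES"; then echo "BAD_RULES: catch-all misplaced, later rules are dead"; fi
}

main
```

On a real host, feed the helpers live data instead of the sample, for example usbguard list-devices | devices_with_target block, or check_catch_all "$(cat /etc/usbguard/rules.conf)" before restarting the service. Without an explicit catch-all, devices that match no rule fall through to the ImplicitPolicyTarget setting in /etc/usbguard/usbguard-daemon.conf, which defaults to block; the lab's generate-policy -t reject makes that decision explicit and stricter.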

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade usb-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish usb-review

Revision: rh415-9.2-a821299