Lab: Restricting USB Device Access

Selectively control which USB devices may access or be accessed by the system by using USBGuard.

Outcomes

  • Create a permanent USBGuard policy that allows a specific USB device to interact with the system.

  • Generate a base policy that maintains currently defined policies and that ignores any additional USB devices that attempt to connect to the system.

  • Use command-line tools to confirm USB device access policies.

If you did not reset your workstation and server machines at the end of the last chapter, then save any work you want to keep from earlier exercises on those machines, and reset them now.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start compreview-usbguard

Specifications

Configure the usbguard virtual machine that is hosted on the workstation machine to use USBGuard.

  • The following instructions describe how to use the usbguard virtual machine on the workstation machine, and how to attach virtual USB devices to the usbguard virtual machine:

    • The required XML files to define virtual USB devices for testing are present in the /home/student/RH415/labs/compreview-usbguard directory on the workstation machine.

    • You can start the virtual machine as the root user by using the virsh start usbguard command.

    • You can attach a USB device to the virtual machine by using the virsh attach-device usbguard usb-device.xml command, where usb-device.xml is a USB device configuration file.

    • You can connect to the console of the virtual machine by using the virsh console usbguard command.

  • The USBGuard service on the usbguard virtual machine must be configured to meet the following specifications:

    • The usbguard virtual machine should allow only the MRKTG USB device to access the system.

    • The usbguard virtual machine should reject any other USB devices from interacting with the system.

    • You can use the provided GREEN USB device to test whether device rejection is working.

    • Make sure that the USBGuard service is configured, operating, and starts automatically on boot.

  1. On the workstation machine, start the usbguard virtual machine. Open the usbguard VM console and log in as the student user. Use student as the password.

    1. Change to the root user on the workstation machine. Use student as the password.

      [student@workstation ~]$ sudo -i
      [sudo] password for student: student
      [root@workstation ~]#
    2. Use the virsh start command to start the usbguard VM. Allow the usbguard VM about two minutes to complete the startup process.

      [root@workstation ~]# virsh start usbguard
      Domain 'usbguard' started
    3. Use the virsh console command to access the console of the VM. If the console is slow to display the login prompt, then press Enter to proceed to the prompt.

      [root@workstation ~]# virsh console usbguard
      Connected to domain 'usbguard'
      Escape character is ^] (Ctrl + ])
      <Enter>
      
      localhost login: student
      Password: student
      ...output omitted...
      [student@localhost ~]$
  2. On the usbguard VM, install the RPM packages to configure, control, and manage USB device access.

    1. Change to the root user. Use student as the password.

      [student@localhost ~]$ sudo -i
      [root@localhost ~]#
    2. Install the usbguard, usbutils, and udisks2 packages.

      [root@localhost ~]# dnf install usbguard usbutils udisks2
      ...output omitted...
      ================================================================================
       Package    Arch     Version         Repository                            Size
      ================================================================================
      Installing:
       udisks2    x86_64   2.9.4-7.el9     rhel-9.2-for-x86_64-appstream-rpms   495 k
       usbguard   x86_64   1.0.0-15.el9    rhel-9.2-for-x86_64-appstream-rpms   475 k
       usbutils   x86_64   013-4.el9       rhel-9.2-for-x86_64-baseos-rpms      119 k
      ...output omitted...
      Is this ok [y/N]: y
      ...output omitted...
      Complete!
  3. Start the usbguard service and configure it to persist across reboots. Run the usbguard list-devices command to list the default devices.

    1. Configure the usbguard service to persist across reboots.

      [root@localhost ~]# systemctl enable usbguard --now
      Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /usr/lib/systemd/system/usbguard.service.
      ...output omitted...
    2. Use the usbguard list-devices command to list all the USB devices that are recognized by USBGuard.

      [root@localhost ~]# usbguard list-devices
      1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "MhPzffrQEhx5CwP3GXco7JXDbaMzFbD5FPUfFE7nfu0=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
      2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "9Ii0Zm8Mvu2nYz9z/EgAXJ/ed6bLW8Ctv1iUD5rh6qY=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
      3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "t7Z0XTvKnMmdqAm1vU+noU318kZsRQQV+JorpRThQ7c=" via-port "usb3" with-interface 09:00:00 with-connect-type ""
      4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "UyZQuRI+gcw41fsM6Kgyty6pgYN0zfyYjqSpJv7na1E=" via-port "usb4" with-interface 09:00:00 with-connect-type ""
  4. Set a permanent USBGuard policy to allow the MRKTG USB device access to the system. Use the /home/student/RH415/labs/compreview-usbguard/usb-disk-mrktg.xml file to attach a new MRKTG USB device to the usbguard VM. Create a permanent allow rule target for the MRKTG USB device.

    1. From the workstation machine, open a second terminal session and attach the MRKTG USB device (usb-disk-mrktg.img) to the usbguard VM.

      [student@workstation ~]$ sudo virsh attach-device usbguard \
          ~/RH415/labs/compreview-usbguard/usb-disk-mrktg.xml
      [sudo] password for student: student
      Device attached successfully
    2. On the virsh console terminal that is connected to the usbguard VM, you can see kernel messages indicating that the MRKTG USB device is not authorized for use. Press Enter to return to the command prompt.

      [  318.524538] usb 1-1: new high-speed USB device number 2 using ehci-pci
      [  318.677164] usb 1-1: New USB device found, idVendor=46f4, idProduct=0001, bcdDevice= 0.00
      [  318.686755] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      [  318.694659] usb 1-1: Product: QEMU USB HARDDRIVE
      [  318.700177] usb 1-1: Manufacturer: QEMU
      [  318.704553] usb 1-1: SerialNumber: MRKTG
      [  318.725665] usb 1-1: Device is not authorized for usage
      <Enter>
      
      [root@localhost ~]#
    3. From the usbguard VM, list the blocked USB devices and record the device number for the MRKTG USB device.

      The device ID number (5 in the following output) might be different on your system.

      [root@localhost ~]# usbguard list-devices --blocked
      5: block id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" hash "FyMVaBZ38qpDfKMvXvtwKcgOGcD7N1UQ/KwO4tx/coA=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type ""
    4. On the usbguard VM, use the usbguard allow-device command to add a permanent allow rule target for the MRKTG USB device.

      [root@localhost ~]# usbguard allow-device -p 5
      ...output omitted...
      <Enter>
      [  876.176533] sd 6:0:0:0: [sda] Attached SCSI disk
    5. Restart the usbguard service so that the USBGuard daemon loads the /etc/usbguard/rules.conf file.

      [root@localhost ~]# systemctl restart usbguard
      ...output omitted...
      <Enter>
    6. Run the usbguard list-rules command to list persistent rules and verify that the MRKTG USB device is listed. Rule numbers might be different on your system.

      [root@localhost ~]# usbguard list-rules
      1: allow id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" hash "FyMVaBZ38qpDfKMvXvtwKcgOGcD7N1UQ/KwO4tx/coA=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" with-interface 08:06:50 with-connect-type ""
    7. List the devices to ensure that the MRKTG USB device has a target policy of allow.

      [root@localhost ~]# usbguard list-devices
      2: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "MhPzffrQEhx5CwP3GXco7JXDbaMzFbD5FPUfFE7nfu0=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
      3: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "9Ii0Zm8Mvu2nYz9z/EgAXJ/ed6bLW8Ctv1iUD5rh6qY=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
      4: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "t7Z0XTvKnMmdqAm1vU+noU318kZsRQQV+JorpRThQ7c=" via-port "usb3" with-interface 09:00:00 with-connect-type ""
      5: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "UyZQuRI+gcw41fsM6Kgyty6pgYN0zfyYjqSpJv7na1E=" via-port "usb4" with-interface 09:00:00 with-connect-type ""
      6: block id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" hash "FyMVaBZ38qpDfKMvXvtwKcgOGcD7N1UQ/KwO4tx/coA=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type "unknown"
  5. From the workstation machine, attach the GREEN USB device to the usbguard VM. Use the provided /home/student/RH415/labs/compreview-usbguard/usb-disk-green.xml file to attach a new GREEN USB device to the usbguard VM. Then, create a permanent block rule target for the GREEN USB device, and detach the GREEN USB device. Leave only the MRKTG USB device attached.

    1. From the workstation machine, attach the GREEN USB device (usb-disk-green.img) to the usbguard VM.

      [student@workstation ~]$ sudo virsh attach-device usbguard \
          ~/RH415/labs/compreview-usbguard/usb-disk-green.xml
      [sudo] password for student: student
      Device attached successfully
    2. On the virsh console terminal that is connected to the usbguard VM, you can see kernel messages indicating that the GREEN USB device is not authorized for use. Press Enter to return to the command prompt.

      [  417.112529] usb 1-2: new high-speed USB device number 3 using ehci-pci
      [  417.249491] usb 1-2: New USB device found, idVendor=46f4, idProduct=0001, bcdDevice= 0.00
      [  417.253207] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      [  417.256561] usb 1-2: Product: QEMU USB HARDDRIVE
      [  417.258714] usb 1-2: Manufacturer: QEMU
      [  417.260685] usb 1-2: SerialNumber: GREEN
      [  417.268334] usb 1-2: Device is not authorized for usage
      <Enter>
      
      [root@localhost ~]#
    3. From the usbguard VM, list the USB devices to confirm that device ID 5 has the allow rule target and that the GREEN USB device has the block rule target.

      The device numbers (5 and 7 in the following output) might be different on your system.

      [root@localhost ~]# usbguard list-devices
      2: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "MhPzffrQEhx5CwP3GXco7JXDbaMzFbD5FPUfFE7nfu0=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
      3: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "9Ii0Zm8Mvu2nYz9z/EgAXJ/ed6bLW8Ctv1iUD5rh6qY=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
      4: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "t7Z0XTvKnMmdqAm1vU+noU318kZsRQQV+JorpRThQ7c=" via-port "usb3" with-interface 09:00:00 with-connect-type ""
      5: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "UyZQuRI+gcw41fsM6Kgyty6pgYN0zfyYjqSpJv7na1E=" via-port "usb4" with-interface 09:00:00 with-connect-type ""
      6: block id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" hash "FyMVaBZ38qpDfKMvXvtwKcgOGcD7N1UQ/KwO4tx/coA=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type "unknown"
      7: block id 46f4:0001 serial "GREEN" name "QEMU USB HARDDRIVE" hash "Z7yCmQOvP8sTvvCofXeruT6IHBV1JSQpnvQoyELws5E=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-2" with-interface 08:06:50 with-connect-type ""
    4. On the workstation machine, use the second terminal session to detach the GREEN USB device from the usbguard VM:

      [student@workstation ~]$ sudo virsh detach-device usbguard \
          ~/RH415/labs/compreview-usbguard/usb-disk-green.xml
      Device detached successfully
  6. From the usbguard VM, generate a new base policy with a reject rule target that ignores any additional USB devices that try to interact with the system. Use the /home/student/RH415/labs/compreview-usbguard/usb-disk-green.xml file to confirm that the GREEN USB device is blocked from interacting with the usbguard VM.

    1. Generate a new base policy with a reject rule target. Restart the usbguard service.

      [root@localhost ~]# usbguard generate-policy -X -t \
          reject > /etc/usbguard/rules.conf
      [root@localhost ~]# systemctl restart usbguard.service
      ...output omitted...
      <Enter>
    2. Run the usbguard list-rules command to confirm an allow rule target for the MRKTG USB device followed by a catchall reject rule target that applies to any additional USB devices.

      [root@localhost ~]# usbguard list-rules
      1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00 with-connect-type ""
      2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
      3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
      4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" with-interface 09:00:00 with-connect-type ""
      5: allow id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" with-interface 08:06:50 with-connect-type "unknown"
      6: reject
    3. From the workstation machine, attach the GREEN USB device (usb-disk-green.img) to the usbguard VM.

      Although the command output indicates that the GREEN USB device was successfully attached, further investigation on the usbguard VM confirms that the attempt to attach a USB device was not authorized. A blocked USB device appears in command-line tool listings but it is not allowed to mount. A rejected USB device is ignored by the system and therefore does not display in command-line tool listings.

      [student@workstation ~]$ sudo virsh attach-device usbguard \
          ~/RH415/labs/compreview-usbguard/usb-disk-green.xml
      Device attached successfully
    4. The journal records the kernel action as well as the USBGuard action. Press q to exit the journalctl prompt.

      ...output omitted...
      <Enter>
      [root@localhost ~]# journalctl -b -e
      Jan 23 12:22:40 localhost.localdomain kernel: sd 6:0:0:0: [sda] 65536 512-byte >
      Jan 23 12:22:40 localhost.localdomain kernel: sd 6:0:0:0: [sda] Write Protect i>
      Jan 23 12:22:40 localhost.localdomain kernel: sd 6:0:0:0: [sda] Mode Sense: 63 >
      Jan 23 12:22:40 localhost.localdomain kernel: sd 6:0:0:0: [sda] Write cache: en>
      Jan 23 12:22:40 localhost.localdomain kernel: sd 6:0:0:0: [sda] Attached SCSI d>
      Jan 23 12:23:26 localhost.localdomain systemd[1]: Starting dnf makecache...
      Jan 23 12:23:27 localhost.localdomain dnf[11592]: Failed determining last makec>
      Jan 23 12:23:27 localhost.localdomain dnf[11592]: Red Hat Enterprise Linux 9.2 >
      Jan 23 12:23:27 localhost.localdomain dnf[11592]: Red Hat Enterprise Linux 9.2 >
      Jan 23 12:23:27 localhost.localdomain dnf[11592]: Metadata cache created.
      Jan 23 12:23:27 localhost.localdomain systemd[1]: dnf-makecache.service: Deacti>
      Jan 23 12:23:27 localhost.localdomain systemd[1]: Finished dnf makecache.
      Jan 23 12:24:35 localhost.localdomain kernel: usb 1-2: new high-speed USB devic>
      Jan 23 12:24:35 localhost.localdomain kernel: usb 1-2: New USB device found, id>
      Jan 23 12:24:35 localhost.localdomain kernel: usb 1-2: New USB device strings: >
      Jan 23 12:24:35 localhost.localdomain kernel: usb 1-2: Product: QEMU USB HARDDR>
      Jan 23 12:24:35 localhost.localdomain kernel: usb 1-2: Manufacturer: QEMU
      Jan 23 12:24:35 localhost.localdomain kernel: usb 1-2: SerialNumber: GREEN
      Jan 23 12:24:35 localhost.localdomain usbguard-daemon[11576]: uid=0 pid=11574 r>
      Jan 23 12:24:35 localhost.localdomain kernel: usb 1-2: Device is not authorized>
      Jan 23 12:24:35 localhost.localdomain usbguard-daemon[11576]: uid=0 pid=11574 r>
      Jan 23 12:24:35 localhost.localdomain kernel: usb 1-2: USB disconnect, device n>
      Jan 23 12:24:35 localhost.localdomain usbguard-daemon[11576]: uid=0 pid=11574 r>
      ...output omitted...
      <q>
    5. Run the usbguard list-devices command to confirm that the MRKTG USB device is listed but the GREEN USB device is ignored and therefore is not listed.

      [root@localhost ~]# usbguard list-devices
      7: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "MhPzffrQEhx5CwP3GXco7JXDbaMzFbD5FPUfFE7nfu0=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
      8: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "9Ii0Zm8Mvu2nYz9z/EgAXJ/ed6bLW8Ctv1iUD5rh6qY=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
      9: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "t7Z0XTvKnMmdqAm1vU+noU318kZsRQQV+JorpRThQ7c=" via-port "usb3" with-interface 09:00:00 with-connect-type ""
      10: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "UyZQuRI+gcw41fsM6Kgyty6pgYN0zfyYjqSpJv7na1E=" via-port "usb4" with-interface 09:00:00 with-connect-type ""
      11: allow id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" hash "FyMVaBZ38qpDfKMvXvtwKcgOGcD7N1UQ/KwO4tx/coA=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50 with-connect-type "unknown"
    6. Return to the student user on the usbguard VM terminal session:

      [root@localhost ~]# logout
      [student@localhost ~]$ logout
    7. Exit the virtual machine's console and return to the workstation machine as the student user:

      Red Hat Enterprise Linux Server 7.5 (Maipo)
      Kernel 3.10.0-862.3.2.el7.x86_64 on an x86_64
      
      localhost login:
      Ctrl+]
      [root@workstation ~]# logout
      [student@workstation ~]$
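
The following Python script is an added example and not part of the lab's own material: an offline evaluator for the USBGuard rule syntax seen in the list-rules and list-devices output above. It applies rules in order with first-match semantics, falls back to block when no rule matches (USBGuard's default ImplicitPolicyTarget), and compares each listed device's current target with what the persistent policy would decide, which is the check behind restarting the daemon in step 4 and the list-devices checks in steps 4 to 6. The sample rules and device lines are constructed from the values on this page without the hash fields, and the brace set syntax of rules.conf is assumed out of scope.

```python
import shlex

# Attribute keywords that appear in the list-rules / list-devices output above.
ATTRS = {"id", "serial", "name", "hash", "parent-hash", "via-port",
         "with-interface", "with-connect-type"}
TARGETS = {"allow", "block", "reject"}

# Constructed sample: persistent rules as generate-policy -X -t reject writes them.
RULES_CONF = """
allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00 with-connect-type ""
allow id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" with-interface 08:06:50 with-connect-type "unknown"
reject
"""
# Constructed runtime state (list-devices format, hashes omitted); both still show block.
DEVICES = """
6: block id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" via-port "1-1" with-interface 08:06:50 with-connect-type "unknown"
7: block id 46f4:0001 serial "GREEN" name "QEMU USB HARDDRIVE" via-port "1-2" with-interface 08:06:50 with-connect-type ""
"""

def parse_rule(line):
    """Parse one rule or device line into (target, {attribute: value}).
    Only the single-valued attribute form shown on this page is handled; the
    brace set syntax of rules.conf ({ a b }) is out of scope (assumption)."""
    tokens = shlex.split(line)
    if tokens and tokens[0].endswith(":"):      # drop the "6:" prefix of listings
        tokens = tokens[1:]
    if not tokens or tokens[0] not in TARGETS:
        raise ValueError(f"no rule target in: {line!r}")
    target, rest = tokens[0], tokens[1:]
    if len(rest) % 2:
        raise ValueError(f"dangling attribute in: {line!r}")
    attrs = {}
    for key, value in zip(rest[::2], rest[1::2]):
        if key not in ATTRS:
            raise ValueError(f"unknown attribute {key!r} in: {line!r}")
        attrs[key] = value
    return target, attrs

def parse_rules(text):
    """Parse rules.conf text, skipping blank and comment lines."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def evaluate(rules, device, implicit_target="block"):
    """First matching rule wins; a bare target such as 'reject' matches everything.
    With no match USBGuard applies ImplicitPolicyTarget from usbguard-daemon.conf (default block)."""
    for target, attrs in rules:
        if all(device.get(k) == v for k, v in attrs.items()):
            return target
    return implicit_target

def audit(rules_text, devices_text):
    """Map serial -> (current target, target the persistent policy would apply).
    A mismatch means the running daemon is not enforcing rules.conf yet."""
    rules = parse_rules(rules_text)
    report = {}
    for line in devices_text.splitlines():
        if line.strip():
            current, attrs = parse_rule(line)   # device lines share the rule grammar
            report[attrs["serial"]] = (current, evaluate(rules, attrs))
    return report
```

Running audit(RULES_CONF, DEVICES) reports MRKTG as currently block but allow under the policy, and GREEN as block versus reject, which is the state you would see between editing rules.conf and restarting the usbguard service.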

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade compreview-usbguard

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compreview-usbguard

Revision: rh415-9.2-a821299