Preventing USB Attacks with linux-hardened
In December 2016 I wrote a piece about using Grsecurity to prevent new
USB devices from being loaded. Grsecurity has, unfortunately, left
this world, but the linux-hardened project has taken on some of the
patches and updates. I thought it would be worth a minor update to
that post now that linux-hardened has ported the deny_new_usb
patches, and uses a marginally different sysctl setting.
The new systemd service:
[Unit]
Description=Prevent new USB devices from being loaded

[Service]
Type=oneshot
ExecStart=/usr/bin/sysctl kernel.deny_new_usb=1
ExecStop=/usr/bin/sysctl kernel.deny_new_usb=0
RemainAfterExit=yes

[Install]
WantedBy=default.target suspend.target sleep.target
…and the new i3status script:
#!/bin/bash
set -e
# Wrap i3status: read each status line it emits and prefix it with the
# current deny_new_usb state (locked = new USB devices are rejected).
i3status | while true; do
read -r line
if [ "$(sysctl -n kernel.deny_new_usb)" -eq 1 ];
then
usb_status="USB: 🔒"
else
usb_status="USB: 🔓"
fi
echo "$usb_status | $line"
done
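The status script above only knows two states, and it also trusts that the sysctl write in the unit file actually took effect. The following helpers, an added example rather than code from the original post, give the status bar a third label for the case where the running kernel has no kernel.deny_new_usb at all (a kernel without the linux-hardened patch), and add a set-and-verify step so a silently failed write is not mistaken for protection. The function names and the "USB: n/a" / "USB: ?" labels are my own choices, not part of the post.

```shell
#!/bin/sh
# Added example, not from the original post: status label and verified
# toggling for the linux-hardened kernel.deny_new_usb sysctl.

SYSCTL_KEY="kernel.deny_new_usb"

# Map a raw sysctl value to a status-bar label.
# An empty value means the sysctl does not exist on this kernel.
usb_label_for_value() {
    case "$1" in
        1)  printf 'USB: 🔒' ;;
        0)  printf 'USB: 🔓' ;;
        '') printf 'USB: n/a' ;;   # no deny_new_usb support in this kernel
        *)  printf 'USB: ?' ;;     # unexpected value, treat as unknown
    esac
}

# Read the current value; prints nothing (and does not fail) when the
# sysctl is absent or the sysctl binary is missing.
read_deny_new_usb() {
    sysctl -n "$SYSCTL_KEY" 2>/dev/null || true
}

# Return 0 only when the kernel currently reports the wanted value.
verify_deny_new_usb() {
    [ "$(read_deny_new_usb)" = "$1" ]
}

# Write the value (needs root) and confirm the kernel accepted it, so a
# failed write at boot shows up as an error instead of a false "locked".
set_deny_new_usb() {
    sysctl -w "$SYSCTL_KEY=$1" >/dev/null 2>&1 || {
        echo "failed to write $SYSCTL_KEY=$1" >&2
        return 1
    }
    verify_deny_new_usb "$1" || {
        echo "$SYSCTL_KEY did not take value $1" >&2
        return 1
    }
}

# Label for the running kernel, usable as a drop-in for the i3status loop.
current_usb_label() {
    usb_label_for_value "$(read_deny_new_usb)"
}
```

In the i3status loop, replace the if/else with usb_status="$(current_usb_label)"; the systemd unit can use ExecStart=/path/to/this.sh with a small wrapper that calls set_deny_new_usb 1, so the unit fails visibly when the kernel does not support the setting.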