Profile Applicability:
• Level 1
Description:
The usb-storage kernel module provides support for USB mass storage devices, allowing the system to access USB-connected storage media.
Rationale:
Disabling the usb-storage kernel module when not required reduces the attack surface by preventing unauthorized or malicious USB storage devices from being mounted, which helps mitigate data exfiltration and malware introduction risks.
Impact:
Pros:
Prevents unauthorized USB storage device usage.
Reduces risk of data theft and malware via USB devices.
Cons:
Systems requiring USB storage device access will be unable to mount USB storage devices if the module is disabled.
Default Value:
The usb-storage module is typically enabled and loaded by default on most Linux systems.
Pre-requisites:
Root or sudo privileges to modify kernel module configurations.
Access to /etc/modprobe.d/ to configure blacklisting or disabling.
Remediation:
Test Plan:
Using Linux command line:
Check if the usb-storage module is loaded:
lsmod | grep usb_storage
Verify blacklist or disable entries:
grep -r usb-storage /etc/modprobe.d/
Test module load behavior:
modprobe -n -v usb-storage
Expected output should indicate the module is disabled, e.g., install /bin/false.
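The three Test Plan checks can be combined into one audit function. This is an added example, not part of the benchmark text; the function name audit_usb_storage and its two parameters are assumptions made for illustration. Unlike the plain grep above, it ignores commented-out entries and accepts the usb_storage spelling, which modprobe treats as the same module name.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit the usb-storage control.
# audit_usb_storage CONF_DIR MODULES_FILE
#   CONF_DIR      modprobe configuration directory (default /etc/modprobe.d)
#   MODULES_FILE  loaded-module list in /proc/modules format (default /proc/modules)
# Prints one PASS/FAIL line per check; exit status is 0 only if all checks pass.
# The body runs in a subshell ( ... ) so its variables do not leak to the caller.
audit_usb_storage() (
    conf_dir=${1:-/etc/modprobe.d}
    modules=${2:-/proc/modules}
    rc=0
    # modprobe treats '-' and '_' in module names as the same character,
    # so a configuration line may use either spelling.
    name='usb[-_]storage'
    sp='[[:space:]]'

    # Check 1: the kernel lists the module as usb_storage when it is loaded.
    if [ ! -r "$modules" ]; then
        echo "FAIL: cannot read $modules"; rc=1
    elif grep -Eq "^usb_storage${sp}" "$modules"; then
        echo "FAIL: usb_storage is currently loaded"; rc=1
    else
        echo "PASS: usb_storage is not loaded"
    fi

    # Check 2: an active (uncommented) install line pointing at /bin/false.
    if grep -Eqs "^${sp}*install${sp}+${name}${sp}+/bin/false(${sp}|\$)" "$conf_dir"/*.conf; then
        echo "PASS: install directive maps usb-storage to /bin/false"
    else
        echo "FAIL: no active install directive for usb-storage"; rc=1
    fi

    # Check 3: an active (uncommented) blacklist line.
    if grep -Eqs "^${sp}*blacklist${sp}+${name}${sp}*\$" "$conf_dir"/*.conf; then
        echo "PASS: usb-storage is blacklisted"
    else
        echo "FAIL: no active blacklist entry for usb-storage"; rc=1
    fi

    exit "$rc"
)
# Usage on a live host: audit_usb_storage /etc/modprobe.d /proc/modules
```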
Implementation Plan:
Using Linux command line:
Create or edit /etc/modprobe.d/usb-storage.conf:
echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf
echo "blacklist usb-storage" >> /etc/modprobe.d/usb-storage.conf
Unload the module if currently loaded:
modprobe -r usb-storage
Reboot the system or reload module configurations.
Backout Plan:
Using Linux command line:
Remove blacklist and disable entries:
sed -i '/usb-storage/d' /etc/modprobe.d/usb-storage.conf
Optionally reload the module:
modprobe usb-storage
Reboot the system.
References:
CIS Amazon Linux 2 Benchmark v3.0.0