Hi,
This is my first mail to this mailing list. I want to block external USB storage completely on my server running CentOS 5, which holds confidential data.
For that I used udev and blocked the external USB storage by creating a udev rule specifying that any USB storage will get mounted to /dev/null, so that users can't mount it either.
But in the meantime I am getting the logs below in my /var/log/messages file when I insert any USB storage device.
######################################################
May 23 12:24:02 localhost kernel: usb 1-4: new high speed USB device using ehci_hcd and address 4
May 23 12:24:02 localhost kernel: usb 1-4: configuration #1 chosen from 1 choice
May 23 12:24:02 localhost kernel: scsi3 : SCSI emulation for USB Mass Storage devices
May 23 12:24:07 localhost kernel: scsi 3:0:0:0: Direct-Access USB Flash Disk 1100 PQ: 0 ANSI: 0 CCS
May 23 12:24:07 localhost kernel: sd 3:0:0:0: [sdb] 1981440 512-byte hardware sectors (1014 MB)
May 23 12:24:07 localhost kernel: sd 3:0:0:0: [sdb] Write Protect is off
May 23 12:24:07 localhost kernel: sd 3:0:0:0: [sdb] Assuming drive cache: write through
May 23 12:24:07 localhost kernel: sd 3:0:0:0: [sdb] 1981440 512-byte hardware sectors (1014 MB)
May 23 12:24:07 localhost kernel: sd 3:0:0:0: [sdb] Write Protect is off
May 23 12:24:07 localhost kernel: sd 3:0:0:0: [sdb] Assuming drive cache: write through
May 23 12:24:07 localhost kernel: sdb: sdb1
May 23 12:24:07 localhost kernel: sd 3:0:0:0: [sdb] Attached SCSI removable disk
May 23 12:24:07 localhost kernel: sd 3:0:0:0: Attached scsi generic sg2 type 0
##############################################
I want to know how the device name sdb1 [see above log] was allocated, and is it possible to block the device node creation? If so, what can I do to block the same in my messages log?
Regards,
lingu
Why do you want to block? Why not rather disallow users to use the mount command altogether? If it's a server, why do you have normal users accessing it?
On Friday 23 May 2008 14:16:45 whoami i wrote:
This is my first mail to this mailing list. I want to block external USB storage completely on my server running CentOS 5, which holds confidential data.
1. unplug any usb storage
2. rmmod ehci_hcd
3. add a line in /etc/modprobe.d/blacklist
blacklist ehci_hcd
Fajar Priyanto wrote:
- unplug any usb storage
- rmmod ehci_hcd
- add a line in /etc/modprobe.d/blacklist
blacklist ehci_hcd
Wouldn't that prevent him from using USB as a whole? perhaps a udev rule would play nicely here.
Kevin Faulkner wrote:
Wouldn't that prevent him from using USB as a whole? perhaps a udev rule would play nicely here.
Yeah, a udev setting 660 or 600 perms to usb devices would only allow admins or admins + those in a "trusted group" to use USB devices.
You would also need to make sure the rules under /etc/security don't override those set by udev.
-Ross
On Wed, Jun 4, 2008 at 11:34 AM, Kevin Faulkner kevlar.kernel@gmail.com wrote:
- unplug any usb storage
- rmmod ehci_hcd
- add a line in /etc/modprobe.d/blacklist
blacklist ehci_hcd
Wouldn't that prevent him from using USB as a whole?
Yes, it would. 'blacklist usb-storage' is a better option.
perhaps a udev rule would play nicely here.
Overkill.
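An added example, not part of any poster's message: a check of how a modprobe configuration directory such as /etc/modprobe.d treats usb-storage. A `blacklist` line only stops the module from being autoloaded through its aliases when a device is plugged in, so root can still load it by name, whereas an `install usb-storage /bin/true` line makes modprobe run the no-op command instead of inserting the module. The function name `usb_storage_policy` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify how a modprobe config
# directory treats the usb-storage module.
# Prints one of: install-disabled | blacklisted | unrestricted

usb_storage_policy() {
    dir=$1
    result=unrestricted
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Comments are stripped by sed below; '-' and '_' are
        # interchangeable in module names, so normalise to '_'.
        while read -r directive module rest; do
            module=$(printf '%s' "$module" | tr '-' '_')
            [ "$module" = usb_storage ] || continue
            case $directive in
                install)
                    # Only counts when the replacement command loads nothing.
                    case $rest in
                        /bin/true|/bin/false) result=install-disabled ;;
                    esac ;;
                blacklist)
                    # Weaker than an install override; never downgrade.
                    [ "$result" = install-disabled ] || result=blacklisted ;;
            esac
        done <<EOF
$(sed 's/#.*//' "$f")
EOF
    done
    printf '%s\n' "$result"
}

# Constructed sample: only the 'blacklist' line suggested in the thread.
demo=$(mktemp -d)
printf 'blacklist usb-storage\n' > "$demo/blacklist"
usb_storage_policy "$demo"
rm -rf "$demo"
```

A result of `blacklisted` means hot-plugged USB disks will not trigger the driver, but the module file is still on disk and loadable by name.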
whoami i wrote:
Hi,
This is my first mail to this mailing list. I want to block external USB storage completely on my server running CentOS 5, which holds confidential data.
Shouldn't this server be in a secure area where no one unauthorized can access its USB ports in the first place?
on 6-4-2008 9:19 AM John R Pierce spake the following:
shouldn't this server be in a secure area where no one unauthorized can access its USB ports in the first place?
Sure... The EASY answer! ;-P
You can remove the usb storage modules...usb-storage.ko.
Tom.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Scott Silva
Sent: Wednesday, June 04, 2008 9:36 AM
To: centos@centos.org
Subject: [CentOS] Re: Blocking external usb storage
on 6-4-2008 9:19 AM John R Pierce spake the following:
shouldn't this server be in a secure area where no one unauthorized can access its USB ports in the first place?
Sure... The EASY answer! ;-P