• VMware

    Learn about VMware virtualization for its products like vsphere ESX and ESXi, vCenter Server, VMware View, VMware P2V and many more

  • Linux

    Step by step configuration tutorials for many of the Linux services like DNS, DHCP, FTP, Samba4 etc including many tips and tricks in Red Hat Linux.

  • Database

    Learn installation and configuration of databases like Oracle, My SQL, Postgresql, etc including many other related tutorials in Linux.

  • Life always offers you a second chance ... Its called tomorrow !!!

    Thursday, June 15, 2017

    How to blacklist or disable USB module in Red Hat 7

    To improve security in our environment many times we have to blacklist certain modules from getting loaded in our setup to avoid any security leak.



    The provided procedure is tested with Red Hat Enterprise Linux 7

    Before starting with the blacklisting let us validate our usb module is properly loaded
    # lsmod | grep -i usb
    usb_storage            66762  0

    So the module looks to be loaded just fine and the below command will show us any usb device which is mounted currently on the blade
    # lsscsi
    [0:0:0:0]    storage HP       P244br           4.52  -
    [0:1:0:0]    disk    HP       LOGICAL VOLUME   4.52  /dev/sda
    [1:0:0:0]    cd/dvd  HP       Virtual DVD-ROM        /dev/sr0

    Lets start blacklisting this module


    Below file must be used to blacklist any module
    /etc/modprobe.d/local-blacklist.conf
    The syntax to be used here is
    blacklist <module name>
    For eg to blacklist usb module:
    # vim /etc/modprobe.d/local-blacklist.conf
    blacklist usb-storage.ko

    save and exit the file.

    Now the above syntax used will blacklist a module only if it is not a part of any dependency.
    For eg. firewire module is a dependency for network drivers like be2net so if I blacklist firewire module but still since it is needed by be2net driver, the be2net will activate the blacklisted module during system startup

    To avoid this append below line. Here for eg I used firewire module, the same can be replaced with usb-storage.ko
    # vim /etc/modprobe.d/local-blacklist.conf
    blacklist firewire.ko
    install firewire.ko /bin/false

    save the file and exit

    Next you must rebuild the initramfs, this is needed to keep your changes persistent across reboot

    IMPORTANT NOTE:
     Take backup of your existing initramfs just in case the new initramfs fails or has any issue
    # cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.before_update.bak
    Next run below command to rebuild the initramfs
    # dracut -v -f
    Next proceed with the reboot of the node but in case you plan to reboot the node later, doing so the active session will still have the usb module enabled so to disable the usb module from the active session

    Disable usb module from the current session

    # rmmod usb-storage.ko
    This will remove the us module from the kernel

    OR

    usb module can also be removed using
    # modprobe -r usb-storage.ko
    Now regenerate your kernel list of dependencies and the loaded modules.
    # depmod -a
    This will probe all the modules

    Now you can validate if the usb module is still loaded on your system
    # lsmod | grep -i usb_storage
    The output should give you nothing so your module is successfully removed and blacklisted

    I hope the article was helpful

    Follow the below links for more tutorials

    How to find the path of any command in Linux
    How to configure a Clustered Samba share using ctdb in Red Hat Cluster
    How to delete an iscsi-target from openfiler and Linux
    How to perform a local ssh port forwarding in Linux
    How to use yum locally without internet connection using cache?
    What is umask and how to change the default value permanently?
    Understanding Partition Scheme MBR vs GPT
    How does a successful or failed login process works in Linux
    How to find all the process accessing a file in Linux
    How to exclude multiple directories from du command in Linux
    How to configure autofs in Linux and what are its advantages?
    How to resize software raid partition in Linux
    How to configure Software RAID 1 mirroring in Linux
    How to prevent a command from getting stored in history in Linux

    0 comments:

    Post a Comment