Richard,

On the surface, it appears to have value, but as you say it would need to be extended to other traditional, and non-traditional, removable media. Further, the initial appeal in having the capability directly within the kernel was to make it a little more difficult to subvert, to centralise auditing policy/monitoring and, if frame-worked appropriately, to make it easily extensible to media types other than USB (which was the basis for the Proof of Concept developed by Red Hat back in 2016).

I have not used USBGuard myself, so will do some experimentation and report back.

Regards

On Tue, 2020-01-21 at 15:16 -0500, Richard Guy Briggs wrote:
Hi Burn, and all,

I've been aware of this issue for a while now, but wasn't directly
working on it.  Now that I'm taking a closer look at this issue, I am
wondering how much USBGuard changes the equation?

https://www.kernel.org/doc/Documentation/usb/authorization.txt

https://usbguard.github.io/

https://github.com/USBGuard/usbguard

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard

It has tools to generate baseline lists of devices, but this is only for
USB.  Other interfaces would need to be appropriately instrumented.

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635