Richard,
On the surface, it appears to have value, but as you say it would need to be extended to other traditional, and non-traditional, removable media. Further, the initial appeal in having the capability directly within the kernel was to make it a little more difficult to subvert, centralise auditing policy/monitoring and, if frame-worked appropriately, easily extensible to other than USB media types (which was the basis for the Proof of Concept developed by RedHat back in 2016).
I have not used USBGuard myself, so will do some experimentation and report back.
Regards
On Tue, 2020-01-21 at 15:16 -0500, Richard Guy Briggs wrote:
Hi Burn, and all,
I've been aware of this issue for a while now, but wasn't directly
working on it. Now that I'm taking a closer look at this issue, I am
wondering how much USBGuard changes the equation?
https://www.kernel.org/doc/Documentation/usb/authorization.txt
https://usbguard.github.io/
https://github.com/USBGuard/usbguard
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard
It has tools to generate baseline lists of devices, but this is only for
usb. Other interfaces would need to be appropriately instrumented.
- RGB
--
Richard Guy Briggs <
rgb@redhat.com
>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635