Restricting access to USB ports on Solaris 8 and Sun Ray terminals
Hi All,
I'm in the middle of setting up a workstation (Blade-100) connected to two Sun Ray 2 terminals for some analytical work (I know it isn't exactly the fastest system going, but it is all we have available until the new stuff comes in...). Due to the confidentiality and security requirements of the work, I need to disable access to the USB and serial ports for everything apart from the keyboard and mouse.
Is there any way I can do this, or do I have to superglue the USB connections to the computer? ;-)
Thanks in advance.
Andy
[569 byte] By [cannonac] at [2007-11-26 10:41:20]

# 1
Andy,
Hi. Try this:
Document ID: 79941
Title: How to secure USB ports on SUN computers.
Update Date: Thu May 12 00:00:00 MDT 2005
Products: Third-Party Products, Solaris, Solaris 9 Operating System, Solaris 8 Operating System, Solaris 10 Operating System
Technical Areas: USB (Universal Serial Bus) Port
Keyword(s): usb, secure, security, mass storage, x86, hid, usbprn, hubd, scsa2usb, disable, enumerate, prevent
Problem Statement:
Is there a way to secure usb ports on SUN computers running Solaris[TM]?
Resolution:
There are two methods of securing usb ports on SUN Sparc computers - DISABLE and RESTRICT.
Each method has its own form of security depending on how secure you need the ports.
If you need total security use the DISABLE method and if you just need limited security use the RESTRICT method.
DISABLE
-------
This procedure will disable all built-in and addon usb ports.
Note. This procedure is not recommended for SUN computers that require use of a usb keyboard and usb mouse, but recommended if the SUN computer is going to be rack mounted and not attached to a KVM switch.
# pkgrm SUNWusb
# pkgrm SUNWusbx
# pkgrm SUNWuaud    (Note. This audio package may not be installed)
#
RESTRICT
--------
This procedure allows you to selectively choose which usb devices can use the usb ports by adding entry(s) to the /etc/system file.
I.e. If you want to prevent someone from attaching a flash or thumb drive but still want to use the mouse and keyboard.
Note. See 'Additional Information' section for another method of restricting usb devices with Solaris[TM] 10.
Procedure
**CAUTION**
Please make a backup copy of the original 'system' file prior to making changes and check your changes for accuracy and typos before rebooting.
Steps.
1.) Determine which devices to restrict by matching the devices below with their associated usb driver.
drv/hid          mice, keyboard, joysticks
drv/scsa2usb     mass storage (hard drives, floppy, CD, DVD)
drv/usb_ac       audio (source)
drv/usb_as       audio (control)
drv/hubd         hubs
drv/usb_mid      composite devices such as keyboard with built-in mouse, kvm's and some audio devices.
drv/usbprn       printers
drv/usbser_edge  Edgeport usb-serial adapters
2.) Add each driver to the /etc/system file using the following format.
exclude: <driver1>
exclude: <driver2>
Examples.
To restrict a mass storage device.
exclude: drv/scsa2usb
To restrict printers.
exclude: drv/usbprn
Reboot.
This procedure is also applicable to x86 and Solaris[TM] 10.
Available only with Solaris[TM] 10 and above, the update_drv command has a new feature that will allow you to remove the minor permissions associated with a USB device driver from /etc/minor_perm. Removing these permissions will build the usb device with restrictive 600 permissions. These permissions will only allow the 'root' user to use the device.
Example. Securing the usbprn printer class driver.
Checking the minor permissions for usbprn in /etc/minor_perm file.
# grep usbprn /etc/minor_perm
usbprn:* 0666 root sys <-- normal 666 permissions
#
Removing the minor permissions for usbprn.
# update_drv -d -m '* 0666 root sys' usbprn
# grep usbprn /etc/minor_perm
#    <-- perms removed
#
Now when the usbprn printer class printer is attached, the device for the printer gets built with restrictive 600 permissions.
# ls -lL /dev/usb/printer0
total 0
crw-------   1 root     sys       58,  1 Jan 19 10:36 printer0
#
Restoring the removed minor permissions for usbprn.
# update_drv -a -m '* 0666 root sys' usbprn
# grep usbprn /etc/minor_perm
usbprn:* 0666 root sys
#
# ls -lL /dev/usb/printer0
total 0
crw-rw-rw-   1 root     sys       58,  1 Jan 19 10:41 printer0
#
thifm at 2007-7-7 2:53:00
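As an added example (not code from the original post or from Sun's document), a small POSIX shell audit that checks a copy of /etc/system for the 'exclude:' lines the answer describes and checks /etc/minor_perm for the permission entries that update_drv -d removes. The driver list, the file paths given as arguments and the two sample files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added audit script for the RESTRICT controls quoted above (not code from
# the original post or from Sun). Assumed: /etc/system uses 'exclude: drv/x'
# lines with '*' comments, and /etc/minor_perm lines look like
# 'usbprn:* 0666 root sys'. File paths are arguments so a copy can be checked.

# Drivers the answer lists for USB mass storage, printers, serial and audio.
# drv/hid (keyboard, mouse) and drv/hubd are deliberately left out.
RESTRICT_DRIVERS="drv/scsa2usb drv/usbprn drv/usbser_edge drv/usb_ac drv/usb_as"

# is_excluded SYSTEM_FILE DRIVER: true when an uncommented exclude line matches
is_excluded() {
    grep -v '^[[:space:]]*\*' "$1" |
        grep -q "^[[:space:]]*exclude:[[:space:]]*$2[[:space:]]*\$"
}

# missing_excludes SYSTEM_FILE: print the restricted drivers with no exclude line
missing_excludes() {
    out=""
    for drv in $RESTRICT_DRIVERS; do
        is_excluded "$1" "$drv" || out="$out $drv"
    done
    printf '%s\n' "${out# }"
}

# minor_perm_mode MINOR_PERM_FILE DRIVER: print the mode (e.g. 0666) that
# /etc/minor_perm gives the driver's nodes, or 'none' if no entry remains
# (no entry means new nodes are created 0600, root only, as the answer shows)
minor_perm_mode() {
    awk -v d="$2" '$1 ~ ("^" d ":") { print $2; found = 1 }
                   END { if (!found) print "none" }' "$1"
}

# Constructed sample files standing in for a workstation's /etc/system and
# /etc/minor_perm after the printer entry was removed with update_drv -d.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/system" <<'EOF'
* /etc/system: restrict USB, keep keyboard and mouse
exclude: drv/scsa2usb
exclude: drv/usbprn
exclude: drv/usbser_edge
* exclude: drv/usb_ac   (commented out: audio still allowed)
EOF
cat > "$SAMPLE_DIR/minor_perm" <<'EOF'
hid:* 0666 root sys
scsa2usb:* 0666 root sys
EOF
echo "still loadable: $(missing_excludes "$SAMPLE_DIR/system")"
echo "usbprn minor_perm mode: $(minor_perm_mode "$SAMPLE_DIR/minor_perm" usbprn)"
```

Run it against copies of the real files by replacing the two sample paths; an empty "still loadable" line and 'none' for every restricted driver is the state the answer's procedure aims for.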
