OK. Can't completely turn off the USB ports because, of course, the keyboard and mouse are USB.

However, one of our customers has got a requirement that USB be 'controlled' or locked down. Any ideas if this is possible or if there is any software available to allow this to happen?
| |||
<BertieBigBollox@gmail.com> wrote in message news:a0852ef2-8177-4a73-a011-dd15ed868be1@a23g2000hsc.googlegroups.com...
> OK. Can't completely turn off the USB ports because, of course, the
> keyboard and mouse are USB.
>
> However, one of our customers has got a requirement that USB be
> 'controlled' or locked down. Any ideas if this is possible or if there
> is any software available to allow this to happen?

If someone were to pull the kb/mouse and put in a hub would that not be as big of an issue as having open ports? Physical security is the only thing that comes to mind. Since it is on a bussway I'd be interested in the ability to shut down USB ports myself. Sounds sort of tough.

Rob
| |||
BertieBigBollox@gmail.com wrote:
> OK. Can't completely turn off the USB ports because, of course, the
> keyboard and mouse are USB.
>
> However, one of our customers has got a requirement that USB be
> 'controlled' or locked down. Any ideas if this is possible or if there
> is any software available to allow this to happen?

Looking at my ports:

kestrel /export/home/drkirkby/house % ls -l /dev/*usb*
total 10
lrwxrwxrwx 1 root root 48 Feb 12 16:21 hid0 -> ../../devices/pci@8,700000/usb@5,3/mouse@3:mouse
lrwxrwxrwx 1 root root 60 Feb 12 16:21 hid1 -> ../../devices/pci@8,700000/usb@5,3/hub@1/keyboard@4:keyboard
lrwxrwxrwx 1 root root 39 Oct 19 23:12 hub0 -> ../../devices/pci@8,700000/usb@5,3:hubd
lrwxrwxrwx 1 root root 45 Oct 19 23:13 hub1 -> ../../devices/pci@8,700000/usb@5,3/hub@1:hubd
lrwxrwxrwx 1 root root 45 Jan 2 06:33 hub2 -> ../../devices/pci@8,700000/usb@5,3/hub@2:hubd

it is clear what one is the USB and what one is the mouse. If the other devices files were removed, would it be possible to use any other ports? I doubt it would - at least not without removing the keyboard or mouse.

One would need to be root to create the device files, but then if someone can stick a DVD in the drive, they can get root access anyway. Or, if there is no drive, I guess they could stick one on the SCSI bus, although you can probably control that via the EEPROM.

I've never hit the problem myself, but the above might give you a few ideas
| |||
On Apr 2, 5:22 am, "BertieBigBol...@gmail.com" <BertieBigBol...@gmail.com> wrote:
> OK. Can't completely turn off the USB ports because, of course, the
> keyboard and mouse are USB.
>
> However, one of our customers has got a requirement that USB be
> 'controlled' or locked down. Any ideas if this is possible or if there
> is any software available to allow this to happen?

See http://www.sun.com/io_technologies/u....html#Security

Add the following line to /etc/system and reboot.

exclude: drv/usba10_scsa2usb

Have NOT VERIFIED this procedure to work as advertised.
| |||
BertieBigBollox@gmail.com wrote:
> OK. Can't completely turn off the USB ports because, of course, the
> keyboard and mouse are USB.
>
> However, one of our customers has got a requirement that USB be
> 'controlled' or locked down. Any ideas if this is possible or if there
> is any software available to allow this to happen?

I'm afraid that your customer may have to lower their expectations or spend a hell of a lot of money. I suppose they are concerned that someone will plug in a "thumb drive" and walk off with a lot of proprietary data. My response would be that if they can't trust the people who have access, they either hired the wrong people or gave too many of them too much access.

It might be possible to modify the USB driver so that it will not talk to anything BUT the keyboard and mouse. The people who can do that sort of thing don't come cheaply!! It would have to be redone for every Solaris upgrade and maybe for some patches. Not a very good solution!
| |||
Dave wrote:
> BertieBigBollox@gmail.com wrote:
>
>> OK. Can't completely turn off the USB ports because, of course, the
>> keyboard and mouse are USB.
>>
>> However, one of our customers has got a requirement that USB be
>> 'controlled' or locked down. Any ideas if this is possible or if there
>> is any software available to allow this to happen?
>
>
> Looking at my ports:
>
> kestrel /export/home/drkirkby/house % ls -l /dev/*usb*
> total 10
> lrwxrwxrwx 1 root root 48 Feb 12 16:21 hid0 ->
> ../../devices/pci@8,700000/usb@5,3/mouse@3:mouse
> lrwxrwxrwx 1 root root 60 Feb 12 16:21 hid1 ->
> ../../devices/pci@8,700000/usb@5,3/hub@1/keyboard@4:keyboard
> lrwxrwxrwx 1 root root 39 Oct 19 23:12 hub0 ->
> ../../devices/pci@8,700000/usb@5,3:hubd
> lrwxrwxrwx 1 root root 45 Oct 19 23:13 hub1 ->
> ../../devices/pci@8,700000/usb@5,3/hub@1:hubd
> lrwxrwxrwx 1 root root 45 Jan 2 06:33 hub2 ->
> ../../devices/pci@8,700000/usb@5,3/hub@2:hubd
>
>
>
> it is clear what one is the USB and what one is the mouse. If the other
> devices files were removed, would it be possible to use any other ports?
> I doubt it would - at least not without removing the keyboard or mouse.
>
>
> One would need to be root to create the device files, but then if
> someone can stick a DVD in the drive, they can get root access anyway.
> Or, if there is no drive, I guess they could stick one on the SCSI bus,
> although you can probably control that via the EEPROM.
>
>
> I've never hit the problem myself, but the above might give you a few ideas

That doesn't prevent somebody from plugging in some sort of "Keystroke Logger" or something similar that monitors the bus and steals the data.
| |||
On 2008-04-02, Richard B. Gilbert <rgilbert88@comcast.net> wrote:
> BertieBigBollox@gmail.com wrote:
>> OK. Can't completely turn off the USB ports because, of course, the
>> keyboard and mouse are USB.
>>
>> However, one of our customers has got a requirement that USB be
>> 'controlled' or locked down. Any ideas if this is possible or if there
>> is any software available to allow this to happen?
>
> I'm afraid that your customer may have to lower their expectations or
> spend a hell of a lot of money. I suppose they are concerned that
> someone will plug in a "thumb drive" and walk off with a lot of
> proprietary data. My response would be that if they can't trust the
> people who have access, they either hired the wrong people or gave too
> many of them too much access.
>
> It might be possible to modify the USB driver so that it will not talk
> to anything BUT the keyboard and mouse. The people who can do that sort
> of thing don't come cheaply!! It would have to be redone for every
> Solaris upgrade and maybe for some patches. Not a very good solution!
>

Fortunately, the USB drivers for Solaris aren't one big indigestible lump. You have a generic driver implementing the basic USB interface, and then other drivers that use the basic interface drivers to run specific devices. Someone upthread gave instructions for how to exclude the USB mass storage drivers (which are a separate driver).

--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities
| |||
On 2008-04-02, Richard B. Gilbert <rgilbert88@comcast.net> wrote:
> BertieBigBollox@gmail.com wrote:
>> OK. Can't completely turn off the USB ports because, of course, the
>> keyboard and mouse are USB.
>>
>> However, one of our customers has got a requirement that USB be
>> 'controlled' or locked down. Any ideas if this is possible or if there
>> is any software available to allow this to happen?
>
> I'm afraid that your customer may have to lower their expectations or
> spend a hell of a lot of money. I suppose they are concerned that
> someone will plug in a "thumb drive" and walk off with a lot of
> proprietary data. My response would be that if they can't trust the
> people who have access, they either hired the wrong people or gave too
> many of them too much access.

IIRC, the oddly named Mr. Bollox works in the financial sector. In which case, I suggest you point your finger at the correct people; the regulators.

--
"Be thankful that you have a life, and forsake your vain
and presumptuous desire for a second one."
[email me at huge {at} huge (dot) org <dot> uk]
| |||
On Apr 2, 10:23 am, jimle...@dorsai.org wrote:
> On Apr 2, 5:22 am, "BertieBigBol...@gmail.com"
> <BertieBigBol...@gmail.com> wrote:
> > OK. Can't completely turn off the USB ports because, of course, the
> > keyboard and mouse are USB.
>
> > However, one of our customers has got a requirement that USB be
> > 'controlled' or locked down. Any ideas if this is possible or if there
> > is any software available to allow this to happen?
>
> See http://www.sun.com/io_technologies/usb/USB-Faq.html#Security
>
> Add the following line to /etc/system and reboot.
> exclude: drv/usba10_scsa2usb
>
> Have NOT VERIFIED this procedure to work as advertised.

Have since seen this. In fact, this is what the NSA recommends you do.

Any idea if this would just disable USB storage? Obviously, I'd still want the USB mouse and keyboard to work.
| ||||
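The /etc/system change posted above was given as unverified, so here is one way to check it after the fact. This is an added example, not part of any post in the thread. It assumes the `modinfo` listing has been saved to a file, a POSIX awk (`nawk` on Solaris), and that `hid` and `hubd` are the drivers behind the keyboard, mouse and hub nodes in the listing above; the sample files are constructed.

```shell
# Added example: audit an /etc/system-style file for the driver exclusion
# discussed in the thread. All sample inputs below are constructed.

STORAGE_DRV="usba10_scsa2usb"   # driver name as posted in the thread
INPUT_DRVS="hid hubd"           # assumption: drivers behind hid0/hid1/hub* nodes

# Print module names from active "exclude:" lines; lines starting with
# '*' or '#' are comments in /etc/system. A leading "drv/" is stripped.
excluded_modules() {
    awk '
        /^[ \t]*[*#]/ { next }
        /^[ \t]*exclude[ \t]*:/ {
            sub(/^[ \t]*exclude[ \t]*:[ \t]*/, "")
            n = split($1, p, "/")
            print p[n]
        }' "$1"
}

# Succeeds if module $1 appears in the saved modinfo listing $2.
module_loaded() {
    awk -v m="$1" '{ for (i = 1; i <= NF; i++) if ($i == m) f = 1 }
                   END { exit !f }' "$2"
}

# Prints one of: input-broken, not-configured, pending-reboot, enforced.
audit_usb_storage() {
    excl=$(excluded_modules "$1")
    for d in $INPUT_DRVS; do
        echo "$excl" | grep -qx "$d" && { echo input-broken; return; }
    done
    echo "$excl" | grep -qx "$STORAGE_DRV" || { echo not-configured; return; }
    if module_loaded "$STORAGE_DRV" "$2"; then
        echo pending-reboot
    else
        echo enforced
    fi
}

# Constructed sample files: two /etc/system variants, two modinfo listings.
tmp=${TMPDIR:-/tmp}/usbaudit.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
printf '* exclude: drv/usba10_scsa2usb\nset maxusers=64\n' > "$tmp/sys_off"
printf '* USB lockdown\nexclude: drv/usba10_scsa2usb\n' > "$tmp/sys_on"
printf ' Id Loadaddr Size Info Rev Module Name\n 97 7bb0a000 a3f8 184 1 usba10_scsa2usb (constructed)\n' > "$tmp/mod_loaded"
printf ' Id Loadaddr Size Info Rev Module Name\n 41 7ba00000 5f10 110 1 hid (constructed)\n' > "$tmp/mod_clean"

audit_usb_storage "$tmp/sys_on" "$tmp/mod_clean"
```

On a live system the two arguments would be `/etc/system` and a file holding the output of `modinfo`; `pending-reboot` means the line is present but the storage driver is still loaded.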
On Apr 2, 11:53 pm, Huge <H...@nowhere.much.invalid> wrote:
> On 2008-04-02, Richard B. Gilbert <rgilber...@comcast.net> wrote:
>
> > BertieBigBol...@gmail.com wrote:
> >> OK. Can't completely turn off the USB ports because, of course, the
> >> keyboard and mouse are USB.
>
> >> However, one of our customers has got a requirement that USB be
> >> 'controlled' or locked down. Any ideas if this is possible or if there
> >> is any software available to allow this to happen?
>
> > I'm afraid that your customer may have to lower their expectations or
> > spend a hell of a lot of money. I suppose they are concerned that
> > someone will plug in a "thumb drive" and walk off with a lot of
> > proprietary data. My response would be that if they can't trust the
> > people who have access, they either hired the wrong people or gave too
> > many of them too much access.
>
> IIRC, the oddly named Mr. Bollox works in the financial sector. In which case, I
> suggest you point your finger at the correct people; the regulators.
>
> --
> "Be thankful that you have a life, and forsake your vain
> and presumptuous desire for a second one."
> [email me at huge {at} huge (dot) org <dot> uk]

Glad you like the name :-)

Not Finance. Without going into details, let's just say I work in a government sector where security is a big issue.