This is a discussion on Locking down USB ports on Ultra45 (Solaris 9) within the Sun Solaris Hardware forums, part of the Solaris Operating System category.

BertieBigBollox@gmail.com wrote:
> OK. Can't completely turn off the USB ports because, of course, the
> keyboard and mouse are USB.
>
> However, one of our customers has got a requirement that USB be
> 'controlled' or locked down. Any ideas if this is possible or if there
> is any software available to allow this to happen?

How about the obvious -- lock up the entire machine and access it only in non-privileged accounts from terminals (character or X11).

Michael

On 2008-04-02, BertieBigBollox@gmail.com <BertieBigBollox@gmail.com> wrote:
> OK. Can't completely turn off the USB ports because, of course, the
> keyboard and mouse are USB.
>
> However, one of our customers has got a requirement that USB be
> 'controlled' or locked down. Any ideas if this is possible or if there
> is any software available to allow this to happen?

Epoxy the mouse and KB in and fill the other ports with epoxy.

Half joking.

--
"Be thankful that you have a life, and forsake your vain and presumptuous desire for a second one."
[email me at huge {at} huge (dot) org <dot> uk]

I've since found this :-

developers.sun.com/solaris/driverdev/reference/codesamples/usb_security/index.html

which seems to be a way to do it...

And, of course, there's physical security (probably better than glue!!!)

http://www.pcguardian.com/products/8...port_lock.html

On 2008-04-03, BertieBigBollox@gmail.com <BertieBigBollox@gmail.com> wrote:
> On Apr 2, 11:53 pm, Huge <H...@nowhere.much.invalid> wrote:
>> On 2008-04-02, Richard B. Gilbert <rgilber...@comcast.net> wrote:
>>
>> > BertieBigBol...@gmail.com wrote:
>> >> OK. Can't completely turn off the USB ports because, of course, the
>> >> keyboard and mouse are USB.
>>
>> >> However, one of our customers has got a requirement that USB be
>> >> 'controlled' or locked down. Any ideas if this is possible or if there
>> >> is any software available to allow this to happen?
>>
>> > I'm afraid that your customer may have to lower their expectations or
>> > spend a hell of a lot of money. I suppose they are concerned that
>> > someone will plug in a "thumb drive" and walk off with a lot of
>> > proprietary data. My response would be that if they can't trust the
>> > people who have access, they either hired the wrong people or gave too
>> > many of them too much access.
>>
>> IIRC, the oddly named Mr. Bollox works in the financial sector. In which case, I
>> suggest you point your finger at the correct people; the regulators.
>
> Glad you like the name :-)
>
> Not Finance. Without going into details, let's just say I work in a
> government sector where security is a big issue.

Yeah. Right. Well, it is now HMG has lost gigabytes of other people's data.

--
"Be thankful that you have a life, and forsake your vain and presumptuous desire for a second one."
[email me at huge {at} huge (dot) org <dot> uk]

On 2008-04-03, BertieBigBollox@gmail.com <BertieBigBollox@gmail.com> wrote:
> On Apr 2, 10:23 am, jimle...@dorsai.org wrote:
>> On Apr 2, 5:22 am, "BertieBigBol...@gmail.com"
>>
>> <BertieBigBol...@gmail.com> wrote:
>> > OK. Can't completely turn off the USB ports because, of course, the
>> > keyboard and mouse are USB.
>>
>> > However, one of our customers has got a requirement that USB be
>> > 'controlled' or locked down. Any ideas if this is possible or if there
>> > is any software available to allow this to happen?
>>
>> See http://www.sun.com/io_technologies/usb/USB-Faq.html#Security
>>
>> Add the following line to /etc/system and reboot.
>> exclude: drv/usba10_scsa2usb
>>
>> Have NOT VERIFIED this procedure to work as advertised.
>
>
> Have since seen this. In fact, this is what the NSA recommends you do.
>
> Any idea if this would just disable USB storage? Obviously, I'd still
> want the USB mouse and keyboard to work.

Yes, it only disables storage. Solaris implements USB storage by plugging the basic USB access driver into the SCSI system (hence the driver name, "scsa2usb"). The keyboard and mouse aren't involved in this; you haven't touched their drivers, or the base USB access driver, so they'll continue to work fine.

"man scsa2usb" talks some about the specifics. Read it carefully, to make sure you get the name of the driver correct. In Solaris 10, it's called just "scsa2usb".

--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities
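
Added example, not part of any post in this thread: a shell check that an /etc/system file carries an active exclusion for the USB storage driver, and that the excluded name matches the release (the naming mismatch warned about above). The `exclude:` line and the two driver names come from the thread; the function names and sample file are constructed here, and treating lines that begin with `*` or `#` as comments is this example's assumption about /etc/system syntax.

```shell
#!/bin/sh
# Audit an /etc/system-style file for the USB storage driver exclusion.

# Print the module name of every active "exclude:" directive in file $1.
# Lines beginning with '*' or '#' are treated as comments and skipped.
excluded_modules() {
    awk '
        /^[ \t]*[*#]/ { next }
        /^[ \t]*exclude:/ {
            sub(/^[ \t]*exclude:[ \t]*/, "")
            n = split($1, part, "/")   # drv/usba10_scsa2usb -> usba10_scsa2usb
            if (n > 0) print part[n]
        }
    ' "$1"
}

# audit_usb_storage FILE EXPECTED_DRIVER
# Prints OK, WRONG_NAME:<found>, or MISSING; returns 0 only for OK.
audit_usb_storage() {
    found=""
    for mod in $(excluded_modules "$1"); do
        if [ "$mod" = "$2" ]; then
            echo "OK"
            return 0
        fi
        case "$mod" in
            *scsa2usb) found="$mod" ;;   # storage driver, but another release's name
        esac
    done
    if [ -n "$found" ]; then
        echo "WRONG_NAME:$found"
    else
        echo "MISSING"
    fi
    return 1
}

# Constructed sample input (not taken from a real system): the Solaris 9
# name is commented out and only the Solaris 10 name is active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
* exclude: drv/usba10_scsa2usb
set maxusers=64
exclude: drv/scsa2usb
EOF

audit_usb_storage "$sample" usba10_scsa2usb || true   # Solaris 9 name
audit_usb_storage "$sample" scsa2usb || true          # Solaris 10 name
rm -f "$sample"
```

On a real host, pass `/etc/system` and the driver name that `man scsa2usb` gives for that release.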

On Apr 3, 12:49 am, "BertieBigBol...@gmail.com" <BertieBigBol...@gmail.com> wrote:
> I've since found this :-
>
> developers.sun.com/solaris/driverdev/reference/codesamples/
> usb_security/index.html

Tried this - works really well.

Advantage this has over the other method is that if you disable the usb storage then no usb storage will work at all (which is fine if you don't mind).

With this method, you first take a checkpoint of the current usb bindings, and then run the script to lock down. The advantage is that current usb devices (which are currently plugged in) are still kept (so mouse and keyboard are OK).

If you subsequently want to allow a specific device, you just need to restore the usb bindings (from the checkpoint), plug in the device, and lock down again.

Only problem I found is that when you perform the lock down script, you need to check that it has kept the keyboard and mouse bindings. Once or twice I had to remove/replug the kbd/mouse before it recognised it as current device.

Of course, you can get yourself into possible problems if you've disabled the usb mouse and keyboard and then reboot !!!! (Just make sure you can telnet into the machine to change it back !!!!).

BertieBigBollox@gmail.com wrote:
> On Apr 2, 10:23 am, jimle...@dorsai.org wrote:
>
>>On Apr 2, 5:22 am, "BertieBigBol...@gmail.com"
>>
>><BertieBigBol...@gmail.com> wrote:
>>
>>>OK. Can't completely turn off the USB ports because, of course, the
>>>keyboard and mouse are USB.
>>
>>>However, one of our customers has got a requirement that USB be
>>>'controlled' or locked down. Any ideas if this is possible or if there
>>>is any software available to allow this to happen?
>>
>>See http://www.sun.com/io_technologies/usb/USB-Faq.html#Security
>>
>>Add the following line to /etc/system and reboot.
>>exclude: drv/usba10_scsa2usb
>>
>>Have NOT VERIFIED this procedure to work as advertised.
>
>
>
> Have since seen this. In fact, this is what the NSA recommends you do.
>
> Any idea if this would just disable USB storage? Obviously, I'd still
> want the USB mouse and keyboard to work.

If you have some other means of gaining access to a test system, why not just try it????

Dave <foo@coo.com> writes in comp.sys.sun.hardware:
|it is clear what one is the USB and what one is the mouse. If the other
|devices files were removed, would it be possible to use any other ports?
|I doubt it would - at least not without removing the keyboard or mouse.
|
|One would need to be root to create the device files, but then if
|someone can stick a DVD in the drive, then can get root access anyway.

USB device files are automatically created on hotplug by the kernel. Removing them just makes you unplug & replug the device.

--
Alan Coopersmith * alanc@alum.calberkeley.org * Alan.Coopersmith@Sun.COM
http://blogs.sun.com/alanc/ * http://people.freedesktop.org/~alanc/
http://del.icio.us/alanc/ * http://www.csua.berkeley.edu/~alanc/
Working for, but definitely not speaking for, Sun Microsystems, Inc.

One really-stupid question:

The mouse and keyboard staying connected -- but with Sun having switched some few years ago from scsi to usb as the way it connects to its DISKS (eg where the OS lives, etc), why does no one in this thread talk about that too?

As you can see, I'm confused.

David

dkcombs@panix.com (David Combs) writes:
>One really-stupid question:
>The mouse and keyboard staying connected -- but with Sun having
>switched some few years ago from scsi to usb as the way it
>connects to its DISKS (eg where the OS lives, etc), why does no
>one in this thread talk about that too?
>As you can see, I'm confused.

I'm confused from your statement? USB disk is an option that Sun treats as a removable temporary drive, same as in the PC world. Most newest Sun stuff uses SAS disks, with some SATA options, same as most other server vendors.

There's been a few people talking about USB disk in that basis though?