Locking down USB ports on Ultra45 (Solaris 9) - SUN


  1. Locking down USB ports on Ultra45 (Solaris 9)

    OK. Can't completely turn off the USB ports because, of course, the
    keyboard and mouse are USB.

    However, one of our customers has got a requirement that USB be
    'controlled' or locked down. Any ideas if this is possible or if there
    is any software available to allow this to happen?

  2. Re: Locking down USB ports on Ultra45 (Solaris 9)


    wrote in message
    news:a0852ef2-8177-4a73-a011-dd15ed868be1@a23g2000hsc.googlegroups.com...
    > OK. Can't completely turn off the USB ports because, of course, the
    > keyboard and mouse are USB.
    >
    > However, one of our customers has got a requirement that USB be
    > 'controlled' or locked down. Any ideas if this is possible or if there
    > is any software available to allow this to happen?


    If someone were to pull the kb/mouse and put in a hub would that not be as
    big of an issue as having open ports? Physical security is the only thing
    that comes to mind. Since it is on a bussway I'd be interested in the
    ability to shut down USB ports myself. Sounds sort of tough.

    Rob



  3. Re: Locking down USB ports on Ultra45 (Solaris 9)

    BertieBigBollox@gmail.com wrote:
    > OK. Can't completely turn off the USB ports because, of course, the
    > keyboard and mouse are USB.
    >
    > However, one of our customers has got a requirement that USB be
    > 'controlled' or locked down. Any ideas if this is possible or if there
    > is any software available to allow this to happen?


    Looking at my ports:

    kestrel /export/home/drkirkby/house % ls -l /dev/*usb*
    total 10
    lrwxrwxrwx 1 root root 48 Feb 12 16:21 hid0 -> ../../devices/pci@8,700000/usb@5,3/mouse@3:mouse
    lrwxrwxrwx 1 root root 60 Feb 12 16:21 hid1 -> ../../devices/pci@8,700000/usb@5,3/hub@1/keyboard@4:keyboard
    lrwxrwxrwx 1 root root 39 Oct 19 23:12 hub0 -> ../../devices/pci@8,700000/usb@5,3:hubd
    lrwxrwxrwx 1 root root 45 Oct 19 23:13 hub1 -> ../../devices/pci@8,700000/usb@5,3/hub@1:hubd
    lrwxrwxrwx 1 root root 45 Jan 2 06:33 hub2 -> ../../devices/pci@8,700000/usb@5,3/hub@2:hubd



    it is clear what one is the USB and what one is the mouse. If the other
    devices files were removed, would it be possible to use any other ports?
    I doubt it would - at least not without removing the keyboard or mouse.


    One would need to be root to create the device files, but then if
    someone can stick a DVD in the drive, they can get root access anyway.
    Or, if there is no drive, I guess they could stick one on the SCSI bus,
    although you can probably control that via the EEPROM.


    I've never hit the problem myself, but the above might give you a few ideas

  4. Re: Locking down USB ports on Ultra45 (Solaris 9)

    On Apr 2, 5:22 am, "BertieBigBol...@gmail.com"
    wrote:
    > OK. Can't completely turn off the USB ports because, of course, the
    > keyboard and mouse are USB.
    >
    > However, one of our customers has got a requirement that USB be
    > 'controlled' or locked down. Any ideas if this is possible or if there
    > is any software available to allow this to happen?


    See http://www.sun.com/io_technologies/u....html#Security

    Add the following line to /etc/system and reboot.
    exclude: drv/usba10_scsa2usb

    Have NOT VERIFIED this procedure to work as advertised.

  5. Re: Locking down USB ports on Ultra45 (Solaris 9)

    Dave wrote:
    > BertieBigBollox@gmail.com wrote:
    >
    >> OK. Can't completely turn off the USB ports because, of course, the
    >> keyboard and mouse are USB.
    >>
    >> However, one of our customers has got a requirement that USB be
    >> 'controlled' or locked down. Any ideas if this is possible or if there
    >> is any software available to allow this to happen?

    >
    >
    > Looking at my ports:
    >
    > kestrel /export/home/drkirkby/house % ls -l /dev/*usb*
    > total 10
    > lrwxrwxrwx 1 root root 48 Feb 12 16:21 hid0 -> ../../devices/pci@8,700000/usb@5,3/mouse@3:mouse
    > lrwxrwxrwx 1 root root 60 Feb 12 16:21 hid1 -> ../../devices/pci@8,700000/usb@5,3/hub@1/keyboard@4:keyboard
    > lrwxrwxrwx 1 root root 39 Oct 19 23:12 hub0 -> ../../devices/pci@8,700000/usb@5,3:hubd
    > lrwxrwxrwx 1 root root 45 Oct 19 23:13 hub1 -> ../../devices/pci@8,700000/usb@5,3/hub@1:hubd
    > lrwxrwxrwx 1 root root 45 Jan 2 06:33 hub2 -> ../../devices/pci@8,700000/usb@5,3/hub@2:hubd
    >
    >
    >
    > it is clear what one is the USB and what one is the mouse. If the other
    > devices files were removed, would it be possible to use any other ports?
    > I doubt it would - at least not without removing the keyboard or mouse.
    >
    >
    > One would need to be root to create the device files, but then if
    > someone can stick a DVD in the drive, they can get root access anyway.
    > Or, if there is no drive, I guess they could stick one on the SCSI bus,
    > although you can probably control that via the EEPROM.
    >
    >
    > I've never hit the problem myself, but the above might give you a few ideas


    That doesn't prevent somebody from plugging in some sort of "Keystroke
    Logger" or something similar that monitors the bus and steals the data.


  6. Re: Locking down USB ports on Ultra45 (Solaris 9)

    On 2008-04-02, BertieBigBollox@gmail.com wrote:
    > OK. Can't completely turn off the USB ports because, of course, the
    > keyboard and mouse are USB.
    >
    > However, one of our customers has got a requirement that USB be
    > 'controlled' or locked down. Any ideas if this is possible or if there
    > is any software available to allow this to happen?


    Epoxy the mouse and KB in and fill the other ports with epoxy.

    Half joking.


    --
    "Be thankful that you have a life, and forsake your vain
    and presumptuous desire for a second one."
    [email me at huge {at} huge (dot) org uk]

  7. Re: Locking down USB ports on Ultra45 (Solaris 9)

    BertieBigBollox@gmail.com wrote:

    > OK. Can't completely turn off the USB ports because, of course, the
    > keyboard and mouse are USB.
    >
    > However, one of our customers has got a requirement that USB be
    > 'controlled' or locked down. Any ideas if this is possible or if there
    > is any software available to allow this to happen?


    How about the obvious -- lock up the entire machine and access it only
    in non-privileged accounts from terminals (character or X11).

    Michael

  8. Re: Locking down USB ports on Ultra45 (Solaris 9)

    On Apr 2, 10:23 am, jimle...@dorsai.org wrote:
    > On Apr 2, 5:22 am, "BertieBigBol...@gmail.com"
    >
    > wrote:
    > > OK. Can't completely turn off the USB ports because, of course, the
    > > keyboard and mouse are USB.

    >
    > > However, one of our customers has got a requirement that USB be
    > > 'controlled' or locked down. Any ideas if this is possible or if there
    > > is any software available to allow this to happen?

    >
    > See http://www.sun.com/io_technologies/usb/USB-Faq.html#Security
    >
    > Add the following line to /etc/system and reboot.
    > exclude: drv/usba10_scsa2usb
    >
    > Have NOT VERIFIED this procedure to work as advertised.



    Have since seen this. In fact, this is what the NSA recommends you do.

    Any idea if this would just disable USB storage? Obviously, I'd still
    want the USB mouse and keyboard to work.

  9. Re: Locking down USB ports on Ultra45 (Solaris 9)

    I've since found this :-

    developers.sun.com/solaris/driverdev/reference/codesamples/usb_security/index.html

    which seems to be a way to do it...

    And, of course, there's physical security (probably better than
    glue!!!)

    http://www.pcguardian.com/products/8...port_lock.html

  10. Re: Locking down USB ports on Ultra45 (Solaris 9)

    On 2008-04-03, BertieBigBollox@gmail.com wrote:
    > On Apr 2, 10:23 am, jimle...@dorsai.org wrote:
    >> On Apr 2, 5:22 am, "BertieBigBol...@gmail.com"
    >>
    >> wrote:
    >> > OK. Can't completely turn off the USB ports because, of course, the
    >> > keyboard and mouse are USB.

    >>
    >> > However, one of our customers has got a requirement that USB be
    >> > 'controlled' or locked down. Any ideas if this is possible or if there
    >> > is any software available to allow this to happen?

    >>
    >> See http://www.sun.com/io_technologies/usb/USB-Faq.html#Security
    >>
    >> Add the following line to /etc/system and reboot.
    >> exclude: drv/usba10_scsa2usb
    >>
    >> Have NOT VERIFIED this procedure to work as advertised.

    >
    >
    > Have since seen this. In fact, this is what the NSA recommends you do.
    >
    > Any idea if this would just disable USB storage? Obviously, I'd still
    > want the USB mouse and keyboard to work.


    Yes, it only disables storage. Solaris implements USB storage by
    plugging the basic USB access driver into the SCSI system (hence
    the driver name, "scsa2usb"). The keyboard and mouse aren't
    involved in this; you haven't touched their drivers, or the
    base USB access driver, so they'll continue to work fine.
    "man scsa2usb" talks some about the specifics. Read it
    carefully, to make sure you get the name of the driver
    correct. In Solaris 10, it's called just "scsa2usb".


    --
    Christopher Mattern

    NOTICE
    Thank you for noticing this new notice
    Your noticing it has been noted
    And will be reported to the authorities
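
The /etc/system change discussed in posts 4 and 10, as an added example that is not part of the thread: shell functions that check whether an active `exclude:` line for the storage driver is present and append one, after a backup, if it is not. The function names and the backup suffix are assumptions; the driver name is passed in because, as noted above, it differs between releases.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes POSIX grep/cp/tail/printf
# (on Solaris, put /usr/xpg4/bin first in PATH).

# is_excluded FILE DRIVER
# True if FILE has an active "exclude: drv/DRIVER" line. Lines starting
# with '*' or '#' are comments in /etc/system and do not count.
is_excluded() {
    grep -v '^[*#]' "$1" |
        grep -Eq "^[[:space:]]*exclude:[[:space:]]*drv/$2[[:space:]]*\$"
}

# ensure_excluded FILE DRIVER
# Append the exclude line once, keeping a copy of the previous file.
# Prints "present" or "added". The change takes effect at the next reboot.
ensure_excluded() {
    if is_excluded "$1" "$2"; then
        echo present
        return 0
    fi
    cp -p "$1" "$1.pre-usb-lockdown" || return 1   # backup name is an assumption
    # Terminate an unterminated last line so the new entry starts cleanly.
    [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"
    printf '%s\n' "* USB mass storage driver excluded" \
                  "exclude: drv/$2" >> "$1" || return 1
    echo added
}

# Usage (as root), with the driver name given in the thread for Solaris 9:
#   ensure_excluded /etc/system usba10_scsa2usb
```

A commented-out entry or an entry for the other driver name is reported as not excluded, which is the naming mistake post 10 warns about.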

  11. Re: Locking down USB ports on Ultra45 (Solaris 9)

    On Apr 3, 12:49 am, "BertieBigBol...@gmail.com"
    wrote:
    > I've since found this :-
    >
    > developers.sun.com/solaris/driverdev/reference/codesamples/usb_security/index.html


    Tried this - works really well.

    Advantage this has over the other method is that if you disable the
    usb storage then no usb storage will work at all (which is fine if you
    don't mind).

    With this method, you first take a checkpoint of the current usb
    bindings, and then run the script to lock down. The advantage is that
    current usb devices (which are currently plugged in) are still kept
    (so mouse and keyboard are OK).

    If you subsequently want to allow a specific device, you just need to
    restore the usb bindings (from the checkpoint), plug in the device,
    and lock down again.

    Only problem I found is that when you perform the lock down script,
    you need to check that it has kept the keyboard and mouse bindings.
    Once or twice I had to remove/replug the kbd/mouse before it
    recognised it as current device.

    Of course, you can get yourself into possible problems if you've
    disabled the usb mouse and keyboard and then reboot !!!! (Just make
    sure you can telnet into the machine to change it back !!!!).



  12. Re: Locking down USB ports on Ultra45 (Solaris 9)

    BertieBigBollox@gmail.com wrote:
    > On Apr 2, 10:23 am, jimle...@dorsai.org wrote:
    >
    >>On Apr 2, 5:22 am, "BertieBigBol...@gmail.com"
    >>
    >> wrote:
    >>
    >>>OK. Can't completely turn off the USB ports because, of course, the
    >>>keyboard and mouse are USB.

    >>
    >>>However, one of our customers has got a requirement that USB be
    >>>'controlled' or locked down. Any ideas if this is possible or if there
    >>>is any software available to allow this to happen?

    >>
    >>See http://www.sun.com/io_technologies/usb/USB-Faq.html#Security
    >>
    >>Add the following line to /etc/system and reboot.
    >>exclude: drv/usba10_scsa2usb
    >>
    >>Have NOT VERIFIED this procedure to work as advertised.

    >
    >
    >
    > Have since seen this. In fact, this is what the NSA recommends you do.
    >
    > Any idea if this would just disable USB storage? Obviously, I'd still
    > want the USB mouse and keyboard to work.


    If you have some other means of gaining access to a test system, why not
    just try it????


  13. Re: Locking down USB ports on Ultra45 (Solaris 9)

    Dave writes in comp.sys.sun.hardware:
    |it is clear what one is the USB and what one is the mouse. If the other
    |devices files were removed, would it be possible to use any other ports?
    |I doubt it would - at least not without removing the keyboard or mouse.
    |
    |One would need to be root to create the device files, but then if
    |someone can stick a DVD in the drive, they can get root access anyway.

    USB device files are automatically created on hotplug by the kernel.
    Removing them just makes you unplug & replug the device.

    --
    Alan Coopersmith * alanc@alum.calberkeley.org * Alan.Coopersmith@Sun.COM
    http://blogs.sun.com/alanc/ * http://people.freedesktop.org/~alanc/
    http://del.icio.us/alanc/ * http://www.csua.berkeley.edu/~alanc/
    Working for, but definitely not speaking for, Sun Microsystems, Inc.
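
Because the kernel creates these device nodes on hotplug, a listing of /dev/usb saved in a known-good state can serve as a baseline for spotting newly attached devices. The following is an added example, not part of the thread and not Sun's usb_security script; the function names, the /var/tmp paths and the extra `hid2` entry are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes POSIX sed/sort/comm and mktemp.

# Reduce `ls -l` output to sorted "name target" pairs (symlinks only).
usb_nodes() {
    sed -n 's/^l.* \([^ ]*\) -> \(.*\)$/\1 \2/p' | sort
}

# Print nodes in the current listing ($2) that are not in the baseline ($1).
# A node whose device path changed (device moved to another port) also shows.
new_usb_nodes() {
    nb=$(mktemp) && nc=$(mktemp) || return 1
    usb_nodes < "$1" > "$nb"
    usb_nodes < "$2" > "$nc"
    comm -13 "$nb" "$nc"
    rm -f "$nb" "$nc"
}

# Baseline: the listing posted earlier in the thread.
sample_baseline() {
cat <<'EOF'
total 10
lrwxrwxrwx 1 root root 48 Feb 12 16:21 hid0 -> ../../devices/pci@8,700000/usb@5,3/mouse@3:mouse
lrwxrwxrwx 1 root root 60 Feb 12 16:21 hid1 -> ../../devices/pci@8,700000/usb@5,3/hub@1/keyboard@4:keyboard
lrwxrwxrwx 1 root root 39 Oct 19 23:12 hub0 -> ../../devices/pci@8,700000/usb@5,3:hubd
lrwxrwxrwx 1 root root 45 Oct 19 23:13 hub1 -> ../../devices/pci@8,700000/usb@5,3/hub@1:hubd
lrwxrwxrwx 1 root root 45 Jan 2 06:33 hub2 -> ../../devices/pci@8,700000/usb@5,3/hub@2:hubd
EOF
}

# Constructed: the same listing after a second keyboard appears behind hub@2.
sample_current() {
    sample_baseline
    echo 'lrwxrwxrwx 1 root root 60 Apr  3 09:14 hid2 -> ../../devices/pci@8,700000/usb@5,3/hub@2/keyboard@1:keyboard'
}

# Usage on a live host (paths are assumptions):
#   ls -l /dev/usb > /var/tmp/usb.baseline   # once, in a known-good state
#   ls -l /dev/usb > /var/tmp/usb.now
#   new_usb_nodes /var/tmp/usb.baseline /var/tmp/usb.now
```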

  14. Re: Locking down USB ports on Ultra45 (Solaris 9)

    One really-stupid question:

    The mouse and keyboard staying connected -- but with Sun having
    switched some few years ago from scsi to usb as the way it
    connects to its DISKS (eg where the OS lives, etc), why does no
    one in this thread talk about that too?

    As you can see, I'm confused.


    David



  15. Re: Locking down USB ports on Ultra45 (Solaris 9)

    dkcombs@panix.com (David Combs) writes:
    >One really-stupid question:


    >The mouse and keyboard staying connected -- but with Sun having
    >switched some few years ago from scsi to usb as the way it
    >connects to its DISKS (eg where the OS lives, etc), why does no
    >one in this thread talk about that too?


    >As you can see, I'm confused.


    I'm confused from your statement? USB disk is an option that Sun
    treats as a removable temporary drive, same as in the PC world. Most
    newest Sun stuff uses SAS disks, with some SATA options, same as most
    other server vendors.

    There's been a few people talking about USB disk in that basis though?



