Details
USB storage provides a means to transfer and store files, ensuring persistence and availability of the files independent of network connection status. Its popularity and utility have led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.
Rationale:
Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.
Solution
Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
Example: vim /etc/modprobe.d/usb_storage.conf
Add the following line:
install usb-storage /bin/true
Run the following command to unload the usb-storage module:
rmmod usb-storage
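To confirm that both steps took effect, the following audit script can be used. It is an added example, not part of the original control text. The function names are hypothetical, and the paths are parameters so the checks can be pointed at a test fixture instead of the live system.

```shell
#!/bin/sh
# Added audit example; function names are illustrative, not from the benchmark.

# usb_storage_install_disabled [DIR]
# Succeeds if a *.conf file in DIR (default /etc/modprobe.d) maps the module's
# install command to a no-op. modprobe treats '-' and '_' in module names as
# equivalent, so both spellings are accepted. Commented-out lines do not count.
# /bin/false is accepted as well as the /bin/true used on this page.
usb_storage_install_disabled() {
    dir=${1:-/etc/modprobe.d}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)[[:space:]]*$' "$f" && return 0
    done
    return 1
}

# usb_storage_loaded [MODULES_FILE]
# Succeeds if the module is currently loaded. The kernel lists it with an
# underscore in /proc/modules, whatever spelling the .conf file used.
usb_storage_loaded() {
    grep -Eq '^usb_storage[[:space:]]' "${1:-/proc/modules}"
}

# audit_usb_storage [DIR] [MODULES_FILE]
# Prints one PASS/FAIL line per check; returns 0 only if both checks pass.
audit_usb_storage() {
    rc=0
    if usb_storage_install_disabled "${1:-}"; then
        echo "PASS: install rule for usb-storage is a no-op"
    else
        echo "FAIL: no 'install usb-storage /bin/true' rule found"
        rc=1
    fi
    if usb_storage_loaded "${2:-}"; then
        echo "FAIL: usb_storage is still loaded (run rmmod usb-storage)"
        rc=1
    else
        echo "PASS: usb_storage is not loaded"
    fi
    return $rc
}

# Run against the live system only when asked: sh audit.sh --audit
case "${1:-}" in --audit) audit_usb_storage ;; esac
```

The script reads only the single directory it is given; modprobe also reads other configuration directories such as /usr/lib/modprobe.d, so repeat the first check for each directory in use on the system.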
Additional Information:
An alternative solution to disabling the usb-storage module may be found in USBGuard.
Use of USBGuard and construction of USB device policies should be done in alignment with site policy.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management, Identification and Authentication. This control applies to the following type of system: Unix.