How do I disable USB?

Short answer: Two options:

1. BIOS configuration (with or without password protection)

2. Kernel configuration (with or without password protection)

Detailed answer:

BIOS configuration

Several BIOS configuration utilities offer the option to disable the USB system. The manuals can be referred to, or the hardware vendor can be contacted, to find out if that option is available.

Most BIOSes do provide an option to disable USB.

[root@node003 ~]# dmesg | grep -i usb
Command line: BOOT_IMAGE=vmlinuz initrd=initrd nousb ip=10.141.0.3:10.141.255.254:10.141.255.254:255.255.0.0 BOOTIF=01-48-5b-39-c9-9b-3c
DMI: System manufacturer System Product Name/M4A88TD-V EVO/USB3, BIOS 1015    03/31/2010
Kernel command line: BOOT_IMAGE=vmlinuz initrd=initrd nousb ip=10.141.0.3:10.141.255.254:10.141.255.254:255.255.0.0 BOOTIF=01-48-5b-39-c9-9b-3c
usbcore: USB support disabled

Kernel Configuration

If the system BIOS does not offer that option, or if the system administrator would like an additional safeguard against BIOS misconfiguration, then the USB subsystem can be disabled altogether by adding the ‘nousb’ option to the kernel command line of GRUB.

For the head node:

Edit /etc/grub.conf and append nousb to the end of each kernel line:

Change

title Red Hat Enterprise Linux Server (2.6.32-431.17.1.el6.x86_64)
  root (hd0,0)
  kernel (hd0,0)/vmlinuz-2.6.32-431.17.1.el6.x86_64 root=UUID=0f2962af-fa73-4543-9c0e-f999237b7025 selinux=0 rdblacklist=nouveau crashkernel=auto SYSFONT=latarcyrheb-sun16 LANG=en_US.UTF-8 KEYTABLE=us
  initrd /initramfs-2.6.32-431.17.1.el6.x86_64.img

to

title Red Hat Enterprise Linux Server (2.6.32-431.17.1.el6.x86_64)
  root (hd0,0)
  kernel (hd0,0)/vmlinuz-2.6.32-431.17.1.el6.x86_64 root=UUID=0f2962af-fa73-4543-9c0e-f999237b7025 selinux=0 rdblacklist=nouveau crashkernel=auto SYSFONT=latarcyrheb-sun16 LANG=en_US.UTF-8 KEYTABLE=us nousb
  initrd /initramfs-2.6.32-431.17.1.el6.x86_64.img

For the nodes, the kernelparameters property of the software image must be modified:

[root@demo ~]#
[root@demo ~]# cmsh
[demo]% softwareimage use default-image
[demo->softwareimage[default-image]]% get kernelparameters
rdblacklist=nouveau
[demo->softwareimage[default-image]]% set kernelparameters "rdblacklist=nouveau nousb"
[demo->softwareimage*[default-image*]]% commit

The changes described above require a system reboot.
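
As a check before and after the reboot, the following added example (not part of the original article) lists the kernel lines in a legacy GRUB configuration that lack nousb as a whole word, so a mistyped token such as nosub is caught, and tests a kernel command line string for the parameter. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the nousb setting.

# Succeed if a kernel command line string contains nousb as a whole token.
has_nousb() {
    case " $1 " in
        *" nousb "*) return 0 ;;
    esac
    return 1
}

# Print the line number of every "kernel" entry in a legacy GRUB config
# (such as /etc/grub.conf) whose arguments do not include nousb.
grub_missing_nousb() {
    awk '$1 == "kernel" {
             ok = 0
             for (i = 2; i <= NF; i++) if ($i == "nousb") ok = 1
             if (!ok) print NR
         }' "$1"
}

# Constructed sample config: entry A is correct, entry B has a typo.
sample_grub_conf() {
    cat <<'EOF'
title Constructed entry A
  root (hd0,0)
  kernel (hd0,0)/vmlinuz-A root=/dev/sda1 rdblacklist=nouveau nousb
  initrd /initramfs-A.img
title Constructed entry B
  root (hd0,0)
  kernel (hd0,0)/vmlinuz-B root=/dev/sda1 rdblacklist=nouveau nosub
  initrd /initramfs-B.img
EOF
}

# Demo run against the constructed sample and, if readable, the live kernel.
tmp=$(mktemp)
sample_grub_conf > "$tmp"
echo "kernel lines missing nousb in sample: $(grub_missing_nousb "$tmp")"
rm -f "$tmp"
if [ -r /proc/cmdline ]; then
    if has_nousb "$(cat /proc/cmdline)"; then
        echo "running kernel: nousb present"
    else
        echo "running kernel: nousb absent"
    fi
fi
```

On a head node, the same function can be pointed at /etc/grub.conf; after the reboot, dmesg should report "usbcore: USB support disabled" as in the output shown earlier.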

Password protection can be considered by the system administrator:

  • to protect access to the BIOS configuration menu
  • to protect the GRUB menu

Updated on May 19, 2020
