1. Home
  2. Security
  3. How do I disable USB?
Searching...

How do I disable USB?

Contents

Purpose

There are two options to disable USB:

1. Via BIOS configuration (with or without password protection)

2. Via kernel configuration (with or without password protection)

This article will guide you through disabling USB with either option.

Steps

BIOS configuration

Several BIOS configuration utilities offer the option to disable the USB system. To determine if your hardware BIOS provides this option, please refer to the vendor documentation or contact the hardware vendor.

Most BIOSs do provide an option to disable USB, which is visible in the dmesg output:

[root@node003 ~]# dmesg | grep -i usb
Command line: BOOT_IMAGE=vmlinuz initrd=initrd nousb ip=10.141.0.3:10.141.255.254:10.141.255.254:255.255.0.0 BOOTIF=01-48-5b-39-c9-9b-3c
DMI: System manufacturer System Product Name/M4A88TD-V EVO/USB3, BIOS 1015    03/31/2010
Kernel command line: BOOT_IMAGE=vmlinuz initrd=initrd nousb ip=10.141.0.3:10.141.255.254:10.141.255.254:255.255.0.0 BOOTIF=01-48-5b-39-c9-
9b-3c
usbcore: USB support disabled

If USB support does not show as disabled in tbe

Kernel Configuration

If the system BIOS does not offer that option, or if the system administrator would like an additional safeguard against BIOS misconfiguration, then the USB subsystem subsystem can be disabled altogether by adding the ‘nousb’ option to the kernel comand line of GRUB:

For the head node:

Edit /etc/grub.conf annd append nosub to the end of each kernel line:

Change

title Red Hat Enterprise Linux Server (2.6.32-431.17.1.el6.x86_64)
  root (hd0,0)
  kernel (hd0,0)/vmlinuz-2.6.32-431.17.1.el6.x86_64 root=UUID=0f2962af-fa73-4543-9c0e-f999237b7025 selinux=0 rdblacklist=nouveau
crashkernel=auto SYSFONT=latarcyrheb-sun16 LANG=en_US.UTF-8 KEYTABLE=us
  initrd /initramfs-2.6.32-431.17.1.el6.x86_64.img
to

title Red Hat Enterprise Linux Server (2.6.32-431.17.1.el6.x86_64)
  root (hd0,0)
  kernel (hd0,0)/vmlinuz-2.6.32-431.17.1.el6.x86_64 root=UUID=0f2962af-fa73-4543-9c0e-f999237b7025 selinux=0 rdblacklist=nouveau
crashkernel=auto SYSFONT=latarcyrheb-sun16 LANG=en_US.UTF-8 KEYTABLE=us nousb
  initrd /initramfs-2.6.32-431.17.1.el6.x86_64.img
For the nodes the kernelparameters property of the software image must be modified:

[root@demo ~]#
[root@demo ~]# cmsh
[demo]% softwareimage use default-image
[demo->softwareimage[default-image]]% get kernelparameters
rdblacklist=nouveau
[demo->softwareimage[default-image]]% set kernelparameters "rdblacklist=nouveau nosub"
[demo->softwareimage*[default-image*]]% commit

The changes described in the preceding require a system reboot.

Password protection can be considered by the system administrator:

  • to protect access to the BIOS configuration menu
  • to protect the GRUB menu
Updated on September 4, 2025
Tagged:

Related Articles

Leave a Comment