1

I am setting up diskless clients that will run on an internal network. I have disabled SATA and USB ports using a BIOS locked with a password, but this is easy to get around by using the jumper to reset the BIOS.

To prevent data leakage, I would like to disable the SATA and USB ports on each client so that no drive can be connected to them.

How can I create a custom kernel that has SATA and USB ports disabled?

cmorris14
  • 73
  • 1
    What is your distribution? Do you prefer a binary kernel, a local installation, or you don't care? – Faheem Mitha Dec 18 '14 at 15:34
  • @FaheemMitha RHEL 6.5. The clients are booting via PXE from iSCSI targets, so there will not be a local disk or installation. – cmorris14 Dec 18 '14 at 15:52
  • 2
    If someone is determined enough to use a jumper to reset the BIOS, disabling the drives in an installed OS won't stop them from connecting a bootable device and using that instead of the network. – goldilocks Dec 18 '14 at 16:08

1 Answers1

2

Get your current config.gz and deploy it in a source tree as described in this answer.

Start make menuconfig and go into the "Device Drivers" submenu. Make sure "Serial ATA and Parallel ATA drivers (libata)" is disabled. Scroll down to the "USB support" sub-submenu and make sure "USB Mass Storage" is disabled. You could completely disable USB too if you want.

If there's nothing else, you're done with the configuration and can build the kernel.

As per my comment on the question, though, if this is an environment where you are seriously concerned someone might open the box to reset the BIOS, such a person will also find a way around this -- you cannot secure the hardware with the OS. If you really need to do this, disconnect and remove the USB jacks. WRT to the SATA ports, you probably can't do much unless you want to desolder them or something. You'll need to lock the case. A setting where someone can access the motherboard and fool around with impunity is simply not secure otherwise.

Even then, if the machine boots from a network, I imagine I could bring in a laptop and swap some cables around...depends on what you are trying to accomplish, I guess.

Community
  • 1
goldilocks
  • 87,661
  • 30
  • 204
  • 262
  • Hot glue will probably do wonders to the SATA ports (and any onboard USB ports). Easy alternative to desoldering. – derobert Dec 18 '14 at 16:27
  • Thanks, I will not be able to do anything to the ports physically, but I'm planning on locking the case and/or using security screws.The machine boots from the network, but only to a session that is then used for remotely connecting to another machine, which requires authentication. – cmorris14 Dec 18 '14 at 16:57
  • "You could completely disable USB too if you want" Yes...BUT...in this case I would recommend using one of the good ol' PS/2 mice. Because, to connect a mouse the modern way, you DO need an USB port. And supposing that, once logged on, some folks can get around quite well w/o mouse, they might simply connect another USB device to that "mouse" port. That's why it's called Universal Serial Bus: you can connect either hardware to this bus. There are no USB ports which are "only for mice" ;-) – syntaxerror Aug 12 '15 at 17:28