[VHRISO] USBguard vs. new keyboard

[dloseke]

moderator split from post532222.html#p532222

-= Feature Request =-

And let me know if I need to start a new thread for this, but it seems to be the most appropriate place for a VHR ISO request. I'm also unsure how this will be situated in the v13 release as well, but can we please modify the usbguard configuration to allow all keyboards and mice and probably KVM devices as well? As it stands, when the VHR is deployed, only the plugged in keyboard and mouse (or virtually plugged in when using iDRAC/iLO, etc) are added to the authorized list. Last night I discovered even using the same model of keyboard (abeit a different version - Dell Entry Keyboard A00 vs A01 in this case) does not match the one plugged in when deployed), and the keyboard has to be plugged into the same USB port - using the "correct" keyboard but in the wrong port will also generate an unauthorized device error. I get that this is a hardened repository, but this seems pretty extreme that I would need to keep a specific keyboard and plugged into a specific port in order to use it at the console. My understanding is that the configuration file can be modified to allow additional devices, but if I SSH into the repo, I can't sudo to modify the config file - granted I'm no linux wiz, but so far I don't even see an option to add additional devices. Let me know if I'm missing something though.

[HannesK]

Hello,
USB-guard is part of the DISA STIG security profile. It's nothing Veeam-specific.

I was thinking about the idea to modify settings via the Host Management Console / Configurator, but that leaves the challenge that if the keyboard is not available, it's not possible to configure anything. And the V13 Host Management Console web UI also will be disabled per default and not available for configuration.

One alternative could be to add a boot parameter during installation to completely disable USBguard. But I guess nobody would read the user guide and it won't help.

Another alternative would be to disable USBguard completely, because it was mentioned as "cause of pain" multiple times already in this thread. I'm not a big fan of that.

I guess the easiest way would be to document how to uninstall USB-guard by booting into single user mode. By doing that, no code needs to be changed, no new QA tests are needed and the intended level of security is kept.

Best regards
Hannes

[dloseke]

Hi Hannes, yes, if there is a way to do it either via the management console or via another method, that'd be great. While I don't think USBGuard needs to be completely disabled as I see benefit in using it, allowing specific device types would be beneficial. I suspect that might be able to be scripted in when the STIG is being applied but I don't know the mechanics of how that all works. I do like the idea of booting single user mode to modify /etc/usbguard/rules.conf, though that's an additional source of pain during the setup process, but it's also not the end of the world.

[dloseke]

Today I spent some time on a couple machines I had loaded yesterday and was able to boot into single user and modify the rules.conf to allow all keyboard and mouse devices. Posted info at https://www.technotesanddadjokes.com/ve ... for-usage/ if anyone wants to review. Thanks Hannes for your thoughts!

[HannesK]

Hello,
I quickly read through the blog post. It looks good for me and I noticed two things:

1. I put always rw directly in the grub boot options (replace ro to rw). Then I don't need to do "mount -o remount,rw /"
2. I'm surprised that "touch /.autorelabel" is not needed. Normally that's needed when changing files.

Best regards
Hannes