Linux - System Preferences - Disable USB Storage

What the USB Storage Disabler does

This Automox Worklet™ prevents USB mass storage endpoints from being used on Linux endpoints. The Worklet disables USB storage at the kernel level by unloading the usb-storage module and creating a configuration file that prevents the module from loading on future boots.

The Worklet creates a configuration file in /etc/modprobe.d/ that redirects USB storage module loading to /bin/true, effectively blocking the module. Before making changes, it removes any existing USB storage configurations to prevent conflicts.

The Worklet includes a revert option that can re-enable USB storage by removing the blocking configuration and reloading the kernel module. This allows you to temporarily lift restrictions when needed.

Data loss risks from unrestricted USB storage

USB storage endpoints enable immediate data exfiltration without network monitoring detection. Users copy sensitive files to thumb drives, bypassing DLP controls that scan network traffic. Attackers with physical access insert malicious USB endpoints that deliver ransomware, keyloggers, or lateral movement tools directly to endpoints, circumventing perimeter security.

Compliance audits fail when removable media controls are missing. PCI-DSS, HIPAA, and SOC 2 frameworks require documented restrictions on USB storage, creating audit findings when endpoints allow unrestricted removable media access. CIS Benchmarks specifically flag enabled USB storage on systems without documented business justification.

How USB storage blocking works

1. Evaluation phase: The Worklet uses lsmod to check if the usb-storage or usb_storage kernel module is currently loaded. If the module is loaded, the endpoint is flagged for remediation. If the module is not loaded, the endpoint is already compliant.

2. Remediation phase: The Worklet removes any existing USB storage rules from /etc/modprobe.d/, creates a new configuration file with install usb-storage /bin/true to block module loading, then executes rmmod usb-storage to unload the currently loaded module.

USB storage policy requirements

• Linux endpoint with modprobe configuration support

• Root or sudo privileges for kernel module management

• Optional: Set module_config_file_name to customize the configuration filename (default: ax-usb-storage.conf)

• Optional: Set revert=true in remediation script to re-enable USB storage

Outcomes after blocking USB storage

USB mass storage endpoints fail to mount, preventing data exfiltration through removable media. Running lsmod | grep usb-storage returns no output, confirming the module stays unloaded across reboots. Your organization meets PCI-DSS, HIPAA, and SOC 2 removable media control requirements with documented kernel-level restrictions.

USB keyboards, mice, and non-storage peripherals continue functioning normally. Users attempting to connect thumb drives or external hard drives find endpoints unrecognized, protecting sensitive data from unauthorized copying. Your compliance audits pass removable media checks with persistent configuration files in /etc/modprobe.d/ providing audit evidence.

How to validate disable usb storage changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for disable usb storage.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as function, else, check_usb_storage_module.

4. Validate remediation effects from script operations such as function, else, touch, then rerun evaluation for compliance.

Expected state after disable usb storage changes

After remediation, endpoints reflect the target disable usb storage configuration and report compliant status in Automox.

You can confirm results by correlating activity logs with evaluation checks (function, else, check_usb_storage_module) and remediation actions (function, else, touch).