In December 2016 I wrote a piece about using Grsecurity to prevent new USB devices from being loaded. Grsecurity has, unfortunately, left this world, but the linux-hardened project has taken on some of the patches and updates. I thought it would be worth a minor update to that post now that linux-hardened has ported the deny_new_usb patches, and uses a marginally different sysctl setting. The new systemd service: Listing 60: deny_new_usb.service[Unit] Description=Prevent new USB devices from ...
