Modprobe usb_storage is missing?

First, thanks for any available help. This is my first time installing Rocky Linux (CentOS) with a security profile and attempting to get a solid workstation going. So far so good. However, it seems that modprobe usb_storage is not installed. I noticed this when plugging in a USB drive, but it did not automatically mount or show up in lsblk or GParted as a device. It mounts fine in other Linux distros.

Here is the rest of the story:

Kernel version:

$ uname -a
Linux gb-rocky 5.14.0-427.16.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Wed May 8 17:48:14 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Drive is recognized when plugged into USB:

$ lsusb
Bus 002 Device 007: ID 152d:0578 JMicron Technology Corp. / JMicron USA Technology Corp. JMS578 SATA 6Gb/s
Bus 002 Device 003: ID 0bda:0411 Realtek Semiconductor Corp. Hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 0c45:7403 Microdia Foot Switch
Bus 001 Device 004: ID 30fa:2031 INSTANT USB Keyboard
Bus 001 Device 002: ID 1a40:0101 Terminus Technology Inc. Hub
Bus 001 Device 003: ID 8087:0026 Intel Corp. AX201 Bluetooth
Bus 001 Device 008: ID 0bda:5411 Realtek Semiconductor Corp. RTS5411 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

/var/log/messages recognizes the device, but throws an error:

May 21 17:13:30 localhost kernel: usb 2-1.3: USB disconnect, device number 7
May 21 17:13:32 localhost kernel: usb 2-1.3: new SuperSpeed USB device number 8 using xhci_hcd
May 21 17:13:32 localhost kernel: usb 2-1.3: New USB device found, idVendor=152d, idProduct=0578, bcdDevice= 2.08
May 21 17:13:32 localhost kernel: usb 2-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
May 21 17:13:32 localhost kernel: usb 2-1.3: Product: USB to ATA/ATAPI Bridge
May 21 17:13:32 localhost kernel: usb 2-1.3: Manufacturer: JMicron
May 21 17:13:32 localhost kernel: usb 2-1.3: SerialNumber: 0123456789ABCDEF
May 21 17:13:32 localhost mtp-probe[19083]: checking bus 2, device 8: "/sys/devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1.3"
May 21 17:13:32 localhost mtp-probe[19083]: bus: 2, device: 8 was not an MTP device
May 21 17:13:32 localhost systemd-udevd[19082]: Error running install command '/bin/false' for module usb_storage: retcode 1
May 21 17:13:32 localhost systemd-udevd[19082]: Error running install command '/bin/false' for module usb_storage: retcode 1
May 21 17:13:32 localhost mtp-probe[19086]: checking bus 2, device 8: "/sys/devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1.3"
May 21 17:13:32 localhost mtp-probe[19086]: bus: 2, device: 8 was not an MTP device

So, not an MTP device and Error running install command '/bin/false' for module usb_storage: retcode 1. I guess this is blocking the activation of modprobe usb_storage since when I try to execute that command I get the same error:

$ sudo modprobe usb_storage
modprobe: ERROR: Error running install command '/bin/false' for module usb_storage: retcode 1
modprobe: ERROR: could not insert 'usb_storage': Invalid argument

As I mentioned I have the RHEL Workstation Level 2 security profile enabled from the installation. However, there are no SELinux errors thrown in the /var/log/audit/audit and the problem persists even after sudo setenforce=0.

I also tried to add a rule to /etc/udev/rules.d/ named usb-storage.rules, following this post, with the contents below, and restarted the udevd.service, but no luck:

SUBSYSTEMS=="usb", ENV{MODALIAS}=="usb:152d:0578", ENV{MODALIAS}="usb-storage"

Finally, any help would be appreciated!

Does your “security profile” prevent Iranians plugging usb devices into nuclear reactors?

It would help to know where the security profile came from and what it’s supposed to do?

Security profiles can be chosen during installation. It stops certain things from being done, in this instance it stops the usb module from being loaded to stop people using usb devices. There are also settings related to kernel modules and filesystems as well, plus a whole load of other restrictive stuff.

If they wanted to use the usb device, they would have been better installing without a security profile. I’m sure there is probably a way to override it but it’s gonna be a big pain in the ass trying to do that unless you are used to dealing with these security profiles on an everyday basis.

Yes, this is the case. From there, the security profile is used when building the kernel itself. Since security profiles will become increasingly important in the future, I would like to learn how to adjust / customize them to benefit from the hardened security while being able to enable certain functions. Is there any documentation to support these goals?

For example, here are some sporadic basic install instructions for enabling a security profile:

I guess the only way may be to use OpenSCAP to modify the system after basic installation without a security profile, but this may miss some changes on the kernel level for added security. Or else build a custom installer with modified versions of the existing security profiles?

As an example, according to the RHEL Hardening Guide, the install can be configured for FIPS Encryption standards by enabling a flag such as:

linux /vmlinuz inst.stage2=hd:LABEL=RHEL-9-BaseOS-x86_64 quiet fips=1

Is there any known documentation for granularly altering other security policies such as the usb_storage module?

The link that you posted

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index

already has a chapter on “intrusive” usb devices.

But this is all back to front.

Before applying a security profile, be sure to understand exactly what it does and why you are applying it. If one of its features is to disable usb, then why spend hours trying to re-enable it?
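
The `Error running install command '/bin/false'` message in the first post is what modprobe prints when a modprobe.d `install` directive replaces loading the module with `/bin/false`. The following is an added example, not code from the thread or from Rocky Linux, that locates such directives so the restriction can be reviewed against the applied profile; `find_module_blocks` and the sample file names are hypothetical.

```shell
#!/bin/sh
# Added example: find_module_blocks is a hypothetical helper, not a system tool.
# Usage: find_module_blocks MODULE [DIR...]
# Prints "file:line: directive" for every modprobe.d line that blocks MODULE.
find_module_blocks() (
    module=$1
    shift
    # With no directories given, search the standard modprobe.d locations.
    [ "$#" -gt 0 ] || set -- /etc/modprobe.d /run/modprobe.d \
        /usr/local/lib/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for file in "$dir"/*.conf; do
            [ -f "$file" ] || continue
            awk -v want="$module" -v f="$file" '
                # modprobe treats "-" and "_" in module names as equivalent.
                BEGIN { gsub(/-/, "_", want) }
                /^[ \t]*#/ { next }
                { name = $2; gsub(/-/, "_", name) }
                name != want { next }
                $1 == "blacklist" {
                    printf "%s:%d: blacklist (stops alias autoload only)\n", f, FNR
                }
                $1 == "install" && $3 ~ /^(\/usr)?\/s?bin\/(false|true)$/ {
                    printf "%s:%d: install %s (runs instead of loading)\n", f, FNR, $3
                }
            ' "$file"
        done
    done
)

# Constructed sample: the file names and contents below are made up.
demo() {
    d=$(mktemp -d)
    printf 'install usb-storage /bin/false\n' > "$d/usb-storage.conf"
    printf '# install usb_storage /bin/true\nblacklist firewire-core\n' > "$d/misc.conf"
    find_module_blocks usb_storage "$d"
    find_module_blocks firewire_core "$d"
    rm -rf "$d"
}
demo
```

Called with only a module name, the function searches the live system's modprobe.d directories; `modprobe --showconfig` prints the merged configuration that modprobe actually applies.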