Mention deny_new_usb sysctl
dngray committed Mar 20, 2022
1 parent 76a05a5 commit 15b1e1c
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions collections/_evergreen/linux-desktop.md
@@ -81,9 +81,7 @@ Atomic updating distributions apply updates in full or not at all. Typically tra

A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails part of the way through (perhaps because of a power failure), rolling the update back to the "last known good state" is easy.

For fast-moving distributions like Silverblue, Tumbleweed, and NixOS reliability can be achieved with this model.

[Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:
For fast-moving distributions like Silverblue, Tumbleweed, and NixOS reliability can be achieved with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue:

<iframe width="640" height="480"
src="https://www.youtube-nocookie.com/embed/-hpV5l-gJnQ"
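Review bot: the merged sentence on the added line still reads "Silverblue, Tumbleweed, and NixOS reliability can be achieved with this model" with no comma after "NixOS"; since the line is being rewritten anyway, consider "For fast-moving distributions like Silverblue, Tumbleweed, and NixOS, reliability can be achieved with this model." Joining the two paragraphs is otherwise a pure reflow with no change in meaning.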
@@ -294,6 +292,8 @@ On systems where [`pam_faillock`](https://man7.org/linux/man-pages/man8/pam_tall
### USB port protection
To better protect your [USB](https://en.wikipedia.org/wiki/USB) ports from attracks such as [BadUSB](https://en.wikipedia.org/wiki/BadUSB) we recommend either [USBGuard](https://github.com/USBGuard/usbguard). USBGuard has [documentation](https://github.com/USBGuard/usbguard#documentation) and does the [Arch Wiki](https://wiki.archlinux.org/title/USBGuard).

Another alternative option if you're using the [linux-hardened](/linux-hardened) is the [`deny_new_usb`](https://github.com/GrapheneOS/linux-hardened/commit/96dc427ab60d28129b36362e1577b6673b0ba5c4) sysctl. See [Preventing USB Attacks with `linux-hardened`](https://blog.lizzie.io/preventing-usb-attacks-with-linux-hardened.html).

### Secure Boot
[Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot) can be used to secure the boot process by preventing the loading of [unsigned](https://en.wikipedia.org/wiki/Public-key_cryptography) [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) drivers or [boot loaders](https://en.wikipedia.org/wiki/Bootloader). Some guidance for this is provided in [21. Physical security](https://madaidans-insecurities.github.io/guides/linux-hardening.html#physical-security) and [21.4 Verified boot](https://madaidans-insecurities.github.io/guides/linux-hardening.html#verified-boot).
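Review bot: the added line is missing a noun after the link: "if you're using the [linux-hardened](/linux-hardened) is the `deny_new_usb` sysctl" should read something like "if you're using the [linux-hardened](/linux-hardened) kernel, the `deny_new_usb` sysctl is another option". The unchanged context line just above it also carries two existing problems worth fixing in the same commit: "attracks" should be "attacks", and "we recommend either [USBGuard]" offers only one alternative while "and does the [Arch Wiki]" reads as a truncated sentence (e.g. "USBGuard has documentation, and so does the Arch Wiki").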
