{"id":534745,"date":"2025-09-30T17:54:18","date_gmt":"2025-09-30T17:54:18","guid":{"rendered":"https:\/\/www.ninjaone.com\/?post_type=script_hub&p=534745"},"modified":"2025-09-30T17:54:18","modified_gmt":"2025-09-30T17:54:18","slug":"desactiver-les-peripheriques-de-stockage-usb-sur-linux","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/fr\/script-hub\/desactiver-les-peripheriques-de-stockage-usb-sur-linux\/","title":{"rendered":"Comment activer ou d\u00e9sactiver les p\u00e9riph\u00e9riques de stockage USB sur Linux avec un script Shell"},"content":{"rendered":"

Le contr\u00f4le de l’acc\u00e8s aux p\u00e9riph\u00e9riques de stockage USB est une pratique fondamentale pour maintenir l’int\u00e9grit\u00e9 des donn\u00e9es et emp\u00eacher l’exfiltration de donn\u00e9es non autoris\u00e9es dans les environnements d’entreprise. Face \u00e0 la persistance des menaces li\u00e9es aux supports amovibles (des fuites de donn\u00e9es internes aux cl\u00e9s USB charg\u00e9es de logiciels malveillants) les administrateurs informatiques et les fournisseurs de services g\u00e9r\u00e9s (MSP)<\/a> doivent appliquer des politiques strictes en mati\u00e8re d’utilisation des cl\u00e9s USB. Une m\u00e9thode efficace et \u00e9volutive consiste \u00e0 contr\u00f4ler les scripts au niveau du module du noyau (kernel). Cet article plonge dans un script shell performant con\u00e7u pour\u00a0activer, d\u00e9sactiver ou configurer les p\u00e9riph\u00e9riques de stockage USB sur Linux avec un script shell<\/strong>.<\/p>\n

Contexte<\/h2>\n

Sur les syst\u00e8mes Linux<\/a>, l’acc\u00e8s au stockage USB est r\u00e9gi par des modules du noyau, notamment usb-storage et uas (USB Attached SCSI). Ces modules peuvent \u00eatre charg\u00e9s automatiquement lorsque les appareils sont connect\u00e9s (chargement implicite) ou invoqu\u00e9s manuellement (chargement explicite). En bloquant ou en autorisant ces modules au niveau du syst\u00e8me, les professionnels de l’informatique peuvent contr\u00f4ler efficacement le comportement des p\u00e9riph\u00e9riques de stockage USB dans les parcs de terminaux Linux.<\/p>\n

Le script en question est con\u00e7u pour l’automatisation<\/a>, l’application de strat\u00e9gies et la compatibilit\u00e9 avec des plateformes RMM telles que\u00a0NinjaOne<\/strong>. Il cr\u00e9e et g\u00e8re les fichiers de configuration dans \/etc\/modprobe.d\/, met \u00e0 jour le syst\u00e8me de fichiers RAM initial (initramfs) et peut \u00e9ventuellement d\u00e9clencher un red\u00e9marrage du syst\u00e8me, ce qui en fait une solution compl\u00e8te pour la gouvernance des p\u00e9riph\u00e9riques USB.<\/p>\n

Le script\u00a0:<\/h2>\n
#!\/usr\/bin\/env bash\r\n\r\n# Description: Enable or disable USB storage devices on Linux.\r\n# By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n# Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n# Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n# Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n# Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n# Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n# Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n# EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n#\r\n#   There are two methods of loading USB storage drivers that allow mounting of USB storage devices:\r\n#       1. Implicit loading: The USB storage driver is loaded automatically when a USB storage device is connected.\r\n#       2. Explicit loading: The USB storage driver is loaded manually by a user, program, or script.\r\n#\r\n# Release Notes: Initial Release\r\n#\r\n# Notes: This will create config files in \/etc\/modprobe.d\/ as needed to block USB storage devices.\r\n#\r\n# Usage: [-Enable | -Disable] [-Reboot]\r\n#\r\n# Preset Parameter: --help\r\n#   Displays the help menu.\r\n#\r\n# Preset Parameter: -Enable\r\n#   Enables USB storage devices.\r\n#\r\n# Preset Parameter: -Disable\r\n#   Disables USB storage devices.\r\n#\r\n# Preset Parameter: -Reboot\r\n#   Reboots the system, if needed, after enabling or disabling USB storage devices.\r\n\r\n# Functions\r\n# Print an error message and exit with a specific status code\r\ndie() {\r\n    local _ret=\"${2:-1}\"\r\n    test \"${_PRINT_HELP:-no}\" = yes && print_help >&2\r\n    echo \"$1\" >&2\r\n    exit \"${_ret}\"\r\n}\r\n\r\nprint_help() {\r\n    printf '\\n\\n%s\\n\\n' 'Usage: [-Enable | -Disable]'\r\n    printf '  %s\\n' '-Enable'\r\n    printf '    Enables USB storage devices'\r\n    printf '  %s\\n' '-Disable'\r\n    printf '    Disables USB storage devices'\r\n}\r\n\r\n# Set the default values\r\n_arg_reboot=\"false\"\r\n\r\n# Parse the command-line arguments\r\nparse_commandline() {\r\n    while test $# -gt 0; do\r\n        _key=\"$1\"\r\n        case \"$_key\" in\r\n        -Enable | --Enable | -enable | --enable | -e | --e)\r\n            _arg_action=\"Enable\"\r\n            ;;\r\n        -Disable | --Disable | -disable | --disable | -d | --d)\r\n            _arg_action=\"Disable\"\r\n            ;;\r\n        --Reboot | --reboot | -Reboot | -reboot | -r | --r)\r\n            _arg_reboot=\"true\"\r\n            ;;\r\n        --help | -help | -h | --h)\r\n            _PRINT_HELP=yes die \"\" 0\r\n            ;;\r\n        *)\r\n            _PRINT_HELP=yes die \"[Error] Got an unexpected argument '$1'\" 1\r\n            ;;\r\n        esac\r\n        shift\r\n    done\r\n}\r\n\r\nparse_commandline \"$@\"\r\n\r\n# Exit if not running as root\r\nif [[ $EUID -ne 0 ]]; then\r\n    die \"[Error] This script must be run as root or SYSTEM from NinjaRMM\" 1\r\nfi\r\n\r\n# If script form variables are used, replace the command line parameters with their value.\r\nif [[ -n \"${action}\" ]] && [[ \"${action}\" == \"Enable\" ]]; then\r\n    _arg_action=\"Enable\"\r\nelif [[ -n \"${action}\" ]] && [[ \"${action}\" == \"Disable\" ]]; then\r\n    _arg_action=\"Disable\"\r\nfi\r\n\r\nif [[ \"${reboot}\" == \"true\" ]]; then\r\n    _arg_reboot=\"true\"\r\nfi\r\n\r\n# Check if action is empty\r\nif [[ -z \"${_arg_action}\" ]]; then\r\n    die \"Invalid action. Use Enable or Disable\" 1\r\nfi\r\n\r\n# Variables\r\n# Modprobe.d folder\r\nmodprobFolder=\"\/etc\/modprobe.d\"\r\n# Config file\r\nconfigFile=\"${modprobFolder}\/ninja-usb-block.conf\"\r\n\r\n# Check if modprobe.d folder does not exists\r\nif ! [ -d \"${modprobFolder}\" ]; then\r\n    die \"[Error] Modprobe folder does not exist\" 1\r\nfi\r\n\r\n# Check if usb-storage and uas kenel drivers are modules\r\nif ! modprobe -n uas >\/dev\/null 2>&1; then\r\n    die \"[Error] USB Attached SCSI driver(uas) must be compiled as a kernel module\" 1\r\nfi\r\nif ! modprobe -n usb-storage >\/dev\/null 2>&1; then\r\n    die \"[Error] USB storage(usb-storage) driver must be compiled as a kernel module\" 1\r\nfi\r\n\r\nif [[ \"${_arg_action}\" == \"Enable\" ]]; then\r\n    # Enable USB storage\r\n\r\n    # Check if our file exists\r\n    if [ -f \"${configFile}\" ]; then\r\n        echo \"[Info] Enabling USB storage devices\"\r\n        # Remove our config file\r\n        rm \"${configFile}\"\r\n        echo \"[Info] Enabled USB storage devices\"\r\n    else\r\n        echo \"[Info] USB storage devices are already enabled\"\r\n    fi\r\n\r\n    # Remove other blocks USB storage in other files\r\n    for file in \"${modprobFolder}\"\/*; do\r\n        # Remove implicit USB Storage block\r\n        if grep -q \"blacklist usb_storage\" \"${file}\"; then\r\n            echo \"[Info] Removing implicit USB Storage block in ${file}\"\r\n            sed -i '\/blacklist usb_storage\/d' \"${file}\"\r\n            echo \"[Info] Removed implicit USB Storage block in ${file}\"\r\n        fi\r\n        # Remove implicit USB Attached SCSI block\r\n        if grep -q \"blacklist uas\" \"${file}\"; then\r\n            echo \"[Info] Removing implicit USB Attached SCSI block in ${file}\"\r\n            sed -i '\/blacklist uas\/d' \"${file}\"\r\n            echo \"[Info] Removed implicit USB Attached SCSI block in ${file}\"\r\n        fi\r\n        # Remove explicit USB Storage driver block\r\n        if grep -q \"install usb-storage \/bin\/true\" \"${file}\"; then\r\n            echo \"[Info] Removing explicit USB Storage block in ${file}\"\r\n            sed -i '\/install usb-storage \\\/bin\\\/true\/d' \"${file}\"\r\n            echo \"[Info] Removed explicit USB Storage block in ${file}\"\r\n        fi\r\n        # Remove explicit USB Attached SCSI driver block\r\n        if grep -q \"install uas \/bin\/true\" \"${file}\"; then\r\n            echo \"[Info] Removing explicit USB Attached SCSI block in ${file}\"\r\n            sed -i '\/install uas \\\/bin\\\/true\/d' \"${file}\"\r\n            echo \"[Info] Removed explicit USB Attached SCSI block in ${file}\"\r\n        fi\r\n    done\r\n\r\n    # Check that update-initramfs command exists\r\n    if command -v update-initramfs >\/dev\/null 2>&1; then\r\n        # Update the initramfs\r\n        echo \"[Info] Updating initramfs\"\r\n        update-initramfs -u >\/dev\/null 2>&1\r\n        echo \"[Info] Updated initramfs\"\r\n    fi\r\n\r\n    if [[ \"${_arg_reboot}\" == \"true\" ]]; then\r\n        echo \"[Info] Rebooting the system to enable USB storage devices\"\r\n        # Shutdown in 1 minute\r\n        shutdown -r +1\r\n    else\r\n        echo \"[Info] USB storage devices are enabled, please reboot the system\"\r\n    fi\r\n\r\nelif [[ \"${_arg_action}\" == \"Disable\" ]]; then\r\n    # Disable USB storage\r\n\r\n    # Variables to determine if we should block the drivers\r\n    blacklist_uas=\"false\"\r\n    blacklist_usb_storage=\"false\"\r\n    block_uas=\"false\"\r\n    block_usb_storage=\"false\"\r\n\r\n    # Check if usb_storage or uas is blocked in other files\r\n    for file in \"${modprobFolder}\"\/*; do\r\n\r\n        # Check if implicit loading is already blocked\r\n        if grep -q \"blacklist uas\" \"${file}\"; then\r\n            echo \"[Info] USB Attached SCSI drivers are already implicitly blocked in ${file}\"\r\n        else\r\n            blacklist_uas=\"true\"\r\n        fi\r\n\r\n        # Check if implicit loading is already blocked\r\n        if grep -q \"blacklist usb_storage\" \"${file}\"; then\r\n            echo \"[Info] USB storage drivers are already implicitly blocked in ${file}\"\r\n        else\r\n            blacklist_usb_storage=\"true\"\r\n        fi\r\n\r\n        # Check if explicit loading is already blocked\r\n        if grep -q \"install uas \/bin\/true\" \"${file}\"; then\r\n            echo \"[Info] USB Attached SCSI drivers are already explicitly blocked in ${file}\"\r\n        else\r\n            block_uas=\"true\"\r\n        fi\r\n\r\n        # Check if explicit loading is already blocked\r\n        if grep -q \"install uas \/bin\/true\" \"${file}\"; then\r\n            echo \"[Info] USB storage drivers are already explicitly blocked in ${file}\"\r\n        else\r\n            block_usb_storage=\"true\"\r\n        fi\r\n    done\r\n\r\n    if [ \"${blacklist_uas}\" == \"true\" ]; then\r\n        echo \"[Info] Implicitly Disabling USB Attached SCSI driver\"\r\n\r\n        # Check if config file exists\r\n        if ! [ -f \"${configFile}\" ]; then\r\n            echo \"[Info] Creating blocklist config file (${configFile})\"\r\n            touch \"${configFile}\"\r\n        fi\r\n\r\n        # Write the line to the file\r\n        echo \"blacklist uas\" >>\"${configFile}\"\r\n    fi\r\n\r\n    if [ \"${blacklist_usb_storage}\" == \"true\" ]; then\r\n        echo \"[Info] Implicitly Disabling USB storage driver\"\r\n\r\n        # Check if config file exists\r\n        if ! [ -f \"${configFile}\" ]; then\r\n            echo \"[Info] Creating blocklist config file (${configFile})\"\r\n            touch \"${configFile}\"\r\n        fi\r\n\r\n        # Write the line to the file\r\n        echo \"blacklist usb_storage\" >>\"${configFile}\"\r\n    fi\r\n\r\n    if [ \"${block_uas}\" == \"true\" ]; then\r\n        echo \"[Info] Explicitly Disabling USB Attached SCSI driver\"\r\n\r\n        # Check if uas config file exists\r\n        if ! [ -f \"${modprobFolder}\" ]; then\r\n            echo \"[Info] Creating UAS config file (${modprobFolder}\/uas.conf)\"\r\n            touch \"${modprobFolder}\/uas.conf\"\r\n        fi\r\n\r\n        # Write the line to the file\r\n        echo \"install uas \/bin\/true\" >>\"${modprobFolder}\/uas.conf\"\r\n    fi\r\n\r\n    if [ \"${block_usb_storage}\" == \"true\" ]; then\r\n        echo \"[Info] Explicitly Disabling USB storage driver\"\r\n\r\n        # Check if usb-storage config file exists\r\n        if ! [ -f \"${modprobFolder}\" ]; then\r\n            echo \"[Info] Creating USB storage config file (${modprobFolder}\/usb-storage.conf)\"\r\n            touch \"${modprobFolder}\/usb-storage.conf\"\r\n        fi\r\n\r\n        # Write the line to the file\r\n        echo \"install usb-storage \/bin\/true\" >>\"${modprobFolder}\/usb-storage.conf\"\r\n    fi\r\n\r\n    # Unload the modules\r\n    echo \"[Info] Unloading USB storage modules\"\r\n    modprobe -r uas >\/dev\/null 2>&1\r\n    modprobe -r usb_storage >\/dev\/null 2>&1\r\n    rmmod uas >\/dev\/null 2>&1\r\n    rmmod usb_storage >\/dev\/null 2>&1\r\n\r\n    # Check if the modules are still loaded\r\n    modules_unloaded=\"true\"\r\n    if lsmod | grep -q uas; then\r\n        modules_unloaded=\"false\"\r\n    fi\r\n    if lsmod | grep -q usb_storage; then\r\n        modules_unloaded=\"false\"\r\n    fi\r\n\r\n    # Check that update-initramfs command exists\r\n    if command -v update-initramfs >\/dev\/null 2>&1; then\r\n        # Update the initramfs\r\n        echo \"[Info] Updating initramfs\"\r\n        update-initramfs -u >\/dev\/null 2>&1\r\n        echo \"[Info] Updated initramfs\"\r\n\r\n        # Set to false so we can reboot or warn that a reboot is needed\r\n        modules_unloaded=\"false\"\r\n        if [[ \"${_arg_reboot}\" == \"false\" ]]; then\r\n            echo \"[Warn] USB storage devices can still be mounted, please reboot the system\"\r\n        fi\r\n    fi\r\n\r\n    if [ \"${modules_unloaded}\" == \"true\" ]; then\r\n        echo \"[Info] Unloaded USB storage modules\"\r\n    else\r\n        if [[ \"${_arg_reboot}\" == \"true\" ]]; then\r\n            echo \"[Info] USB storage devices are still mounted, rebooting the system\"\r\n            # Shutdown in 1 minute\r\n            shutdown -r +1\r\n        else\r\n            echo \"[Warn] USB storage devices are still mounted, please unmount them and rerun this script OR reboot the system\"\r\n        fi\r\n    fi\r\n\r\nelse\r\n    die \"[Error] Invalid parameter. Use -Enable or -Disable\" 1\r\nfi<\/pre>\n
 <\/p>\n\n
Description d\u00e9taill\u00e9e<\/h2>\n
Voici comment fonctionne le script, \u00e9tape par \u00e9tape :<\/p>\n
1. Analyse de la ligne de commande<\/h3>\n
Le script accepte les drapeaux suivants :<\/p>\n