USB/SD Blocking
USB/SD blocking allows blocking removable USB/SD Card storage from mounting, or forcing devices to be remounted as read-only. This is intended to prevent data exfiltration.
With this feature configured, any time a storage device is mounted, Santa evaluates the mount properties. If the device is removable, ejectable, connected by USB, or an SD card, and is not internal or virtual, then the mount will be processed.
If no re-mount options are configured, matching mounts will be rejected.
You can optionally configure re-mount flags to apply to new mounts. When Santa evaluates a mount, it checks the mount flags against those configured. If they match, the mount is allowed to proceed. Otherwise, the mount is rejected and the device is re-mounted using the configured flags. This can be used to force a mount to always be read-only, disable SUID binaries, disable execs from the mount, disable browsing, etc.
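The decision flow for a new mount described above, as a small Python model. This is an added illustration, not Santa's code. The field names, the flag strings, the precedence used in the scope test, and the subset test used for "match" are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mount:
    """Properties of a new mount (constructed model; field names are assumptions)."""
    name: str
    removable: bool = False
    ejectable: bool = False
    usb: bool = False
    sd_card: bool = False
    internal: bool = False
    virtual: bool = False
    flags: frozenset = frozenset()  # flags the mount was requested with

def in_scope(m: Mount) -> bool:
    # Any one external trait, and neither internal nor virtual (assumed precedence).
    external = m.removable or m.ejectable or m.usb or m.sd_card
    return external and not (m.internal or m.virtual)

def decide(m: Mount, remount_flags: frozenset):
    """Return (verdict, flags used for the re-mount or None)."""
    if not in_scope(m):
        return ("allow", None)          # not subject to the feature
    if not remount_flags:
        return ("reject", None)         # blocking only, no re-mount configured
    if remount_flags <= m.flags:        # assumed: extra flags still count as a match
        return ("allow", None)
    return ("remount", remount_flags)   # original mount rejected, then re-mounted

if __name__ == "__main__":
    policy = frozenset({"rdonly", "noexec"})  # constructed policy: read-only, no execs
    samples = [                               # constructed sample mounts
        Mount("usb-stick", removable=True, usb=True),
        Mount("usb-stick-ro", usb=True, flags=frozenset({"rdonly", "noexec", "nosuid"})),
        Mount("disk-image", ejectable=True, virtual=True),
        Mount("boot-volume", internal=True),
    ]
    for m in samples:
        verdict, flags = decide(m, policy)
        print(f"{m.name:14} {verdict:8} {sorted(flags) if flags else ''}")
```

Running the model with an empty policy shows the first behaviour on the page: every in-scope mount is rejected outright.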
Another option that can be configured is what action should be taken on start. By default, any devices that are mounted when Santa starts are ignored, even if they would have been blocked. You can instead configure Santa to unmount or remount.