Difference between revisions of "USBGuard"

From ArchWiki
Jump to navigation Jump to search
(Rules: all rules explained)
(pre-finish. now reviews)
Line 1: Line 1:
 
This software allows one to implement a white/black-listing mechanism for usb-devices. Inspiration for this is drawn from exploits like BadUSB.
 
This software allows one to implement a white/black-listing mechanism for usb-devices. Inspiration for this is drawn from exploits like BadUSB.
It consists of  
+
It makes use of a device blocking infrastructure included in the linux kernel and consists of a daemon and some front-ends.
  
 
== Installation ==
 
== Installation ==
Line 8: Line 8:
 
== Configuration ==
 
== Configuration ==
  
The main configuration file is found in {{ic|/etc/usbguard/usbguard-deamon.conf}}.
+
The main configuration file is found in {{ic|/etc/usbguard/usbguard-daemon.conf}}.
  
Start the deamon usbguard.service.
+
If you want to use IPC control of the daemon, be sure to add your username to {{ic|IPCAllowedUsers}} or your group to {{ic|IPCAllowedGroups}} to make rules persistent.
  
 
== Usage ==
 
== Usage ==
  
 
USBGuard has a core deamon, a CLI, a QT GUI, a DBUS interface and an API via libusbguard.
 
USBGuard has a core deamon, a CLI, a QT GUI, a DBUS interface and an API via libusbguard.
 +
If you want to use the QT GUI or another program communicating via DBUS, enable and start {{ic|usbguard-dbus.service}}.
 +
If you only want to communicate via API (with the CLI tool or another software using libusbguard) enable and start {{ic|usbguard.service}}.
 +
 +
The CLI is available via {{ic|usbguard}}.
 +
 +
See the according man pages for more info.
  
 
=== Rules ===
 
=== Rules ===
  
To configure usbguard to your needs, you can edit {{ic|/etc/usbguard/rules.conf}}. The rules syntax is formally explained [https://github.com/dkopecek/usbguard#rule-language here].
+
To configure usbguard to your needs, you can edit {{ic|/etc/usbguard/rules.conf}}. However, if using a helper, manual editing of the rules is not necessary.
 +
 
 +
The rules syntax is formally explained [https://github.com/dkopecek/usbguard#rule-language here].
 
An example for a hp printer connected via USB can look like this:
 
An example for a hp printer connected via USB can look like this:
  
Line 60: Line 68:
  
 
== Weblinks ==
 
== Weblinks ==
 +
* [https://github.com/dkopecek/usbguard/ USBGuard Website]
 
* [https://raw.githubusercontent.com/dkopecek/usbguard/master/doc/usbguard-component-diagram.png USBGuard component diagram]
 
* [https://raw.githubusercontent.com/dkopecek/usbguard/master/doc/usbguard-component-diagram.png USBGuard component diagram]
 
* [https://srlabs.de/bites/usb-peripherals-turn/ BadUSB background info]
 
* [https://srlabs.de/bites/usb-peripherals-turn/ BadUSB background info]
*
+
* [https://www.kernel.org/doc/Documentation/usb/authorization.txt Kernel interface for USB device control]

Revision as of 11:47, 23 August 2016

This software allows one to implement a white/black-listing mechanism for usb-devices. Inspiration for this is drawn from exploits like BadUSB. It makes use of a device blocking infrastructure included in the linux kernel and consists of a daemon and some front-ends.

Installation

Install usbguardAUR or usbguard-gitAUR.

Configuration

The main configuration file is found in /etc/usbguard/usbguard-daemon.conf.

If you want to use IPC control of the daemon, be sure to add your username to IPCAllowedUsers or your group to IPCAllowedGroups to make rules persistent.

Usage

USBGuard has a core deamon, a CLI, a QT GUI, a DBUS interface and an API via libusbguard. If you want to use the QT GUI or another program communicating via DBUS, enable and start usbguard-dbus.service. If you only want to communicate via API (with the CLI tool or another software using libusbguard) enable and start usbguard.service.

The CLI is available via usbguard.

See the according man pages for more info.

Rules

To configure usbguard to your needs, you can edit /etc/usbguard/rules.conf. However, if using a helper, manual editing of the rules is not necessary.

The rules syntax is formally explained here. An example for a hp printer connected via USB can look like this:

allow id 03f0:0c17 serial "00CNFD234631" name "hp LaserJet 2020" hash "a0ef07fceb6fb77698f79a44a450121m" parent-hash "69d19c1a5733a31e7e6d9530e6k434a6" with-interface { 07:01:03 07:01:02 07:01:01 }

A rule begins with a policy. allow whitelists a device, block stops the device from being processed now and reject removes the device from the system. Then follows a set of attributes with their options, as detailed below.

Attribute Description
id usb-device-id Match a USB device ID.
id [operator] { usb-device-id ... } Match a set of USB device IDs.
hash "value" Match a hash computed from the device attribute values and the USB descriptor data. The hash is computed for every device by USBGuard.
hash [operator] { "value" ... } Match a set of device hashes.
parent-hash "value" Match a hash of the parent device.
parent-hash [operator] { "value" ... } Match a set of parent device hashes.
name "device-name" Match the USB device name attribute.
name [operator] { "device-name" ... } Match a set of USB device names.
serial "serial-number" Match the USB iSerial device attribute.
serial [operator] { "serial-number" ... } Match a set of USB iSerial device attributes.
via-port "port-id" Match the USB port through which the device is connected. Note that some systems have unstable port numbering which change after the system reboots or certain kernel modules are reloaded (and maybe in other cases). Use the parent-hash attribute if you want to ensure that a device is connected via a specific parent device.
via-port [operator] { "port-id" ... } Match a set of USB ports.
with-interface interface-type Match an interface type that the USB device provides.
with-interface [operator] { interface-type interface-type ... } Match a set of interface types against the set of interfaces that the USB device provides.

Weblinks