How to protect Linux against rogue USB devices using USBGuard

source link: https://www.cyberciti.biz/security/how-to-protect-linux-against-rogue-usb-devices-using-usbguard/

You deployed a perfect firewall and other network security policies preventing unauthorized access to the user’s desktop computer over a network. However, you still need to control USB device access. We can configure a Linux desktop security policy to protect your computer against rogue USB devices (a.k.a. BadUSB) by implementing allowlisting and blocklisting based on device attributes. For instance, I can define what kind of USB devices are authorized and how a USB device interacts with the Linux system. For example, I can define a policy allowing a Yubikey with serial number “XYZ” and a USB LTE modem with serial # “ABC.” Every other USB device is denied by default.

Installing the USBGuard and other utilities

USBGuard only works on Linux, and the following tutorial will not work with other operating systems such as *BSD or macOS.

Install USBGuard as follows, according to your Linux distro.

Debian/Ubuntu or Linux Mint

Use the apt command or apt-get command on Debian/Ubuntu or Linux Mint:
$ sudo apt install usbguard usbutils udisks2

[sudo] password for vivek: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
usbutils is already the newest version (1:012-2).
udisks2 is already the newest version (2.8.4-1ubuntu2).
The following packages were automatically installed and are no longer required:
  linux-headers-5.4.0-84 linux-headers-5.4.0-84-generic linux-image-5.4.0-84-generic linux-modules-5.4.0-84-generic linux-modules-extra-5.4.0-84-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libqb0 libumockdev0 libusbguard0
The following NEW packages will be installed:
  libqb0 libumockdev0 libusbguard0 usbguard
0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded.
Need to get 580 kB of archives.
After this operation, 2,131 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 libqb0 amd64 1.0.5-1 [63.9 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 libumockdev0 amd64 0.14.1-1ubuntu0.1 [34.2 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal/universe amd64 libusbguard0 amd64 0.7.6+ds-1build1 [350 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal/universe amd64 usbguard amd64 0.7.6+ds-1build1 [132 kB]
Fetched 580 kB in 3s (229 kB/s)   
Selecting previously unselected package libqb0:amd64.
(Reading database ... 419085 files and directories currently installed.)
Preparing to unpack .../libqb0_1.0.5-1_amd64.deb ...
Unpacking libqb0:amd64 (1.0.5-1) ...
Selecting previously unselected package libumockdev0:amd64.
Preparing to unpack .../libumockdev0_0.14.1-1ubuntu0.1_amd64.deb ...
Unpacking libumockdev0:amd64 (0.14.1-1ubuntu0.1) ...
Selecting previously unselected package libusbguard0.
Preparing to unpack .../libusbguard0_0.7.6+ds-1build1_amd64.deb ...
Unpacking libusbguard0 (0.7.6+ds-1build1) ...
Selecting previously unselected package usbguard.
Preparing to unpack .../usbguard_0.7.6+ds-1build1_amd64.deb ...
Unpacking usbguard (0.7.6+ds-1build1) ...
Setting up libqb0:amd64 (1.0.5-1) ...
Setting up libumockdev0:amd64 (0.14.1-1ubuntu0.1) ...
Setting up libusbguard0 (0.7.6+ds-1build1) ...
Setting up usbguard (0.7.6+ds-1build1) ...
Created symlink /etc/systemd/system/dbus-org.usbguard.service → /lib/systemd/system/usbguard-dbus.service.
Created symlink /etc/systemd/system/multi-user.target.wants/usbguard-dbus.service → /lib/systemd/system/usbguard-dbus.service.
Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /lib/systemd/system/usbguard.service.
Processing triggers for systemd (245.4-4ubuntu3.13) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for dbus (1.12.16-2ubuntu2.1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.3) ...

Fedora or RHEL and friends

For Fedora, RHEL and clones, use the dnf command:
$ sudo dnf install usbguard usbutils udisks2

Figure: Installing USBGuard on RHEL or Fedora Linux.

SUSE/OpenSUSE Linux

SUSE Enterprise Linux or OpenSUSE Linux users can try the zypper command as follows:
$ sudo zypper in usbguard usbutils udisks2 usbguard-tools

Loading repository data...
Reading installed packages...
Resolving package dependencies...
 
The following 5 NEW packages are going to be installed:
  udisks2 udisks2-lang usbguard usbguard-tools usbutils
 
The following recommended package was automatically selected:
  udisks2-lang
 
5 new packages to install.
Overall download size: 725.3 KiB. Already cached: 0 B. After the operation,
additional 3.0 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving package udisks2-2.8.1-1.39.x86_64
                                         (1/5), 261.9 KiB (929.5 KiB unpacked)
Retrieving: udisks2-2.8.1-1.39.x86_64.rpm ..............................[done]
Retrieving package usbguard-0.7.8-bp153.1.19.x86_64
                                         (2/5), 122.1 KiB (314.0 KiB unpacked)
Retrieving: usbguard-0.7.8-bp153.1.19.x86_64.rpm .......................[done]
Retrieving package udisks2-lang-2.8.1-1.39.noarch
                                         (3/5), 163.3 KiB (  1.2 MiB unpacked)
Retrieving: udisks2-lang-2.8.1-1.39.noarch.rpm .........................[done]
Retrieving package usbguard-tools-0.7.8-bp153.1.19.x86_64
                                         (4/5),  66.1 KiB (179.7 KiB unpacked)
Retrieving: usbguard-tools-0.7.8-bp153.1.19.x86_64.rpm .................[done]
Retrieving package usbutils-014-3.3.1.x86_64
                                         (5/5), 111.9 KiB (362.2 KiB unpacked)
Retrieving: usbutils-014-3.3.1.x86_64.rpm ..............................[done]
 
Checking for file conflicts: ...........................................[done]
(1/5) Installing: udisks2-2.8.1-1.39.x86_64 ............................[done]
(2/5) Installing: usbguard-0.7.8-bp153.1.19.x86_64 .....................[done]
(3/5) Installing: udisks2-lang-2.8.1-1.39.noarch .......................[done]
(4/5) Installing: usbguard-tools-0.7.8-bp153.1.19.x86_64 ...............[done]
(5/5) Installing: usbutils-014-3.3.1.x86_64 ............................[done]

Controlling the usbguard service

Use the systemctl command to enable the usbguard service at boot time, or to restart it when you apply a new policy. The syntax is:
$ sudo systemctl enable usbguard.service --now
$ sudo systemctl start usbguard.service
$ sudo systemctl stop usbguard.service
$ sudo systemctl restart usbguard.service
$ sudo systemctl status usbguard.service

Figure: The usbguard service persists across reboots; checking its current status with the systemctl command.

Listing current USB devices

Use the lsusb command or usb-devices command for displaying information about USB buses in the system and the devices connected to them. For example:
$ lsusb
$ usb-devices | less

Figure: lsusb in action on my ThinkPad laptop.

Want a graphical summary of USB devices connected to the system? Try:
$ sudo usbview

Figure: usbview GUI in action.

Viewing USBGuard rules

Next, change into the /etc/usbguard directory as the root user. Log in as root first:
$ sudo -i
### OR ###
$ su -

List the files and look for rules.conf:
$ ls -l

total 16
drwxr-xr-x. 2 root root 4096 Mar 31 13:32 IPCAccessControl.d
-rw-------. 1 root root    0 Mar 31 13:32 rules.conf
drwxr-xr-x. 2 root root 4096 Mar 31 13:32 rules.d
-rw-------. 1 root root 5366 Mar 31 12:57 usbguard-daemon.conf

Rule types:

There are three rule targets for a USB device:

  1. allow – Authorize the USB device.
  2. block – Do not authorize the USB device. The system still sees the device (it shows up in lsusb), but users cannot use it until the sysadmin authorizes it.
  3. reject – Do not authorize the USB device and remove it from the system, so neither the system nor users can see it. The USB device must be re-inserted to become visible again.

Understanding /etc/usbguard/usbguard-daemon.conf

The usbguard service reads its defaults and options from a file named /etc/usbguard/usbguard-daemon.conf:
$ sudo less /etc/usbguard/usbguard-daemon.conf
$ sudo grep -vE '^#|^$' /etc/usbguard/usbguard-daemon.conf

Outputs:

RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
PresentControllerPolicy=keep
InsertedDevicePolicy=apply-policy
AuthorizedDefault=none
RestoreControllerDeviceState=false
DeviceManagerBackend=uevent
IPCAllowedUsers=root
IPCAllowedGroups=root plugdev
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=false
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
Options:

  • RuleFile=path – The USBGuard daemon will use this file to load the policy rule set from it and to write new rules received via the IPC interface.
  • ImplicitPolicyTarget=target – How to treat USB devices that don’t match any rule in the policy. Target should be one of allow, block or reject (logically remove the device node from the system).
  • PresentDevicePolicy=policy – How to treat USB devices that are already connected when the daemon starts. Policy should be one of allow, block, reject, keep (keep whatever state the device is currently in) or apply-policy (evaluate the rule set for every present device).
  • PresentControllerPolicy=policy – How to treat USB controller devices that are already connected when the daemon starts. One of allow, block, reject, keep or apply-policy.
  • InsertedDevicePolicy=policy – How to treat USB devices that are connected (inserted) after the daemon starts. One of block, reject, apply-policy.
  • RestoreControllerDeviceState=boolean – The USBGuard daemon modifies some attributes of controller devices, like the default authorization state of new child device instances. Using this setting, you can control whether the daemon will try to restore the attribute values to the state before modification on shutdown.
  • DeviceManagerBackend=backend – Which device manager backend implementation to use. Backend should be one of uevent (default) or umockdev.
  • IPCAllowedUsers=username [username ...] – A space-delimited list of usernames that the daemon will accept IPC connections from.
  • IPCAllowedGroups=groupname [groupname ...] – A space-delimited list of group names that the daemon will accept IPC connections from.
  • IPCAccessControlFiles=path – The files at this location will be interpreted by the daemon as IPC access control definition files. See the IPC ACCESS CONTROL section of the man page for more details.
  • DeviceRulesWithPort=boolean – Generate device-specific rules including the “via-port” attribute.
  • AuditBackend=backend – USBGuard audit events log backend. The backend value should be one of FileAudit or LinuxAudit.
  • AuditFilePath=filepath – USBGuard audit events log file path. Required if AuditBackend is set to FileAudit.

Creating a base default policy

Almost all Linux distros ship with no rules, so rules.conf is empty and you need to create a base policy. The same command applies whenever you want to set a new policy. To generate a rule set (policy) that authorizes the currently connected USB devices, run:
$ sudo usbguard generate-policy -X >/etc/usbguard/rules.conf

A note about setting a catch-all policy

The last rule in the policy should be either reject or block. For example, to generate a new base policy whose catch-all rule target is block or reject, run:
$ sudo usbguard generate-policy -X -t block >/etc/usbguard/rules.conf
OR
$ sudo usbguard generate-policy -X -t reject >/etc/usbguard/rules.conf

A reject or block rule as the base policy is recommended because:

  • It defines a permanent USBGuard policy that allows only specific USB devices to interact with the Linux system.
  • In other words, currently connected devices are accepted, but USBGuard will block or reject any additional USB devices.

View the generated policy using the more/cat/less command:
$ sudo more /home/student/rules.conf
Sample outputs:
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0002 serial "0000:2c:00.0" name "xHCI Host Controller" hash "PwX8KDBTGiYfCyqnWn9KXV2puYMRc5J2oaMUcSSODtY=" parent-hash "pvCnfx3ZtzZduIZZbt74WeR01YZKEEkrJ0aOxulLMOA=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0003 serial "0000:2c:00.0" name "xHCI Host Controller" hash "B2IRioS6Q505Wfk3rv9C5jLWo4iRtvS1rx0ZHSJGEl0=" parent-hash "pvCnfx3ZtzZduIZZbt74WeR01YZKEEkrJ0aOxulLMOA=" with-interface 09:00:00 with-connect-type ""
allow id 045e:082c serial "603378194521" name "Microsoft Ergonomic Keyboard" hash "/XFAtSRVsaZuf7PFiE9mvgEyRjrYL8NVMyDOqboFhrc=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"
allow id 2109:2813 serial "" name "USB2.0 Hub" hash "TysTMKnN62ygTFPyigZ+0VmUsx067cMepEk76682Bo8=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-7" with-interface 09:00:00 with-connect-type "hotplug"
allow id 06cb:00bd serial "46b6e9623725" name "" hash "a9PN3kg0s7LvZgUVOnrGXSBaVPGD2RkCo/lm5dEjTRM=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface ff:00:00 with-connect-type "not used"
allow id 2109:0813 serial "" name "USB3.0 Hub" hash "VXFbt2m/i5krELu+kCSJysCj+m3eetVv3nfC72o9ceg=" parent-hash "B2IRioS6Q505Wfk3rv9C5jLWo4iRtvS1rx0ZHSJGEl0=" via-port "4-2" with-interface 09:00:00 with-connect-type "hotplug"
allow id 8087:0029 serial "" name "" hash "ATK8pCmQtUYaUnwqUVuYssrOMkW8pdCSdZO4OC6zEtg=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-14" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "not used"
allow id 1a40:0101 serial "" name "USB 2.0 Hub" hash "xe96rjr8V53Jw+g7q/yi0C1czVxatehiq7r4gn2dH6s=" parent-hash "TysTMKnN62ygTFPyigZ+0VmUsx067cMepEk76682Bo8=" via-port "1-7.4" with-interface 09:00:00 with-connect-type "unknown"
allow id 2109:0102 serial "0000000000000001" name "USB 2.0 BILLBOARD             " hash "9D+MQzO58xal2wcN4ROFKY33xyDuRLfAqDBlArhZi3M=" parent-hash "xe96rjr8V53Jw+g7q/yi0C1czVxatehiq7r4gn2dH6s=" with-interface 11:00:00 with-connect-type "unknown"
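
Before enabling the daemon it is worth reviewing rules.conf the way the note above suggests: count what the policy allows and confirm that the last rule is a block or reject catch-all. The following POSIX shell script is an added example written for this article, not code from the USBGuard project. The function names (usbguard_policy_check, write_sample_policy) are this example's own; of the constructed sample policy, the keyboard and HUAWEI rules are copied from the output above, while the deliberately weak rule `allow id abcd:1234` is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article or USBGuard itself:
# review a USBGuard rules file before switching the daemon on.
#
# usbguard_policy_check FILE
#   prints "allow=N block=N reject=N weak_allow=N" and the catch-all rule,
#   returns 0 when the last rule is a bare "block" or "reject", 1 otherwise.
usbguard_policy_check() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*$/ { next }                      # skip blank lines
        { sub(/[ \t]+$/, ""); last = $0 }        # remember the last real rule
        $1 == "allow"  { allow++ }
        $1 == "block"  { block++ }
        $1 == "reject" { reject++ }
        # heuristic: an allow rule with neither a hash nor a non-empty serial
        # authorizes every device that presents the same vendor:product id
        $1 == "allow" && $0 !~ / hash "/ && $0 !~ /serial "[^"]+"/ { weak++ }
        END {
            printf "allow=%d block=%d reject=%d weak_allow=%d\n", allow, block, reject, weak
            if (last == "block" || last == "reject") {
                printf "catch-all: %s\n", last
                exit 0
            }
            printf "catch-all: MISSING (last rule: %s)\n", last
            exit 1
        }' "$1"
}

# write_sample_policy FILE
#   constructed sample rules.conf: two rules copied from the article, one
#   made-up weak rule (abcd:1234 is not a real device) and a block catch-all.
write_sample_policy() {
    cat > "$1" <<'EOF'
# constructed sample policy for the example
allow id 045e:082c serial "603378194521" name "Microsoft Ergonomic Keyboard" hash "/XFAtSRVsaZuf7PFiE9mvgEyRjrYL8NVMyDOqboFhrc=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"
allow id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" hash "8tSOgfYNylANtACo0ysV5qRAx5Ht+geWMd+QOVNcK70=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 08:06:50 02:0e:00 0a:00:02 0a:00:02 08:06:50 } with-connect-type "hotplug"
allow id abcd:1234
block
EOF
}

# stand-alone demo; on a real system run: usbguard_policy_check /etc/usbguard/rules.conf
sample=$(mktemp)
write_sample_policy "$sample"
usbguard_policy_check "$sample" || echo "policy has no catch-all rule"
rm -f "$sample"
```

Run it as root against /etc/usbguard/rules.conf (the file is mode 0600). Two caveats: the daemon's ImplicitPolicyTarget (block in the configuration shown earlier) already decides the fate of devices that match no rule even without a trailing rule, so the catch-all check is about making that intent explicit in the policy file; and the weak-rule heuristic only looks for a hash or a non-empty serial, so a rule that pins the device by via-port or with-interface instead is still reported. Remember also that every account in IPCAllowedUsers/IPCAllowedGroups (plugdev in the configuration above) can talk to the daemon and, unless restricted through IPCAccessControlFiles, run allow-device and change the policy.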

List the rule set (policy) used by the USBGuard daemon

Run:
$ sudo usbguard list-rules
Want to show the devices affected by each rule? Try:
$ sudo usbguard list-rules -d
$ sudo usbguard list-rules --show-devices

We can also show rules having a specific label:
$ sudo usbguard list-rules -l {label_here}
$ sudo usbguard list-rules --label {label_here}

To list all USB devices recognized by the USBGuard daemon:
$ sudo usbguard list-devices
$ sudo usbguard list-devices -a ## list allowed devices ##
$ sudo usbguard list-devices -b ## list blocked devices ##

Testing USBGuard

I am going to insert my USB 4G LTE modem, check whether it is blocked by default, and run lsusb:
$ lsusb
Sample outputs, showing that the HUAWEI USB modem is attached to a USB port (Device 009: ID 12d1:157c) and visible to the system:

Bus 004 Device 002: ID 2109:0813 VIA Labs, Inc. USB3.0 Hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 06cb:00bd Synaptics, Inc. 
Bus 001 Device 007: ID 2109:0102 VIA Labs, Inc. Microsoft Ergonomic Keyboard
Bus 001 Device 005: ID 1a40:0101 Terminus Technology Inc. Hub
Bus 001 Device 003: ID 2109:2813 VIA Labs, Inc. USB2.0 Hub
Bus 001 Device 009: ID 12d1:157c Huawei Technologies Co., Ltd. HUAWEI_MOBILE
Bus 001 Device 006: ID 8087:0029 Intel Corp. 
Bus 001 Device 002: ID 045e:082c Microsoft Corp. Microsoft Ergonomic Keyboard
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

However, USBGuard blocks this device. The kernel log shows that the HUAWEI USB device is not authorized for usage:
$ sudo dmesg
$ sudo dmesg | grep -i 'authorized'

Sample outputs showing that USBGuard blocked the USB modem by default:

[87467.670280] usb 1-2: new high-speed USB device number 8 using xhci_hcd
[87467.820572] usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02
[87467.820578] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[87467.820581] usb 1-2: Product: HUAWEI_MOBILE
[87467.820584] usb 1-2: Manufacturer: HUAWEI_MOBILE
[87467.820587] usb 1-2: SerialNumber: 0123456789ABCDEF
[87467.820928] usb 1-2: Device is not authorized for usage
[87477.196260] usb 1-2: USB disconnect, device number 8
[87477.682044] usb 1-2: new high-speed USB device number 9 using xhci_hcd
[87477.831578] usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02
[87477.831583] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[87477.831587] usb 1-2: Product: HUAWEI_MOBILE
[87477.831590] usb 1-2: Manufacturer: HUAWEI_MOBILE
[87477.831593] usb 1-2: SerialNumber: 0123456789ABCDEF
[87477.831931] usb 1-2: Device is not authorized for usage

We can use the following command to view blocked USB devices:
$ sudo usbguard list-devices -b
Outputs:

24: block id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" hash "8tSOgfYNylANtACo0ysV5qRAx5Ht+geWMd+QOVNcK70=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 08:06:50 02:0e:00 0a:00:02 0a:00:02 08:06:50 } with-connect-type "hotplug"

The fields of this block rule are:

  1. 24 – Device number
  2. block id 12d1:157c – Rule target and USB device ID (vendor:product)
  3. serial "0123456789ABCDEF" – USB device serial number
  4. name "HUAWEI_MOBILE" – USB device name

The USB device number is assigned dynamically and will be different on your Linux system.
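
The fields of a list-devices line are easy to read one at a time, but when auditing a machine you usually want every blocked device in a compact table. The following shell function is an added example, not code from the article or from USBGuard: it parses usbguard list-devices output into tab-separated columns of device number, target, id, serial, name and port. The two lines in sample_device_list are copied from this article; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or the USBGuard project:
# turn `usbguard list-devices` output into a compact tab-separated table.

# usbguard_device_summary
#   reads list-devices lines on stdin and prints, per device,
#   number<TAB>target<TAB>vendor:product<TAB>serial<TAB>name<TAB>port
#   with "-" for an attribute that is absent or empty.
usbguard_device_summary() {
    awk '
        # value of a quoted attribute such as serial "..." on the current line
        function attr(key,    v) {
            if (match($0, key " \"[^\"]*\"")) {
                v = substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
                return (v == "" ? "-" : v)
            }
            return "-"
        }
        # only lines that look like "<number>: <target> id <vendor:product> ..."
        /^[0-9]+: (allow|block|reject) id / {
            num = $1; sub(/:$/, "", num)
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", num, $2, $4, attr("serial"), attr("name"), attr("via-port")
        }'
}

# sample_device_list
#   constructed stand-in for `sudo usbguard list-devices`; both lines are
#   copied from the article (one blocked modem, one allowed one).
sample_device_list() {
    cat <<'EOF'
24: block id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" hash "8tSOgfYNylANtACo0ysV5qRAx5Ht+geWMd+QOVNcK70=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 08:06:50 02:0e:00 0a:00:02 0a:00:02 08:06:50 } with-connect-type "hotplug"
27: allow id 12d1:1506 serial "" name "HUAWEI_MOBILE" hash "1lr2516yYIsSGGyDZrcgBBNJPlzzthtHbpH1SN5E/VA=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { ff:02:12 ff:02:01 ff:02:16 ff:02:16 08:06:50 08:06:50 } with-connect-type "hotplug"
EOF
}

# stand-alone demo; on a real system: sudo usbguard list-devices -b | usbguard_device_summary
sample_device_list | usbguard_device_summary
```

Because the output is tab-separated, it feeds directly into cut, sort or a spreadsheet; an empty serial shows up as "-", which is itself a useful flag, since such a device can only be pinned by hash or port.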

Allowing access to USB devices temporarily

By default, USBGuard blocks a newly attached USB device, and it stays blocked until an administrator authorizes it, so USB-based attacks are stopped. But what if I want to give access to a legitimate USB device? The following command changes the target for device # 24 (ID 12d1:157c) from block to allow:
$ sudo usbguard allow-device {device_ID}
$ sudo usbguard allow-device 24

I can also use a rule instead of the device number:
$ sudo usbguard allow-device '12d1:157c serial "0123456789ABCDEF"'
$ sudo usbguard allow-device '12d1:1506 serial "0123456789ABCDEF"'

Permanent rule

We can make the decision permanent. A device-specific allow rule will be appended to the current policy:
$ sudo usbguard allow-device {device_ID} -p
$ sudo usbguard allow-device 24 -p

Rule instead of ID:
$ sudo usbguard allow-device '12d1:157c serial "0123456789ABCDEF"' -p
$ sudo usbguard allow-device '12d1:1506 serial "0123456789ABCDEF"' -p

Here are the rules I added to rules.conf using a text editor:
$ sudo vi /etc/usbguard/rules.conf
Append the following:

allow id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" hash "8tSOgfYNylANtACo0ysV5qRAx5Ht+geWMd+QOVNcK70=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 08:06:50 02:0e:00 0a:00:02 0a:00:02 08:06:50 } with-connect-type "hotplug"
allow id 12d1:1506 serial "" name "HUAWEI_MOBILE" hash "1lr2516yYIsSGGyDZrcgBBNJPlzzthtHbpH1SN5E/VA=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { ff:02:12 ff:02:01 ff:02:16 ff:02:16 08:06:50 08:06:50 } with-connect-type "hotplug"

Save and close the file. Restart the service:
$ sudo systemctl restart usbguard.service

Verification

USBGuard grants access to the USB device immediately once the rule is added. Now I can connect to the Internet using the USB LTE modem or view the USB disk:
$ udisksctl status

MODEL                     REVISION  SERIAL               DEVICE
--------------------------------------------------------------------------
SAMSUNG MZVLB1T0HBLR-000L7 5M2QEXF7  xyzfooooooooo1       nvme0n1 
SAMSUNG MZVLB1T0HBLR-000L7 5M2QEXF7  xyzfooooooooo2       nvme1n1 
HUAWEI TF CARD Storage    2.31      HUAWEI_TF_CARD_Storage-0:0 sda     
HUAWEI Mass Storage       2.31      HUAWEI_Mass_Storage-0:0 sr0   

There are no more "not authorized" errors either:
$ sudo dmesg
And yes, NetworkManager (nmcli) connected to the Internet using the USB LTE modem too. Here is the output from the ip command and nmcli command:
$ nmcli device status
$ nmcli device show ttyUSB0
$ ip a s | more
$ ip a s wwx001e101f0000

Figure: I allowed USB LTE modem and disk access using USBGuard.

Removing a USB device

To deauthorize a USB device and record that decision in the rule set, first list the allowed devices and note the device ID (# 27 in this example):
$ sudo usbguard list-devices -a # list allowed devices #
For example:

27: allow id 12d1:1506 serial "" name "HUAWEI_MOBILE" hash "1lr2516yYIsSGGyDZrcgBBNJPlzzthtHbpH1SN5E/VA=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { ff:02:12 ff:02:01 ff:02:16 ff:02:16 08:06:50 08:06:50 } with-connect-type "hotplug"

Then:
$ sudo usbguard block-device {ID_HERE} -p
$ sudo usbguard block-device 27 -p

The above deauthorizes the device with ID # 27 and appends a block rule to the policy. We can use a rule instead of the ID, too:
$ sudo usbguard block-device {RULE} -p
$ sudo usbguard block-device '12d1:157c serial "0123456789ABCDEF"' -p
$ sudo usbguard block-device '12d1:1506 serial "0123456789ABCDEF"' -p

Of course, you can edit the config file instead:
$ sudo vi /etc/usbguard/rules.conf
Then remove the entry for the USB device and then restart the service:
$ sudo systemctl restart usbguard.service
$ sudo systemctl status usbguard.service

Troubleshooting tips

If you are a new Linux developer or sysadmin, you may find configuration a little tricky. Try the following commands to view and solve issues:

Can the system view my USB device?

$ lsusb
$ sudo usbguard watch

Is the USB device blocked or allowed?

$ sudo usbguard list-rules
$ sudo usbguard list-devices -b # blocked #
$ sudo usbguard list-devices -a # allowed #

Check system logs

$ sudo dmesg
$ sudo dmesg | more
$ sudo journalctl -b -e
$ sudo journalctl -b -e -u usbguard.service
$ sudo cat /var/log/usbguard/usbguard-audit.log
$ sudo tail -f /var/log/usbguard/usbguard-audit.log
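
For the "check system logs" step, the dmesg lines shown in the Testing section above are the signal a defender looks for. The following shell function is an added example, not the article's code and not part of USBGuard: it scans plain dmesg output for "Device is not authorized for usage" and reports, per event, the port, the vendor:product id and the serial that the kernel logged for that port just before. The lines in sample_dmesg are copied from the article; the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article or the USBGuard project:
# pick the "Device is not authorized for usage" events out of plain dmesg output.

# usb_unauthorized_report
#   reads dmesg lines on stdin; prints one line per unauthorized-device event
#   (port, vendor:product id, serial, kernel timestamp) and a final total.
#   Expects the plain `dmesg` format with the bracketed uptime first.
usb_unauthorized_report() {
    awk '
        # strip the bracketed uptime (it may contain padding spaces) so that
        # $1 is always "usb" and $2 the port, e.g. "1-2:"
        {
            ts = "-"
            if (match($0, /^\[[^]]*\]/)) {
                ts = substr($0, RSTART, RLENGTH)
                $0 = substr($0, RLENGTH + 1)
            }
        }
        # "usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02"
        /New USB device found/ {
            port = $2; sub(/:$/, "", port)
            split($0, a, /idVendor=|, idProduct=|, bcdDevice/)
            id[port] = a[2] ":" a[3]
            serial[port] = "-"              # a new device is on this port; forget the old serial
        }
        # "usb 1-2: SerialNumber: 0123456789ABCDEF"
        /SerialNumber: / {
            port = $2; sub(/:$/, "", port)
            serial[port] = $NF
        }
        # "usb 1-2: Device is not authorized for usage"
        /Device is not authorized for usage/ {
            port = $2; sub(/:$/, "", port)
            n++
            printf "%s %s serial=%s blocked at %s\n", port, id[port], serial[port], ts
        }
        END { printf "%d unauthorized device event(s)\n", n }'
}

# sample_dmesg
#   constructed stand-in for `sudo dmesg`; the lines are copied from the article
sample_dmesg() {
    cat <<'EOF'
[87467.670280] usb 1-2: new high-speed USB device number 8 using xhci_hcd
[87467.820572] usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02
[87467.820578] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[87467.820581] usb 1-2: Product: HUAWEI_MOBILE
[87467.820584] usb 1-2: Manufacturer: HUAWEI_MOBILE
[87467.820587] usb 1-2: SerialNumber: 0123456789ABCDEF
[87467.820928] usb 1-2: Device is not authorized for usage
[87477.196260] usb 1-2: USB disconnect, device number 8
[87477.682044] usb 1-2: new high-speed USB device number 9 using xhci_hcd
[87477.831578] usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02
[87477.831583] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[87477.831587] usb 1-2: Product: HUAWEI_MOBILE
[87477.831590] usb 1-2: Manufacturer: HUAWEI_MOBILE
[87477.831593] usb 1-2: SerialNumber: 0123456789ABCDEF
[87477.831931] usb 1-2: Device is not authorized for usage
EOF
}

# stand-alone demo; on a real system: sudo dmesg | usb_unauthorized_report
sample_dmesg | usb_unauthorized_report
```

The function keys its state on the port string because the kernel logs the id and serial lines before the "not authorized" line for the same port; `dmesg -T` prefixes a human-readable date instead of the bracketed uptime, so feed it plain dmesg output as shown in the article. A non-zero total on a workstation that should have had no new devices is the thing to investigate, together with the usbguard audit log above.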

Other tools related to USB

$ nmcli
$ nmcli device status # usb network #
$ ip a s # networking #
$ lsblk # usb block device #
$ udisksctl status

Getting help

Run:
$ usbguard -h
$ usbguard {sub-command} -h
$ usbguard list-devices -h

Here is what I see:

 Usage: usbguard [OPTIONS] <command> [COMMAND OPTIONS] ...
 
 Options:
 
 Commands:
  get-parameter <name>           Get the value of a runtime parameter.
  set-parameter <name> <value>   Set the value of a runtime parameter.
  list-devices                   List all USB devices recognized by the USBGuard daemon.
  allow-device <id>              Authorize a device to interact with the system.
  block-device <id>              Deauthorize a device.
  reject-device <id>             Deauthorize and remove a device from the system.
 
  list-rules                     List the rule set (policy) used by the USBGuard daemon.
  append-rule <rule>             Append a rule to the rule set.
  remove-rule <id>               Remove a rule from the rule set.
 
  generate-policy                Generate a rule set (policy) based on the connected USB devices.
  watch                          Watch for IPC interface events and print them to stdout.
  read-descriptor                Read a USB descriptor from a file and print it in human-readable form.
 
  add-user <name>                Add USBGuard IPC user/group (requires root privilges)
  remove-user <name>             Remove USBGuard IPC user/group (requires root privileges)

Summing up

This guide explained how to use USBGuard to protect your Linux desktop or server against rogue USB devices by implementing allowlisting and blocklisting rules based upon attributes such as USB device ID and serial number. The usbguard service runs in the background and allows or blocks access to a USB device according to those rules. The usbguard command is used to manage the USB device authorization rules and to debug problems too.

References

Please see the following man pages using the man command:
$ man lsusb
$ man usbview
$ man usb-devices
$ man usbguard
$ man usbguard-daemon

