41 lines
1.3 KiB
Plaintext
41 lines
1.3 KiB
Plaintext
|
The USBGuard software framework helps to protect your
|
||
|
|
computer against unauthorized use of USB ports on
|
||
|
|
a machine. To enforce the user-defined policy, it uses
|
||
|
|
the USB device authorization feature implemented in the
|
||
|
|
Linux kernel since 2007.
|
||
|
|
|
||
|
|
USBGuard supports granular policy options as well as
|
||
|
|
blacklisting and whitelisting capabilities for specifying
|
||
|
|
how USB devices will interact with a particular host system.
|
||
|
|
|
||
|
|
A device that is blocked will be listed by the operating
|
||
|
|
system as being connected, but no communication is allowed
|
||
|
|
for it. A device that is rejected will be completely ignored
|
||
|
|
after it is inserted into the port.
|
||
|
|
|
||
|
|
Optional dependencies:
|
||
|
|
- audit
|
||
|
|
- libseccomp
|
||
|
|
|
||
|
|
To have the USBGuard daemon start and stop with your host,
|
||
|
|
add to /etc/rc.d/rc.local:
|
||
|
|
|
||
|
|
if [ -x /etc/rc.d/rc.usbguard ]; then
|
||
|
|
/etc/rc.d/rc.usbguard start
|
||
|
|
fi
|
||
|
|
|
||
|
|
and to /etc/rc.d/rc.local_shutdown (creating it if needed):
|
||
|
|
|
||
|
|
if [ -x /etc/rc.d/rc.usbguard]; then
|
||
|
|
/etc/rc.d/rc.usbguard stop
|
||
|
|
fi
|
||
|
|
|
||
|
|
Warning: You must configure the daemon before you start it
|
||
|
|
or all USB devices will immediately be blocked!
|
||
|
|
|
||
|
|
In order to view the current policy execute the following
|
||
|
|
command: sudo usbguard generate-policy
|
||
|
|
|
||
|
|
If you are satisfied with the output then copy it to the rules file.
|
||
|
|
sudo usbguard generate-policy >> /etc/usbguard/rules.conf
|