system/usbguard: Added (protection against rogue USB devices).
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
This commit is contained in:
Michael Edie
Willy Sudiarto Raharjo
parent
ef3c179517
commit
96cadfe7d1
|
|
@ -0,0 +1,40 @@
|
|||
The USBGuard software framework helps to protect your
|
||||
computer against unauthorized use of USB ports on
|
||||
a machine. To enforce the user-defined policy, it uses
|
||||
the USB device authorization feature implemented in the
|
||||
Linux kernel since 2007.
|
||||
|
||||
USBGuard supports granular policy options as well as
|
||||
blacklisting and whitelisting capabilities for specifying
|
||||
how USB devices will interact with a particular host system.
|
||||
|
||||
A device that is blocked will be listed by the operating
|
||||
system as being connected, but no communication is allowed
|
||||
for it. A device that is rejected will be completely ignored
|
||||
after it is inserted into the port.
|
||||
|
||||
Optional dependencies:
|
||||
- audit
|
||||
- libseccomp
|
||||
|
||||
To have the USBGuard daemon start and stop with your host,
|
||||
add to /etc/rc.d/rc.local:
|
||||
|
||||
if [ -x /etc/rc.d/rc.usbguard ]; then
|
||||
/etc/rc.d/rc.usbguard start
|
||||
fi
|
||||
|
||||
and to /etc/rc.d/rc.local_shutdown (creating it if needed):
|
||||
|
||||
if [ -x /etc/rc.d/rc.usbguard]; then
|
||||
/etc/rc.d/rc.usbguard stop
|
||||
fi
|
||||
|
||||
Warning: You must configure the daemon before you start it
|
||||
or all USB devices will immediately be blocked!
|
||||
|
||||
In order to view the current policy execute the following
|
||||
command: sudo usbguard generate-policy
|
||||
|
||||
If you are satisfied with the output then copy it to the rules file.
|
||||
sudo usbguard generate-policy >> /etc/usbguard/rules.conf
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Start/Stop/Restart the USBGuard daemon.
|
||||
#
|
||||
|
||||
PIDFILE=/var/run/usbguard.pid
|
||||
USBGUARD_OPTS="-f -s"
|
||||
|
||||
# Start
|
||||
usbguard_start() {
|
||||
if [ -x /usr/sbin/usbguard-daemon ]; then
|
||||
if [ -e "$PIDFILE" ]; then
|
||||
echo "USBGuard daemon already started!"
|
||||
else
|
||||
echo "Starting USBGuard daemon..."
|
||||
/usr/sbin/usbguard-daemon $USBGUARD_OPTS
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# Stop
|
||||
usbguard_stop() {
|
||||
echo "Stopping USBGuard daemon..."
|
||||
if [ -e "$PIDFILE" ]; then
|
||||
kill $(cat $PIDFILE)
|
||||
rm -f $PIDFILE 2>&1 >/dev/null
|
||||
fi
|
||||
# Just in case:
|
||||
killall usbguard-daemon 2>&1 >/dev/null
|
||||
}
|
||||
|
||||
# Restart
|
||||
usbguard_restart() {
|
||||
usbguard_stop
|
||||
sleep 3
|
||||
usbguard_start
|
||||
}
|
||||
|
||||
# Status
|
||||
usbguard_status() {
|
||||
if [ -e "$PIDFILE" ]; then
|
||||
echo "usbguard-daemon is running."
|
||||
else
|
||||
echo "usbguard-daemon is stopped."
|
||||
fi
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
'start')
|
||||
usbguard_start
|
||||
;;
|
||||
'stop')
|
||||
usbguard_stop
|
||||
;;
|
||||
'restart')
|
||||
usbguard_restart
|
||||
;;
|
||||
'status')
|
||||
usbguard_status
|
||||
;;
|
||||
*)
|
||||
echo "usage: $0 start|stop|restart|status"
|
||||
esac
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
/var/log/usbguard/usbguard-audit.log {
|
||||
daily
|
||||
rotate 7
|
||||
copytruncate
|
||||
delaycompress
|
||||
compress
|
||||
notifempty
|
||||
missingok
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
config() {
|
||||
NEW="$1"
|
||||
OLD="$(dirname $NEW)/$(basename $NEW .new)"
|
||||
# If there's no config file by that name, mv it over:
|
||||
if [ ! -r $OLD ]; then
|
||||
mv $NEW $OLD
|
||||
elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
|
||||
rm $NEW
|
||||
fi
|
||||
# Otherwise, we leave the .new copy for the admin to consider...
|
||||
}
|
||||
|
||||
preserve_perms() {
|
||||
NEW="$1"
|
||||
OLD="$(dirname $NEW)/$(basename $NEW .new)"
|
||||
if [ -e $OLD ]; then
|
||||
cp -a $OLD ${NEW}.incoming
|
||||
cat $NEW > ${NEW}.incoming
|
||||
mv ${NEW}.incoming $NEW
|
||||
fi
|
||||
config $NEW
|
||||
}
|
||||
|
||||
preserve_perms etc/rc.d/rc.usbguard.new
|
||||
config etc/logrotate.d/usbguard.new
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
# HOW TO EDIT THIS FILE:
|
||||
# The "handy ruler" below makes it easier to edit a package description.
|
||||
# Line up the first '|' above the ':' following the base package name, and
|
||||
# the '|' on the right side marks the last column you can put a character in.
|
||||
# You must make exactly 11 lines for the formatting to be correct. It's also
|
||||
# customary to leave one space after the ':' except on otherwise blank lines.
|
||||
|
||||
|-----handy-ruler------------------------------------------------------|
|
||||
usbguard: usbguard (Software protection against rogue USB devices)
|
||||
usbguard:
|
||||
usbguard: The USBGuard software framework helps to protect your
|
||||
usbguard: computer against rogue USB devices (a.k.a. BadUSB) by
|
||||
usbguard: implementing basic whitelisting and blacklisting
|
||||
usbguard: capabilities based on device attributes.
|
||||
usbguard:
|
||||
usbguard:
|
||||
usbguard: https://usbguard.github.io/
|
||||
usbguard:
|
||||
usbguard:
|
||||
|
|
@ -0,0 +1,108 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Slackware build script for usbguard
|
||||
|
||||
# Copyright 2019 Michael Edie Orlando, FL USA
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use of this script, with or without modification, is
|
||||
# permitted provided that the following conditions are met:
|
||||
#
|
||||
# 1. Redistributions of this script must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
|
||||
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
|
||||
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
||||
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
||||
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
||||
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
||||
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
PRGNAM=usbguard
|
||||
VERSION=${VERSION:-0.7.4}
|
||||
BUILD=${BUILD:-1}
|
||||
TAG=${TAG:-_SBo}
|
||||
|
||||
if [ -z "$ARCH" ]; then
|
||||
case "$( uname -m )" in
|
||||
i?86) ARCH=i586 ;;
|
||||
arm*) ARCH=arm ;;
|
||||
*) ARCH=$( uname -m ) ;;
|
||||
esac
|
||||
fi
|
||||
|
||||
CWD=$(pwd)
|
||||
TMP=${TMP:-/tmp/SBo}
|
||||
PKG=$TMP/package-$PRGNAM
|
||||
OUTPUT=${OUTPUT:-/tmp}
|
||||
|
||||
if [ "$ARCH" = "i586" ]; then
|
||||
SLKCFLAGS="-O2 -march=i586 -mtune=i686"
|
||||
LIBDIRSUFFIX=""
|
||||
elif [ "$ARCH" = "i686" ]; then
|
||||
SLKCFLAGS="-O2 -march=i686 -mtune=i686"
|
||||
LIBDIRSUFFIX=""
|
||||
elif [ "$ARCH" = "x86_64" ]; then
|
||||
SLKCFLAGS="-O2 -fPIC"
|
||||
LIBDIRSUFFIX="64"
|
||||
else
|
||||
SLKCFLAGS="-O2"
|
||||
LIBDIRSUFFIX=""
|
||||
fi
|
||||
|
||||
set -e
|
||||
|
||||
rm -rf $PKG
|
||||
mkdir -p $TMP $PKG $OUTPUT
|
||||
cd $TMP
|
||||
rm -rf $PRGNAM-$VERSION
|
||||
tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
|
||||
cd $PRGNAM-$VERSION
|
||||
chown -R root:root .
|
||||
find -L . \
|
||||
\( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
|
||||
-o -perm 511 \) -exec chmod 755 {} \; -o \
|
||||
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
|
||||
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
|
||||
|
||||
CFLAGS="$SLKCFLAGS" \
|
||||
CXXFLAGS="$SLKCFLAGS" \
|
||||
./configure \
|
||||
--prefix=/usr \
|
||||
--libdir=/usr/lib${LIBDIRSUFFIX} \
|
||||
--sysconfdir=/etc \
|
||||
--localstatedir=/var \
|
||||
--mandir=/usr/man \
|
||||
--build=$ARCH-slackware-linux \
|
||||
--with-crypto-library=sodium \
|
||||
--with-bundled-catch \
|
||||
--with-bundled-pegtl
|
||||
|
||||
make
|
||||
make install DESTDIR=$PKG
|
||||
|
||||
find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
|
||||
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
|
||||
|
||||
DOCS="VERSION LICENSE CHANGELOG.md README.adoc"
|
||||
|
||||
find $PKG/usr/man -type f -exec gzip -9 {} \;
|
||||
for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
|
||||
|
||||
install -D -m 0644 $CWD/config/usbguard.logrotate $PKG/etc/logrotate.d/usbguard.new
|
||||
install -D -m 0644 $CWD/config/rc.usbguard $PKG/etc/rc.d/rc.usbguard.new
|
||||
|
||||
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
|
||||
cp -a $DOCS $PKG/usr/doc/$PRGNAM-$VERSION
|
||||
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
|
||||
|
||||
mkdir -p $PKG/install
|
||||
cat $CWD/slack-desc > $PKG/install/slack-desc
|
||||
cat $CWD/doinst.sh > $PKG/install/doinst.sh
|
||||
|
||||
cd $PKG
|
||||
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
PRGNAM="usbguard"
|
||||
VERSION="0.7.4"
|
||||
HOMEPAGE="https://usbguard.github.io/"
|
||||
DOWNLOAD="https://github.com/USBGuard/usbguard/releases/download/usbguard-0.7.4/usbguard-0.7.4.tar.gz"
|
||||
MD5SUM="1cebf50ed9fdbd83f989fcb2e1ae4493"
|
||||
DOWNLOAD_x86_64=""
|
||||
MD5SUM_x86_64=""
|
||||
REQUIRES="protobuf libqb libsodium"
|
||||
MAINTAINER="Michael Edie"
|
||||
EMAIL="michael@sawbox.net"
|
||||
Loading…
Reference in New Issue