The USBGuard software framework helps to protect your
computer against unauthorized use of USB ports on
a machine. To enforce the user-defined policy, it uses
the USB device authorization feature implemented in the
Linux kernel since 2007.
USBGuard supports granular policy options as well as
blacklisting and whitelisting capabilities for specifying
how USB devices will interact with a particular host system.
A device that is blocked will be listed by the operating
system as being connected, but no communication is allowed
for it. A device that is rejected will be completely ignored
after it is inserted into the port.
Optional dependencies:
- audit
- libseccomp
To have the USBGuard daemon start and stop with your host,
add to /etc/rc.d/rc.local:
if [ -x /etc/rc.d/rc.usbguard ]; then
/etc/rc.d/rc.usbguard start
fi
and to /etc/rc.d/rc.local_shutdown (creating it if needed):
if [ -x /etc/rc.d/rc.usbguard]; then
/etc/rc.d/rc.usbguard stop
fi
Warning: You must configure the daemon before you start it
or all USB devices will immediately be blocked!
In order to view the current policy execute the following
command: sudo usbguard generate-policy
If you are satisfied with the output then copy it to the rules file.
sudo usbguard generate-policy >> /etc/usbguard/rules.conf