💾 Archived View for axionfield.space › gemlog › 20220615-usbguard.gmi captured on 2024-02-05 at 09:39:06. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-07-16)

-=-=-=-=-=-=-

usbguard

I recently discover usbguard:

https://github.com/USBGuard/usbguard

This is a daemon that uses some kernel constructs to apply policies on whether

the kernel should accept of not usb devices. This can be very useful to prevent

anybody to plug USB stuff in your devices, like a rubber ducky or other bad USB

sticks. The tool allows a vast range of possibilities, but I want to keep my

laptop usable and not have to add rules for anything I plug in.

However, I only want to accept new USB devices when my laptop is not locked.

This should prevent 99% of attacks (that are already highly improbable). So

here's how I did this on Arch.

Installation and configuration

The first thing to do is to install usbguard:

sudo pacman -S usbguard
systemctl enable --now usbguard

Now we want to whitelist our known USB devices. Normally the install process

does it, but just to be sure, I'll show how to do this. It can be also useful to

rerun this, if your set of known devices change. Plug all the things you want to

be always be allowed (if you don't you'll need to add rules yourself later) and

run:

sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf
systemctl restart usbguard

Now usbguard will block any devices that was not plugged at the time of the

policy generation. You can always add new rules later with usbguard append-rule.

You can control the default policy for new devices using:

sudo usbguard set-parameter ImplicitPolicyTarget allow
sudo usbguard set-parameter ImplicitPolicyTarget block

You can check the current state with:

sudo usbguard get-parameter ImplicitPolicyTarget

Avoid having to type a password for sudo usbguard

In my scenario, I don't really care that you can change policies when you have

access to a logged shell. So I just add this to /etc/sudoers.d/usbguard:

YOUR_USERNAME ALL=(ALL) NOPASSWD: /usr/bin/usbguard set-parameter ImplicitPolicyTarget *

Don't forget to replace YOUR_USERNAME by, well, your username.

Change the default policy based on lock status

I use swaylock and a systemd service to lock my screen:

[Unit]
Description=Launch swaylock

[Service]
Type=forking
ExecStart=swaylock

[Install]
WantedBy=default.target

So it's now very easy to add a pre/post hook to block/allow new USB devices by

default. So the file can be edited like so:

[Unit]
Description=Launch swaylock

[Service]
Type=forking
ExecStartPre=sudo usbguard set-parameter ImplicitPolicyTarget block
ExecStart=swaylock
ExecStop=sudo usbguard set-parameter ImplicitPolicyTarget allow

[Install]
WantedBy=default.target

Now everytime you start your lockscreen, it will block new USB devices by

default, and when the lockscreen exits, the policy will be reset to allow all

by default.

Finally, I just add this to my .zprofile (you can adapt to your own shell), so

the policy is set to allow when I login trough a tty:

sudo usbguard set-parameter ImplicitPolicyTarget allow

Life is good.